Ingest Logs in a Network Share as Datasets - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2024-07-16
Last date published
2024-10-06
Category
Administrator Guide
Retire_Doc
Retiring
Link_to_new_Doc
/r/Cortex-XDR/Cortex-XDR-Documentation
Abstract

Cortex XDR can receive logs from files and folders in a network share directly to your log repository for query and visualization purposes.

Note

Ingesting logs and data requires a Cortex XDR Pro per GB license.

Cortex XDR can receive logs from files and folders in a network share directly to your log repository for query and visualization purposes. After you activate the Files and Folders Collector applet on a Broker VM in your network, which includes defining the connection details and settings related to the list of files to monitor and upload to Cortex XDR, you can collect files as datasets.

After Cortex XDR begins receiving logs from files and folders in a network share, Cortex XDR automatically parses the logs and creates a dataset with the specific name you set as the target dataset when you configured the Files and Folders Collector using the format <Vendor>_<Product>_raw. The Files and Folders Collector reads and processes the configured files one by one, as well as any new files added to the configured files and folders, in the network share according to the execution frequency of collection that you configured and adds the data in these files to the dataset. You can then use XQL Search queries to view logs and create new Correlation Rules.

Note

The Files and Folders Collector applet only starts to collect files that are more than 256 bytes.

Configure Cortex XDR to receive logs as datasets from files and folders in a network share.

  1. Activate the Files and Folders Collector applet on a Broker VM within your network.

  2. Use the XQL Search to query and review logs.