Ingest NetFlow Flow Records as Datasets

Cortex XDR Pro Administrator Guide


Ingesting logs and data requires a Cortex XDR Pro per GB license.

Cortex XDR can receive NetFlow flow records and IPFIX on a UDP port and send them directly to your log repository for query and visualization purposes. After you activate the NetFlow Collector applet on a Broker VM in your network, which includes configuring your NetFlow Collector settings, you can ingest NetFlow flow records and IPFIX as datasets.

The ingested NetFlow flow record format must include, at the very least:

  • Source and Destination IP addresses

  • TCP/UDP source and destination port numbers
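The following Python check is an added example, not taken from the Cortex XDR guide. It parses a NetFlow v9 or IPFIX export packet captured from your exporter and reports which templates lack the minimum fields listed above. The field type IDs come from RFC 3954 and the IANA IPFIX registry; mapping the guide's requirement onto them, the function names, and the sample packets are assumptions of this example.

```python
import struct
# Field type IDs per RFC 3954 / IANA IPFIX; mapping the guide's minimum to them is assumed.
REQUIRED = {
    "source IP": {8, 27},         # IPV4_SRC_ADDR, IPV6_SRC_ADDR
    "destination IP": {12, 28},   # IPV4_DST_ADDR, IPV6_DST_ADDR
    "source port": {7},           # L4_SRC_PORT
    "destination port": {11},     # L4_DST_PORT
}

def templates(packet: bytes) -> dict:
    """Return {template_id: [field type IDs]} from one v9 or IPFIX export packet."""
    version = struct.unpack_from("!H", packet)[0]
    if version not in (9, 10):
        raise ValueError(f"unsupported export version {version}")
    offset, template_set = (20, 0) if version == 9 else (16, 2)  # header size, template set ID
    found = {}
    while offset + 4 <= len(packet):
        set_id, set_len = struct.unpack_from("!HH", packet, offset)
        if set_len < 4 or offset + set_len > len(packet):
            raise ValueError("malformed or truncated set")
        pos, end = offset + 4, offset + set_len
        while set_id == template_set and pos + 4 <= end:
            tid, count = struct.unpack_from("!HH", packet, pos)
            if tid < 256:          # zero padding at the end of the set
                break
            pos, fields = pos + 4, []
            for _ in range(count):
                if pos + 4 > end:
                    raise ValueError("template runs past its set")
                ftype = struct.unpack_from("!H", packet, pos)[0]
                pos += 4           # field type (2 bytes) + field length (2 bytes)
                if version == 10 and ftype & 0x8000:
                    pos += 4       # enterprise-specific field: skip its enterprise number
                else:
                    fields.append(ftype)
            if count:              # count 0 is an IPFIX template withdrawal
                found[tid] = fields
        offset = end
    return found

def missing_fields(packet: bytes) -> dict:
    """Map each template ID to the required fields it lacks ([] means complete)."""
    return {tid: [name for name, ids in REQUIRED.items() if not ids & set(f)]
            for tid, f in templates(packet).items()}

# Constructed sample packets (v9 header plus one template FlowSet), not real captures.
HDR = bytes.fromhex("0009 0001" + "00" * 16)
GOOD = HDR + bytes.fromhex("0000 0020 0100 0006 0008 0004 000c 0004 0007 0002 000b 0002 0004 0001 0001 0004")
NO_PORTS = HDR + bytes.fromhex("0000 0018 0101 0004 0008 0004 000c 0004 0004 0001 0001 0004")
```

Run `missing_fields()` on the UDP payload of a template packet from each exporter before pointing it at the Broker VM; any non-empty list names the fields to add to that exporter's flow record definition.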

After Cortex XDR begins receiving flow records from the UDP port, Cortex XDR automatically parses the flow records and creates a dataset with the specific name you set as the target dataset when you configured the NetFlow Collector. The NetFlow Collector adds the flow records to the dataset. You can then use XQL Search queries to view those flow records and create new IOC, BIOC, and Correlation Rules. Cortex XDR can also analyze your logs to raise Analytics alerts.

Configure Cortex XDR to receive NetFlow flow records as datasets from the routers and switches that support NetFlow.

  1. Set up your NetFlow exporter to forward flow records to the IP address of the Broker VM that runs the NetFlow Collector applet.

  2. Activate the NetFlow Collector applet on a Broker VM within your network.

  3. Use XQL Search to query your flow records in your designated dataset.