Manage Event Forwarding - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide


This feature requires a Cortex XDR Pro license and an Event Forwarding add-on license. Only Administrators have access to this screen.

You can keep a copy of your ingested, parsed data in an external location by exporting your logs to a bucket, from which you can download them for two weeks.

The Event Forwarding page enables you to activate your Event Forwarding licenses and retrieve the path and credentials of your external storage destination. This page is available when you purchase the Event Forwarding add-on license.

Start forwarding event logs.

  1. Under Settings > Configurations > Data Management > Event Forwarding, activate the licenses in the Activation section.

    • Enable GB Event Forwarding to export parsed logs for Cortex XDR Pro per GB to an external SIEM for storage. This enables you to keep data in your own storage in addition to the Cortex XDR data layer, for compliance requirements and machine learning purposes. The exported logs are raw data, without any stories. Cortex XDR exports all the data without filtering or configuration options.

    • Enable Endpoints Event Forwarding to export raw endpoint data for Cortex XDR Pro EP and Cloud Endpoints. The exported logs are raw data, without any stories. Cortex XDR exports a subset of the endpoint data without filtering or configuration options.

  2. Save your selection.

  3. Access GCP Cloud Storage using the Service Account.

    The Destination section displays the details of the Google Cloud Platform (GCP) bucket where your data is stored for 14 days. The data is compressed and saved as a line-delimited JSON gzip file.

    1. Copy the storage path displayed.

    2. Generate and download the Service Account JSON Web Token, which contains the access key.

      Save it in a secure location. If you need to regenerate the access token, select Replace and download a new token. This action invalidates the previous token.

      The token provides access to all your data stored in this bucket and must be saved in a safe place.

    3. Using the storage path and the access key, retrieve your files manually or using an API.

  4. (Optional) Use the Pub/Sub subscription to ensure reliable data retrieval without any loss.

    1. Copy the Pub/Sub subscription provided.

    2. Configure your application or system to receive messages from the Pub/Sub subscription.

      Whenever a new file is added to the GCS bucket, a message is sent to the Pub/Sub subscription.

    3. Process the received message to initiate the download of the corresponding file.
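The following Python consumer is an added example for steps 3 and 4, not code from the Cortex XDR documentation: it filters Pub/Sub messages for newly added objects, downloads each file with the service-account key, and decodes the line-delimited JSON gzip content record by record. It assumes the messages carry the standard Cloud Storage notification attributes (eventType, bucketId, objectId) and that google-cloud-storage is installed for the live download; the function names and the sample file are constructed here.

```python
"""Consume Cortex XDR Event Forwarding files from GCS on Pub/Sub notification (added example)."""
import gzip
import json

# Constructed sample of one forwarded file: gzip of line-delimited JSON (NDJSON).
SAMPLE_FILE = gzip.compress(
    b'{"event_type": "FILE", "host": "ws01"}\n{"event_type": "PROCESS", "host": "ws02"}\n'
)


def parse_notification(attributes: dict):
    """Return (bucket, object) for a new-file message, else None. Assumes the standard
    Cloud Storage -> Pub/Sub attributes; only OBJECT_FINALIZE announces a new object."""
    if attributes.get("eventType") != "OBJECT_FINALIZE":
        return None  # deletes and metadata updates carry no new data
    return attributes["bucketId"], attributes["objectId"]


def decode_ndjson_gzip(blob: bytes):
    """Decompress a forwarded file and yield one dict per non-empty JSON line."""
    for line in gzip.decompress(blob).decode("utf-8").splitlines():
        if line.strip():
            yield json.loads(line)


def download_object(sa_json_path: str, bucket: str, name: str) -> bytes:
    """Fetch one object using the downloaded service-account key (needs google-cloud-storage)."""
    from google.cloud import storage  # imported lazily so the pure helpers run offline
    client = storage.Client.from_service_account_json(sa_json_path)
    return client.bucket(bucket).blob(name).download_as_bytes()


def handle_notification(attributes: dict, fetch, sink) -> int:
    """Download the file a message announces, pass each record to sink, return the count."""
    target = parse_notification(attributes)
    if target is None:
        return 0
    count = 0
    for record in decode_ndjson_gzip(fetch(*target)):
        sink(record)
        count += 1
    return count


def make_callback(sa_json_path: str, sink):
    """Pub/Sub callback that acks only after processing, so a failed download is redelivered.
    Delivery is at-least-once: sink should tolerate seeing the same objectId twice."""
    def callback(message) -> None:
        handle_notification(dict(message.attributes),
                            lambda b, n: download_object(sa_json_path, b, n), sink)
        message.ack()
    return callback
```

For live use, pass the subscription copied in step 4 to `pubsub_v1.SubscriberClient().subscribe(subscription_path, callback=make_callback(key_path, sink)).result()`; which credential the subscriber client needs is not stated on this page.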