Manage Event Forwarding - Administrator Guide - Cortex XDR - Cortex XSIAM - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Cortex XDR
Creation date
Last date published


This feature requires a Cortex XDR Pro license and an Event Forwarding add-on license. Only Administrators have access to this screen.

You can save your ingested, parsed data in an external location by exporting your logs to a bucket from where you can download them for two weeks.

The Event Forwarding page enables you to activate your Event Forwarding licenses and retrieve the path and credentials of your external storage destination. This page is available when you purchase the Event Forwarding add-on license.

Start forwarding event logs.

  1. Under SettingsConfigurationsData ManagementEvent Forwarding, activate the licenses in the Activation section.

    • Enable GB Event Forwarding to export parsed logs for XDR pro TB to an external SIEM for storage. This enables you to keep data in your own storage in addition to the Cortex XDR data layer, for compliance requirements and machine learning purposes. The exported logs are raw data, without any stories. Cortex XDR exports all the data without filtering or configuration options.

    • Enable Endpoints Event Forwarding to export raw endpoint data for Cortex XDR Pro EP and Cloud Endpoints. The exported logs are raw data, without any stories. Cortex XDR exports a subset of the endpoint data without filtering or configuration options.

  2. Save your selection.

  3. To retrieve the data, access GCP Cloud Storage through the Service Account.

    The Destination section displays the details of the Google Cloud Platform (GCP) bucket where your data is stored for 14 days. The data is compressed and saved as a line-delimited JSON gzip file.

    1. Copy the path displayed.

    2. Generate and download the Service Account JSON WEB TOKEN, which contains the access key. The token provides access to all your data stored in this bucket on the service account and must be saved in a safe place.

      If you need to regenerate your access token, Replace and download a new access token. This action invalidates your previous token.

    3. Using the path and the access key, retrieve your files manually or using an API.