Manage Event Forwarding - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2024-07-16
Last date published
2024-12-02
Category
Administrator Guide
Retire_Doc
Retiring
Link_to_new_Doc
/r/Cortex-XDR/Cortex-XDR-Documentation
Abstract

Save your ingested, parsed data in an external location by exporting your event logs to a temporary GCP storage bucket.

Notice

This feature requires a Cortex XDR Pro license and an Event Forwarding add-on license. Only Administrators have access to this screen.

You can save your ingested, parsed data in an external location by exporting your event logs to a temporary storage bucket on Google Cloud Platform (GCP), from where you can download them for up to 7 days.

Use the Event Forwarding page to activate your Event Forwarding licenses, to retrieve the path and credentials of your external storage destination on GPC. Once this page is activated, Cortex XDR automatically creates the GCP bucket.

Upload to a temporary GCP storage bucket

  1. Under SettingsConfigurationsData ManagementEvent Forwarding, activate the licenses in the Activation section.

    • Enable GB Event Forwarding to export parsed logs for Cortex XDR Pro per GB to an external SIEM for storage. This enables you to keep data in your own storage in addition to the Cortex XDR data layer, for compliance requirements and machine learning purposes. The exported logs are raw data, without any stories. Cortex XDR exports all the data without filtering or configuration options.

    • Enable Endpoints Event Forwarding to export raw endpoint data for Cortex XDR Pro EP and Cloud Endpoints. The exported logs are raw data, without any stories. Cortex XDR exports a subset of the endpoint data without filtering or configuration options.

  2. Save your selection.

  3. Access GCP Cloud Storage using the Service Account.

    The Destination section displays the details of the GCP bucket created by Cortex XDR, where your data is stored for 7 days. The data is compressed and saved as a line-delimited JSON gzip file.

    1. Copy the storage path displayed.

    2. Generate and download the Service Account JSON WEB TOKEN, which contains the access key.

      Save it in a secure location. If you need to regenerate the access token, Replace and download a new token. This action invalidates the previous token.

      The token provides access to all your data stored in this bucket and must be saved in a safe place.

      Use the storage path and access key to manually retrieve your files or use an API for automated retrieval.

    3. Using the storage path and the access key, retrieve your files manually or using an API.

  4. (Optional) Use the Pub/Sub subscription to ensure reliable data retrieval without any loss.

    1. Copy the Pub/Sub subscription provided.

    2. Configure your application or system to receive messages from the Pub/Sub subscription.

      Whenever a new file is added to the GCS bucket, a message is sent to the Pub/Sub subscription. The object path of the file in the bucket has the prefix internal/.

    3. Process the received message to initiate the download of the corresponding file.