Visibility of Logs and Alerts from External Sources

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2024-07-16
Last date published: 2024-10-06
Category: Administrator Guide
Retire_Doc: Retiring
Link_to_new_Doc: /r/Cortex-XDR/Cortex-XDR-Documentation

Abstract

Cortex XDR provides visibility into your external logs. The availability of logs and alerts varies by the data source.

The following tables describe, for each vendor and device type, which kinds of visibility Cortex XDR provides for that data source and where in Cortex XDR you can view the ingested information.

A check mark (✓) indicates support and a dash (—) indicates the feature is not supported; a column that is not listed for a source below is not supported for that source.

Vendor and Device Type | Raw Data Visibility | Normalized Log Visibility | Cortex XDR Alert Visibility | Vendor Alert Visibility

Amazon S3 (flow logs)
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Normalized Log Visibility: ✓ Option to ingest network flow logs as Cortex XDR network connection stories that are searchable in the Query Builder and in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
    Note: While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC and BIOC alerts are only raised on normalized logs.

Amazon S3 (Route 53 logs)
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Normalized Log Visibility: ✓ Option to ingest network Route 53 DNS logs as Cortex XDR network connection stories that are searchable in the Query Builder and in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
    Note: While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC and BIOC alerts are only raised on normalized logs.

Azure Event Hub
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from flow logs.

Azure Network Watcher (flow logs)
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Normalized Log Visibility: ✓ Option to ingest network flow logs as Cortex XDR network connection stories that are searchable in the Query Builder and in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from flow logs.
    Note: While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC and BIOC alerts are only raised on normalized logs.

Check Point FW1/VPN1
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
    Note: Logs with sessionid = 0 are dropped.
  Normalized Log Visibility: ✓ Network stories that include Check Point network connection logs are searchable in the Query Builder and in XQL Search.
    Note: Logs with sessionid = 0 are dropped.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
    Note: While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC and BIOC alerts are only raised on normalized logs.
  Vendor Alert Visibility: ✓ Alerts from Check Point firewalls are raised throughout Cortex XDR when relevant.

Corelight Zeek
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Normalized Log Visibility: ✓ Network stories that include Corelight Zeek network connection logs are searchable in the Query Builder and in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
    Note: While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC and BIOC alerts are only raised on normalized logs.

Cisco ASA and Cisco AnyConnect VPN
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Normalized Log Visibility: ✓ Network stories that include Cisco network connection logs are searchable in the Query Builder and in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
    Note: While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC and BIOC alerts are only raised on normalized logs.

Fortinet Fortigate
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Normalized Log Visibility: ✓ Network stories that include Fortinet network connection logs are searchable in the Query Builder and in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
    Note: While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC and BIOC alerts are only raised on normalized logs.
  Vendor Alert Visibility: ✓ Alerts from Fortinet firewalls are raised throughout Cortex XDR when relevant.

Google Cloud Platform (flow logs, DNS logs)
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Normalized Log Visibility: ✓ Option to ingest network flow logs as Cortex XDR network connection stories and Google Cloud DNS logs that are searchable in the Query Builder and in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
    Note: While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC and BIOC alerts are only raised on normalized logs.

Okta
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
    Note:
    • While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC and BIOC alerts are only raised on normalized logs.
    • IOCs and BIOCs are only raised for these event types: sso and session_start.

Windows DHCP via Elasticsearch Filebeat
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Normalized Log Visibility: ✓ Cortex XDR uses Windows DHCP logs to enrich your network logs with hostnames and MAC addresses that are searchable in XQL Search.

Zscaler Internet Access (ZIA)
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Normalized Log Visibility: ✓ Network stories that include ZIA network connection and firewall logs are searchable in the Query Builder and in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
    Note:
    • While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC and BIOC alerts are only raised on normalized logs.
    • Analytics, IOCs and BIOCs are only raised on the Firewall data.
    • The Zscaler Nanolog Streaming Service (NSS) feed for web logs is only used for Correlation Rules and threat hunting.

Zscaler Private Access (ZPA)
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Normalized Log Visibility: ✓ Network stories that include ZPA network connection logs are searchable in the Query Builder and in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
    Note:
    • While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC and BIOC alerts are only raised on normalized logs.
    • The Zscaler Nanolog Streaming Service (NSS) feed for web logs is only used for Correlation Rules and threat hunting.

Vendor and Device Type | Raw Data Visibility | Normalized Log Visibility | Cortex XDR Alert Visibility | Vendor Alert Visibility

Amazon S3 (audit logs)
  Raw Data Visibility: ✓ Logs and stories are searchable in XQL Search.
  Normalized Log Visibility: ✓ Option to stitch audit logs with authentication stories that are searchable in the Query Builder and XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
    Note: While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC and BIOC alerts are only raised on normalized logs.

Azure Event Hub (audit logs, AKS logs)
  Raw Data Visibility: ✓ Logs and stories are searchable in XQL Search.
  Normalized Log Visibility: ✓ Option to stitch audit logs with authentication stories that are searchable in the Query Builder and XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
    Note: While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC and BIOC alerts are only raised on normalized logs.

Google Cloud Platform (audit logs, GKE logs)
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Normalized Log Visibility: ✓ Option to stitch audit logs with authentication stories that are searchable in the Query Builder and XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
    Note: While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC and BIOC alerts are only raised on normalized logs.

Google Workspace
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Normalized Log Visibility: ✓ Relevant Login, Token, Google Drive, SAML, Admin Console, Enterprise Groups, and Rules audit logs are normalized into authentication stories. All are searchable in the Query Builder.
  Cortex XDR Alert Visibility: ✓ For all logs, Cortex XDR can raise Cortex XDR alerts (Analytics and Correlation Rules) when relevant from logs.

Microsoft 365 email
  Raw Data Visibility: ✓ Email logs are searchable in XQL Search.
  Normalized Log Visibility: ✓ Microsoft 365 normalized email stories.
  Cortex XDR Alert Visibility: ✓ For Microsoft 365 email logs, Cortex XDR can also raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from the email logs.

Microsoft Office 365 (see Ingest Logs from Microsoft Office 365)
  Raw Data Visibility: ✓ Logs and stories (Azure AD authentication and audit logs only) are searchable in XQL Search.
  Normalized Log Visibility: ✓ Azure AD authentication logs and Azure AD Sign-in logs are normalized into authentication stories. Azure AD audit logs are normalized into cloud audit log stories. Exchange Online, SharePoint Online, and General audit logs are normalized into stories. All are searchable in the Query Builder.
  Cortex XDR Alert Visibility: ✓ For all Microsoft Office 365 logs, Cortex XDR can also raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from Office 365 logs.
    Note: While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC and BIOC alerts are only raised on normalized logs.

Okta
  Raw Data Visibility: ✓ Logs and stories are searchable in XQL Search.
  Normalized Log Visibility: ✓ Logs stitched with authentication stories are searchable in the Query Builder.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
    Note:
    • While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC and BIOC alerts are only raised on normalized logs.
    • IOCs and BIOCs are only raised for these event types: sso and session_start.

OneLogin
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Normalized Log Visibility: ✓ All log types are normalized into authentication stories, and are searchable in the Query Builder.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
    Note: While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC and BIOC alerts are only raised on normalized logs.

PingFederate
  Raw Data Visibility: ✓ Logs and stories are searchable in XQL Search.
  Normalized Log Visibility: ✓ Logs stitched with authentication stories are searchable in the Query Builder.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
    Note: While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC and BIOC alerts are only raised on normalized logs.

PingOne for Enterprise
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Normalized Log Visibility: ✓ Logs stitched with authentication stories are searchable in the Query Builder.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
    Note: While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC and BIOC alerts are only raised on normalized logs.

Vendor and Device Type | Raw Data Visibility | Normalized Log Visibility | Cortex XDR Alert Visibility | Vendor Alert Visibility

Amazon S3 (generic logs)
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.

Amazon CloudWatch (generic logs, EKS logs)
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Normalized Log Visibility: ✓
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
    Note: While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC and BIOC alerts are only raised on normalized logs.

Azure Event Hub
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.

Google Cloud Platform
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.

Google Kubernetes Engine
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.

Okta
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
    Note: While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC and BIOC alerts are only raised on normalized logs.

Prisma Cloud (alerts)
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Normalized Log Visibility: ✓ Prisma Cloud alerts are stitched with Cloud Provider logs when relevant.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.
  Vendor Alert Visibility: ✓ Alerts from Prisma Cloud are raised throughout Cortex XDR when relevant.

Prisma Cloud Compute (alerts)
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.
  Vendor Alert Visibility: ✓ Alerts from Prisma Cloud Compute are raised throughout Cortex XDR when relevant.

Vendor and Device Type | Raw Data Visibility | Normalized Log Visibility | Cortex XDR Alert Visibility | Vendor Alert Visibility

Windows Event Collector (see Activate Windows Event Collector)
  Raw Data Visibility: ✓ Windows event logs are available with agent EDR data and are searchable in XQL Search. The normalized Windows event log data is also available in microsoft_windows_raw and is searchable in XQL Search.
  Normalized Log Visibility: ✓ Windows event logs are stitched with agent EDR data and are searchable in the Query Builder. The Windows event logs are also normalized into the common Cortex Windows event format in microsoft_windows_raw and are searchable using the Query Builder.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
    Note: While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC and BIOC alerts are only raised on normalized logs.

Vendor and Device Type | Raw Data Visibility | Normalized Log Visibility | Cortex XDR Alert Visibility | Vendor Alert Visibility

AWS
  Raw Data Visibility: N/A
  Normalized Log Visibility: N/A
  Cortex XDR Alert Visibility: N/A

Google Cloud Platform
  Raw Data Visibility: N/A
  Normalized Log Visibility: N/A
  Cortex XDR Alert Visibility: N/A

Microsoft Azure
  Raw Data Visibility: N/A
  Normalized Log Visibility: N/A
  Cortex XDR Alert Visibility: N/A

Vendor and Device Type | Raw Data Visibility | Normalized Log Visibility | Cortex XDR Alert Visibility | Vendor Alert Visibility

Any Vendor Sending CEF, LEEF, CISCO, CORELIGHT, or RAW formatted Syslog
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
    Note: While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC and BIOC alerts are only raised on normalized logs.
  Vendor Alert Visibility: ✓ To enable Cortex XDR to display alerts from other vendors, you must map your alert fields to the Cortex XDR field format (see Ingest External Alerts).

Any vendor CSV files on a shared Windows directory
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.

Any vendor logs stored in a database
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.

Any vendor logs stored in files on a network share
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.

Any vendor logs from a third party source over FTP, FTPS, or SFTP
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.

Any vendor sending NetFlow flow records
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Normalized Log Visibility: ✓ NetFlow events are stitched with the Agent's EDR data and other Network products into a Session Story, and are searchable in the Query Builder and in XQL.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
    Note: While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC and BIOC alerts are only raised on normalized logs.

Any vendor sending logs over HTTP
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.
  Vendor Alert Visibility: ✓ To enable Cortex XDR to display alerts from other vendors, you must map your alert fields to the Cortex XDR field format (see Ingest External Alerts).

Apache Kafka
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
    Note: While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC and BIOC alerts are only raised on normalized logs.

BeyondTrust Privilege Management Cloud
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.

Box
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Normalized Log Visibility: ✓ Selected Box audit event logs are normalized into stories and are searchable in the Query Builder and in XQL.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
    Note: While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC and BIOC alerts are only raised on normalized logs.

Dropbox
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Normalized Log Visibility: ✓ Selected Box audit event logs are normalized into stories and are searchable in the Query Builder and in XQL.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
    Note: While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC and BIOC alerts are only raised on normalized logs.

Elasticsearch Filebeat
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.

Forcepoint DLP
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.

IoT Security
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Normalized Log Visibility: ✓ Cortex XDR uses IoT Security information to improve analytics detection and asset management information.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
    Note: While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC and BIOC alerts are only raised on normalized logs.

Proofpoint Targeted Attack Protection
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.

Salesforce.com
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.

ServiceNow CMDB
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.

Strata Logging Service
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Normalized Log Visibility: ✓ Detection events are stitched with other Palo Alto Networks product logs into stories, and are searchable in the Query Builder and in XQL.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Analytics, IOC, BIOC, and Correlation Rules) when relevant from logs.
    Note: While Correlation Rules alerts are raised on non-normalized and normalized logs, Analytics, IOC and BIOC alerts are only raised on normalized logs.
  Vendor Alert Visibility: ✓ Alerts from NGFW are raised throughout Cortex XDR when relevant.

Workday
  Raw Data Visibility: ✓ Raw data is searchable in XQL Search.
  Cortex XDR Alert Visibility: ✓ Cortex XDR can raise Cortex XDR alerts (Correlation Rules only) when relevant from logs.

Any vendor sending alerts
  Vendor Alert Visibility: ✓ Alerts are surfaced throughout Cortex XDR when relevant. To enable Cortex XDR to display your alerts, you must map your alert fields to the Cortex XDR field format (see Ingest External Alerts).

Datasets created from ingesting data

When ingesting data from an external source, Cortex XDR creates a dataset that you can query using Cortex Query Language (XQL). Datasets created in this way use the following naming convention.

<vendor_name>_<product_name>_raw

For example: cisco_asa_raw

The datatypes of the fields in an imported dataset are assigned automatically from the input content. A field can have a datatype of string, int, float, array, time, or boolean; any field that does not fit one of these types is ingested as a JSON object.

For CEF files, when extension values are quoted, the CEF parser automatically removes the quotes from the values. In addition, files containing invalid UTF-8 are parsed under the XQL mapping field _invalid_utf8.
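The dataset naming convention, the automatic datatype assignment and the CEF quote and invalid-UTF-8 handling described above, modelled in an added Python example. This is not Cortex XDR's own ingestion code: the rule for turning vendor and product names into a dataset identifier, the exact datatype-inference rules, and what is stored under _invalid_utf8 are this example's assumptions, and the two CEF lines are constructed samples rather than real device output.

```python
"""Added example modelling the ingestion behaviour this section describes.
Not Cortex XDR code; naming, type rules and _invalid_utf8 contents are assumptions."""
import json
import re
from datetime import datetime

# Split the seven CEF header fields on an unescaped '|' (the eighth part, the
# extension, may itself contain '|' and is kept whole by maxsplit below).
_HEADER_SPLIT = re.compile(r"(?<!\\)\|")
# Extension keys sit at the start of the extension or after whitespace.
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_HEADER_NAMES = ["cef_version", "device_vendor", "device_product",
                 "device_version", "signature_id", "name", "severity"]


def dataset_name(vendor: str, product: str) -> str:
    """Build the <vendor_name>_<product_name>_raw dataset name.
    Lower-casing and collapsing non-alphanumerics to '_' is an assumption of
    this example; the page only states the pattern (e.g. cisco_asa_raw)."""
    def norm(s: str) -> str:
        return re.sub(r"[^a-z0-9]+", "_", s.lower()).strip("_")
    return f"{norm(vendor)}_{norm(product)}_raw"


def infer_type(value: str) -> str:
    """Pick one of the documented datatypes (string, int, float, array, time,
    boolean); anything else counts as a JSON object. The concrete tests used
    for each type are this example's own, not Cortex XDR's."""
    if value.lower() in ("true", "false"):
        return "boolean"
    if re.fullmatch(r"[+-]?\d+", value):
        return "int"
    if re.fullmatch(r"[+-]?(\d+\.\d*|\.\d+|\d+)([eE][+-]?\d+)?", value):
        return "float"
    try:
        datetime.fromisoformat(value.replace("Z", "+00:00"))
        return "time"
    except ValueError:
        pass
    if value[:1] in ("[", "{"):
        try:
            parsed = json.loads(value)
        except json.JSONDecodeError:
            return "string"
        return "array" if isinstance(parsed, list) else "json object"
    return "string"


def _unescape(text: str) -> str:
    """Resolve the CEF escapes \\| \\= and \\\\ in one pass."""
    return re.sub(r"\\([\\|=])", r"\1", text)


def parse_cef(raw: bytes) -> dict:
    """Parse one CEF line into a flat record.
    Invalid UTF-8 is not dropped: the whole line goes under _invalid_utf8
    (decoded with replacement characters). That a copy of the line is what
    ends up in that field is an assumption of this example."""
    try:
        line = raw.decode("utf-8").strip()
    except UnicodeDecodeError:
        return {"_invalid_utf8": raw.decode("utf-8", errors="replace").strip()}
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = _HEADER_SPLIT.split(line, maxsplit=7)
    if len(parts) < 7:
        raise ValueError("CEF header needs 7 pipe-separated fields")
    record = {n: _unescape(p) for n, p in zip(_HEADER_NAMES, parts[:7])}
    record["cef_version"] = record["cef_version"][len("CEF:"):]
    extension = parts[7] if len(parts) > 7 else ""
    keys = list(_EXT_KEY.finditer(extension))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(extension)
        value = _unescape(extension[m.end():end].strip())
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # documented behaviour: quotes are removed
        record[m.group(1)] = value
    return record


def parse_lines(lines) -> list:
    return [parse_cef(line) for line in lines]


def field_types(record: dict) -> dict:
    return {key: infer_type(val) for key, val in record.items()}


# Constructed sample input: one well-formed line, one with invalid UTF-8 bytes.
SAMPLE_LINES = [
    b'CEF:0|Example Vendor|Example FW|1.0|100|Policy deny|5|'
    b'src=10.0.0.5 dst=10.0.0.9 dpt=443 act="blocked" '
    b'rt=2024-07-16T10:15:00Z msg=conn to 10.0.0.9\\=deny',
    b'CEF:0|Example Vendor|Example FW|1.0|101|Bad bytes|3|msg=\xff\xfe not utf-8',
]

if __name__ == "__main__":
    print(dataset_name("Example Vendor", "Example FW"))
    for rec in parse_lines(SAMPLE_LINES):
        print(json.dumps(rec), json.dumps(field_types(rec)))
```

Running the block prints the derived dataset name, then each parsed record with its inferred field types; the second record shows the invalid-UTF-8 path, where nothing is silently dropped and an analyst can still find the line by querying the _invalid_utf8 field.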