Log Forwarding - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Product: Cortex XPANSE
Version: 2
Creation date: 2024-08-29
Last date published: 2024-11-12
Category: User Guide
Solution: Cloud
Abstract

Cortex Xpanse enables you to forward alerts, management audit logs, and reports to external applications.

To help you stay informed and updated, you can forward Cortex Xpanse alerts, management audit logs, and reports to an external syslog receiver, a Slack channel, or to email accounts.

Log Forwarding Data Types
Abstract

In Cortex Xpanse, log forwarding includes different data types, which you can receive through different messaging formats.

To ensure you and your colleagues are informed and updated about events in your deployment, you can configure notification forwarding to Email, Slack, or a syslog receiver. The following table displays the data types supported by each notification receiver.

Data Type              Email   Slack   Syslog
Alerts                 Yes     Yes     Yes
Management Audit Log   Yes     No      Yes
Reports                Yes     Yes     No

Integrate a Syslog Receiver
Abstract

If you want to send Cortex Xpanse notifications to a Syslog receiver, you can set up log forwarding to the receiver.

To send Cortex Xpanse notifications to your Syslog server, you need to first define the settings for the Syslog server.

  1. Before you define the Syslog settings, allow the following Cortex Xpanse IP addresses for your deployment region through your firewall, so that the receiver accepts connections from them:

    Region                          Log Forwarding IP Addresses
    United States - Americas (US)   35.232.87.9, 35.224.66.220
    Germany (DE)                    35.234.95.96, 35.246.192.146
    Netherlands - Europe (EU)       34.90.202.186, 34.90.105.250
    Canada (CA)                     35.203.54.204, 35.203.52.255
    United Kingdom (UK)             34.105.227.105, 34.105.149.197
    Singapore (SG)                  35.240.192.37, 34.87.125.227
    Japan (JP)                      34.84.88.183, 35.243.76.189
    Australia (AU)                  35.189.38.167, 34.87.219.39
    United States - Government      104.198.222.185, 35.239.59.210
    India (IN)                      34.93.247.41, 34.93.183.131
    Switzerland (CH)                34.65.228.95, 34.65.74.83

  2. Select Settings > Configurations > Integrations > External Applications.

  3. In Syslog Servers, select + New Server.

  4. Define the Syslog server parameters:

    • Name—A unique name for the server profile.

    • Destination—IP address or fully qualified domain name (FQDN) of the Syslog server.

    • Port—The port number on which to send Syslog messages.

    • Facility—Choose one of the standard syslog facility values. The value maps to how your syslog server uses the facility field to route and manage messages. For details on the facility field, see RFC 5424.

    • Protocol—Select a method of communication with the Syslog server:

      • TCP—No validation is performed on the connection with the Syslog server. However, if there is an error with the domain used to make the connection, the Test connection fails.

      • UDP—No error checking, error correction, or acknowledgment. No validation is performed for the connection or when sending data.

      • TCP + SSL—Cortex Xpanse validates the Syslog server certificate and uses the certificate signature and public key to encrypt the data sent over the connection.

    • Certificate—The communication between Cortex Xpanse and the Syslog destination can use TLS. In this case, upon connection, Cortex Xpanse validates that the Syslog receiver has a certificate signed by either a trusted root CA or a self-signed certificate. You may need to merge the Root and Intermediate certificate if you receive a certificate error when using a public certificate.

      Note

      Up to TLS 1.2 is supported.

      If your Syslog receiver uses a self-signed CA, select Browse and upload your self-signed Syslog receiver CA.

      Note

      Make sure the self-signed CA includes your public key.

      If you only use a trusted root CA leave the Certificate field empty.

    • Ignore Certificate Error—Cortex Xpanse does not recommend this option, but you can select it to ignore certificate errors if they occur. Alerts and logs are then forwarded even if the certificate contains errors.

  5. Test the parameters to ensure a valid connection and Create when ready.

    You can define up to five Syslog servers. Upon success, the table displays the Syslog servers and their status.

  6. (Optional) Manage your Syslog server connection.

    In the Syslog Servers table:

    • Locate your Syslog server and right-click to Send text message to test the connection.

      Cortex Xpanse sends a message to the defined Syslog server; check the server to confirm that the test message arrived.

      If the message doesn’t arrive, Cortex Xpanse displays an error. View the error details and suggested solutions in Syslog Server Test Message Errors.

    • Locate the Status field.

      The Status field displays a Valid or Invalid TCP connection. Cortex Xpanse tests the connection with the Syslog server every 10 minutes. If no connection is established for 1 hour, Cortex Xpanse sends a notice to the notification center.

    Note

    If you find the Syslog data limited, Cortex Xpanse recommends running the Get Alert API for complete alert data.

  7. Configure Notification Forwarding.

    After you integrate with your Syslog receiver, you can configure your forwarding settings.

Integrate Slack for Outbound Notifications
Abstract

Cortex Xpanse enables you to integrate the Slack messaging application for outbound notifications to be received by Slack recipients.

Integrate Expander with your Slack workspace to better manage and highlight your Cortex Xpanse alerts and reports. By creating a Cortex Xpanse Slack channel, you ensure that the defined Cortex Xpanse alerts are visible on laptop and mobile devices through the Slack interface. Unlike email notifications, Slack channels are dedicated spaces that you can use to contact specific members regarding your Cortex Xpanse alerts.

To configure a Slack notification, you must first install and configure the Cortex Xpanse app on Slack.

  1. From Cortex Xpanse, select Settings > Configurations > Integrations > External Applications.

  2. Select the provided link to install Cortex Xpanse on your Slack workspace.

    Note

    You are directed to the Slack browser to install the Cortex Xpanse app. You can only use this link to install Cortex Xpanse on Slack. Attempting to install from the Slack marketplace redirects you to the Cortex Xpanse documentation.

  3. Click Submit.

    Upon successful installation, Cortex Xpanse displays the workspace to which you connected.

  4. Configure Notification Forwarding.

    After you integrate with your Slack workspace, you can configure your forwarding settings.

Configure Notification Forwarding
Abstract

Set up notifications to keep your teams up to date on the audit logs and alerts that matter to them.

With Cortex Xpanse you can set up notifications to keep your teams up to date on the audit log and alerts that matter to them. To set up notifications, you create a forwarding configuration that specifies the log type you want to forward. You can also add filters to your configuration to send notifications that match specific criteria. Notifications can be configured for people or teams who are not Xpanse users.

Note

Cortex Xpanse applies the filter only to future alerts.

Use this workflow to configure notifications for alerts and management audit logs. To receive notifications about reports, see Create a Report from Scratch.

  1. Select Settings > Configurations > General > Notifications.

  2. Select + Add Forwarding Configuration.

  3. Define the configuration Name and Description.

  4. Select the Log Type you want to forward:

    • Alerts—Send notifications for specific alert types.

    • Management Audit Logs—Send notifications for audit logs about events related to your Cortex Xpanse management console.

  5. In the Configuration Scope, filter the type of information you want included in a notification.

    For example, set a filter Severity = High, Resolution Status = New. Cortex Xpanse sends the alerts or events matching this filter as a notification.

  6. (Optional) Define your Email Configuration.

    1. In Email Distribution, add the email addresses to which you want to send email notifications.

    2. Define the Email Grouping Time Frame, in minutes, to specify how often Cortex Xpanse sends notifications. Every 30 alerts aggregated within this time frame are sent together in one notification, sorted according to the severity. To send a notification when one alert is generated, set the time frame to 0.

    3. Choose whether you want Cortex Xpanse to provide an auto-generated subject.

    4. If you previously used the Log Forwarding app and want to continue forwarding logs in the same format, you can Use Legacy Log Format. See Log Format for IOC and BIOC Alerts.

  7. Configure additional forwarding options.

    Depending on the notification integrations supported by the Log Type, configure the desired Slack channel or Syslog receiver notification settings.

    Note

    Before you can select a Slack channel or Syslog receiver you must Integrate Slack for Outbound Notifications and Integrate a Syslog Receiver.

    1. Enter the Slack channel name and select from the list of available channels.

      Slack channels are managed independently of Cortex Xpanse in your Slack workspace. After integrating your Slack account with your Cortex Xpanse tenant, Cortex Xpanse displays a list of specific Slack channels associated with the integrated Slack workspace.

    2. Select a Syslog receiver.

      Cortex Xpanse displays the list of receivers integrated with your Cortex Xpanse tenant.

  8. Select Done to create the forwarding configuration.

  9. (Optional) To later modify a saved forwarding configuration, right-click the configuration, and Edit, Disable, or Delete it.

Syslog Server Test Message Errors
Abstract

Learn more about Syslog Server test message errors.

When you test a Syslog server configuration, Cortex Xpanse sends a test message. If the test message cannot be sent, Cortex Xpanse displays an error message to help you troubleshoot. Below are the descriptions and suggested solutions for the error messages.

Error Message: Host Resolving Failed
Description: The IP address or hostname you provided doesn't exist, or can't be resolved.
Suggested Solution: Ensure you have the correct IP address or hostname.

Error Message: Configured Local Address
Description: The IP address or hostname you provided is internal and can't be used.
Suggested Solution: Ensure you have the correct IP address or hostname.

Error Message: Wrong Certificate Format
Description: The certificate you uploaded is in an unexpected format and can't be used. The certificate must be an ASCII string or a bytes-like object.
Suggested Solution: Re-create the certificate in the correct format, for example:

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----

Error Message: Connection Timed Out
Description: Cortex Xpanse didn’t connect to the syslog server in the expected time. This could be because your firewall blocked the connection or because the configuration of the syslog server caused it to drop the connection.
Suggested Solution: Check the firewall logs and the connection using Wireshark.

Error Message: Connection Refused
Description: The syslog server refused the connection. This could be because your firewall blocked the connection or because the configuration of the syslog server caused it to drop the connection.
Suggested Solution: Check the firewall logs and the connection using Wireshark.

Error Message: Connection Reset
Description: The connection was reset by the syslog server. This could be because your firewall blocked the connection or because the configuration of the syslog server caused it to drop the connection.
Suggested Solution: Check the firewall logs and the connection using Wireshark.

Error Message: Certificate Verification Failed
Description: The uploaded certificate couldn’t be verified for one of the following reasons.

  • The certificate doesn't correspond to the certificate on the syslog server and can't be validated.

  • The certificate doesn’t have the correct hostname.

  • You are using a certificate chain and didn’t merge the certificates into one certificate.

Suggested Solution:

  • Incorrect certificate—to check that the certificate you are uploading corresponds to the syslog server certificate, use the following openssl command.

    openssl verify -verbose -CAfile cortex_upload_certificate syslog_certificate

    If the certificate is correct, the result is syslog_certificate: OK.

  • Incorrect hostname—make sure that the hostname/IP in the certificate matches the syslog server.

  • Certificate chain—if you are using a list of certificates, merge the chain into one certificate. You can concatenate the certificates using the following cat command in Linux or macOS.

    cat intermediate_cert root_cert > merged_syslog.crt

    If the concatenated certificate doesn’t work, change the order of the root and intermediate certificates, and try again.

    To verify that the chain certificate was saved correctly, use the following openssl command.

    openssl verify -verbose -CAfile cortex_upload_certificate syslog_certificate

    If the certificate is correct, the result is syslog_certificate: OK.

Error Message: Connection Terminated Abruptly
Description: The firewall or the syslog server dropped the connection unexpectedly. This could be because the firewall on the customer side limits the number of connections, the configuration on the syslog server drops the connection, or the network is unstable.
Suggested Solution: Check the firewall logs and the connection using Wireshark.

Error Message: Host Unreachable
Description: The network configuration is faulty and the connection can't reach the syslog server.
Suggested Solution: Check the network configuration, including any firewall or load balancer that may be accidentally directing the connection to a dead server.

Error Message: SSL Error
Description: Unknown SSL error.
Suggested Solution: To investigate the issue, contact support.

Error Message: Connection Unavailable
Description: General error.
Suggested Solution: To investigate the issue, contact support.