Configure Notification Forwarding - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide
Product
Cortex XPANSE
Version
2
Creation date
2024-03-28
Last date published
2024-04-17
Category
User Guide
Solution
Cloud
Abstract

Set up notifications to keep your teams up to date on the audit logs and alerts that matter to them.

With Cortex Xpanse you can set up notifications to keep your teams up to date on the audit log and alerts that matter to them. To set up notifications, you create a forwarding configuration that specifies the log type you want to forward. You can also add filters to your configuration to send notifications that match specific criteria. Notifications can be configured for people or teams who are not Xpanse users.

Note

Cortex Xpanse applies the filter only to future alerts.

Use this workflow to configure notifications for alerts and management audit logs. To receive notifications about reports, see Create a Report from Scratch.

  1. Select SettingsConfigurationsGeneralNotifications.

  2. + Add Forwarding Configuration.

  3. Define the configuration Name and Description.

  4. Select the Log Type you want to forward:

    • Alerts—Send notifications for specific alert types.

    • Management Audit Logs—Send notifications for audit logs about events related to your Cortex Xpanse management console.

  5. In the Configuration Scope, Filter the type of information you want included in a notification.

    For example, set a filter Severity = High, Resolution Status = New. Cortex Xpanse sends the alerts or events matching this filter as a notification.

  6. (Optional) Define your Email Configuration.

    1. In Email Distribution, add the email addresses to which you want to send email notifications.

    2. Define the Email Grouping Time Frame, in minutes, to specify how often Cortex Xpanse sends notifications. Every 30 alerts aggregated within this time frame are sent together in one notification, sorted according to the severity. To send a notification when one alert is generated, set the time frame to 0.

    3. Choose whether you want Cortex Xpanse to provide an auto-generated subject.

    4. If you previously used the Log Forwarding app and want to continue forwarding logs in the same format, you can Use Legacy Log Format. See Log Format for IOC and BIOC Alerts.Log Format for IOC and BIOC Alerts

  7. Configure additional forwarding options.

    Depending on the notification integrations supported by the Log Type, configure the desired Slack channel or Syslog receiver notification settings.

    Note

    Before you can select a Slack channel or Syslog receiver you must Integrate Slack for Outbound Notifications and Integrate a Syslog Receiver.

    1. Enter the Slack channel name and select from the list of available channels.

      Slack channels are managed independently of Cortex Xpanse in your Slack workspace. After integrating your Slack account with your Cortex Xpanse tenant, Cortex Xpanse displays a list of specific Slack channels associated with the integrated Slack workspace.

    2. Select a Syslog receiver.

      Cortex Xpanse displays the list of receivers integrated with your Cortex Xpanse tenant.

  8. Select Done to create the forwarding configuration.

  9. (Optional) To later modify a saved forwarding configuration, right-click the configuration, and Edit, Disable, or Delete it.