Learn how to configure data ingestion from a variety of Palo Alto Networks and third-party sources.
Because enterprise environments vary widely, Cortex XSIAM provides several distinct data source types, each designed for different environments and collection needs:
Standard data collectors (API/Built-in): These are built-in functionalities focused on ingesting raw logs and security events for core security analysis, parsing, and normalization. They typically use either a direct API connection to the vendor, such as Okta or CrowdStrike, or file collection from cloud storage, such as Amazon S3 buckets.
Broker VM data collector applets: These are modular applications installed on a local Broker VM virtual appliance, designed for on-premises collection needs such as the Syslog Collector or the Database Collector.
XDR Collectors (XDRC): These are lightweight agents dedicated to on-premises log collection on Windows and Linux hosts, typically gathering logs and events with tools such as Filebeat or Winlogbeat.
Cloud Service Provider (CSP) Onboarding: These are specialized wizards for integrating cloud environments, including AWS, Azure, GCP, and OCI, enabling streamlined setup for asset discovery, posture/runtime security, and log collection.
Marketplace content packs: These packages offer specialized security functionality by bundling both a collection integration (for data ingestion) and automation components, such as playbooks and correlation rules. Note that not all data collectors have a corresponding Marketplace content pack.
Cortex XSIAM enables you to ingest data from a wide range of third-party vendors and security services. For many popular vendors, you can choose between three types of data source to fit your needs:
Standard data sources (also called data collectors)
Cloud Service Provider (CSP) onboarding data sources
Content pack integrations
| Data Source Type | Primary Use | Configuration Method | Cortex XSIAM Features | Recommendation |
|---|---|---|---|---|
| Standard data source (also called data collector) | Ingesting raw logs and events. | Configured in the Data Sources & Integrations page using the Data Source Onboarder. | Limited to data ingestion, parsing, and normalization. | Choose this if you only need raw data ingestion. |
| Cloud Service Provider (CSP) onboarding data source | Ingesting cloud assets and logs from your CSP accounts. | Configured in the Data Sources & Integrations page using the CSP onboarding wizard. | Designed to facilitate the seamless setup of CSP data in Cortex XSIAM. Requires minimal user input: define the scope of your CSP accounts and specify the scan mode. For full control of the CSP setup, use the advanced settings. Based on the onboarding settings, Cortex XSIAM generates an authentication template that establishes trust with the CSP and grants permissions to Cortex XSIAM; review the permissions in that template before applying it to your cloud accounts. | Choose this to onboard cloud accounts (AWS, Azure, GCP, OCI) for asset discovery, posture and runtime security, and log collection. |
| Content pack integration | Ingesting data and enabling rich security functionality. | Configured via a content pack downloaded from Marketplace by either: | Includes data ingestion, parsing, and normalization, plus built-in commands and automations such as playbooks, scripts, correlation rules, and data model rules. | Choose this option for any of the following reasons: |
To add a new data source, see Add a new data source or instance.
To add a content pack from Marketplace, see Install content packs.