Learn how to forward logs and data from Cortex XSIAM to external third-party services such as email, Slack, syslog, and Splunk.
You can forward logs, cases, and issues from Cortex XSIAM to an external service. By forwarding logs and data, you can manage alerts and investigations in external systems and meet data retention requirements. Available services include the following:
- Slack channel and/or syslog receiver: Configure the external application with Cortex XSIAM. After the application is configured, configure notification forwarding, specifying the data/log type you want to forward.
- Email distribution list: Configure notification forwarding, specifying the data/log type you want to forward.
- Splunk, Amazon SQS, Amazon S3, and Webhook: Only cases and issues can be forwarded to these services. The external application must be configured in Cortex XSIAM, and egress must be configured in the Cortex Gateway, before forwarding to these services.
The following table shows the log types supported for each notification type:
| Data/log type | Email | Slack | Syslog | Splunk, Amazon SQS, Amazon S3, Webhook |
|---|---|---|---|---|
| Issues | ✓ | ✓ | ✓ | ✓ |
| Cases | ✓ | ✓ | — | ✓ |
| Agent Audit Logs (requires an XDR Agent) | ✓ | — | ✓ | — |
| Management Audit Logs | ✓ | — | ✓ | — |
| Health Issues (Deprecated) | ✓ | ✓ | ✓ | — |