Learn more about Cortex XSIAM Data Sources and a unified approach to integrations.
Data sources are the foundational mechanisms used to ingest security and operational data, including logs, events, and asset metadata, into Cortex XSIAM for analysis, correlation, and response. By consolidating data from diverse origins like endpoints, network devices, cloud environments, and third-party security tools, Cortex XSIAM constructs a comprehensive and contextualized security story.
Configuring ingestion components in the Cortex XSIAM user interface (UI) currently involves navigating several areas of the UI, each using slightly different terminology:
The broad, overarching concept is the data source, representing any integration that provides data to Cortex XSIAM.
Built-in tools primarily focused on raw log ingestion are often referred to in the UI as data collectors. This term covers generic log ingestion, for example through XDR Collectors, as well as the core ingestion functionality reached through the Data Source Onboarder.
The Broker VM applets are specialized applications running on the Broker VM that function as collectors, such as the Syslog Collector.
Marketplace content packs that include a collection integration are also referred to as data sources, because content packs that fetch data are configured through the Data Source Onboarder on the Data Sources & Integrations page.
In this documentation, data source is used as the general category for all ingestion methods, but specific components like data collectors and Broker VM applets are named explicitly when discussing their configuration.
Cortex XSIAM enables you to collect data across a vast and varied enterprise landscape. This necessitates distinct data source types designed for different environments and needs:
Standard data collectors (API/built-in): These are built-in functionalities primarily focused on ingesting raw logs and security events for core security analysis, parsing, and normalization. They typically use either direct API connections (for example, Okta and CrowdStrike) or file-based collection from storage such as Amazon S3.
Broker VM data collector applets: These are modular applications installed on a local Broker VM virtual appliance, designed for on-premises data collection needs, such as the Syslog Collector or Database Collector.
XDR Collectors (XDRC): These are lightweight agents dedicated to on-premises log collection on Windows and Linux hosts, typically gathering logs and events with tools such as Filebeat or Winlogbeat.
Cloud Service Provider (CSP) Onboarding: These are specialized wizards for integrating cloud environments, including AWS, Azure, GCP, and OCI, enabling streamlined setup for asset discovery, posture/runtime security, and log collection.
Marketplace content packs: These packages offer specialized security functionality by bundling both a collection integration (for data ingestion) and automation components, such as playbooks and correlation rules. Note that not all data collectors have a corresponding Marketplace content pack.
Cloud Posture and Runtime Security data sources: These data sources provide agentless visibility and real-time control over cloud risks by using cloud-native APIs to monitor misconfigurations, scan container registries, and secure serverless functions or sensitive data across multi-cloud environments.
The existence of diverse collector types currently necessitates multiple points of configuration within the Cortex XSIAM UI, as explained in the table below.
Important
We are actively working to evolve the UI to create a single, unified point of configuration for all data ingestion and integration points. This documentation is structured to help you navigate the current segmented process until that UI update is available.
| Data Source Type | Primary UI Location(s) for Configuration |
|---|---|
| CSP onboarding and standard collectors | Data Sources & Integrations page (Settings → Data Sources & Integrations → + Add New) |
| Broker VM applets | Broker VMs page (Settings → Configurations → Data Broker → Broker VMs) |
| XDR Collectors | XDR Collectors page (Settings → Configurations → XDR Collectors) |
| Marketplace content packs | Data Sources & Integrations page (Settings → Data Sources & Integrations, via the Data Source Onboarder for packs with data ingestion, or after a Marketplace install). Note: some content packs provide parsing rules and data model rules for data sources ingested by a Broker VM Syslog Collector applet or by standard data sources; these packs are not listed on the Data Sources & Integrations page. |
| Cloud Posture and Runtime Security data sources | |