Activate the CSV Collector - Administrator Guide - Cortex XSIAM - Cortex

Activate the CSV Collector - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product

Cortex XSIAM

Creation date

2024-02-26

Last date published

2024-04-18

Danger

Before activating the CSV Collector applet, review and perform the following:

Configure the Broker VM.
Ensure that you share the applicable CSV files.
Know the complete file path for the Windows directory.

How to activate the CSV Collector

Select Settings → Configurations → Data Broker → Broker VMs.
In either the Brokers tab or the Clusters tab, locate your Broker VM.
You can either right-click the Broker VM and select Add App → CSV Collector, or in the APPS column, left-click Add → CSV Collector.
Configure your CSV Collector by defining the list of folders mounted to the Broker VM and specifying the list of CSV files to monitor and upload to Cortex XSIAM. You must also specify a username and password.
Mounted Folders
Define the folders mounted onto the Broker VM:
Folder Path
Specify the complete file path to the Windows directory containing the shared CSV files using the format: //host/<folder_path>. For example, //testenv1pc10/CSVFiles.
Username
Specify the username for accessing the Windows directory.
Password
Specify the password for accessing the Windows directory.
After you configure the mounted folder details, Add () details to the applet.
Mounted CSV Files
Folder Path + Name
Select the monitored Windows directory and specify the name of the CSV file. Use a wildcard file search using these characters in the name of the directory, CSV file name, and Path Exclusion.
?: Matches a single char, such as 202?-report.csv.
*: Matches either multiple characters, such as 2021-report*.csv, or all CSV files with *.csv.
**: Searches all directories and subdirectories. For example, if you want to include all the CSV files in the directory and any subdirectories, use the syntax //host/<folder_path>/**/*.csv.
Note
When you implement a wildcard file search, ensure that the CSV files share the same columns and header rows as all other logs that are collected from the CSV files to create a single dataset.
(Optional) Path Exclusion
Specify the complete file path for any files from the Windows directory that you do not want included. The same wildcard file search characters are allowed in this field as explained above for the FOLDER PATH +NAME field. For example, if you want to exclude any CSV file prefixed with 'exclude_' in the directory and subdirectories of //host/<folder_path>, use the syntax //host/<folder_path>/**/exclude_*.csv.
(Optional) Tags
To easily query the CSV data in the database, you can add a tag to the collected CSV data. This tag is appended to the data using the format <data>_<tag>.
Target Dataset
Either select the target dataset for the CSV data or create a new dataset by specifying the name for the new dataset.
Activate the CSV Collector applet.
After a successful activation, the APPS field displays CSV with a green dot indicating a successful connection.
Note
The CSV Collector checks for new CSV files every 10 minutes.
(Optional) To view metrics about the CSV Collector, left-click the CSV connection in the APPS field for your Broker VM.
Cortex XSIAM displays Resources, including the amount of CPU, Memory, and Disk space the applet is using.
Manage the CSV Collector.
After you activate the CSV Collector, you can make additional changes as needed. To modify a configuration, left-click the CSV connection in the APPS column to display the CSV settings, and select:
- Configure to redefine the CSV Collector configurations.
- Deactivate to disable the CSV Collector.
You can also Ingest CSV Files as Datasets.

Danger

How to activate the CSV Collector

Note

Note