Add an XDR Collector Profile for Linux

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-18
Category
Administrator Guide
Abstract

Add a Cortex XDR Collector profile which defines the data that is collected from a Linux collector machine.

Note

Ingestion of logs larger than 5 MB is not supported.

An XDR Collector Linux profile defines the data that is collected from a Linux collector machine. For Linux, you can configure a Filebeat profile or a Settings profile.

  • An XDR Collector Linux Filebeat profile enables you to collect file and log data using the Elasticsearch Filebeat default configuration file called filebeat.yml. Cortex XSIAM supports using Filebeat version 8.8.1 with the different operating systems listed in the Elasticsearch Support Matrix that conform to the collector machine operating systems supported by Cortex XDR. Cortex XSIAM supports the various input types and modules available in Elasticsearch Filebeat. For more information on the input types supported, see Configure Filebeat Inputs in Elasticsearch. For more information on the modules supported, see Configure Filebeat Modules in Elasticsearch.

    Note

    Fileset validation is enforced. You must enable at least one fileset in the module as filesets are disabled by default.

  • An XDR Collector Linux Settings profile enables you to configure whether to implement an automatic upgrade for the XDR Collector release.

After you add an XDR Collector profile, to associate it with a collector machine, you must use a policy.

Note

For more information on Elasticsearch Filebeat, see the Elasticsearch Filebeat Overview Documentation.

  1. In Cortex XSIAM, select Settings > Configurations > XDR Collectors > Profiles > + Add Profile > Linux.

  2. Select Filebeat profile or Settings profile, then click Next.

  3. Configure the General Information parameters.

    • Profile Name—Specify a unique Profile Name to identify the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name you choose will be visible from the list of profiles when you configure a policy.

    • Add description here—(Optional) Specify a profile description that records the purpose or business reason for creating the profile.

  4. Configure the settings for the profile selected in Step 2.

    • For an XDR Collector Filebeat profile, configure the Filebeat configuration file. In the Filebeat Configuration File editor, define the data collection for your Elasticsearch Filebeat configuration file called filebeat.yml. Cortex XSIAM supports the various input types and modules available in Elasticsearch Filebeat. For more information on the input types supported, see Configure Filebeat Inputs in Elasticsearch. For more information on the modules supported, see Configure Filebeat Modules in Elasticsearch.

      To facilitate the configuration of the YAML file, you can use out-of-the-box collection templates and templates added by the content packs installed from the XSIAM Marketplace. Using the templates saves you time and doesn't require previous knowledge of configuration file generation. You can edit and combine the provided templates, and you can add your own collection settings to the configuration file.

      Cortex XSIAM provides YAML templates for XDR Collector Logs, RHEL/CentOS, MySQL, NGINX, Debian/Ubuntu, and any templates added by the content packs installed from the XSIAM Marketplace. To add a template, select it and click Add.

      Cortex XSIAM supports all sections in the filebeat.yml configuration file, including Filebeat fields and tags. This enables you to use the add_fields processor to identify the product/vendor of the data collected by the XDR Collectors, so that the collected events go through the ingestion flow (Parsing Rules). To identify the product/vendor, ensure that you use the default fields attribute rather than the target attribute, as shown in the following example.

      processors:
        - add_fields:
            fields:
              vendor: <Vendor>
              product: <Product>

      Note

      Cortex XSIAM collects all logs in either a JSON or text format that are uncompressed. Compressed files, such as in a gzip format, are unsupported.

      Cortex XSIAM supports logs in single line format or multiline format. For more information on handling messages that span multiple lines of text in Elasticsearch Filebeat, see Manage Multiline Messages.

    • For an XDR Collector Linux Settings profile, configure the Collector Upgrade parameters. You can configure an automatic upgrade for the XDR Collector release. By default, automatic upgrade is disabled and the Use Default (Disabled) checkbox is selected. To implement an automatic upgrade, follow these steps.

      1. Clear the Use Default (Disabled) checkbox.

      2. For the Collector Auto-Upgrade field, select Enabled.

        When this field is set to Enabled, the following additional fields are displayed for defining the scope of the automatic upgrade.

      3. Configure the scope of the automatic upgrade. By default, the collector is upgraded whenever a new XDR Collector release is available, including maintenance releases and new features.

        To ensure the latest XDR Collector release is used, leave the Use Default (Latest collector release) checkbox selected.

        To configure only a particular scope, perform the following steps.

        a. Clear the Use Default (Latest collector release) checkbox.

        b. For the Auto Upgrade Scope, select one of the following options.

        - Latest collector release—Configures the scope of the automatic upgrade to whenever a new XDR Collector release is available, including maintenance releases and new features.

        - Only maintenance release—Configures the scope of the automatic upgrade to whenever a new XDR Collector maintenance release is available.

        - Only maintenance releases in a specific version—Configures the scope of the automatic upgrade to whenever a new XDR Collector maintenance release is available for a specific version. When this option is selected, you can select the specific Release Version.
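As an added example for the Filebeat profile in step 4 (this is not one of the Cortex XSIAM templates or the guide's own file), the following filebeat.yml tails NGINX access and error logs, joins multi-line error entries, and identifies the vendor/product with add_fields using the default fields attribute. The log paths and the vendor and product values are assumptions; adjust them to your environment.

```yaml
# Added example (not from the Cortex XSIAM guide or its NGINX template).
# Paths, vendor and product values are assumed.

filebeat.inputs:
  # filestream is the file input for Filebeat 8.x; each instance needs a unique id.
  - type: filestream
    id: nginx-access
    enabled: true
    paths:
      - /var/log/nginx/access.log   # assumed path; uncompressed text only
    exclude_files: ['\.gz$']        # rotated gzip files are not supported for ingestion

  - type: filestream
    id: nginx-error
    enabled: true
    paths:
      - /var/log/nginx/error.log    # assumed path
    exclude_files: ['\.gz$']
    parsers:
      # NGINX error entries start with "YYYY/MM/DD "; lines that do not match
      # (negate: true) are appended to the previous event (match: after),
      # so a multi-line entry is shipped as one event.
      - multiline:
          type: pattern
          pattern: '^\d{4}/\d{2}/\d{2} '
          negate: true
          match: after
          max_lines: 500

processors:
  # Use the default "fields" attribute so the values land under fields.vendor
  # and fields.product, which is what the ingestion flow (Parsing Rules) reads.
  # Do not set "target" (for example target: ""), which would move the values
  # to the event root instead.
  - add_fields:
      fields:
        vendor: nginx     # assumed value
        product: nginx    # assumed value
```

Paste the file into the Filebeat Configuration File editor of the profile; a Filebeat module with an enabled fileset can be added alongside these inputs if you prefer the module-based approach.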

  5. Create your new profile, which appears under the applicable platform in the XDR Collectors Profiles page.

  6. Apply Profiles to Collection Machine Policies.

    You can do this in two ways. You can Create a new policy rule using this profile from the right-click menu, or you can launch the new policy wizard from the XDR Collectors > Policies > XDR Collectors Policies page.

  7. Other available options.

    As needed, you can return to the XDR Collectors Profiles page to manage your XDR Collectors profiles. To manage a specific profile, right-click anywhere in the XDR Collector profile row, and select the desired action:

    • Edit the XDR Collector profile settings.

    • Save As New—Enables you to copy the existing profile with its current settings, make any modifications, and save it as a new profile by adding a unique name.

    • Delete the XDR Collector profile.

    • View Collector Policies—Opens a new tab with the XDR Collectors Policies page displayed, so you can easily see the current policies that are associated with your XDR Collector profiles.

    • Copy text to clipboard to copy the text from a specific field in the row of an XDR Collector profile.

    • Copy entire row to copy the text from the entire row of an XDR Collector profile.