Configure Notification Forwarding - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-07-16
Last date published
2024-12-11
Category
Administrator Guide
Abstract

With Cortex XSIAM you can choose to receive notifications to keep up with the alerts and events that matter to your teams.

To forward notifications, you create a forwarding configuration that specifies the log type you want to forward. You can also add filters to the configuration so that only alerts and events that match specific criteria are forwarded.

Note

Cortex XSIAM applies the filter only to alerts and events generated after you save the configuration. Existing alerts and events are not forwarded retroactively.

Use this workflow to configure notifications for alerts, agent audit logs, and management audit logs. To receive notifications about reports, see Create a Report from Scratch.

  1. Select Settings > Configurations > General > Notifications.

  2. Select + Add Forwarding Configuration.

  3. Define the configuration Name and Description.

  4. Select the Log Type you want to forward:

    • Alerts—Send notifications for specific alert types (for example, XDR Agent or BIOC).

      Note

      To configure notification forwarding for Health alerts, select Log Type = Alerts and filter the Alerts table by Alert Domain = Health.

    • Agent Audit Logs—Send notifications for audit logs reported by your Cortex XSIAM agents.

    • Management Audit Logs—Send notifications for audit logs about events related to your Cortex XSIAM management console.

    • Health Alerts—Send notifications for health alerts (for example, Ingestion, Event Forwarding, and Correlation rule errors).

      Note

      This option will be deprecated in the next release. Instead, select Log Type = Alerts and filter by Alert Domain = Health.

  5. In the Configuration Scope, filter the alerts or events you want included in the notifications. All filter conditions must match for an alert or event to be forwarded.

    Example

    With the following filter, Cortex XSIAM notifies you only of Security-domain alerts that originate from the XDR Agent and have Medium severity:

    Domain = Security, Severity = Medium, Alert Source = XDR Agent


  6. (Optional) Define your Email Configuration.

    1. In Email Distribution, add the email addresses to which you want to send email notifications.

    2. Define the Email Grouping Time Frame, in minutes, to specify how often Cortex XSIAM sends notifications. Alerts or events that arrive within the time frame are aggregated and sent together, up to 20 per notification, sorted by severity. To send a separate notification as soon as each alert or event is generated, set the time frame to 0.

    3. Choose whether you want Cortex XSIAM to provide an auto-generated subject.

    4. If you previously used the Log Forwarding app and want to continue forwarding logs in the same format, you can Use Legacy Log Format. See Log Format for IOC and BIOC Alerts.

  7. Configure additional forwarding options.

    Depending on the notification integrations supported by the Log Type, configure the desired Slack channel or Syslog receiver notification settings.

    Note

    Before you can select a Slack channel or Syslog receiver, you must first Integrate Slack for Outbound Notifications and Integrate a Syslog Receiver.

    1. Enter the Slack channel name and select from the list of available channels.

      Slack channels are managed in your Slack workspace, independently of Cortex XSIAM. After you integrate your Slack workspace with your Cortex XSIAM tenant, Cortex XSIAM lists the channels available in that workspace.

    2. Select a Syslog receiver.

      Cortex XSIAM displays the list of receivers integrated with your Cortex XSIAM tenant.

  8. Select Done to create the forwarding configuration.

  9. (Optional) To modify a saved forwarding configuration later, right-click the configuration and select Edit, Disable, or Delete.
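The following Python is an added example for this page; it is not Cortex XSIAM code. It models the forwarding configuration built in steps 4 through 6 (Log Type, the Configuration Scope filter where every condition must match, and the Email Grouping Time Frame with its limit of 20 per notification and severity ordering) so that you can estimate how many email notifications a given alert stream would produce before you save a configuration. The sample records are constructed, not real telemetry. Two details the page does not state are assumptions of the model: grouping windows are fixed-length and start at the first matching record, and the severity order is Critical, High, Medium, Low, Informational.

```python
"""Model of a Cortex XSIAM notification forwarding configuration (added example, not product code)."""
from dataclasses import dataclass
from typing import Dict, List

MAX_PER_NOTIFICATION = 20  # "up to 20 per notification" per the Email Grouping Time Frame step
# Assumed severity order for sorting within a notification (not stated on the page).
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}


@dataclass
class Record:
    log_type: str           # "Alerts", "Agent Audit Logs", or "Management Audit Logs"
    minute: int             # arrival time in minutes since the start of the sample (constructed)
    fields: Dict[str, str]  # filterable fields keyed by their UI labels


@dataclass
class ForwardingConfig:
    name: str
    log_type: str
    scope: Dict[str, str]      # Configuration Scope: every condition must hold (logical AND)
    grouping_minutes: int = 0  # Email Grouping Time Frame; 0 sends each record immediately

    def matches(self, record: Record) -> bool:
        """A record is forwarded only if its log type and every scope condition match."""
        return record.log_type == self.log_type and all(
            record.fields.get(key) == value for key, value in self.scope.items()
        )

    def notifications(self, records: List[Record]) -> List[List[Record]]:
        """Return the email notifications this configuration would send, as lists of records."""
        matched = sorted((r for r in records if self.matches(r)), key=lambda r: r.minute)
        if not matched:
            return []
        if self.grouping_minutes == 0:
            return [[r] for r in matched]
        # Assumption: fixed windows of grouping_minutes, aligned to the first matching record.
        first = matched[0].minute
        windows: Dict[int, List[Record]] = {}
        for r in matched:
            windows.setdefault((r.minute - first) // self.grouping_minutes, []).append(r)
        batches: List[List[Record]] = []
        for idx in sorted(windows):
            ordered = sorted(windows[idx], key=severity_rank)  # most severe first
            for i in range(0, len(ordered), MAX_PER_NOTIFICATION):
                batches.append(ordered[i:i + MAX_PER_NOTIFICATION])
        return batches


def severity_rank(record: Record) -> int:
    return SEVERITY_ORDER.get(record.fields.get("Severity", ""), len(SEVERITY_ORDER))


# The filter from the page's example: Domain = Security, Severity = Medium, Alert Source = XDR Agent.
EXAMPLE_SCOPE = {"Domain": "Security", "Severity": "Medium", "Alert Source": "XDR Agent"}
# Health alerts, as the note recommends: Log Type = Alerts filtered by Alert Domain = Health.
HEALTH_SCOPE = {"Domain": "Health"}


def sample_records() -> List[Record]:
    """Constructed sample data: a burst of 25 Medium XDR Agent alerts in the first five
    minutes, three alerts the example filter must exclude, one more matching alert at
    minute 12, and one management audit log that no Alerts configuration should pick up."""
    xdr_medium = {"Domain": "Security", "Severity": "Medium", "Alert Source": "XDR Agent"}
    records = [Record("Alerts", i % 5, dict(xdr_medium)) for i in range(25)]
    records += [
        Record("Alerts", 2, {"Domain": "Security", "Severity": "High", "Alert Source": "XDR Agent"}),
        Record("Alerts", 3, {"Domain": "Security", "Severity": "Medium", "Alert Source": "BIOC"}),
        Record("Alerts", 4, {"Domain": "Health", "Severity": "Medium", "Alert Source": "XDR Agent"}),
        Record("Alerts", 12, dict(xdr_medium)),
        Record("Management Audit Logs", 1, {"Severity": "Low"}),
    ]
    return records


if __name__ == "__main__":
    records = sample_records()
    for minutes in (0, 10):
        cfg = ForwardingConfig("XDR Agent medium", "Alerts", EXAMPLE_SCOPE, minutes)
        sizes = [len(b) for b in cfg.notifications(records)]
        print(f"grouping={minutes:>2} min -> {len(sizes)} notifications, sizes {sizes}")
    health = ForwardingConfig("Health", "Alerts", HEALTH_SCOPE)
    print(f"health alerts forwarded: {len(health.notifications(records))}")
```

Running the script shows the effect of the grouping setting on the same burst: with a time frame of 0 the 26 matching alerts produce 26 separate emails, while a 10-minute time frame produces three (20 and 5 from the first window, then 1 for the alert at minute 12). Widening the scope to Alert Source = XDR Agent alone pulls the High alert into the first batch, where the severity sort places it first.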