External Data Ingestion Vendor Support - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-25
Category
Administrator Guide
Abstract

To augment your Cortex XSIAM data, you can set up Cortex XSIAM to ingest data from a variety of external third-party sources.

To provide you with a more complete and detailed picture of the activity involved in an incident, you can ingest data from a variety of external, third-party sources into Cortex XSIAM.

Cortex XSIAM can receive logs, or both logs and alerts, from the source. Depending on the data source, Cortex XSIAM can provide visibility into your external data in the form of:

  • Log stitching with other logs in order to create network or authentication stories.

  • Raw data in queries from XQL Search.

  • Alerts reported by the vendor throughout Cortex XSIAM, such as in the alerts table, incidents, and views.

  • Alerts raised by Cortex XSIAM on log data, such as analytics alerts.

To ingest data, you must set up the Syslog Collector applet on a Broker VM within your network.

The following table summarizes the vendor data that can be ingested, according to log or data type.

Log/Data Type                                      Vendor Support
Network Connections
Authentication Services/Audit Logs
Operation and System Logs from Cloud Providers
Cloud Assets
Custom External Sources