Ingest Detection Data from Strata Logging Service

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-02-26
Last date published: 2024-04-16
Category: Administrator Guide
Abstract

Learn how to ingest detection data from Strata Logging Service.

Note

Ingesting logs from Strata Logging Service requires an XSIAM license.

Note

This topic is only relevant for tenants that have a Strata Logging Service license. If you do not have a Strata Logging Service license, this option is not available, and you need to configure each Palo Alto Networks integration, such as Next-Generation Firewalls (NGFW) and Prisma Access, separately.

Existing Strata Logging Service integrations can be migrated to the Cortex Native Data Lake up to two weeks before your Strata Logging Service license expires, using the Migrate Devices button on the Data Sources page. Make sure you select all your devices so that they connect directly to Cortex XSIAM.

If you do not manually migrate your Strata Logging Service integrations, they will be migrated automatically two weeks before the end of the Strata Logging Service contract.

Roll-back of Strata Logging Service is not supported.

To streamline the connection and management of all logs generated by Palo Alto Networks products, Cortex XSIAM tenants with a Strata Logging Service license can ingest detection data from Strata Logging Service using the Strata Logging Service data collector.

You can configure the Strata Logging Service data collector to take logs from other Palo Alto Networks products that are already logging to one or more existing Strata Logging Service instances.

For stitched raw data, query the xdr_data dataset in XQL, or use any preset designated for stitched data, such as network_story. For query examples, refer to the in-app XQL Library. Cortex XSIAM can also raise Cortex XSIAM alerts (Analytics, Correlation Rules, IOC, and BIOC only), when relevant, from Strata Logging Service detection data. Correlation Rules alerts are raised on both non-normalized and normalized logs, whereas Analytics, IOC, and BIOC alerts are raised only on normalized logs.

Note

IOC and BIOC alerts are applicable on stitched data only and are not available on raw data.

To ingest detection data from Strata Logging Service:

  1. Activate Strata Logging Service.

    You can configure Cortex XSIAM to take firewall logs generated by Palo Alto Networks from other Palo Alto Networks products that are already logging to an existing Strata Logging Service instance.

  2. Select Settings > Data Sources.

  3. In the Strata Logging Service configuration, click Add Instance to begin a new configuration.

  4. Select Strata Logging Service Instance.

    Select one or more existing Strata Logging Service instances that you want to connect to this Strata Logging Service data collector configuration.

  5. Save your Strata Logging Service configuration.

    Once events start to come in, a green check mark appears underneath the Strata Logging Service configuration.

  6. (Optional) Manage your Strata Logging Service Collector.

    After you create the Strata Logging Service Collector, you can make additional changes, as needed.

    • Delete the Strata Logging Service Collector.

  7. After Cortex XSIAM begins receiving data from a Strata Logging Service instance, you can use XQL Search to search for specific data in the xdr_data dataset.
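The following XQL query is an added example, not part of this guide, that an administrator can run in XQL Search after step 7 to confirm that network events from the Strata Logging Service collector are landing in xdr_data and to see which hosts and destination ports dominate the feed. The field names used in the filter and grouping (event_type, agent_hostname, action_local_ip, action_remote_ip, action_remote_port) are assumed to be present for stitched network events; adjust them to match your tenant's schema.

```xql
// Added example: verify that stitched network events are arriving in xdr_data.
// Assumed field names: event_type, agent_hostname, action_local_ip,
// action_remote_ip, action_remote_port (adjust to your schema if they differ).
dataset = xdr_data
// Keep only network events; firewall traffic stitched from Strata Logging
// Service should appear under this event type.
| filter event_type = ENUM.NETWORK
// Restrict to the columns needed for the ingestion check.
| fields _time, agent_hostname, action_local_ip, action_remote_ip, action_remote_port
// Summarise event volume per reporting host and destination port.
| comp count(_time) as event_count by agent_hostname, action_remote_port
// Highest-volume pairs first; an empty result means no network data has
// been ingested for the selected time range yet.
| sort desc event_count
| limit 20
```

Set the time range in XQL Search to the window starting from when the collector was saved; a green check mark on the collector together with a non-empty result here confirms end-to-end ingestion.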