Ingest External Alerts - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-05-06
Last date published: 2024-09-09
Category: Administrator Guide
Retire_Doc: Retiring
Link_to_new_Doc: /r/Cortex-XSIAM/Cortex-XSIAM-Documentation
Abstract

For a more complete and detailed picture of the activity involved in an incident, Cortex XSIAM can ingest alerts from any external source.

Cortex XSIAM stitches the external alerts together with relevant endpoint data and displays alerts from external sources in the relevant incidents and alerts tables. You can also see external alerts and their related artifacts and assets in Causality views.

To ingest alerts from an external source, configure the alert source to forward alerts to the Syslog collector in Auto-Detect (the default), CEF, LEEF, CISCO, or CORELIGHT format. You can also ingest alerts from external sources using the Cortex XSIAM APIs.

After Cortex XSIAM begins receiving external alerts, you must map the following required fields to the Cortex XSIAM format. An alert whose required fields cannot be mapped is not usable as a Cortex XSIAM alert.

  • TIMESTAMP

  • SEVERITY

  • ALERT NAME

In addition, these optional fields are available, if you want to map them to the Cortex XSIAM format.

  • SOURCE IP

  • SOURCE PORT

  • DESTINATION IP

  • DESTINATION PORT

  • DESCRIPTION

  • DIRECTION

  • EXTERNAL ID

  • CATEGORY

  • ACTION

  • PROCESS COMMAND LINE

  • PROCESS SHA256

  • DOMAIN

  • PROCESS FILE PATH

  • HOSTNAME

  • USERNAME

Note

If you send pre-parsed alerts using the Cortex XSIAM API, additional mapping is not required.

Storage of external alerts is determined by your Cortex XSIAM tenant retention policy. For more information, see Dataset Management.

To ingest external alerts:

  1. Send alerts from an external source to Cortex XSIAM.

    There are two ways to send alerts:

    • API: Use the Insert CEF Alerts API to send CEF-formatted alerts as-is, or use the Insert Parsed Alerts API to send alerts that you have already converted to the Cortex XSIAM field format. Alerts sent through either API skip the mapping step in the Cortex XSIAM console.

    • Syslog collector: Activate the Syslog collector, configure the alert source to forward alerts to it, and then configure an alert mapping rule as described in the following steps.

  2. In Cortex XSIAM, select Settings > Configurations > Data Collection.

  3. Right-click the vendor and product entry for your alerts and select Filter and Map.

  4. Use the filters at the top of the table to narrow the results to only the alerts you want to map.

    Cortex XSIAM displays only a limited sample of alerts while you create the mapping rule. As you define your filters, Cortex XSIAM applies them to that sample, not to all received alerts, so a valid filter can still return no results from the sample during rule creation.

  5. Click Next to begin a new mapping rule.

    On the left, configure the following.

    1. Rule Information: Define the NAME and an optional DESCRIPTION to identify your mapping rule.

    2. Alerts Field: Map each required Cortex XSIAM field, and any optional fields you want, to a field in your alert source.

      If needed, use the field converter to translate the source field into the Cortex XSIAM syntax.

      For example, if your source uses a different severity scheme, use the converter to map your severity values to the Cortex XSIAM severities of Critical, High, Medium, and Low.

      You can also use a regex in the converter to extract only the part of a source field that matches the Cortex XSIAM format. For example, say you need to map the port but your source field contains both the IP address and the port (192.168.1.200:8080). To capture everything after the first colon, use a regex with a capture group such as:

      ^[^:]*:(.*)$

      Capture group 1 then holds the port (8080).

      For additional context when you are investigating an incident, you can also map additional optional fields to fields in your alert source.

  6. Submit your alert filter and mapping rule when finished.
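The filter-and-map procedure above, worked through in code. This is an added example written for this page, not code from Palo Alto Networks or from Cortex XSIAM itself; it models what a mapping rule does to one CEF alert received through the Syslog collector: parse the record, map the three required and several optional Cortex XSIAM fields, run a severity converter and the ip:port regex converter, and reject the alert if a required field is missing. The vendor, product and sample records are constructed; the CEF extension keys (rt, src, spt, dst, act, shost, suser, externalId, cat, msg) are standard CEF key names, and the severity bucket boundaries are an assumption for the example.

```python
import re

# Constructed sample alert (not real data): a CEF record as an external source
# might forward it to the Syslog collector. Vendor, product and values are
# illustrative; the destination is sent as one "ip:port" string, as in the guide.
SAMPLE_CEF = (
    "<134>Jun 12 10:42:01 fw01 CEF:0|ExampleVendor|ExampleIPS|3.1|2001|"
    "Suspicious outbound beacon|7|rt=1718188921000 src=10.0.0.12 spt=51324 "
    "dst=192.168.1.200:8080 proto=TCP act=blocked shost=host-12 suser=jdoe "
    "externalId=ab12 cat=malware msg=Beacon to known C2"
)
# Same alert with the rt (receipt time) extension dropped: TIMESTAMP is required,
# so this record must be rejected rather than ingested with a guessed time.
SAMPLE_CEF_NO_TIME = SAMPLE_CEF.replace("rt=1718188921000 ", "")

CEF_HEADER = ["cef_version", "device_vendor", "device_product", "device_version",
              "signature_id", "name", "severity"]


def parse_cef(line):
    """Split a syslog-wrapped CEF line into its 7 header fields and extension pairs."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF record")
    body = line[start + len("CEF:"):]
    # Seven pipe-delimited header fields; a literal pipe inside a field is escaped as \|.
    parts = re.split(r"(?<!\\)\|", body, maxsplit=7)
    if len(parts) < 8:
        raise ValueError("truncated CEF header")
    header = {k: v.replace("\\|", "|") for k, v in zip(CEF_HEADER, parts[:7])}
    # Extension: key=value pairs; a value runs until the next " key=" token,
    # so values containing spaces (msg=...) survive intact.
    ext = {m.group(1): m.group(2).strip()
           for m in re.finditer(r"(\w+)=((?:(?!\s\w+=).)*)", parts[7])}
    return header, ext


def convert_severity(value):
    """Field converter: CEF numeric severity (0-10) -> Cortex XSIAM severity.
    The bucket boundaries are an assumption for this example, not a product default."""
    n = int(value)
    if not 0 <= n <= 10:
        raise ValueError(f"CEF severity out of range: {value!r}")
    if n >= 9:
        return "Critical"
    if n >= 7:
        return "High"
    if n >= 4:
        return "Medium"
    return "Low"


# Regex converters for a combined "ip:port" source field: everything before the
# first colon is the address, everything after it (capture group 1) is the port.
IP_BEFORE_COLON = re.compile(r"^([^:]*)")
PORT_AFTER_COLON = re.compile(r"^[^:]*:(.*)$")


def ip_part(value):
    return IP_BEFORE_COLON.match(value).group(1)


def port_part(value):
    m = PORT_AFTER_COLON.match(value)
    if not m:
        raise ValueError(f"no port in {value!r}")
    return int(m.group(1))


# The mapping rule: Cortex XSIAM field -> (source field, converter).
MAPPING_RULE = {
    # Required
    "TIMESTAMP":        ("rt", int),            # epoch milliseconds from the source
    "SEVERITY":         ("severity", convert_severity),
    "ALERT NAME":       ("name", str),
    # Optional
    "SOURCE IP":        ("src", str),
    "SOURCE PORT":      ("spt", int),
    "DESTINATION IP":   ("dst", ip_part),
    "DESTINATION PORT": ("dst", port_part),
    "DESCRIPTION":      ("msg", str),
    "EXTERNAL ID":      ("externalId", str),
    "CATEGORY":         ("cat", str),
    "ACTION":           ("act", str),
    "HOSTNAME":         ("shost", str),
    "USERNAME":         ("suser", str),
}
REQUIRED_FIELDS = ("TIMESTAMP", "SEVERITY", "ALERT NAME")


def map_alert(line, rule=MAPPING_RULE):
    """Apply the mapping rule to one alert. Returns (mapped_fields, missing_required);
    an alert with any missing required field should be rejected, never defaulted."""
    header, ext = parse_cef(line)
    source = {**header, **ext}
    mapped, missing = {}, []
    for target, (key, convert) in rule.items():
        if source.get(key, "") != "":
            mapped[target] = convert(source[key])
        elif target in REQUIRED_FIELDS:
            missing.append(target)
    return mapped, missing


if __name__ == "__main__":
    for sample in (SAMPLE_CEF, SAMPLE_CEF_NO_TIME):
        fields, missing = map_alert(sample)
        if missing:
            print("rejected, required fields unmapped:", missing)
        else:
            for k, v in fields.items():
                print(f"{k:17} {v}")
```

Run it as a script to see the first record mapped field by field and the second rejected. The point of returning the missing list rather than filling defaults is the same one the guide makes about required fields: an alert without a trustworthy TIMESTAMP, SEVERITY or ALERT NAME cannot be stitched into an incident correctly, so the failure should surface at mapping time, not as a mis-dated alert in the incidents table.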