Ingest Logs and Data from - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Use the Cortex XSIAM data collector to collect Audit Trail and Security Monitoring event logs from

The Cortex XSIAM data collector can collect Audit Trail and Security Monitoring event logs from During setup of this data collector, you can choose to accept the default collection settings, or exclude the collection of content metadata and accounts.

The data collector fetches events, and objects and metadata, including:

  • Login history

  • Setup audit trail

  • Flow Execution events

  • Transaction Security events

  • Content Distribution events

  • Package Install events

You can create multiple data collector instances in Cortex XSIAM, for different parts of your organization.

Data are intentionally collected with a delay, to ensure that all the logs have been collected (to mitigate the effects of lags on the side).

When Cortex XSIAM begins receiving logs, it creates new datasets for them, called salesforce_<object>_raw.  Examples of <object> include:

  • connectedapplication

  • permissionset

  • profile

  • groupmember

  • group

  • user

  • userrole

  • document

  • contentfolder

  • attachment

  • contentdistribution

  • tenantsecuritylogin

  • useraccountteammember

  • tenantsecurityuserperm

  • account

  • audit

  • login

  • eventlogfile

You can use these datasets to perform XQL search queries. For example queries, refer to the in-app XQL Library.


To manage collection integration in Cortex XSIAM, ensure that you have the privilege to View/Edit Log Collections (for example, Instance Administrator).

To avoid errors, the minimum required editions are Professional Edition with API access enabled, or Enterprise Edition, or higher.

How to

To use the client credentials flow required for–Cortex XSIAM integration, you must create a connected app for Cortex XSIAM in, and configure its OAuth settings and access policies. Following these activities, configure Cortex XSIAM.


For more detailed reference information, see Configure a Connected App for the OAuth 2.0 Client Credentials Flow.

Unlike other data collector setups, in this case, the setup includes obtaining an OAuth 2.0 code from, and this code is only valid for 15 minutes. Therefore, make sure that you enable the data collector within 15 minutes of obtaining the authorization code.

Perform the following procedures in the order that they appear, below.

  1. On the Setup page, in Quick Find, type App Manager.

  2. Click New Connected App.

  3. Enter a meaningful name for the connected application and for the API. For example, you could name it panw_cortex_integration.

  4. Enter your email address. This address will be used to retrieve the Consumer Key and Consumer Secret.

  5. Select the Enable OAuth Settings checkbox.

  6. In Callback URL, type


    https://{tenant external URL}

    on separate lines, where {tenant external URL} is the name of your tenant as it appears in the URL of your Cortex XSIAM tenant.

  7. For OAuth Scopes, select Full access (full) and Perform requests at any time (refresh_token, offline_access).

  8. In the next options after OAuth Scopes, ensure that only the following checkboxes are selected:

    • Require Secret for Web Server Flow

    • Require Secret for Refresh Token Flow

    • Enable Credentials Flow

  9. Click Save, and then Continue.

Consumer Key will be used for client_id, and Consumer Secret will be used for client_secret in OAuth 2.0.

  1. On the Setup page, in Quick Find, type App Manager.

  2. Find your connected application (the one that you defined for Cortex XSIAM). In the last column, click the arrow button and then click View.

  3. In the API (Enable OAuth Settings) area, click Manage Consumer Details.

  4. When you are asked to verify your identity, open the email that Salesforce sent to you, and copy the verification code. Go back to the Salesforce Verify Your Identity page, paste the code in the Verification Code box, and click Verify. One of the following will happen:

    • The Consumer Key and Consumer Secret will be sent to the email address that you configured earlier for the Cortex XSIAM connected app.

    • On the Salesforce Connected App Name page, the Consumer Details area will display the Consumer Key and Consumer Secret, and you will be able to copy them from here when required in the following procedures.

  1. On the Setup page, in Quick Find, type App Manager.

  2. Find your connected application (the one that you defined for Cortex XSIAM). In the last column, click the arrow button and then click Manage.

  3. Click Edit Policies.

  4. In the OAuth Policies area:

    • Under Permitted Users, select All users may self-authorize.

    • Choose your refresh token policy. We recommend: Expire refresh token if not used for _ Day(s). For example, select this option and set it for 7 days.

  1. In Cortex XSIAM, create a data collector instance:

    • Select SettingsConfigurationsData CollectionData Sources.

    • In the configuration, click Add Instance to begin a new configuration.

  2. Enter a unique Name for the instance, enter the Salesforce Domain Name, and the Consumer Key and the Consumer Secret credentials obtained earlier in this workflow. For example, the domain could be the API URL from which logs are received, such as

  3. (Optional) Clear options that you do not require:

    • Content metadata: when selected (default), collects documents’ metadata. 

    • Accounts: when selected (default), collects account objects.


    When these options are cleared, only these data types will be omitted from collection. All other data will be collected as usual.

  4. Click Enable. A popup which redirects you to your Salesforce instance appears, to get OAuth 2.0 authorization credentials and access.

  5. Click OK.

    In, a new tab appears.

  6. Enter your username and password, and Log In

  7. When you are asked to allow access, select Allow.

    A Salesforce data collection instance is created, and an authorization token is created and returned to Cortex XSIAM. Data collection begins.

You can edit and test an existing collector instance after a successful initial connection between and Cortex XSIAM. Do this by clicking Edit (pencil icon) for the collector instance. The log collection window will be displayed, where you can make changes or test, by clicking Test.


If for any reason, the token is not created and sent to Cortex XSIAM, after a timeout period, an authorization failure error will be returned for the collector instance. In this case, try again by clicking Edit (pencil icon) for the collector instance. The log collection window will be displayed again, where you can edit settings and retry getting the authorization code.