Ingest Logs in a Network Share as Datasets - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-05-12
Category
Administrator Guide
Abstract

Cortex XSIAM can receive logs from files and folders in a network share directly to your log repository for query and visualization purposes.

Cortex XSIAM can receive logs from files and folders in a network share directly to your log repository for query and visualization purposes. After you activate the Files and Folders Collector applet on a Broker VM in your network, which includes defining the connection details and settings related to the list of files to monitor and upload to Cortex XSIAM, you can collect files as datasets.

After Cortex XSIAM begins receiving logs from files and folders in a network share, Cortex XSIAM automatically parses the logs and creates a dataset with the specific name you set as the target dataset when you configured the Files and Folders Collector using the format <Vendor>_<Product>_raw. The Files and Folders Collector reads and processes the configured files one by one, as well as any new files added to the configured files and folders, in the network share according to the execution frequency of collection that you configured and adds the data in these files to the dataset. You can then use XQL Search queries to view logs and create new Correlation Rules.

Note

The Files and Folders Collector applet only starts to collect files that are more than 256 bytes.

Configure Cortex XSIAM to receive logs as datasets from files and folders in a network share.

  1. Activate the Files and Folders Collector applet on a Broker VM within your network.

  2. Use the XQL Search to query and review logs.