Add an XDR Collector profile for Windows - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-10
Category
Administrator Guide
Abstract

Add a Cortex XDR Collector profile which defines the data that is collected from a Windows collector machine.

Note

Ingestion of logs larger than 5 MB is not supported.

An XDR Collector Windows profile defines the data that is collected from a Windows collector machine. For Windows, you can configure a Filebeat profile, A Winlogbeat profile, or a Settings profile.

After you add an XDR Collector profile, to associate it with a collector machine, you must use a policy.

Note

  1. In Cortex XSIAM, select SettingsConfigurationsXDR CollectorsProfiles+Add ProfileWindows.

  2. Select Filebeat profile, Winlogbeat profile, or Settings profile, then click Next.

  3. Configure the General Information parameters.

    • Profile Name: Specify a unique Profile Name to identify the profile. The name can contain only letters, numbers, or spaces, and must be no more than 30 characters. The name you choose will be visible from the list of profiles when you configure a policy.

    • Add description here: (Optional) To provide additional context for the purpose or business reason that explains why you are creating the profile, specify a profile description.

  4. Configure the settings for the profile selected in Step 2.

    • For an XDR Collector Filebeat profile, configure the Filebeat configuration file. In the Filebeat Configuration File editor, you can define the data collection for your Elasticsearch Filebeat configuration file called filebeat.yml. Cortex XSIAM supports the various input types and modules available in Elasticsearch Filebeat. For more information on the input types supported, see Configure Filebeat Inputs in Elasticsearch. For more information on the modules supported, see Configure Filebeat Modules in Elasticsearch.

      To facilitate the configuration of the YAML file, you can use out-of-the-box collection templates and templates added by the content packs installed from the XSIAM Marketplace. Using the templates saves you time and doesn't require previous knowledge of configuration file generation. You can edit and combine the provided templates, and you can add your own collection settings to the configuration file.

      Cortex XSIAM provides YAML templates for DHCP, DNS, IIS, XDR Collector Logs, NGINX, and any templates added by the content packs installed from the XSIAM Marketplace. To add a template, select it and click Add.

      Cortex XSIAM also supports all sections in the filebeat.yml configuration file, such as support for Filebeat fields and tags. This enables you to use the add_fields processor to identify the product/vendor for the data collected by the XDR Collectors so the collected events go through the ingestion flow (Parsing Rules). To configure the product/vendor ensure that you use the default fields attribute, as opposed to the target attribute, as shown in the following example.

      processors:
        - add_fields:
            fields:
              vendor: <Vendor>
              product: <Product>

      You can configure the Filebeat configuration file to collect Windows DHCP logs and Windows DNS Debug logs.

      Note

      Cortex XSIAM collects all logs in either a JSON or text format that are uncompressed. Compressed files, such as in a gzip format, are unsupported.

      Cortex XSIAM supports logs in single line format or multiline format. For more information on handling messages that span multiple lines of text in Elasticsearch Filebeat, see Manage Multiline Messages.

    • For an XDR Collector Winlogbeat profile, configure the Winlogbeat configuration file. In the Winlogbeat Configuration File editor, you can define the data collection for your Elasticsearch Winlogbeat configuration file called winlogbeat.yml. Cortex XSIAM supports the various modules available in Elasticsearch Winlogbeat. For more information on the modules supported, see Winlogbeat Modules in ElasticSearch.

      To facilitate the configuration of the YAML file, you can use out-of-the-box collection templates and templates added by the content packs installed from the XSIAM Marketplace. Using the templates saves you time and doesn't require previous knowledge of configuration file generation. You can edit and combine the provided templates, and you can add your own collection settings to the configuration file.

      Cortex XSIAM provides YAML templates for Windows Security and any templates added by the content packs installed from the XSIAM Marketplace. To add a template, select it and click Add.

      Cortex XSIAM also supports all sections in the winlogbeat.yml configuration file, such as support for Winlogbeat fields and tags. This enables you to use the add_fields processor to identify the product/vendor for the data collected by the XDR Collectors so the collected events go through the ingestion flow (Parsing Rules). To configure the product/vendor ensure that you use the default fields attribute, as opposed to the target attribute, as shown in the following example.

      processors:
        - add_fields:
            fields:
              vendor: <Vendor>
              product: <Product>

      After ingestion, Cortex XSIAM normalizes and saves the Windows event logs collected by the Winlogbeat profile in the dataset xdr_data. The normalized logs are also saved in a unified format in <vendor>_<product>_raw if the product and vendor are defined, and in microsoft_windows_raw otherwise. This enables you to search the data using Cortex Query Language XQL queries, build correlation rules, and generate dashboards based on the data.

    • For an XDR Collector Windows Settings profile, configure the Collector Upgrade parameters. You can configure an automatic upgrade for the XDR Collector release. By default, this is disabled and the Use Default (Disabled) is selected. To implement an automatic upgrade, follow these steps:

      1. Clear the Use Default (Disabled) checkbox.

      2. For the Collector Auto-Upgrade field, select Enabled.

        When configuring this field, the following additional fields are displayed for defining the scope of the automatic upgrade.

      3. You can configure the scope of the automatic upgrade to whenever a new XDR Collector release is available including maintenance releases and new features.

        To ensure the latest XDR Collector release is used, leave the Use Default (Latest collector release) checkbox selected.

        To configure only a particular scope, perform the following steps.

        a. Clear the Use Default (Latest collector release) checkbox.

        b. For the Auto Upgrade Scope, select one of the following options.

        -Latest collector release: Configures the scope of the automatic upgrade to whenever a new XDR Collector release is available including maintenance releases and new features.

        -Only maintenance release: Configures the scope of the automatic upgrade to whenever a new XDR Collector maintenance release is available.

        -Only maintenance releases in a specific version: Configures the scope of the automatic upgrade to whenever a new XDR Collector maintenance release is available for a specific version. When this option is selected, you can select the specific Release Version.

  5. Create your new profile, which is listed under the applicable platform in the XDR Collectors Profiles page.

  6. Apply profiles to collection machine policies.

    You can do this in two ways. You can Create a new policy rule using this profile from the right-click menu or you can launch the new policy wizard from XDR CollectorsPoliciesXDR Collectors Policies page.

  7. Other available options:

    As needed, you can return to the XDR Collectors Profiles page to manage your XDR Collectors profiles. To manage a specific profile, right click anywhere in the XDR Collector profile row, and select the desired action:

    • Edit the XDR Collector profile settings.

    • Save As New: Enables you to copy the existing profile with its current settings, make any modifications, and save it as a new profile by adding a unique name.

    • Delete the XDR Collector profile.

    • View Collector Policies: Opens a new tab with the XDR Collectors Policies page displayed, so you can easily see the current policies that are associated to your XDR Collector profiles.

    • Copy text to clipboard to copy the text from a specific field in the row of a XDR Collector profile.

    • Copy entire row to copy the text from the entire row of a XDR Collector profile.