Ingest NetFlow flow records as datasets - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-07
Category
Administrator Guide
Abstract

Cortex XSIAM can receive NetFlow and IPFIX flow records over UDP and write them directly to your log repository for querying and visualization.

Cortex XSIAM can receive NetFlow and IPFIX flow records over UDP and write them directly to your log repository for querying and visualization. After you activate the NetFlow Collector applet on a Broker VM in your network and configure its NetFlow Collector settings, you can ingest NetFlow and IPFIX flow records as datasets.

Whatever version or template the exporter uses, each ingested flow record must include at a minimum:

  • Source and Destination IP addresses

  • TCP/UDP source and destination port numbers

Once Cortex XSIAM starts receiving flow records on the UDP port, it parses them automatically and writes them to a dataset with the name you set as the target dataset when you configured the NetFlow Collector. You can then query those flow records with XQL Search and use them to create new IOC, BIOC, and Correlation Rules. Cortex XSIAM can also analyze the ingested flows to raise Analytics alerts.
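The minimum-field requirement matters most with IPFIX (and template-based NetFlow v9), where the exporter's template decides which fields each record carries. The following Python is an added example, not Palo Alto Networks code, of what a collector does with an IPFIX message (RFC 7011): it parses the template set, decodes the data records, and reports any template that lacks the four required information elements, sourceIPv4Address (8), destinationIPv4Address (12), sourceTransportPort (7) and destinationTransportPort (11). The message bytes are constructed inline; template 257 deliberately omits the ports so the check has something to flag.

```python
"""Parse an IPFIX message and check each template for the fields Cortex XSIAM
needs at minimum (source/destination IP and source/destination port).
Added example, not Palo Alto Networks code; the sample message is constructed."""
import struct
from ipaddress import IPv4Address

# IANA IPFIX information element IDs.
IE_OCTETS, IE_PACKETS, IE_PROTOCOL = 1, 2, 4
IE_SRC_PORT, IE_SRC_ADDR, IE_DST_PORT, IE_DST_ADDR = 7, 8, 11, 12
REQUIRED_IES = {IE_SRC_ADDR, IE_DST_ADDR, IE_SRC_PORT, IE_DST_PORT}
IE_NAMES = {1: "octets", 2: "packets", 4: "protocol", 7: "src_port",
            8: "src_ip", 11: "dst_port", 12: "dst_ip"}

def decode(ie, raw):
    """Render 4-byte address IEs dotted-quad; everything else as a big-endian int."""
    if ie in (IE_SRC_ADDR, IE_DST_ADDR) and len(raw) == 4:
        return str(IPv4Address(raw))
    return int.from_bytes(raw, "big")

def parse_ipfix(msg):
    """Return (templates, flows): templates maps template id -> [(ie, length)],
    flows is a list of dicts decoded with the matching template."""
    version, length, _export_time, _seq, _domain = struct.unpack("!HHIII", msg[:16])
    if version != 10 or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    templates, flows, pos = {}, [], 16
    while pos < length:
        set_id, set_len = struct.unpack("!HH", msg[pos:pos + 4])
        body, pos = msg[pos + 4:pos + set_len], pos + set_len
        if set_id == 2:                          # template set
            off = 0
            while off + 4 <= len(body):
                tid, count = struct.unpack("!HH", body[off:off + 4]); off += 4
                if count == 0:                   # zero padding at the end of the set
                    break
                fields = []
                for _ in range(count):
                    ie, flen = struct.unpack("!HH", body[off:off + 4]); off += 4
                    if ie & 0x8000:              # enterprise IE: skip the 4-byte PEN
                        off += 4
                    fields.append((ie, flen))
                templates[tid] = fields
        elif set_id >= 256:                      # data set, keyed by template id
            fields = templates.get(set_id)
            if fields is None:
                continue                         # template not seen yet; a real collector buffers
            rec_len = sum(flen for _, flen in fields)
            off = 0
            while off + rec_len <= len(body):    # trailing bytes shorter than a record are padding
                flow = {}
                for ie, flen in fields:
                    flow[IE_NAMES.get(ie, f"ie{ie}")] = decode(ie, body[off:off + flen])
                    off += flen
                flows.append(flow)
    return templates, flows

def missing_required(fields):
    """IEs Cortex XSIAM requires that this template does not export (sorted)."""
    return sorted(REQUIRED_IES - {ie for ie, _ in fields})

def validate(msg):
    """Parse msg; return (flows, {template id: missing required IEs})."""
    templates, flows = parse_ipfix(msg)
    return flows, {tid: missing_required(f) for tid, f in templates.items()}

# --- constructed sample message -------------------------------------------
GOOD_FIELDS = [(IE_SRC_ADDR, 4), (IE_DST_ADDR, 4), (IE_SRC_PORT, 2),
               (IE_DST_PORT, 2), (IE_PROTOCOL, 1), (IE_OCTETS, 4)]
BAD_FIELDS = [(IE_SRC_ADDR, 4), (IE_DST_ADDR, 4), (IE_OCTETS, 4)]   # no ports

def _template(tid, fields):
    return struct.pack("!HH", tid, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)

def _record(src, dst, sport, dport, proto, octets):
    return IPv4Address(src).packed + IPv4Address(dst).packed + struct.pack("!HHBI", sport, dport, proto, octets)

def _message(sets):
    body = b"".join(struct.pack("!HH", sid, 4 + len(p)) + p for sid, p in sets)
    return struct.pack("!HHIII", 10, 16 + len(body), 1_700_000_000, 1, 42) + body

SAMPLE_MESSAGE = _message([
    (2, _template(256, GOOD_FIELDS) + _template(257, BAD_FIELDS)),
    (256, _record("10.1.2.3", "203.0.113.9", 51234, 443, 6, 4096)
          + _record("192.168.5.20", "198.51.100.7", 53000, 53, 17, 120)),
])

if __name__ == "__main__":
    flows, report = validate(SAMPLE_MESSAGE)
    for tid, missing in report.items():
        print(f"template {tid}: {'OK' if not missing else 'missing IEs ' + str(missing)}")
    for flow in flows:
        print(flow)
```

Template 257 is reported as missing IEs 7 and 11; flows exported under it would carry addresses but no ports and so would not meet the requirement above, while the two records under template 256 decode fully.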

To receive NetFlow flow records as datasets from the routers and switches in your network that support NetFlow:

  1. Configure your NetFlow exporter to send flow records to the IP address of the Broker VM that runs the NetFlow Collector applet, on the UDP port you configure for the applet.

  2. Activate the NetFlow Collector applet on a Broker VM in your network, and set the target dataset name in its NetFlow Collector settings.

  3. Use XQL Search to query the flow records in the target dataset.
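Before pointing a production router at the collector, it helps to confirm that the Broker VM receives datagrams on the configured UDP port and that records show up in the target dataset. The following Python is an added example, not Palo Alto Networks code: it encodes a few synthetic flows as a NetFlow v5 export datagram (24-byte header followed by 48-byte records), decodes the datagram back as a self-check, and can send it to the Broker VM. The address 10.0.0.50 and port 2055 are placeholder assumptions; substitute the Broker VM IP and the UDP port you configured for the applet.

```python
"""Build a NetFlow v5 datagram of synthetic flows and optionally send it to the
Broker VM to verify the UDP path end to end. Added example, not Palo Alto
Networks code; BROKER_VM and UDP_PORT are placeholder assumptions."""
import socket
import struct
import sys
import time
from ipaddress import IPv4Address

BROKER_VM = "10.0.0.50"   # assumption: Broker VM running the NetFlow Collector applet
UDP_PORT = 2055           # assumption: UDP port configured for the applet

# NetFlow v5 wire layout: fixed 24-byte header, fixed 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

# Constructed sample flows: (src, dst, sport, dport, proto, packets, octets).
SAMPLE_FLOWS = [
    ("10.1.2.3", "203.0.113.9", 51234, 443, 6, 10, 4096),
    ("192.168.5.20", "198.51.100.7", 53000, 53, 17, 1, 120),
]

def v5_record(src, dst, sport, dport, proto, packets, octets, uptime_ms):
    """One 48-byte v5 record; ifIndex 1 -> 2, /24 masks, ASNs zero, 1 s duration."""
    first = max(0, uptime_ms - 1000)
    tcp_flags = 0x18 if proto == 6 else 0            # PSH|ACK for TCP only
    return V5_RECORD.pack(
        IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4,
        1, 2, packets, octets, first, uptime_ms, sport, dport,
        0, tcp_flags, proto, 0, 0, 0, 24, 24, 0)

def v5_datagram(flows, sequence=0, uptime_ms=60_000):
    """Header plus records. v5 allows 1..30 records per datagram."""
    if not 1 <= len(flows) <= 30:
        raise ValueError("NetFlow v5 carries 1..30 records per datagram")
    now = time.time()
    header = V5_HEADER.pack(5, len(flows), uptime_ms, int(now),
                            int((now % 1) * 1e9), sequence, 0, 0, 0)
    return header + b"".join(v5_record(*f, uptime_ms) for f in flows)

def decode_v5(datagram):
    """Decode back to (src, dst, sport, dport, proto) tuples as a round-trip check."""
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5 or len(datagram) != V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("not a complete NetFlow v5 datagram")
    out = []
    for i in range(count):
        rec = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        src, dst, _nh, _in, _out, _pk, _oc, _first, _last, sport, dport, _pad, _flags, proto, *_ = rec
        out.append((str(IPv4Address(src)), str(IPv4Address(dst)), sport, dport, proto))
    return out

def send(datagram, host=BROKER_VM, port=UDP_PORT):
    """Fire the datagram at the collector; returns bytes sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        return s.sendto(datagram, (host, port))

if __name__ == "__main__":
    dg = v5_datagram(SAMPLE_FLOWS)
    assert decode_v5(dg) == [f[:5] for f in SAMPLE_FLOWS]
    if len(sys.argv) > 1 and sys.argv[1] == "send":
        print(f"sent {send(dg)} bytes to {BROKER_VM}:{UDP_PORT}")
    else:
        print(f"built {len(dg)}-byte datagram with {len(SAMPLE_FLOWS)} flows; pass 'send' to transmit")
```

Run it with `send` once the applet is active, then query the target dataset in XQL Search for the synthetic addresses (10.1.2.3 and 192.168.5.20); if nothing arrives, check the UDP port on the Broker VM and any firewall between the sender and the Broker VM before suspecting the exporter configuration.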