Manage Event Forwarding

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2025-12-29
Category
Administrator Guide
Abstract

Save your ingested, parsed data in an external location by exporting your event logs to a temporary GCP storage bucket.

Notice

This feature requires an Event Forwarding add-on license. Only Administrators have access to this screen.

You can save your ingested, parsed data in an external location by exporting your event logs to a temporary storage bucket on Google Cloud Platform (GCP).

Note

After exporting logs, you can download them from GCP for up to 14 days. The Pub/Sub subscription messages are available for 7 days.

Event forwarding has the following purposes:

  • Compliance: You may have specific compliance requirements to retain logs in a separate, secure environment for long-term storage or auditing purposes.

  • Long-term archive: The core function is to export the event logs that the tenant has ingested and parsed to a storage location outside of the XSIAM tenant. This provides you with a copy of the normalized and processed data.

  • External analytics: Download the exported event logs for use in other security tools, data analysis platforms, or for offline forensic investigation.

You can forward the following events to GCP:

  • Endpoints Event Forwarding

    Forwards the raw, high-fidelity security telemetry collected by EDR, including data from endpoints running the XDR Agent and from cloud endpoints (where relevant). The exported logs are raw events without any stories; they cover a subset of the endpoint data, and there are no filtering or configuration options.

    Note

    Requires the Endpoints Event Forwarding add-on.

  • GB Event Forwarding

    Covers all other security data, measured by daily ingestion volume (in gigabytes). This includes non-endpoint logs such as firewall traffic, cloud audit logs, network flow logs, identity data, and general syslog from servers and devices. The exported logs are raw events without any stories; all of this data is exported, and there are no filtering or configuration options.

    Note

    Requires the GB Event Forwarding add-on.

Use the Event Forwarding page to activate your Event Forwarding add-ons and to retrieve the path and credentials of your external storage destination on GCP. Once an add-on is activated on this page, Cortex XSIAM automatically creates the GCP bucket.

Important

Since data is aggregated and compressed, it can take up to two hours until the data is available in the forwarding bucket.

Upload to a temporary GCP storage bucket

Before you begin, ensure that you have the view/edit permission for Data Management. Instance Administrators have this permission by default.

  1. Under Settings > Configurations > Data Management > Event Forwarding, activate one or more of the following:

    • Enable GB Event Forwarding

    • Enable Endpoints Event Forwarding

  2. Save your selection.

    The Destination section displays the details of the GCP bucket created by Cortex XSIAM, where your data is stored for 14 days. The data is compressed and saved as a line-delimited JSON gzip file.

  3. Access GCP Cloud Storage using the Service Account.

    1. Copy the storage path displayed.

    2. Generate and download the Service Account JSON Web Token, which contains the access key.

      Save it in a secure location. If you need to regenerate the access token, click Replace and download a new token. This action invalidates the previous token.

      The token provides access to all your data stored in this bucket and must be saved in a safe place.

    3. Using the storage path and the access key, retrieve your files manually or using an API.

  4. (Optional) Use the Pub/Sub subscription to ensure reliable data retrieval without any loss.

    1. Copy the Pub/Sub subscription provided.

    2. Configure your application or system to receive messages from the Pub/Sub subscription.

      Whenever a new file is added to the GCP bucket, a message is sent to the Pub/Sub subscription. The object path of the file in the bucket has the prefix internal/.

    3. Process the received message to initiate the download of the corresponding file.
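The retrieval and Pub/Sub steps above, carried through as one added example in Python. This is not Palo Alto Networks' code or tooling; it assumes the service-account key file, the gs:// storage path and the full Pub/Sub subscription resource name (projects/<project>/subscriptions/<name>) copied from the Event Forwarding page, and it uses the google-cloud-storage and google-cloud-pubsub client libraries, imported lazily so the message-handling and decoding logic runs offline. The bucket, object and field names in the constructed sample are placeholders, as is the assumption that the notifications follow the standard Cloud Storage notification format (event type, bucket and object name as message attributes).

```python
# Added example (not Palo Alto Networks code): pull Event Forwarding exports
# from the GCP bucket, either by listing the storage path or by reacting to
# Pub/Sub notifications, and decode the line-delimited JSON gzip files.
from __future__ import annotations

import gzip
import io
import json
from typing import Callable, Optional

OBJECT_PREFIX = "internal/"        # prefix of exported objects (stated on the page)
FINALIZE = "OBJECT_FINALIZE"       # Cloud Storage event for a newly written object
Fetcher = Callable[[str, str], bytes]   # (bucket, object name) -> file bytes


def parse_storage_path(path: str) -> tuple[str, str]:
    """Split a gs://bucket/prefix path into (bucket, prefix)."""
    if not path.startswith("gs://"):
        raise ValueError("expected a gs:// path")
    bucket, _, prefix = path[len("gs://"):].partition("/")
    if not bucket:
        raise ValueError("missing bucket name")
    return bucket, prefix


def decode_export(blob: bytes) -> list[dict]:
    """Decompress one line-delimited JSON gzip export into a list of records."""
    records = []
    with gzip.GzipFile(fileobj=io.BytesIO(blob)) as fh:
        for raw in fh:
            line = raw.decode("utf-8").strip()
            if line:                       # skip the trailing newline / blank lines
                records.append(json.loads(line))
    return records


def object_from_notification(attributes: dict, data: bytes) -> Optional[tuple[str, str]]:
    """Map a Cloud Storage notification to (bucket, object name), or None.

    Attributes carry eventType/bucketId/objectId; data is the JSON object
    resource. Non-finalize events (e.g. the delete after the 14-day
    retention) and objects outside the export prefix are ignored.
    """
    if attributes.get("eventType") != FINALIZE:
        return None
    name = attributes.get("objectId") or json.loads(data or b"{}").get("name", "")
    if not name.startswith(OBJECT_PREFIX):
        return None
    return attributes["bucketId"], name


def handle_message(attributes: dict, data: bytes, fetch: Fetcher) -> list[dict]:
    """Download and decode the file a notification refers to; [] if irrelevant."""
    target = object_from_notification(attributes, data)
    if target is None:
        return []
    return decode_export(fetch(*target))


# Real GCP access (pip install google-cloud-storage google-cloud-pubsub);
# imported lazily so the decoding logic above runs without the libraries.
def gcs_fetcher(key_file: str) -> Fetcher:
    """Downloader that authenticates with the downloaded service-account key."""
    from google.cloud import storage
    client = storage.Client.from_service_account_json(key_file)
    return lambda bucket, name: client.bucket(bucket).blob(name).download_as_bytes()


def list_exports(key_file: str, storage_path: str) -> list[str]:
    """Manual retrieval: list the export objects under the storage path."""
    from google.cloud import storage
    bucket, prefix = parse_storage_path(storage_path)
    client = storage.Client.from_service_account_json(key_file)
    return [b.name for b in client.list_blobs(bucket, prefix=prefix)]


def run_subscriber(key_file: str, subscription: str, fetch: Fetcher,
                   sink: Callable[[dict], None]) -> None:
    """Pub/Sub retrieval: ack a message only after its file is downloaded and
    decoded; on failure nack it so Pub/Sub redelivers within the 7-day window."""
    from google.cloud import pubsub_v1
    subscriber = pubsub_v1.SubscriberClient.from_service_account_file(key_file)

    def callback(message):
        try:
            for record in handle_message(dict(message.attributes), message.data, fetch):
                sink(record)
            message.ack()
        except Exception:
            message.nack()

    subscriber.subscribe(subscription, callback=callback).result()


def demo() -> list[dict]:
    """Run the notification path against a constructed export file (placeholder data)."""
    sample = gzip.compress(b'{"event_type":"PROCESS","pid":42}\n'
                           b'{"event_type":"FILE","pid":7}\n')
    attrs = {"eventType": FINALIZE, "bucketId": "example-ef-bucket",
             "objectId": "internal/2025/01/01/part-000.json.gz"}
    return handle_message(attrs, b"{}", lambda bucket, name: sample)


if __name__ == "__main__":
    for record in demo():
        print(record)
```

The key file grants read access to everything in the bucket, so keep it out of source control and rotate it with Replace if it is ever exposed. Acking only after a successful download is what makes the Pub/Sub path lossless: a crash mid-download leaves the message unacked and it is redelivered.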