Learn how to configure data ingestion from a variety of Palo Alto Networks and third-party sources.
To get you up and running in Cortex XSIAM, you can start ingesting data and logs from multiple products to assist your investigation. On the Data Sources page, you can view and add data sources to suit your security use cases. For more information about how to add data sources, see Adding a new data source or instance.
On the Data Sources page, you can ingest the following data and logs:
Data Source | Description | See More |
---|---|---|
Ingest data from third-party products | In Cortex XSIAM, content includes many items such as playbooks, scripts, integrations, correlation rules, and data model rules. Content is organized into content packs to support specific security orchestration use cases. In Marketplace, you can download, install, manage, and contribute content packs. For example, the Microsoft Exchange Online content pack includes scripts, integrations, and playbooks. After downloading the content pack, you need to configure the integration on the Automation & Feed Integrations page to enable Cortex XSIAM to communicate with the Exchange server. However, to simplify the onboarding process, you can add a data source on the Data Sources page. The Data Onboarder wizard guides you through the steps for installing the integration instance and enables you to configure your integration. Cortex XSIAM automatically downloads and installs the required Marketplace content packs for the integration, and recommends additional beneficial content such as playbooks and dashboards that are relevant for the specific data source. Note: Not all content packs are available to download on the Data Sources page. If you require content packs such as Phishing and Malware, you need to download the pack from Marketplace and configure the integration. The Data Sources page is designed for third-party integrations to help you onboard. | |
Ingest data from PANW products | Cortex XSIAM supports streaming data directly from Prisma Access accounts, Next-Generation Firewalls (NGFW), and Panorama devices to your tenants using the Strata Logging Service. | |
Ingest network connection logs | Ingest network connection logs from different third-party sources, such as Amazon S3. Note: For some vendors, to receive data from an external source, you must first set up the Syslog Collector applet on a Broker VM within your network. For more information, see Activate Syslog Collector. | |
Ingest authentication logs and data | Ingest authentication logs and data from an external source, such as AWS CloudTrail. Cortex XSIAM can place that information into authentication stories. | |
Ingest operation and system logs from cloud providers | Ingest operation and system logs from supported cloud providers, such as Amazon CloudWatch. | |
Ingest cloud assets | Ingest cloud assets from third-party sources, such as Google Cloud Platform. | |
Ingest custom log methods | Cortex XSIAM supports several custom log ingestion methods, such as ingesting Apache Kafka events as datasets. You need to activate the Syslog Collector applet on a Broker VM within your network to receive logs. | |