XDR Collector datasets - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-10
Category
Administrator Guide
Abstract

After Cortex XSIAM begins receiving data from your XDR Collectors configuration, the app automatically creates an XQL dataset.

XDR Collectors are dedicated to on-premises data collection on Windows and Linux machines. After Cortex XSIAM begins receiving data from your XDR Collectors configuration, it creates datasets as follows:

  • For Filebeat, the app automatically creates a Cortex Query Language (XQL) dataset of event logs using the vendor name and the product name specified in the configuration file section of the Filebeat profile. The dataset name follows the format <vendor>_<product>_raw. If these are not specified, Cortex XSIAM automatically creates a new default dataset in the format <module>_<module>_raw or <input>_<input>_raw. For example, if you are using the NGINX module, the dataset is called nginx_nginx_raw.

  • For Winlogbeat, the app automatically creates an XQL dataset of event logs using the vendor name and the product name specified in the configuration file section of the Winlogbeat profile. The dataset name follows the format <vendor>_<product>_raw. If not specified, Cortex XSIAM automatically creates a new default dataset, microsoft_windows_raw, for event log collection. Winlogbeat data is also normalized to xdr_data (and thus the xdr_event_log preset).

After Cortex XSIAM creates the dataset, you can search for your XDR Collector data using XQL Search.
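The following resolver is an added example, not code from the Cortex XSIAM product or its documentation. It encodes the naming rules above (vendor/product first, then the Filebeat module or input fallback, and the microsoft_windows_raw default for Winlogbeat) so you can predict which dataset name to put in an XQL query before the first events arrive. The page does not state which configuration keys hold the vendor and product values, so the functions take those values as plain parameters rather than assuming a particular profile layout; the sample profiles are constructed.

```python
from typing import Optional

# Constructed example: predicts the raw dataset name Cortex XSIAM creates for an
# XDR Collector profile, following the rules described on this page. The exact
# configuration keys that carry vendor/product are not stated on the page, so
# callers pass the values explicitly (assumption, not a documented API).

WINLOGBEAT_DEFAULT_DATASET = "microsoft_windows_raw"


def filebeat_dataset(vendor: Optional[str] = None,
                     product: Optional[str] = None,
                     module: Optional[str] = None,
                     input_type: Optional[str] = None) -> str:
    """Resolve the Filebeat dataset name with the documented fallback order."""
    if vendor and product:
        # Explicit vendor/product in the profile wins: <vendor>_<product>_raw
        return f"{vendor}_{product}_raw"
    if module:
        # Filebeat module without vendor/product: <module>_<module>_raw
        return f"{module}_{module}_raw"
    if input_type:
        # Plain Filebeat input without vendor/product: <input>_<input>_raw
        return f"{input_type}_{input_type}_raw"
    raise ValueError("profile defines neither vendor/product, a module, nor an input type")


def winlogbeat_dataset(vendor: Optional[str] = None,
                       product: Optional[str] = None) -> str:
    """Resolve the Winlogbeat dataset name; defaults to microsoft_windows_raw."""
    if vendor and product:
        return f"{vendor}_{product}_raw"
    # Winlogbeat events also land normalized in xdr_data (xdr_event_log preset),
    # but the raw dataset name is the default below.
    return WINLOGBEAT_DEFAULT_DATASET


def xql_dataset_stage(dataset: str) -> str:
    """First stage of an XQL query that selects the resolved dataset."""
    return f"dataset = {dataset}"


def resolve_profiles(profiles: list[dict]) -> dict[str, str]:
    """Map each constructed profile (by name) to the dataset it should produce."""
    out: dict[str, str] = {}
    for p in profiles:
        if p["beat"] == "filebeat":
            name = filebeat_dataset(p.get("vendor"), p.get("product"),
                                    p.get("module"), p.get("input_type"))
        elif p["beat"] == "winlogbeat":
            name = winlogbeat_dataset(p.get("vendor"), p.get("product"))
        else:
            raise ValueError(f"unknown beat type {p['beat']!r}")
        out[p["name"]] = name
    return out


# Constructed sample profiles (not real deployments)
SAMPLE_PROFILES = [
    {"name": "nginx-module", "beat": "filebeat", "module": "nginx"},
    {"name": "custom-fw", "beat": "filebeat", "vendor": "acme", "product": "firewall"},
    {"name": "generic-log", "beat": "filebeat", "input_type": "filestream"},
    {"name": "dc-eventlog", "beat": "winlogbeat"},
]

if __name__ == "__main__":
    for profile, dataset in resolve_profiles(SAMPLE_PROFILES).items():
        print(f"{profile}: {xql_dataset_stage(dataset)}")
```

Run it against your own profile list to get the `dataset = ...` stage for each collector; if a query against the predicted name returns nothing after the collector has been sending data, check whether vendor/product were set in the profile, since that changes the name from the module or input default.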