Send the Audit Trail to an External Log Service - Administrator Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.9
Creation date
2022-09-29
Last date published
2024-12-05
End_of_Life
EoL
Category
Administrator Guide
Abstract

Send the Cortex XSOAR audit trail to an external log service by adding custom server configurations.

Organizations that are required to implement centralized logging for compliance and monitor requirements benefit from the syslog export.

Note

By default, audit logs are retained for 365 days on the server. If you are sending logs to an external syslog, you may want to limit the retention on the server to a shorter period of time, such as 90 days., using the demisto.audits.purge.retention server configuration. For more information, see Audit Trail.

To send the Cortex XSOAR audit trail to an external log service, you create several custom server configurations.

  1. Select SettingsAboutTroubleshootingAdd Server Configuration.

  2. Add the following required keys and values:

    Key

    Value

    Required

    syslog.enabled

    true

    Required

    syslog.protocol

    tcp

    udp

    tcp+tls

    unix

    Default: unix (for localhost syslogging)

    Required

    syslog.host

    <syslog server>

    Required. This key is not required for UNIX protocol.

    syslog.port

    <destination port>

    Required. This key is not required for UNIX protocol.

    syslog.tag

    <syslog tag> Default is Demisto.

    Optional

    syslog.format

    RFC3164

    RFC5424

    Default is empty, which uses a custom format that is a combination of both formats.

    Optional

    syslog.filter

    <object/action>

    Optional

    syslog.priority

    Default is a number for LOG_INFO with LOG_DAEMON. If you want to change the default, contact Cortex XSOAR Customer Support.

    Optional

  3. (Optional) To modify the facility level of syslogs, in the syslog.priority parameter, add the facility and severity levels and the resulting number in the following format:

    <severity level>|<facility level>=<resulting number>.

    For example, to view informational messages for log level local7 add the 6|184=190 value.

    Where as

    6 = severity level (informational)

    184 = facility level (local7), calculated by 23*8

    190 = total of the severity and facility levels

    For information about the syslog facility and severity levels, see What are Syslog Facilities and Levels

Example

In this example, we want to match audit trail entries of login success and login failure. To accomplish this, we set the syslog.filter parameter to login/.*.

Sample Syslog

CEF:0|Palo Alto Networks|Palo Alto Networks Cortex XSOAR|3.6.0-master.27665.da330b76ddbdf9bbf8e1dab82978550f2b5446c8|login|failure|3|suser=john startTime=1521835930684963 cs1=john cs1Label=identifier cs2=Cookie: [hsfirstvisit\=http%3A%2F%2Flocalhost%3A7070%2F||1464113050169; _ga\=GA1.1.296351272.1461620234; __hstc\=181257784.72e717e61ded2087506747f5da786796.1464113050173.1464122836548.1469409642245.3; __hssrc\=1; hubspotutk\=72e717e61ded2087506747f5da786796; local-theme\=light; XSRF-TOKEN\=AgF4Peo0Gqa8zlIB31fLl9rHrbsLn2uri/zJ+cWVdfE06qS+e59V3iNhJ1uhCFsPQ+N+s7nIXmvz6coWudI0/XTPhC5q4nZeyZNmL+8/u4nQlWQEPNX2Go2RsbnY3J8b14Je4Ch8mMfVE2ES69TcLkE1Vq3/UaIQdkBV3v9IyCY\=]\n\nReferer: [http://localhost:8080/]\n\nAccept: [application/json]\n\nX-Xsrf-Token: [AgF4Peo0Gqa8zlIBk1GLl9rHrbsLn2uri/zJ+cWVdfE06qS+e59V3iNhJ1uhCFsPQ+N+s7nIXmvz6coWudI0/XTPhC5q4nZeyZNmL+8/u4nQlWQEPNX2Go2RsbnY3J8b14Je4Ch8mMfVE2ES69TcLkE1Vq3/UaIQdkBV3v9IyCY\=]\n\nContent-Length: [142]\n\nAccept-Language: [en-US,en;q\=0.9,he;q\=0.8,ms;q\=0.7]\n\nContent-Type: [application/json]\n\nhost/ip: [::1]:62296\nConnection: [keep-alive]\n\nUser-Agent: [Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.162 Safari/537.36]\n\nApi_truncate_results: [true]\n\nOrigin: [http://localhost:8080]\n\nAccept-Encoding: [gzip, deflate, br]\n\nerror: Invalid credentials:Invalid username or password\nDnt: [1]\n cs2Label=details
 
CEF:0|Palo Alto Networks|Palo Alto Networks Cortex XSOAR|3.6.0-master.27665.da330b76ddbdf9bbf8e1dab82978550f2b5446c8|login|in|3|suser=john startTime=1521835934123052 cs1=john cs1Label=identifier cs2=host/ip: [::1]:62296\nUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.162 Safari/537.36 cs2Label=details client: 127.0.0.1:57284
 
message: CEF:0|Palo Alto Networks|Palo Alto Networks Cortex XSOAR|3.6.0-master.27665.da330b76ddbdf9bbf8e1dab82978550f2b5446c8|login|out|3|suser=john startTime=1521835927224046 cs1=john cs1Label=identifier cs2=N/A cs2Label=details

Audit Trail Format

Cortex XSOAR audit trail details are formatted using Common Event Format (CEF) with custom CEF fields. The audit format is:

CEF:<CEFVersion>|<CEFVendor>|<CEFProduct>|<server version>|<audit category>|<action>|3|suser=<user> startTime=<audit log time> cs1=<id of item being audited> cs1Label=identifier cs2=<action info> cs2Label=details

For example, from the first log in the sample Syslog above:

<CEFVersion> = 0

<CEFVendor> = Palo Alto Networks

<CEFProduct> = Palo Alto Networks Cortex XSOAR

<audit category> = login (can be accounts, incidents, login, automation, and so on)

<action> = failure (can be delete, create, add and so on)

<action info> = 3 (can be any kind of additional info)