Configure management audit notification forwarding - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product
Cortex XSOAR
Version
8
Creation date
2024-03-07
Last date published
2024-12-05
Category
Administrator Guide
Solution
Cloud
Abstract

Send Management Audit logs to a Syslog Server or an email distribution list.

You can forward management audit notifications to an email distribution list or a Syslog Server. If you are forwarding to a Syslog Server, add a Syslog Server before forwarding.

By default, all management audit notifications are forwarded.

  1. Navigate to Settings & Info > Settings > System > Audit Notifications > Add Forwarding Configuration.

  2. Enter a name and a description for the configuration and click Next.

  3. Define the Management Audit log scope.

    To select a subset of the management audit notifications, click the filter button, select the relevant filters, and perform a search. For example, if you want to forward only notifications related to API keys, click the filter button, select Type, and then select the Api Key value.

  4. Click Next.

  5. Update the following fields:

    Field: Distribution List (Mandatory: Yes)
      Add at least one email address to receive management audit notifications.

    Field: Notification Timezone (Mandatory: No)
      Change the notification timezone. The notification timezone only affects the time listed in email notifications. You can use the timezone configured in Cortex XSOAR or select Coordinated Universal Time (UTC).

    Field: Grouping Timeframe (Mandatory: No)
      Change the grouping time frame. The grouping time frame specifies how often Cortex XSOAR sends notifications. Every 30 notifications aggregated within this time frame are sent together. To send every notification as soon as it is generated, set the time frame to 0.
      By default, the grouping time frame is 10 minutes.

    Field: Subject (Mandatory: Optional)
      Select to generate the subject automatically, or deselect and enter the email subject. By default, this field is selected.

    Field: Syslog Server (Mandatory: No)
      Select the Syslog Server (if already configured).

  6. Click Done to send the notification.
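To make the Grouping Timeframe and scope-filter semantics from steps 3 and 5 concrete, the following is an added simulation (not Cortex XSOAR code and not taken from this page): it applies the documented rules (a window of N minutes, at most 30 notifications per batch, 0 means send immediately, a Type filter narrowing the scope) to constructed sample notifications. The function name, the tuple format and the assumption that a window starts at the first notification it contains are all this example's own.

```python
# Constructed sample input: (minutes since start, notification Type) pairs standing
# in for management audit notifications. These are invented values, not XSOAR output.
SAMPLE_EVENTS = [(0, "Api Key"), (2, "User"), (9, "Api Key"), (12, "Role"), (25, "Api Key")]

MAX_PER_BATCH = 30  # documented: every 30 notifications in a time frame go out together


def group_notifications(events, timeframe_minutes, max_per_batch=MAX_PER_BATCH, only_type=None):
    """Simulate the documented grouping behaviour (assumed model, see lead-in).

    A window opens at the first queued notification and closes when either
    `timeframe_minutes` have elapsed or `max_per_batch` notifications have been
    collected. A time frame of 0 sends every notification on its own.
    `only_type` mimics the Type filter chosen when defining the scope in step 3.
    Returns a list of batches; each batch is the list of notifications sent together.
    """
    batches = []
    current = []
    window_start = None
    for minute, kind in sorted(events):
        if only_type is not None and kind != only_type:
            continue  # outside the forwarding scope, never queued
        if timeframe_minutes == 0:
            batches.append([(minute, kind)])  # immediate send, no aggregation
            continue
        # Close the open window once the time frame has elapsed since it started.
        if current and minute - window_start >= timeframe_minutes:
            batches.append(current)
            current = []
        if not current:
            window_start = minute  # assumption: window is anchored to its first notification
        current.append((minute, kind))
        if len(current) >= max_per_batch:
            batches.append(current)  # size limit reached: flush early
            current = []
    if current:
        batches.append(current)  # whatever is still queued goes out at window end
    return batches


if __name__ == "__main__":
    for n, batch in enumerate(group_notifications(SAMPLE_EVENTS, 10), start=1):
        print(f"batch {n}: {len(batch)} notification(s) at minutes {[m for m, _ in batch]}")
```

With the default 10-minute time frame the sample produces three emails (minutes 0-9, 12, and 25); with a time frame of 0 it produces five.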