https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-vie-cloud-identy-engine-logs-on-cortex/m-p/545109#M4511 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/262549">@RajeshPremSingh</a>&nbsp;</P> <P>&nbsp;</P> <P>You can use <STRONG>pan_dss_raw</STRONG> dataset to view your Cloud Identity Engine logs.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="nsinghvirk_0-1686149911477.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/50704iC2593E7958858732/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="nsinghvirk_0-1686149911477.png" alt="nsinghvirk_0-1686149911477.png" /></span></P> <P>&nbsp;</P> Wed, 07 Jun 2023 14:58:53 GMT nsinghvirk 2023-06-07T14:58:53Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-vie-cloud-identy-engine-logs-on-cortex/m-p/544489#M4503 <P>We successfully implemented the cloud identity engine on-prem and in the cloud, and we enabled the engine on the cortex as well, but we don't know how to view the logs. Could you please tell us where to look for the login logs on the cortex?</P> Fri, 02 Jun 2023 04:10:47 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-vie-cloud-identy-engine-logs-on-cortex/m-p/544489#M4503 RajeshPremSingh 2023-06-02T04:10:47Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-vie-cloud-identy-engine-logs-on-cortex/m-p/545109#M4511 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/262549">@RajeshPremSingh</a>&nbsp;</P> <P>&nbsp;</P> <P>You can use <STRONG>pan_dss_raw</STRONG> dataset to view your Cloud Identity Engine logs.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="nsinghvirk_0-1686149911477.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/50704iC2593E7958858732/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="nsinghvirk_0-1686149911477.png" alt="nsinghvirk_0-1686149911477.png" /></span></P> <P>&nbsp;</P> Wed, 07 Jun 2023 14:58:53 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-vie-cloud-identy-engine-logs-on-cortex/m-p/545109#M4511 nsinghvirk 2023-06-07T14:58:53Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-vie-cloud-identy-engine-logs-on-cortex/m-p/546058#M4580 <P>Hi RajeshPremSing,</P> <P>&nbsp;</P> <P>The Cloud Identity Agent is designed just to bring in object data from an identity provider (whether that be Azure AD, on-prem ActiveDirectory, Okta, etc.).&nbsp; It ingests information about users, groups, computers, etc. that are then available for use within Cortex XDR and other Palo Alto Networks products, it does not collect any event data like Windows Event logs.</P> <P>&nbsp;</P> <P>Collection of data about login events and other AD related activities, comes from either the XDR agent being installed on your Domain Controllers, or through collection of Windows Event logs via the XDR Collector or Windows Event Collection on a Broker VM.&nbsp; This data is then stitched in to the XDR dataset and searchable via a query like the one below.</P> <P>&nbsp;</P> <LI-CODE lang="markup">preset = xdr_event_log | filter action_evtlog_event_id = 4624</LI-CODE> Wed, 14 Jun 2023 17:14:54 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-vie-cloud-identy-engine-logs-on-cortex/m-p/546058#M4580 afurze 2023-06-14T17:14:54Z