topic Re: Dataset name change in Cortex XDR Discussions

Dataset name change

JahidAliyev — Tue, 27 Feb 2024 11:19:28 GMT

Hello,

I have linux logs which comes as:
[INGEST:vendor="unknown", product="unknown", target_dataset="unknown_unknown_raw", no_hit = drop]

It is collected under the dataset name called "unknown_unknown_raw". But I want to change its dataset name to something else. How can I do that?

Re: Dataset name change

jmazzeo — Tue, 27 Feb 2024 12:38:38 GMT

Hi @JahidAliyev, thanks for reaching us using the Live Community.

Are you using Broker VM Syslog to forward those logs to the console?

Re: Dataset name change

JahidAliyev — Tue, 27 Feb 2024 12:42:26 GMT

Hi @jmazzeo, yes, i am using Broker VM

Re: Dataset name change

jmazzeo — Tue, 27 Feb 2024 12:57:16 GMT

Then your best option is:

- Go to your Broker VM, edit the Syslog configuration, and then hardcode the vendor and product fields with the source IP of the logs. Take a look at this example in my lab:

- This will create a NEW dataset with the configured fields like this: vendor_product_raw

We have our doc here with more Parsing Rule info: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Administrator-Guide/Create-Parsing-Rules

There is a webinar available here with some very useful basic concepts: https://live.paloaltonetworks.com/t5/cortex-xdr-webinars/cortex-customer-success-webinar-series-part-1-getting-started/ta-p/575388

Re: Dataset name change

JahidAliyev — Tue, 27 Feb 2024 13:16:07 GMT

@jmazzeo As I understand I cannot change it directly. I need to change it from syslog collector. What if I have many linux endpoints that each sends logs to Broker VM. Do I need to do this action manually? I mean source IP is different for each linux endpoint.

Re: Dataset name change

jmazzeo — Tue, 27 Feb 2024 13:28:58 GMT

You can go to Settings - Data Broker - Broker VM, click on the Syslog Applet and select "Configure".

You can edit the default rule without any specific IP, and there change the Vendor and Product.

The "Syslog Collector" settings works like a firewall rule, works from the top to the bottom. You can have specific rules with IPs on top, and a default one without that setting configured in the last position.

Re: Dataset name change

JahidAliyev — Tue, 27 Feb 2024 13:36:08 GMT

@jmazzeo I understand, thank you. And, please, can you answer this:

As you know PaloAlto has recently changed their licenses for Cortex XDR. As I know before it was Data Lake license with TBs but now, it is GB/per day. How can I calculate how much GB I need to buy for fully take advantage of this. Is there any sizing method?

Re: Dataset name change

jmazzeo — Tue, 27 Feb 2024 13:38:23 GMT

Yes, there is a sizing method available. Please talk with your PANW Sales contact and they will help you with that.

If you found any of the previous replies as the answer to the inquiry, please mark it as the solution.