New Cortex Data Lake Features: Log Forwarding & More


Hello again,

For November 2020, Cortex Data Lake has some new features that we would like to tell you about.

Log forwarding is the biggest part of the November 2020 release, along with log filtering and LEEF format support.

Please see the list below for the details.


New Cortex Data Lake features *

FEATURE: Log Forwarding Integration
DESCRIPTION: You can now forward logs from within the Cortex Data Lake app, enabling you to conveniently manage onboarding, storage, and log transmission in a single application. In moving to the Cortex Data Lake app, the log forwarding interface now has a new, simplified design that makes it easier to begin configuring Syslog and email profiles to forward your Cortex Data Lake log data.

FEATURE: Log Filter Query Support
DESCRIPTION: When creating your log forwarding profiles in Cortex Data Lake, you can now use the same query language from Explore to define precise log filters based on time, device serial number, IP address, and more.

FEATURE: LEEF Format Support for IBM QRadar
DESCRIPTION: You can now forward logs in Log Extended Event Format (LEEF) for use with IBM QRadar SIEM.

FEATURE: Combined Log Types
DESCRIPTION: To simplify the list of available log types for log forwarding, the tunnel log type now includes GTP logs, and Threat logs now include WildFire logs.
Because log forwarding profiles can only include one filter per log type, if you had a log forwarding profile with a log filter for both of the formerly separate log types, you will now see a new log forwarding profile. This profile contains the log filter that could not be duplicated in the original profile.
For example, a log forwarding profile with filters for both tunnel and GTP logs now appears as two profiles, each with a tunnel filter. One of the profiles will continue filtering tunnel logs and the other will filter GTP logs, which are now included in tunnel logs. The new profile will be called <original name> - GTP or, in the case of Threat and WildFire, <original name> - WildFire.

FEATURE: Non-Editable Log Forwarding Filters
DESCRIPTION: Some log filters created in the previous Log Forwarding app can no longer be edited. If you would like to change such filters, you must delete them and create new ones.
Because some fields in the migrated filters are no longer available, you may not be able to recreate an identical filter if you delete it.

* Feature list information taken from What's New in Cortex Data Lake on TechDocs.
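To make the Combined Log Types migration rule concrete, here is an added example (my own illustration, not Palo Alto Networks code) that models a log forwarding profile as a name plus at most one filter per log type (an assumed shape) and applies the merge and split described above; the filter query strings are constructed placeholders, not Explore query syntax.

```python
from dataclasses import dataclass
from typing import Dict, List

# Log types merged into another type in the November 2020 release, and the
# suffix appended to the profile name when a filter has to be split off.
MERGED_INTO = {"gtp": "tunnel", "wildfire": "threat"}
NEW_PROFILE_SUFFIX = {"gtp": "GTP", "wildfire": "WildFire"}


@dataclass
class Profile:
    """Assumed shape: a profile name and one filter query per log type."""
    name: str
    filters: Dict[str, str]  # log type -> filter query (constructed strings)


def migrate_profile(profile: Profile) -> List[Profile]:
    """Apply the merge to one profile.

    A filter for a merged type (e.g. gtp) is re-keyed under its parent type
    (tunnel). If the profile already filters the parent type, the
    one-filter-per-log-type rule forces the merged filter into a new profile
    named '<original name> - GTP' or '<original name> - WildFire'.
    """
    migrated = Profile(profile.name, {})
    split_off: List[Profile] = []
    for log_type, query in profile.filters.items():
        parent = MERGED_INTO.get(log_type)
        if parent is None:
            migrated.filters[log_type] = query   # unaffected log type
        elif parent in profile.filters:          # clash: both types filtered
            new_name = f"{profile.name} - {NEW_PROFILE_SUFFIX[log_type]}"
            split_off.append(Profile(new_name, {parent: query}))
        else:
            migrated.filters[parent] = query     # no clash: just re-key
    return [migrated] + split_off


def migrate_all(profiles: List[Profile]) -> List[Profile]:
    """Migrate a whole profile list, keeping the original order."""
    result: List[Profile] = []
    for profile in profiles:
        result.extend(migrate_profile(profile))
    return result


if __name__ == "__main__":
    # Constructed sample: the page's own case of a profile that filters both
    # tunnel and GTP logs, which becomes two profiles after migration.
    sample = Profile("SIEM forwarding", {"tunnel": "tunnel query (constructed)",
                                         "gtp": "gtp query (constructed)"})
    for p in migrate_all([sample]):
        print(p.name, "->", p.filters)
```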


More Info

As always, for more information on all of the features in Cortex Data Lake, known issues and addressed issues, please see the Cortex Data Lake Release Notes.

For our coverage on everything about Cortex Data Lake, including overview videos, resources, discussions and blogs, please see the LIVEcommunity Cortex Data Lake page.


Thanks for taking time to read my blog.
If you enjoyed this, please hit the Like (thumbs up) button, and don't forget to subscribe to the LIVEcommunity Blog area.


As always, we welcome all comments and feedback in the comments section below.


Stay Secure,
Joe Delio
End of line

Comments

Hi @jdelio, I have a few questions about this feature.


When the data lake forwards logs, do the logs come from all of Palo Alto's IPs?


How is this generally handled from a SIEM? Will we need to accept a new log source per IP address?


How are the different solutions differentiated in the log? For example, does it explicitly state a log comes from Cortex vs Prisma SaaS?


Thank you in advance!
