This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Data Ingest per Source for Palo Alto Firewalls in Cortex XDR

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Data Ingest per Source for Palo Alto Firewalls in Cortex XDR

BH6678
L0 Member

‎07-05-2024 09:42 AM

I do not think this is in the correct Board, but I could not find a Cortex XDR channel.. First time posting so I am sure I missed it. 

 

I have Cortex XDR and we are trying to see what firewall is sending the largest amount of data by GB Ingest. We are using the collection integrations, NGFW, Panorama Managed. We have 8 firewall pairs that are sending logs to Cortex XDR. We need to see how much in GB each firewall is sending into Cortex. I am sure I am missing something. I can see how many logs, but I would like to see how much in ingest data each is using per day. 

Cortex XDR NGFW 

 

Thanks!!

Cortex XDR
Thumbnail of Cortex XDR
Palo Alto Networks
Cortex XDR
Security Operations
View on Product Page
NGFW
Thumbnail of NGFW
Palo Alto Networks
NGFW
Network Security
View on Product Page
0 Likes Likes
2 REPLIES 2

aspatil
L5 Sessionator

‎07-11-2024 02:34 AM

Hello @BH6678 ,

 

Please refer the query to find the data ingestion from the metric sources. However, the catch here is XDR doesn't provide granular visibility over each firewall ingestion as the required data is not available in data source. As of now this can be achieved by XSIAM. 

dataset = metrics_source
| fields _vendor , _product , total_size_bytes , total_size_rate
| comp sum(total_size_bytes ) as ingestion by _product
| alter Ingestion_by_GB = divide(round(multiply(divide(ingestion , pow(2,30)),10000)),10000) //rounding out to 4 decimal places and convert to MB
| fields _product ,Ingestion_by_GB
| limit 20
| sort desc Ingestion_by_GB
| view graph type = column subtype = grouped layout = horizontal show_callouts = `true` xaxis = _product yaxis = Ingestion_by_GB seriescolor("Ingestion_by_GB","#d2510e") headcolor = "#171616" gridcolor = "#38def6" font = "Arial Black"

 

You can either reach out to Accounts Team or have FR open to include the device id in metrics_source dataset.

 

If you feel this has answered your query, please let us know by clicking on Like and "mark this as a Solution".

 

Ashutosh Patil

PA_nts
L3 Networker

‎07-16-2024 12:35 AM - edited ‎07-16-2024 12:41 AM

stumbled upon this query here.. thanks helps me alot!

if i were to want to do the graph based on an hourly ingestion rate over a say 24 hour period.. how can i achieve this?

still learning xql so not my strongpoint atm.

running XSIAM as a POC atm

 

0 Likes Likes
  • 687 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks