Who rated this post

On your 3.x tenant, go to:  https://<tenant_url>/auditing (This brings you to the Management Audit Logs)

• Where you can track your Broker VM activities as per:
  https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Monitor-Broker-VM...
  • Filter by: Type = "Broker VMs"
    • Notice that no audit event is received when a Broker VM has been upgraded.
    • Notice that no audit event is received when a Broker VM enters as state of needing a reboot.

Note: There is no dataset dedicated to receiving any sort of events from the Broker VM itself.

The best practice would be the SIEM admin to check the https://<tenant_url>/configuration/broker-vms/brokers UI every Monday morning to see if an upgrade is available or a reboot is required to apply an update which is applied automatically.

For monitoring health of data ingestions, first ensure Data Ingestion Monitoring is enabled in https://<tenant_url>/configuration/general; then create correlation rules to monitor these ingestion metrics:

• Documentation: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Overview-of-data-...
• Examples: https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/Creating-correlat...