RULE

COLLECT

INGEST

CONST

Syslog Collector applet is automatically initiated, enters an active state on the primary node, and is on standby on the standby nodes.

Kafka Collector applet is automatically initiated, enters an active state on the primary node, and is on standby on the standby nodes.

Syslog Collector applet is active on all cluster nodes, including primary and standby.

Kafka Collector applet is active on all cluster nodes, including primary and standby.

Logging service in the isolated zone

Broker VM

Integration using filebeat

Engine

In a different region than Cortex XSIAM; logs can be verified using pan_dss_raw dataset

In a different region than Cortex XSIAM; logs can be verified using endpoints dataset

In the same region as Cortex XSIAM; logs can be verified using pan_dss_raw dataset

In the same region as Cortex XSIAM; logs can be verified using endpoints dataset

Only " Alert Info " tab can be removed.

Only " Alert Info " and " War Room " tabs can be removed.

Only " War Room " and " Work Plan " tabs can be removed.

Only " Work Plan " tab can be removed.

Device Configuration profile applied to the XDR agent must specify the Broker VM as a Download Source.

Agent Settings profile applied to the XDR agent must specify the Broker VM as a Download Source.

Broker VM must be configured with an FQDN.

XDR agent must authenticate to the Broker VM using a machine certificate.\

It uses regular expressions exclusively for data modifications, discards unmatched logs by default, and only retains fields with non-null values.

It is bound to all vendors and products, performs data parsing once per log, and does not allow grouping.

It is bound to a specific vendor and product, performs data parsing once per log, and does not allow grouping.

It is bound to a specific vendor and product which allow grouping with a no-match policy, and retains all fields.