What is required to enable ingestion of on-premises firewall logs into Cortex XDR?
To get logs from on-premises hardware into the cloud-native Cortex Data Lake, a 'bridge' is required. This is the role of the Broker VM.
Local Collector: The Broker VM is a virtual machine (running on ESXi or Hyper-V) that sits inside your local network. It acts as a local syslog server, NetFlow collector, or Windows Event collector.
Secure Forwarding: It receives the raw logs from on-premises Firewalls, compresses and encrypts them, and then securely uploads them to the Cortex Data Lake.
Management: It also serves as a proxy for the Cortex XDR agents and helps with tasks like Local Scanning and Directory Sync.
Without the Broker VM, on-premises firewalls that cannot natively reach the cloud would have no way to contribute their data to the XDR 'stitching' process.
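As an added example (not Palo Alto Networks code and not part of the original answer), the following Python check exercises the syslog leg of the design above: it stands up a throwaway UDP listener on loopback, sends it a constructed PAN-OS-style traffic log line, and parses the RFC 3164 PRI header the way a local collector must before forwarding. The port, hostname and log line are constructed assumptions; substitute the Broker VM's configured syslog port when validating the real firewall-to-collector path.

```python
"""Loopback check for a firewall-to-local-collector syslog path (added example)."""
import re
import socket

# Constructed sample: a PAN-OS-style TRAFFIC log behind an RFC 3164 <PRI> header.
SAMPLE_LINE = (
    "<14>Jan 12 10:15:42 pa-fw-01 1,2024/01/12 10:15:42,001234567890,TRAFFIC,"
    "end,2049,2024/01/12 10:15:42,10.1.1.25,203.0.113.10,0.0.0.0,0.0.0.0,"
    "allow-web,,,web-browsing,vsys1,trust,untrust,ethernet1/2,ethernet1/1"
)

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def parse_syslog(line: str) -> dict:
    """Split the PRI field into facility (PRI // 8) and severity (PRI % 8).

    A malformed header raises ValueError so a misconfigured sender is noticed
    instead of being silently accepted by the collector.
    """
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:  # 23 facilities * 8 severities - 1 is the RFC 3164 maximum
        raise ValueError(f"PRI out of range: {pri}")
    return {"facility": pri // 8, "severity": pri % 8, "msg": m.group(2)}


def roundtrip_udp(line: str, host: str = "127.0.0.1") -> dict:
    """Send `line` over UDP to a loopback listener and parse what arrives.

    Port 0 asks the OS for a free port, so this never collides with a real
    collector; point the sender at the Broker VM's port to test the live path.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    listener.bind((host, 0))
    listener.settimeout(2.0)
    port = listener.getsockname()[1]
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sender.sendto(line.encode("utf-8"), (host, port))
        data, _ = listener.recvfrom(65535)
    finally:
        sender.close()
        listener.close()
    return parse_syslog(data.decode("utf-8"))


if __name__ == "__main__":
    print(roundtrip_udp(SAMPLE_LINE))
```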