Skip to main content

Platform logging integration with Cortex XSIAM

Introduction

The Modernisation Platform shares data with the Security Operations Cortex XSIAM application for purpose of the protective monitoring.

Categories of data shared with Security Operations

The following data is collected for Cortex XSIAM consumption:

  • core-logging Aggregated Cloudtrail log data from all Modernisation Platform accounts.

  • core-network-services Network Firewall alert logs.

  • core-vpc-production Route53 Resolver Query Log data.

  • core-* Route53 Resolver Query Log data live_data VPCs.

  • core-network-services VPC Flow Log data for the external_inspection VPC.

  • core-vpc-production VPC Flow Log data.

  • core-* VPC Flow Log data for live_data VPCs.

Log delivery methods

The Cortex XSIAM application consumes data using S3 as a preferential source from the following:

  • VPC Flow Log data is pulled from the core-logging-vpc-flow-logs S3 bucket in the core-logging account.
  • Route 53 Resolver Query Log data is pulled from the core-logging-r53-resolver-logs S3 bucket in the core-logging account.
  • Cloudtrail log data is pulled from the modernisation-platform-logs-cloudtrail S3 bucket in the core-logging account.

The Cortex XSIAM application receives Network Firewall alert logs by way of an Amazon Data Stream configured in the core-network-services account.

Known Contacts:

  • Vinnie Burtonshaw - Vincent.Burtonshaw@justice.gov.uk. Implements the Cortex Xsiam endpoints that receive the Firehose transfers. (https://www.paloaltonetworks.com/cortex/cortex-xsiam)

  • The Protective Monitoring Team who will be managing the Cortex Xsiam platform going forward - monitoring-and-integration-platform@justice.gov.uk

This page was last reviewed on 20 May 2025. It needs to be reviewed again on 20 November 2025 by the page owner #modernisation-platform .