Platform logging integration with Cortex XSIAM

Introduction

The Modernisation Platform shares data with the Security Operations Cortex XSIAM application for the purpose of protective monitoring.

Categories of data shared with Security Operations

The following data is collected for Cortex XSIAM consumption:

• CloudTrail logs aggregated from all Modernisation Platform accounts in the core-logging account

• AWS Config logs aggregated from all Modernisation Platform accounts are stored centrally in the core-logging account.

• Network Firewall "Alert" Logs based in core-network-services

• Route53 Resolver Query Logs for live_data VPCs based in core-* accounts

• VPC Flow Logs

  • for the external_inspection VPC based in core-network-services
  • for live_data VPCs based in core-* accounts

• SecurityHub, GuardDuty and Inspector findings from all MoJ AWS accounts aggregated in the organisation-security account

• Organizations data based in the moj-master account

Log delivery methods

S3

• VPC Flow Log data is pulled from the core-logging-vpc-flow-logs S3 bucket in the core-logging account.
• Route 53 Resolver Query Log data is pulled from the core-logging-r53-resolver-logs S3 bucket in the core-logging account.
• Cloudtrail log data is pulled from the modernisation-platform-logs-cloudtrail S3 bucket in the core-logging account.
• AWS Config log data is pulled from the modernisation-platform-logs-config S3 bucket in the core-logging account.

Data Firehose

• The Cortex XSIAM application receives Network Firewall alert logs by way of an Amazon Data Firehose configured in the core-network-services account.

IAM Users

• XsoarIntegration and XsiamIntegration IAM users based in the moj-master and organisation-security accounts to enable the AWS Organizations and AWS Security Hub Event Collector integrations

IAM Role/CloudFormation

• Cloud Inventory Data is shared with Xsiam using roles deployed into each AWS account in the organization using a CloudFormation StackSet based in the organisation-security account

Known Contacts:

• Vinnie Burtonshaw - Vincent.Burtonshaw@justice.gov.uk. Implements the Cortex Xsiam endpoints that receive the Firehose transfers. (https://www.paloaltonetworks.com/cortex/cortex-xsiam)

• The Protective Monitoring Team who will be managing the Cortex Xsiam platform going forward - monitoring-and-integration-platform@justice.gov.uk

This page was last reviewed on 20 May 2025. It needs to be reviewed again on 20 November 2025 by the page owner #modernisation-platform .