Examples of the types of data that enhanced
application logs gather includes records of DNS queries, the HTTP
header User Agent field that specifies the web browser or tool used
to access a URL, and information about DHCP automatic IP address
assignment. With DHCP information, for example,
Cortex XDR™ can alert
on unusual activity based on hostname instead of IP address. This
allows the security analyst using Cortex XDR to meaningfully assess
whether the user’s activity is within the scope of his or her role,
and if not, to more quickly take action to stop the activity.
To
benefit from the most comprehensive set of enhanced application
logs, you should enable
User-ID; deployments for the Windows-based
User-ID agent and the PAN-OS integrated User-ID agent both collect
some data that is not reflected in the firewall User-ID logs but
that is useful towards associating network activity with specific
users.
To start forwarding enhanced application logs to Cortex
Data Lake, turn on enhanced application logging globally, and then
enable it on a per-security rule basis (using a Log Forwarding profile).
The global setting is required and captures data for traffic that
is not session-based (ARP requests, for example). The per-security
policy rule setting is strongly recommended; the majority of enhanced
application logs are gathered from the session-based traffic that
your security policy rules enforce.