Every action taken on a Cohesity cluster -- whether a user modifies a protection policy, restores a virtual machine, or simply logs in -- is recorded in an audit log. These chronological records capture who did what, when, and from where, forming the foundation of security investigations, compliance reporting, and operational troubleshooting.
Log Architecture and Types
Cohesity DataPlatform monitors clusters for access events, file/folder changes, share and permission modifications, and configuration changes. Navigate to System > Audit Logs > Log Settings to view and configure.
Audit logs record two primary event types:
- Write actions -- changes to configuration, data, or system state (logged and displayed by default)
- Read actions -- viewing or accessing data and settings (must be enabled manually; expect a noticeable increase in log volume, so size syslog forwarding and retention accordingly)
The system organizes logs into 18 predefined categories (API Key, Access Token, Alert, Protection Group, Protection Policy, Recovery Task, Region, Snapshot, User, Tenant, etc.) and tracks over 50 write action types spanning the full operational lifecycle.
| Syslog Tag | Log Type |
|---|---|
| cluster_audit | Cluster configuration and administrative actions |
| filesystem_audit | File and folder access on Cohesity Views |
| cohesity_alerts | Alert generation and resolution events |
| dataprotection_events | Backup, replication, and recovery job events |
```mermaid
flowchart LR
A[Admin Action] --> B[Audit Engine]
C[File Access] --> B
D[Alert Event] --> B
E[Backup/Recovery Job] --> B
B --> F["cluster_audit"]
B --> G["filesystem_audit"]
B --> H["cohesity_alerts"]
B --> I["dataprotection_events"]
F --> J[Syslog Server / SIEM]
G --> J
H --> J
I --> J
```
Retention Settings
| Setting | Value |
|---|---|
| Default retention | 180 days |
| Minimum retention | 90 days |
| Maximum retention | 365 days |
| Configuration location | Security > Audit Logs > Settings |
Organizations requiring longer retention (e.g., PCI DSS Requirement 10.5.1 requires at least 12 months of audit log history with the most recent 3 months immediately available; HIPAA requires 6 years for certain records) should use remote syslog forwarding to archive logs externally. Audit logs can also be exported as CSV files, which include additional detail such as IP addresses, tenant information, and impersonation data.
Interpreting Entries for Security Investigations
Cohesity provides filtering by Date Range, System, Users, Category, and Action type. In a forensic investigation, these filters help isolate relevant events. For example, investigating an unauthorized policy change involves filtering by Category "Protection Policy," setting Action to write only, and cross-referencing the user account and IP address (from CSV export) with your identity provider.
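The investigation workflow above, carried out against a CSV export in code, as an added example that is not Cohesity's own tooling: it keeps only write actions in the chosen category and flags rows whose user, source address or impersonation status does not match what the identity provider says is expected. The column names, the sample rows and the IdP allow-list are all constructed assumptions; check the column names against a real export before relying on them.

```python
"""Isolate suspicious Protection Policy writes in an exported Cohesity audit-log CSV.

Added example for this page, not Cohesity code. The column names are an
assumption modelled on the fields the text says the export carries (user,
category, action, IP address, tenant, impersonation); check them against a
real export before use.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed sample export (not real cluster data). Rows 2-3 are a policy
# change and deletion by an unexpected user from an untrusted address.
SAMPLE_CSV = """\
timestamp,username,category,action,entity_name,ip_address,tenant,impersonated_user
2024-03-04T02:11:09Z,svc-backup,Protection Policy,Modify,Gold-30d,10.20.0.15,,
2024-03-04T02:12:40Z,jdoe,Protection Policy,Modify,Gold-30d,203.0.113.77,,
2024-03-04T02:13:01Z,jdoe,Protection Policy,Delete,Bronze-7d,203.0.113.77,,
2024-03-04T09:00:00Z,auditor,Protection Policy,View,Gold-30d,10.20.0.40,,
2024-03-04T09:05:22Z,admin,Protection Group,Modify,Finance-VMs,10.20.0.12,tenant-a,svc-tenant
"""

# Actions that change state; anything else is treated as a read.
WRITE_ACTIONS = {"Create", "Modify", "Delete"}

# Constructed stand-in for an identity-provider lookup: who is entitled to
# change policies, and from which management network.
IDP_POLICY_ADMINS = {"svc-backup", "admin"}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]


@dataclass
class Finding:
    timestamp: str
    username: str
    action: str
    entity: str
    ip_address: str
    reasons: tuple


def _ip_is_trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # a malformed or empty address is itself worth a look
    return any(ip in net for net in TRUSTED_NETWORKS)


def suspicious_policy_writes(csv_text, category="Protection Policy"):
    """Filter to write actions in `category` and flag rows whose actor,
    source address or impersonation status does not match expectations."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["category"] != category or row["action"] not in WRITE_ACTIONS:
            continue
        reasons = []
        if row["username"] not in IDP_POLICY_ADMINS:
            reasons.append("user is not a policy admin in the IdP")
        if not _ip_is_trusted(row["ip_address"]):
            reasons.append("source IP outside the management network")
        if row["impersonated_user"]:
            reasons.append("action performed under impersonation")
        if reasons:
            findings.append(Finding(row["timestamp"], row["username"], row["action"],
                                    row["entity_name"], row["ip_address"], tuple(reasons)))
    return findings


def actors_to_verify(findings):
    """Distinct (user, IP) pairs to cross-check against IdP sign-in logs."""
    return sorted({(f.username, f.ip_address) for f in findings})


if __name__ == "__main__":
    for f in suspicious_policy_writes(SAMPLE_CSV):
        print(f"{f.timestamp} {f.username}@{f.ip_address} {f.action} {f.entity}: "
              f"{'; '.join(f.reasons)}")
```

The `(user, IP)` pairs returned by `actors_to_verify` are what you take to the identity provider: a policy write from an account that has no matching sign-in, or from an address the IdP never saw, is the lead to chase.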
Compliance-Grade Audit Trails
For regulated industries, audit logs must be tamper-evident (a copy forwarded to an external syslog server that cluster administrators cannot alter, so on-cluster tampering shows up as a discrepancy between the two copies), complete (read logging enabled as well as write logging), retained per regulatory requirements, and accessible to auditors (CSV export and SIEM integration). Cohesity's audit framework has undergone Common Criteria evaluation.
On-cluster logs have three limitations: they are stored on the system they monitor, so anyone with cluster admin rights can alter or purge them; they are capped at 365 days; and they are isolated from other infrastructure events. Remote syslog forwarding ships log data to a centralized platform in near real time, addressing all three, provided the transport is reliable (TCP or TCP+TLS rather than UDP, which silently drops messages under load) and the receiver sits outside the cluster's administrative domain.
Syslog Server Integration
Configuration path: Settings > Summary > Syslog tab, then click +Add.
| Parameter | Description |
|---|---|
| IP Address/Hostname | Network address of the syslog server |
| Port | 514 (UDP), 601 (TCP), or 6514 (TCP with TLS) |
| Stream | Which log types (syslog tags) to forward |
| Protocol | TCP (default) or UDP; TLS runs over TCP |
| Encryption (TLS) | Optional; encrypts log traffic in transit |
Animation: Syslog forwarding configuration walkthrough -- showing the Settings > Summary > Syslog workflow with protocol selection and TLS toggle
Format and Field Mapping
Each forwarded syslog message includes: Facility/severity (standard syslog priority), timestamp, hostname (cluster node), tag (one of four Cohesity-specific tags), and a structured message body with user, action, target object, and result. Understanding this field mapping is critical for building SIEM dashboards and correlation rules.
```mermaid
flowchart TD
subgraph Cohesity Cluster
A[Audit Logs] --> B[Syslog Forwarder]
end
B -->|UDP Port 514| C[Syslog Server]
B -->|TCP Port 601| C
B -->|TCP+TLS Port 6514| C
C --> D[Splunk]
C --> E[Google Chronicle]
C --> F[ELK Stack]
C --> G[Other SIEM]
```
Splunk, ELK, and SIEM Integration
- Splunk -- Splunk Connect for Syslog provides pre-built Cohesity integration; enables correlation with firewall, endpoint, and identity logs
- Google Chronicle -- Default parser for Cohesity log ingestion with automated normalization
- ELK Stack -- Logstash receives syslog, parses via tags, stores in Elasticsearch, visualizes in Kibana
- Cohesity Marketplace -- Pre-built connectors and dashboards for common SIEM platforms
| Protocol | Use Case | Trade-offs |
|---|---|---|
| UDP | High-volume, latency-sensitive | Fastest; no delivery guarantee |
| TCP | Most production environments | Reliable with acknowledgment; slight overhead |
| TCP + TLS | Security/compliance environments | Encrypted + reliable; requires cert management |
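The field mapping described under "Format and Field Mapping" and the transport trade-offs in the table above, shown from both ends of the connection as an added example that is not Cohesity code: the sender builds an RFC 5424 message with the priority, timestamp, hostname and one of the four tags, frames it for the chosen transport (bare datagram for UDP, octet-counted `LENGTH SP MSG` for TCP and TLS), and the receiver de-frames the stream and maps the message onto the fields a correlation rule needs. The `key="value"` body layout and the use of facility local0 are assumptions; capture a real message from your cluster and adjust the parser before building SIEM rules on it.

```python
"""Build, frame and parse RFC 5424 syslog messages carrying the four Cohesity tags.

Added example for this page, not Cohesity code. The key="value" message body
and the use of facility local0 are assumptions; confirm the real layout from a
captured message before writing SIEM parsers against it.
"""
import re
from datetime import datetime, timezone

FACILITY_LOCAL0 = 16
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
SEVERITY_NAME = {v: k for k, v in SEVERITY.items()}
COHESITY_TAGS = {"cluster_audit", "filesystem_audit",
                 "cohesity_alerts", "dataprotection_events"}


def build_message(tag, hostname, severity, user, action, target, result,
                  ts=None, facility=FACILITY_LOCAL0):
    """Sender side: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG,
    with PRI = facility * 8 + severity and the Cohesity tag as APP-NAME."""
    if tag not in COHESITY_TAGS:
        raise ValueError(f"unknown Cohesity tag {tag!r}")
    pri = facility * 8 + SEVERITY[severity]
    stamp = (ts or datetime.now(timezone.utc)).isoformat().replace("+00:00", "Z")
    body = f'user="{user}" action="{action}" target="{target}" result="{result}"'
    return f"<{pri}>1 {stamp} {hostname} {tag} - - - {body}"


def frame(msg, transport):
    """Wire framing per transport: UDP sends one datagram per message (RFC 5426);
    TCP and TLS use octet counting, 'LENGTH SP MSG' (RFC 6587 / RFC 5425)."""
    data = msg.encode("utf-8")
    if transport == "udp":
        return data
    if transport in ("tcp", "tls"):
        return f"{len(data)} ".encode("ascii") + data
    raise ValueError(f"unsupported transport {transport!r}")


def deframe(stream):
    """Receiver side for TCP/TLS: split a byte stream into complete messages.
    Returns (messages, leftover) so a partial frame waits for the next read."""
    msgs = []
    while True:
        sp = stream.find(b" ")
        if sp < 1 or not stream[:sp].isdigit():
            break
        length, start = int(stream[:sp]), sp + 1
        if len(stream) < start + length:
            break
        msgs.append(stream[start:start + length].decode("utf-8"))
        stream = stream[start + length:]
    return msgs, stream


# Header regex assumes NILVALUE ('-') structured data, as build_message emits.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<tag>\S+) \S+ \S+ \S+ (?P<msg>.*)$")
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_message(raw):
    """Map a message onto the fields a SIEM correlation rule needs."""
    m = HEADER_RE.match(raw)
    if not m:
        raise ValueError("not an RFC 5424 message")
    if m["tag"] not in COHESITY_TAGS:
        raise ValueError(f"unexpected tag {m['tag']!r}")
    pri = int(m["pri"])
    return {
        "facility": pri // 8,
        "severity": SEVERITY_NAME[pri % 8],
        "timestamp": m["ts"],
        "hostname": m["host"],
        "tag": m["tag"],
        **dict(KV_RE.findall(m["msg"])),
    }
```

The `deframe` leftover is the point of octet counting: on TCP a read can end in the middle of a message, and a receiver that splits on newlines instead will corrupt or lose the audit entry that straddles the boundary.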
DataHawk is Cohesity's SaaS-based security solution combining three pillars: threat protection (deep learning ransomware detection), ML-based data classification (powered by BigID), and cyber vaulting (FortKnox). It scans backup data without impacting production workloads.
```mermaid
flowchart TD
A[Cohesity DataHawk] --> B[Threat Protection]
A --> C[Data Classification]
A --> D[Cyber Vaulting - FortKnox]
B --> B1[Deep Learning Ransomware Detection]
B --> B2[IOC Scanning - 100K+ Indicators]
B --> B3[Custom YARA Rules]
C --> C1[200+ ML Classifiers]
C --> C2[50+ Compliance Policies]
D --> D1[Immutable Backup Copies]
D --> D2[Air-Gapped Storage]
```
Anomaly Detection
DataHawk's ML engine applies an anomaly strength score to each backup. When the score exceeds a configured threshold, it triggers automations. The system monitors for:
- Sudden, widespread file encryption (ransomware hallmark)
- Abnormal data volume fluctuations
- Mass password change patterns
- Unusual user behavior anomalies
The DataIngestAnomalyAlert (CE01516011) fires at Warning severity, with a 1-hour minimum interval between repeated alerts, when an anomalous change in data ingest rate is detected. Recommended response: restore from the most recent clean snapshot using Instant Recovery. Confirm that the candidate snapshot is actually clean (for example with an IOC scan) before restoring, and keep the anomalous snapshot rather than deleting it, since it is forensic evidence of what changed.
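How a threshold and a minimum re-alert interval turn a series of backup sizes into an alert, as an added example that is not DataHawk's model: the score here is a robust z-score (distance from the median of a rolling baseline, in units of the median absolute deviation), which is a generic, simple stand-in for the proprietary deep-learning engine. The ingest history is constructed to follow the 50 GB to 400 GB spike described above.

```python
"""Illustrative anomaly-strength score for backup ingest volume.

Added example for this page. The score is a robust z-score (median / MAD) over
a rolling baseline; it is NOT DataHawk's deep-learning model, only a way to see
how a threshold and a minimum re-alert interval turn a series of backups into
an alert. The ingest history is constructed, not captured.
"""
from statistics import median

# Constructed nightly ingest history (GB changed per backup) for one protection group.
INGEST_GB = [48, 52, 50, 55, 49, 51, 53, 50, 47, 52, 54, 50, 400]

ALERT_INTERVAL_S = 3600   # 1-hour minimum between repeated DataIngestAnomalyAlert firings
MAD_TO_SIGMA = 1.4826     # scales MAD to the std-dev of a normal distribution


def anomaly_strength(history, window=10):
    """Score the latest value against the `window` backups before it.
    Returns 0.0 when there is too little history to form a baseline."""
    if len(history) < window + 1:
        return 0.0
    baseline = history[-window - 1:-1]
    latest = history[-1]
    med = median(baseline)
    mad = median([abs(x - med) for x in baseline])
    # A perfectly flat baseline would divide by zero; treat any change as large.
    if mad == 0:
        return float("inf") if latest != med else 0.0
    return abs(latest - med) / (MAD_TO_SIGMA * mad)


def evaluate(history, now_ts, last_alert_ts=None, threshold=5.0):
    """Apply the threshold and the re-alert interval; `*_ts` are epoch seconds.
    `anomalous` is the raw verdict; `fire_alert` is what actually notifies."""
    score = anomaly_strength(history)
    anomalous = score >= threshold
    suppressed = last_alert_ts is not None and now_ts - last_alert_ts < ALERT_INTERVAL_S
    return {"score": round(score, 2), "anomalous": anomalous,
            "fire_alert": anomalous and not suppressed}


if __name__ == "__main__":
    print(evaluate(INGEST_GB, now_ts=0))
```

Using the median and MAD rather than mean and standard deviation matters for this use: a single huge backup (a full after a chain of incrementals, or the attack itself) would otherwise inflate the baseline and mask the next anomaly.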
Animation: Anomaly detection pipeline -- showing normal backup (50 GB) transitioning to anomalous spike (400 GB), triggering alert cascade through SIEM to SOC analyst response
IOC Scanning
DataHawk scans using 100,000+ Indicators of Compromise and custom YARA rules. IOC categories:
| IOC Type | What It Detects | Example |
|---|---|---|
| Network-based | Suspicious communication patterns | C2 server connections |
| File-based | Malicious filenames/hashes | Known ransomware SHA-256 hashes |
| Behavioral | Event log patterns | Mass file rename operations |
Threat feeds are updated daily without manual intervention. Scans can be scheduled as single execution or recurring at specified frequencies.
Data Classification
Powered by BigID, DataHawk provides 200+ ML-driven classifiers and 50+ predefined policies for GDPR, PCI, HIPAA, and other regulations. Classification identifies PII, financial records, health records, and confidential business documents -- providing immediate context during breach response about which sensitive data is in the blast radius.
Security Tool Integrations
DataHawk integrates with CrowdStrike, Microsoft Sentinel, Palo Alto, Cisco SecureX, and others. Threat feeds from external tools can be ingested, and DataHawk alerts can be embedded into SOC incident response playbooks.
Alert Configuration and Severity
| Severity | Meaning | Example |
|---|---|---|
| Critical | Immediate action required | Node failure, storage exhausted |
| Warning | Action needed, core functionality OK | DataIngestAnomalyAlert, degraded replication |
| Informational | Awareness only | Successful backup, scheduled maintenance |
Alert notification rules are configured from Health > Notification, matching specific categories, severities, and alert names to notification channels.
Notification Channels
| Channel | Best For | Latency | Integration Effort |
|---|---|---|---|
| Email | Small teams, backup notifications | Minutes | Low |
| SNMP | NOC teams with existing infrastructure | Seconds | Medium |
| Syslog | SIEM correlation and compliance | Seconds | Medium |
| Webhooks | Automation, ChatOps, ticketing | Seconds | Medium-High |
Webhooks support customized payload templates with placeholders that resolve to actual alert values at delivery time, enabling integration with virtually any HTTP-accepting system.
Escalation Framework
```mermaid
flowchart TD
A[Cohesity Alert Generated] --> B{Severity?}
B -->|Informational| C[Tier 1: Automated]
B -->|Warning| D[Tier 2: Operational]
B -->|Critical| E[Tier 3: Security Escalation]
C --> C1[Log to SIEM only]
D --> D1[Email to Ops Team]
D --> D2[Log to SIEM]
E --> E1[Webhook to PagerDuty/ServiceNow]
E --> E2[Email to Security On-Call]
E --> E3[Log to SIEM]
E1 --> F[Incident Created]
```
- Tier 1 (Automated) -- Informational alerts log to SIEM only; no human notification
- Tier 2 (Operational) -- Warning alerts notify the ops team by email during business hours
- Tier 3 (Security Escalation) -- Critical and security-relevant alerts trigger an immediate webhook to PagerDuty/ServiceNow plus a security on-call email
Routing on severity alone is not enough: DataIngestAnomalyAlert is raised at Warning severity, so a rule keyed only on severity would leave a possible ransomware indicator in a Tier 2 mailbox until the next business day. Because notification rules can match on alert name as well as severity, add an explicit rule that sends the security-relevant alerts (DataIngestAnomalyAlert and any DataHawk threat-detection alerts) to Tier 3 regardless of the severity the cluster assigns them.
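The tiering above together with the webhook placeholder templates from "Notification Channels", as an added example that is not Cohesity's notification engine: an alert is routed to a tier by severity, with security-relevant alert names escalated by name, and a `{{placeholder}}` template is rendered into the JSON body for each webhook channel. The alert fields, the placeholder syntax, the channel names and the ServiceNow urgency mapping are assumptions modelled on the text; the sample alert is constructed.

```python
"""Route an alert to an escalation tier and render a webhook payload from a
placeholder template.

Added example for this page, not Cohesity's notification engine. The alert
fields, the {{placeholder}} syntax and the ServiceNow field names are
assumptions modelled on the text; adapt them to your tenant's templates.
"""
import json
import re

# Alerts that are security-relevant even though the cluster raises them at
# Warning severity; they must reach Tier 3 by name, not by severity.
SECURITY_ALERT_NAMES = {"DataIngestAnomalyAlert"}

TIER_CHANNELS = {
    1: ("siem",),
    2: ("siem", "email:ops-team"),
    3: ("siem", "email:security-oncall", "webhook:pagerduty", "webhook:servicenow"),
}
# ServiceNow urgency: 1 = high, 3 = low (assumed mapping).
TIER_URGENCY = {3: "1", 2: "2", 1: "3"}


def escalation_tier(alert):
    if alert["severity"] == "Critical" or alert["name"] in SECURITY_ALERT_NAMES:
        return 3
    if alert["severity"] == "Warning":
        return 2
    return 1


PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render_template(template, values):
    """Resolve {{field}} placeholders. Values are JSON-escaped so a quote or
    backslash in an alert description cannot break (or inject into) the
    payload; an unknown field raises instead of shipping an empty incident."""
    def substitute(match):
        key = match.group(1)
        if key not in values:
            raise KeyError(f"template references unknown alert field {key!r}")
        return json.dumps(str(values[key]))[1:-1]
    return PLACEHOLDER.sub(substitute, template)


WEBHOOK_TEMPLATE = """{
  "short_description": "Cohesity {{severity}}: {{name}} on {{cluster}}",
  "urgency": "{{urgency}}",
  "description": "{{description}}",
  "correlation_id": "{{alert_id}}"
}"""

# Constructed alert, not captured from a cluster; CE01516011 is the alert code
# the text gives for DataIngestAnomalyAlert.
SAMPLE_ALERT = {
    "alert_id": "CE01516011-20240304-0211",
    "name": "DataIngestAnomalyAlert",
    "severity": "Warning",
    "cluster": "cohesity-prod-01",
    "description": 'Ingest for "Finance-VMs" rose from 50 GB to 400 GB',
}


def build_notifications(alert):
    """Return the tier, the channels to notify, and the rendered JSON payload
    for each webhook channel in that tier."""
    tier = escalation_tier(alert)
    values = {**alert, "urgency": TIER_URGENCY[tier]}
    payloads = {ch: json.loads(render_template(WEBHOOK_TEMPLATE, values))
                for ch in TIER_CHANNELS[tier] if ch.startswith("webhook:")}
    return {"tier": tier, "channels": TIER_CHANNELS[tier], "webhook_payloads": payloads}


if __name__ == "__main__":
    print(json.dumps(build_notifications(SAMPLE_ALERT), indent=2))
```

The JSON-escaping in `render_template` is the one non-obvious part: alert descriptions carry file and view names chosen by whoever wrote to the share, so a naive string substitution lets a crafted name break the payload or add fields to the ticket.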
Third-Party Integrations
| Platform | Method | Use Case |
|---|---|---|
| ServiceNow | Webhook; Cohesity App | Automated incident creation/resolution |
| PagerDuty | Webhook | On-call alerting and escalation |
| Nagios | SNMP | Infrastructure health monitoring |
| LogicMonitor | API/SNMP | Unified monitoring dashboard |
System Health Insights is a SaaS-based AI/ML platform that analyzes Call Home data to proactively alert administrators to potential problems before they become incidents.
Now that you have studied the material, answer these questions to measure your improvement.
1. What is the default audit log retention period on a Cohesity cluster?
30 days
90 days
180 days
365 days
2. Which syslog tag identifies file and folder access events when forwarded from a Cohesity cluster?
cluster_audit
filesystem_audit
cohesity_alerts
file_access_log
3. Which protocol and port combination provides encrypted syslog delivery from Cohesity to a remote server?
UDP port 514
TCP port 601
TCP+TLS port 6514
HTTPS port 443
4. What three capabilities does Cohesity DataHawk combine into a single SaaS offering?
Firewall, encryption, and access control
Threat protection, data classification, and cyber vaulting
Backup, replication, and disaster recovery
Monitoring, alerting, and reporting
5. What is the recommended response when a DataIngestAnomalyAlert fires on a protected source?
Immediately delete all recent snapshots
Restore the source using Instant Recovery from the most recent clean snapshot
Disable all backup jobs and wait for manual investigation
Reboot all cluster nodes to clear the anomaly
6. How many predefined categories does Cohesity's audit log system organize events into?
8
12
18
25
7. What technology powers DataHawk's data classification capability?
CrowdStrike Falcon
BigID
Splunk Enterprise Security
Microsoft Purview
8. At what interval does the DataIngestAnomalyAlert fire (minimum time between repeated alerts)?
60 seconds
600 seconds (10 minutes)
3600 seconds (1 hour)
86400 seconds (24 hours)
9. Which notification channel is best suited for automated incident ticket creation in ServiceNow?
Email
SNMP
Syslog
Webhook
10. Why does the Security Hardening Guide recommend remote syslog forwarding?
To reduce cluster storage consumption
To assure log availability and integrity if the cluster is compromised
To improve backup job performance
To satisfy the minimum 90-day retention requirement
11. How many Indicators of Compromise does DataHawk use for threat scanning?
1,000+
10,000+
100,000+
1,000,000+
12. In a tiered escalation framework, which tier handles DataIngestAnomalyAlert events?
Tier 1 -- Automated (syslog only)
Tier 2 -- Operational (email to ops team)
Tier 3 -- Security Escalation (webhook + on-call)
No tier -- handled by System Health Insights only
13. What additional detail does the CSV export of audit logs provide that the Helios Dashboard does not display?
Alert severity ratings
IP addresses, tenant information, and impersonation data
Mermaid diagrams of event flows
Encrypted password hashes