NVIDIA DOCA Argus

This pack provides Modeling Rules to parse and map NVIDIA DOCA Argus logs to the Cortex Data Model (XDM)

Overview

DOCA Argus is a DOCA service running on NVIDIA® BlueField® networking platforms, designed to immediately detect and enable response to attacks, minimizing their potential impact and risk.

This pack includes

Data normalization capabilities:

  • Rules for parsing and modeling NVIDIA DOCA Argus logs that are ingested via the HTTP Event Collector into Cortex XSIAM.
    • The ingested logs can be queried in XQL Search using the nvidia_doca_argus dataset.

Supported log categories

Category          Category Display Name
Event             EVENT
Alert             ALERT
System Activity   SYSTEM_ACTIVITY

Supported timestamp formats

iso_8601 (2025-11-18T10:18:50.625005951+00:00)


Data Collection

Cortex XSIAM side - Custom - HTTP based Collector

  1. Navigate to Settings -> Data Sources -> Add Data Source.

  2. If you have already configured a Custom - HTTP based Collector, select the 3 dots, and then select + Add New Instance. If not, select + Add Data Source, search for "http" and then select Connect.

  3. Set the following values:

    Parameter     Value
    Name          nvidia doca_argus Logs
    Compression   Select the desired compression
    Log Format    Select json
    Vendor        Enter nvidia
    Product       Enter doca_argus

  4. Creating a new HTTP Log Collector allows you to generate a unique token. Save it, as it will be used later.

  5. Click the 3 dots next to the newly created instance and copy the API URL; it will also be used later.

For more information, see this doc.

NVIDIA BlueField service deployment

For detailed information and prerequisites, refer to the DOCA Argus Service Guide.

Fluent Bit side

Fluent Bit is a lightweight, high-performance log processor and forwarder used to collect, parse, enrich, and route logs from systems, containers, and services to external destinations.
In this integration, Fluent Bit acts as the log shipping layer between NVIDIA DOCA Argus and Cortex XSIAM.

HTTP out to XSIAM — fill in your [OUTPUT] details

Edit the Fluent Bit configuration file /fluent-bit/etc/fluent-bit.conf and enter the following:

Parameter     Value
Name          http
Match         argus
Host          api-.xdr..paloaltonetworks.com
Port          443
URI           /logs/v1/event
Format        json
tls           On
tls.verify    On
Header        Authorization Bearer
Retry_Limit   False

Refer to the Fluent Bit manual for details on additional output plugins and configurations.
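
One way to check a fluent-bit.conf against the output settings listed above before shipping Argus logs. This is an added example, not part of the pack or the vendors' documentation. The host collector.example.invalid, the token PLACEHOLDER_TOKEN and the function names are assumptions.

```python
# Added example: lint a classic-mode Fluent Bit config against the [OUTPUT] table.
# Constructed samples: placeholder host/token; WEAK disables verification, drops the header.
REQUIRED = {"port": {"443"}, "uri": {"/logs/v1/event"}, "format": {"json"},
            "tls": {"on", "true"}, "tls.verify": {"on", "true"}}

SAMPLE_GOOD = """
[OUTPUT]
    Name        http
    Match       argus
    Host        collector.example.invalid
    Port        443
    URI         /logs/v1/event
    Format      json
    tls         On
    tls.verify  On
    Header      Authorization Bearer PLACEHOLDER_TOKEN
    Retry_Limit False
"""
SAMPLE_WEAK = SAMPLE_GOOD.replace("tls.verify  On", "tls.verify  Off").replace(
    "    Header      Authorization Bearer PLACEHOLDER_TOKEN\n", "")

def parse_sections(text):
    """Return [(SECTION, [(key, value), ...])] for a classic-mode config."""
    sections = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].upper(), []))
        elif sections:
            key, *rest = line.split(None, 1)  # key, then the rest of the line
            sections[-1][1].append((key.lower(), rest[0].strip() if rest else ""))
    return sections

def lint_argus_output(text):
    """Return findings for every http [OUTPUT] that matches the argus tag."""
    findings, seen = [], False
    for name, pairs in parse_sections(text):
        keys = dict(pairs)  # Header may repeat, so it is read from pairs below
        if name != "OUTPUT" or keys.get("name") != "http" or keys.get("match") != "argus":
            continue
        seen = True
        for k, allowed in REQUIRED.items():
            if keys.get(k, "").lower() not in allowed:
                findings.append(f"{k} = {keys.get(k, '<unset>')} (expected {'/'.join(sorted(allowed))})")
        auth = [v.split() for k, v in pairs if k == "header"]
        if not any(len(p) == 3 and p[:2] == ["Authorization", "Bearer"] for p in auth):
            findings.append("missing Authorization Bearer header")
    return findings if seen else ["no [OUTPUT] with Name http and Match argus"]
```

With tls.verify off, Fluent Bit would send the token and the Argus logs to a host presenting any certificate. Because the Bearer token sits in fluent-bit.conf in clear text, keep that file readable only by the account running Fluent Bit.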

PUBLISHER

PLATFORMS

Cortex XSIAM

INFO

Supported By: Cortex
Created: February 8, 2026
Last Release: February 8, 2026
Network Security

DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise.