Log Formats - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-10-31
Last date published
2024-03-27
Category
Administrator Guide
Abstract

Cortex XDR has different log formats that the Cortex XDR tenant forwards to an external server or email destination.

The following topics list the fields of each Cortex XDR log type that the Cortex XDR tenant can forward to an external server or email destination.

With log forwarding to a syslog receiver, the Cortex XDR tenant sends logs in the IETF syslog message format defined in RFC 5424 (RFC 5425 defines the TLS transport mapping for that format). To facilitate parsing, the message body is a single comma-separated value (CSV) record: fields are separated by commas and identified by their position in the record, and a field that itself contains commas or quotation marks (for example, the JSON arrays in threat logs) is enclosed in double quotes with each embedded double quote doubled, as the examples below show.

Note

The FUTURE_USE tag marks fields that Cortex XDR does not currently implement. The field still occupies its position in the comma-separated record, so a parser that maps fields by position must count it rather than skip it.

With log forwarding to an email destination, the Cortex XDR tenant sends an email with each field on a separate line in the email body.

Threat Logs

Syslog format: recordType, class, FUTURE_USE, eventType, generatedTime, serverTime, agentTime, tzOffset, FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion, regionId, isEndpoint, agentId, osType, isVdi, osVersion, is64, agentIp, deviceName, deviceDomain, severity, trapsSeverity, agentVersion, contentVersion, protectionStatus, preventionKey, moduleId, profile, moduleStatusId, verdict, preventionMode, terminate, terminateTarget, quarantine, block, postDetected, eventParameters(Array), sourceProcessIdx(Array), targetProcessIdx(Array), fileIdx(Array), processes(Array), files(Array), users(Array), urls(Array), description(Array)

Email body format example:

recordType: threat
messageData/class: threat
messageData/subClass: 
eventType: AgentSecurityEvent
generatedTime: 2019-01-29T05:07:58.045-08:00
serverTime: 2018-07-02T20:01:39.591Z
endPointHeader/agentTime: 2018-07-02T20:01:03Z
endPointHeader/tzOffset: 180
product: 
facility: TrapsAgent
customerId: 245143
trapsId: mac510a2monday-01
serverHost: coreop-qaauta-2606-0-112132729246-266
serverComponentVersion: 2.0.2
regionId: 70
isEndpoint: 1
agentId: dc3af3198f172048082c21ff0956866b
endPointHeader/osType: 2
endPointHeader/isVdi: 0
endPointHeader/osVersion: 10.11.6
endPointHeader/is64: 1
endPointHeader/agentIp: 10.200.37.201
endPointHeader/deviceName: A1260700MC1011
endPointHeader/deviceDomain: 
severity: emergency
messageData/trapsSeverity: medium
endPointHeader/agentVersion: 5.1.0.1401
endPointHeader/contentVersion: 26-3625
endPointHeader/protectionStatus: 0
messageData/preventionKey: 9a94965188d2455486dd8d60cf4b3849
messageData/moduleId: COMPONENT_EPM_J01
messageData/profile: ExploitModules
messageData/moduleStatusId: CYSTATUS_JIT_EXCEPTION
messageData/verdict: 
messageData/preventionMode: blocked
messageData/terminate: 1
messageData/terminateTarget: 
quarantine: 
messageData/block: 0
messageData/postDetected: 0
messageData/eventParameters: "[""/Users/administrator/Desktop/JitMac/j01_test"",""711046b89e2f2c70cdbb41f615c54bd1b4270ecbbb176edeb1bb4fe4619""]"
messageData/sourceProcessIdx: 0
messageData/targetProcessIdx: -1
messageData/fileIdx: 0
messageData/processes: "[{""exeFileIdx"":0,""commandLine"":""/Users/Administrator/Desktop/JitMac/j01_test test=system depth=1"",""userIdx"":0,""pid"":1359,""parentId"":452}]"
messageData/files: "[{""sha256"":""711046b89e2f2c70cdbb41f615c54bd1b4270ecbbb176edeb1bb4654619"", ""rawFullPath"":""/Users/administrator/Desktop/JitMac/j01_test"",""signers"":[""N/A""],""fileName"":""j01_test""}]"
messageData/users: "[{""userName"":""Administrator""}]"
messageData/urls: []
messageData/description: Memory Corruption Exploit

Field Name

Description

recordType

Record type associated with the event and that you can use when managing logging quotas. In this case, the record type is threat which includes logs related to security events that occur on the endpoints.

class

Class of Cortex XDR agent log: config, policy, system, or agent_log.

eventType

Subtype of event: AgentActionReport, AgentDeviceControlViolation, AgentGenericMessage, AgentSamReport, AgentScanReport, AgentSecurityEvent, AgentStatistics, AgentTimelineEvent, ServerLogPerAgent, ServerLogPerTenant, or ServerLogSystem.

generatedTime

Coordinated Universal Time (UTC) equivalent of the time at which an event was logged. For agent events, this represents the time on the endpoint. For policy, configuration, and system events, this represents the time on Cortex XDR in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).

serverTime

Coordinated Universal Time (UTC) equivalent of the time at which the server generated the log. If the log was generated on an endpoint, this field identifies the time the server received the log in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).

agentTime

Coordinated Universal Time (UTC) equivalent of the time at which an agent logged an event in ISO-8601 string representation.

tzOffset

Effective endpoint time zone offset from UTC, in minutes.

facility

The Cortex XDR system component that initiated the event, for example: TrapsAgent, TrapsServiceCore, TrapsServiceManagement, and TrapsServiceBackend.

customerId

The ID that uniquely identifies the Cortex XDR tenant instance which received this log record.

trapsId

Tenant external ID.

serverHost

Hostname of Cortex XDR.

serverComponentVersion

Software version of Cortex XDR.

regionId

ID of Cortex XDR region:

  • 10—Americas (N. Virginia)

  • 70—EMEA (Frankfurt)

isEndpoint

Indicates whether the event occurred on an endpoint.

  • 0—No, host is not an endpoint.

  • 1—Yes, host is an endpoint.

agentId

Unique identifier for the Cortex XDR agent.

osType

Operating system of the endpoint:

  • 1—Windows

  • 2—OS X/macOS

  • 3—Android

  • 4—Linux

isVdi

Indicates whether the endpoint is a virtual desktop infrastructure (VDI):

  • 0—The endpoint is not a VDI

  • 1—The endpoint is a VDI

osVersion

Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135.

is64

Indicates whether the endpoint is running a 64-bit operating system (the threat log example above shows the flag set on a macOS endpoint):

  • 0—The endpoint is not running x64 architecture

  • 1—The endpoint is running x64 architecture

agentIp

IP address of the endpoint.

deviceName

Hostname of the endpoint on which the event was logged.

deviceDomain

Domain to which the endpoint belongs.

severity

Syslog severity level associated with the event. The email body examples on this page show the level by name rather than by number.

  • 2—Critical. Used for events that require immediate attention.

  • 3—Error. Used for events that require special handling.

  • 4—Warning. Used for events that sometimes require special handling.

  • 5—Notice. Used for normal but significant events that can require attention.

  • 6—Informational. Informational events that do not require attention.

Each event also has an associated Cortex XDR severity. See the messageData.trapsSeverity field for details.

trapsSeverity

Severity level associated with the event defined for Cortex XDR. Each of these severities corresponds to a syslog severity level:

  • 0—Informational. Informational messages that do not require attention. Identical to the syslog 6 (Informational) severity level.

  • 1—Low. Used for normal but significant events that can require attention. Corresponds to the syslog 5 (Notice) severity level.

  • 2—Medium. Used for events that sometimes require special handling. Corresponds to the syslog 4 (Warning) severity level.

  • 3—High. Used for events that require special handling. Corresponds to the syslog 3 (Error) severity level.

  • 4—Critical. Used for events that require immediate attention. Corresponds to the syslog 2 (Critical) severity level.

See also the severity log field.

agentVersion

Version of the Cortex XDR agent.

contentVersion

Content version in the local security policy.

protectionStatus

Cortex XDR agent protection status:

  • 0—Protected

  • 1—OsVersionIncompatible

  • 2—AgentIncompatible

preventionKey

Unique identifier for security events.

moduleId

Security module name.

profile

Name of the security profile that triggered the event.

moduleStatusId

Identifies the specific component of Cortex XDR modules.

  • CYSTATUS_ABNORMAL_PROCESS_TERMINATION

  • CYSTATUS_ALIGNED_HEAP_SPRAY_DETECTED

  • CYSTATUS_CHILD_PROCESS_BLOCKED

  • CYSTATUS_CORE_LIBRARY_LOADED

  • CYSTATUS_CORE_LIBRARY_UNLOADING

  • CYSTATUS_CPLPROT_BLACKLIST

  • CYSTATUS_CPLPROT_REMOTE_DRIVE

  • CYSTATUS_CPLPROT_REMOVABLE_DRIVE

  • CYSTATUS_CYINJCT_DISPATCH

  • CYSTATUS_CYINJCT_MAPPING

  • CYSTATUS_CYVERA_PREVENTION

  • CYSTATUS_DANGEROUS_SYSTEM_SERVICE_CALLED

  • CYSTATUS_DEMO_EVENT

  • CYSTATUS_DEP_SEH_INF_VIOLATION

  • CYSTATUS_DEP_SEH_VIOLATION

  • CYSTATUS_DEP_VIOLATION

  • CYSTATUS_DEP_VIOLATION_UNALLOCATED

  • CYSTATUS_DEVICE_BLOCKED

  • CYSTATUS_DLLPROT_BLACKLIST

  • CYSTATUS_DLLPROT_CURRENT_WORKING_DIRECTORY

  • CYSTATUS_DLLPROT_REMOTE_DRIVE

  • CYSTATUS_DLLPROT_REMVABLE_DRIVE

  • CYSTATUS_DOTNET_CRITICAL

  • CYSTATUS_DSE

  • CYSTATUS_EPM_INIT_FAILED

  • CYSTATUS_FAILED_CHECK_MEDIA

  • CYSTATUS_FILE_DELETION_BOOT_DONE

  • CYSTATUS_FILE_DELETION_FAILED

  • CYSTATUS_FILE_DELETION_SUCCEEDED

  • CYSTATUS_FINGERPRINTING_ATTEMPT

  • CYSTATUS_FONT_PROT_DUQU

  • CYSTATUS_FORBIDDEN_MEDIA

  • CYSTATUS_FORBIDDEN_OPTICAL_MEDIA

  • CYSTATUS_FORBIDDEN_REMOTE_MEDIA

  • CYSTATUS_FORBIDDEN_REMOVABLE_MEDIA

  • CYSTATUS_GS_COOKIE_CORRUPTED_COOKIE

  • CYSTATUS_GUARD_PAGE_VIOLATION

  • CYSTATUS_HASH_CONTROL

  • CYSTATUS_HEAP_CORRUPTION

  • CYSTATUS_HOOKING_ENTRY_POINT_FAILED

  • CYSTATUS_HOTPATCH_HIJACKING

  • CYSTATUS_ILLEGAL_EXECUTABLE

  • CYSTATUS_ILLEGAL_UNSIGNED_EXECUTABLE

  • CYSTATUS_INJ_APPCONTAINER_FAILURE

  • CYSTATUS_INJ_CTX_FAILURE

  • CYSTATUS_JAVA_FILE

  • CYSTATUS_JAVA_PROC

  • CYSTATUS_JAVA_REG

  • CYSTATUS_JIT_EXCEPTION

  • CYSTATUS_LINUX_BRUTEFORCE_PREVENTED

  • CYSTATUS_LINUX_ROOT_ESCALATION_PREVENTED

  • CYSTATUS_LINUX_SHELLCODE_PREVENTED

  • CYSTATUS_LINUX_SOCKET_SHELL_PREVENTED

  • CYSTATUS_LOCAL_ANALYSIS

  • CYSTATUS_MACOS_DLPROT_CWD_HIJACK

  • CYSTATUS_MACOS_DLPROT_DUPLICATE_PATH_CHECK

  • CYSTATUS_MACOS_G02_BLOCK_ALL

  • CYSTATUS_MACOS_G02_SIGNER_NAME_MISMATCH

  • CYSTATUS_MACOS_G02_SIGN_LEVEL_BELOW_MIN

  • CYSTATUS_MACOS_G02_SIGN_LEVEL_BELOW_PARENT

  • CYSTATUS_MACOS_MALICIOUS_DYLIB

  • CYSTATUS_MACOS_ROOT_ESCALATION_PREVENTED

  • CYSTATUS_MALICIOUS_APK

  • CYSTATUS_MALICIOUS_DLL

  • CYSTATUS_MALICIOUS_EXE

  • CYSTATUS_MALICIOUS_EXE_ASYNC

  • CYSTATUS_MALICIOUS_MACRO

  • CYSTATUS_MALICIOUS_STRING_DETECTED

  • CYSTATUS_MEMORY_USAGE_LIMIT_EXCEEDED

  • CYSTATUS_NOP_SLED_DETECTED

  • CYSTATUS_NO_MEMORY

  • CYSTATUS_NO_REGISTER_CORRECTED

  • CYSTATUS_PREALLOCATED_ADDR_ACCESSED

  • CYSTATUS_PROCESS_CREATION_VIOLATION

  • CYSTATUS_QUARANTINE_FAILED

  • CYSTATUS_QUARANTINE_SUCCEEDED

  • CYSTATUS_RANSOMWARE

  • CYSTATUS_RESTORE_FAILED

  • CYSTATUS_RESTORE_SUCCEEDED

  • CYSTATUS_ROP_MITIGATION

  • CYSTATUS_SEH_CRITICAL

  • CYSTATUS_SEH_INF_CRITICAL

  • CYSTATUS_SHELL_CODE_TRAP_CALLED

  • CYSTATUS_STACK_OVERFLOW

  • CYSTATUS_SUSPENDED_PROCESS_BLOCKED

  • CYSTATUS_SUSPICIOUS_APC

  • CYSTATUS_SUSPICIOUS_LINK_FILE

  • CYSTATUS_SYSTEM_SCAN_FINISHED

  • CYSTATUS_SYSTEM_SCAN_STARTED

  • CYSTATUS_THREAD_INJECTION

  • CYSTATUS_TLA_MODEL_NOT_LOADED

  • CYSTATUS_TOKEN_THEFT_FILE_OPERATION

  • CYSTATUS_TOKEN_THEFT_PROCESS_CREATED

  • CYSTATUS_TOKEN_THEFT_REGISTRY_OPERATION

  • CYSTATUS_TOKEN_THEFT_THREAD_CREATED

  • CYSTATUS_TOKEN_THEFT_THREAD_INJECTED

  • CYSTATUS_TOKEN_THEFT_THREAD_STARTED

  • CYSTATUS_UASLR_CRITICAL

  • CYSTATUS_UNALLOWED_CODE_SEGMENT

  • CYSTATUS_UNAUTHORIZED_CALL_TO_SYSTEM_SERVICE

  • CYSTATUS_UNSIGNED_CHILD_PROCESS_BLOCKED

  • CYSTATUS_WILDFIRE_GRAYWARE

  • CYSTATUS_WILDFIRE_MALWARE

  • CYSTATUS_WILDFIRE_UNKNOWN

verdict

Verdict for the file:

  • 0—Benign

  • 1—Malware

  • 2—Grayware

  • 4—Phishing

  • 99—Unknown

preventionMode

Action carried out by the Cortex XDR agent (block or notify). The prevention mode is specified in the rule configuration.

terminate

Termination action taken on the file.

  • 0—Cortex XDR did not terminate the file.

  • 1—Cortex XDR terminated the file.

terminateTarget

Termination action taken on the target file (relevant for some child process execution events, where Cortex XDR terminates the child process but not the parent process):

  • 0—Target file was not terminated.

  • 1—Target file was terminated.

quarantine

Quarantine action taken on the file:

  • 0—File was not quarantined.

  • 1—File was quarantined.

block

Block action taken on the file:

  • 0—File was not blocked

  • 1—File was blocked.

postDetected

Post detection status of the file:

  • 0—Initial prevention.

  • 1—Detected after an initial execution.

eventParameters(Array)

Parameters associated with the type of event. For example, username, endpoint hostname, and filename.

sourceProcessIdx(Array)

The prevention source process index in the processes array.

targetProcessIdx(Array)

Target process index in the processes array. A missing or negative value means there is no target process.

fileIdx(Array)

Index, in the files array, of the target file for specific security events such as scanning, malicious DLL, and malicious macro events.

processes(Array)

All related details for the process file that triggered an event:

  • 1—System process ID

  • 2—Parent process ID

  • 3—File object corresponding to the process executable file

  • 4—Command line arguments (if any)

  • 5—Description field of the VERSIONINFO resource

  • 6—File version field of the VERSIONINFO resource

files(Array)

File object includes:

  • 1—SHA256 hash value of the file

  • 2—SHA256 hash value of the macro

  • 3—Raw full filepath

  • 4—A predefined drive type: local, network mapped drive, UNC path host, removable media, etc.

  • 5—File name (with no extension), such as AdapterTroubleshooter

  • 6—File extension (for example, EXE or DLL)

  • 7—File type defined by the XDR agent

  • 8—UTC file creation time

  • 9—UTC file modification time

  • 10—UTC file access time

  • 11—File attributes bitmask

  • 12—File size in bytes

  • 13—Signer field of the code signing certificate

users(Array)

Details about the active user on the endpoint when the event occurred:

  • 1—Username of the active user on the endpoint.

  • 2—Domain to which the user account belongs.

urls(Array)

Additional details related to a URL:

  • 1—Raw URL

  • 2—URL scheme, for example HTTP, HTTPS, FTP, or LDAP

  • 3—Hostname in punycode

  • 4—Host port

  • 5—Canonicalized URL path part according to schema requirements

  • 6—Query parameters (HTTP and HTTPS only)

  • 7—Fragment parameters (HTTP and HTTPS only)

description(Array)

(Mac only) Description of the Cortex XDR component that raised the event. For example, the description of the ROP, JIT, and Dylib hijacking modules for Mac endpoints is Memory Corruption Exploit.

Config Logs

Syslog format: recordType, class, FUTURE_USE, subClassId, eventType, eventCategory, generatedTime, serverTime, FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion, regionId, isEndpoint, severity, trapsSeverity, messageCode, friendlyName, FUTURE_USE, msgTextEn, userFullName, userName, userRole, userDomain, additionalData(Array), messageCode, errorText, errorData, resultData

The messageCode field appears twice in this list, so a parser that maps fields by position must keep both positions rather than keying on the field name alone.

Email body format example:

recordType: system
messageData/class: system
messageData/subClass: Provisioning
messageData/subClassId: 13
eventType: ServerLogPerTenant
messageData/eventCategory: tenant
generatedTime: 2019-01-31T18:15:19.000000+00:00
serverTime: 2019-01-31T18:15:19.000000+00:00
product: 
facility: TrapsServerManagement
customerId: 004403511
trapsId: 18520498190303952
serverHost: 14917869646-201.proda.brz
serverComponentVersion: 2.0.9+624
regionId: 
isEndpoint: 0
agentId: 
severity: notice
messageData/trapsSeverity: informational
messageData/messageCode: 19015
messageData/friendlyName: User Login
messageData/msgTextLoc: 
messageData/msgTextEn: User username@paloaltonetworks.com has logged in with role superadmin
endPointHeader/userFullName: 
endPointHeader/username: 
endPointHeader/userRole: 
endPointHeader/userDomain: 
endPointHeader/agentTime: 
endPointHeader/tzOffset: 
endPointHeader/osType: 
endPointHeader/isVdi: 
endPointHeader/osVersion: 
endPointHeader/is64: 
endPointHeader/agentIp: 
endPointHeader/deviceName: 
endPointHeader/deviceDomain: 
endPointHeader/agentVersion: 
endPointHeader/contentVersion: 
endPointHeader/protectionStatus: 
messageData/userFullName: 
messageData/username: 
messageData/userRole: 
messageData/userDomain: 
messageData/messageName: 
messageData/messageId: 
messageData/processStatus: 
messageData/errorText: 
messageData/errorData: 
messageData/resultData: 
messageData/parameters: 
messageData/additionalData: {}

Field Name

Description

recordType

Record type associated with the event and that you can use when managing logging quotas. In this case, the record type is config which includes logs related to Cortex XDR administration and configuration changes.

class

Class of Cortex XDR log. System logs have a value of system.

subClass

Subclass of event. Used to categorize logs in Cortex XDR.

subClassId

Numeric representation of the subClass field for easy sorting and filtering.

eventType

Subtype of event.

eventCategory

Category of event, used internally for processing the flow of logs. Event categories vary by class:

  • config—deviceManagement, distributionManagement, reportManagement, securityEventManagement, systemManagement

  • policy—exceptionManagement, policyManagement, profileManagement, sam

  • system—licensing, provisioning, tenant, userAuthentication, workerProcessing

  • agent_log—agentFlow

generatedTime

Coordinated Universal Time (UTC) equivalent of the time at which an event was logged. For agent events, this represents the time on the endpoint. For policy, configuration, and system events, this represents the time on Cortex XDR in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).

serverTime

Coordinated Universal Time (UTC) equivalent of the time at which the server generated the log. If the log was generated on an endpoint, this field identifies the time the server received the log in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).

facility

The Cortex XDR system component that initiated the event, for example: TrapsAgent, TrapsServiceCore, TrapsServiceManagement, and TrapsServiceBackend.

customerId

The ID that uniquely identifies the Cortex XDR tenant instance which received this log record.

trapsId

Tenant external ID.

serverHost

Hostname of Cortex XDR.

serverComponentVersion

Software version of Cortex XDR.

regionId

ID of Cortex XDR region:

  • 10—Americas (N. Virginia)

  • 70—EMEA (Frankfurt)

isEndpoint

Indicates whether the event occurred on an endpoint.

  • 0—No, host is not an endpoint.

  • 1—Yes, host is an endpoint.

agentId

Unique identifier for the Cortex XDR agent.

severity

Syslog severity level associated with the event. The email body examples on this page show the level by name rather than by number.

  • 2—Critical. Used for events that require immediate attention.

  • 3—Error. Used for events that require special handling.

  • 4—Warning. Used for events that sometimes require special handling.

  • 5—Notice. Used for normal but significant events that can require attention.

  • 6—Informational. Informational events that do not require attention.

Each event also has an associated Cortex XDR severity. See the messageData.trapsSeverity field for details.

trapsSeverity

Severity level associated with the event defined for Cortex XDR. Each of these severities corresponds to a syslog severity level:

  • 0—Informational. Informational messages that do not require attention. Identical to the syslog 6 (Informational) severity level.

  • 1—Low. Used for normal but significant events that can require attention. Corresponds to the syslog 5 (Notice) severity level.

  • 2—Medium. Used for events that sometimes require special handling. Corresponds to the syslog 4 (Warning) severity level.

  • 3—High. Used for events that require special handling. Corresponds to the syslog 3 (Error) severity level.

  • 4—Critical. Used for events that require immediate attention. Corresponds to the syslog 2 (Critical) severity level.

See also the severity log field.

messageCode

System-wide unique message code.

friendlyName

Descriptive log message name.

msgTextEn

Description of the event, in English.

userFullName

Full username of Cortex XDR user.

userName

Username associated with Cortex XDR user.

userRole

Role assigned to Cortex XDR user.

userDomain

Domain to which the user belongs.

agentTime

Coordinated Universal Time (UTC) equivalent of the time at which an agent logged an event in ISO-8601 string representation.

tzOffset

Effective endpoint time zone offset from UTC, in minutes.

osType

Operating system of the endpoint:

  • 1—Windows

  • 2—OS X/macOS

  • 3—Android

  • 4—Linux

isVdi

Indicates whether the endpoint is a virtual desktop infrastructure (VDI):

  • 0—The endpoint is not a VDI

  • 1—The endpoint is a VDI

osVersion

Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135.

is64

Indicates whether the endpoint is running a 64-bit operating system:

  • 0—The endpoint is not running x64 architecture

  • 1—The endpoint is running x64 architecture

agentIp

IP address of the endpoint.

deviceName

Hostname of the endpoint on which the event was logged.

deviceDomain

Domain to which the endpoint belongs.

agentVersion

Version of the Cortex XDR agent.

contentVersion

Content version in the local security policy.

protectionStatus

Cortex XDR agent protection status:

  • 0—Protected

  • 1—OsVersionIncompatible

  • 2—AgentIncompatible

userFullName

Full name of Cortex XDR user.

userName

Username associated with Cortex XDR user.

userRole

Role assigned to Cortex XDR user.

userDomain

Domain to which the user belongs.

messageName

Name of the message.

messageId

Unique numeric identifier of the message.

processStatus

State of the process related to the event.

errorText

If known, a description of the documented error.

errorData

Parameters related to an event error.

resultData

Parameters related to a successful event.

parameters

Parameters supplied in the log message.

additionalData(Array)

Additional information regarding event parameters.

loggedInUser

User that is logged in to the Cortex XDR.

Analytics Logs

Syslog format: recordType, class, FUTURE_USE, eventType, eventCategory, generatedTime, serverTime, agentTime, tzOffset, FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion, regionId, isEndpoint, agentId, osType, isVdi, osVersion, is64, agentIp, deviceName, deviceDomain, severity, agentVersion, contentVersion, protectionStatus, sha256, type, parentSha256, lastSeen, fileName, filePath, fileSize, localAnalysisResult, reported, blocked, executionCount

Email body format example:

recordType: analytics
messageData/class: agent_data
messageData/subClass: 
eventType: AgentTimelineEvent
messageData/eventCategory: hash
generatedTime: 2019-01-31T18:00:43Z
serverTime: 2019-01-31T18:59:46.586Z
endPointHeader/agentTime: 2019-01-31T18:00:43Z
endPointHeader/tzOffset: -480
product: 
facility: TrapsAgent
customerId: 110044035
trapsId: 18520039498190352
serverHost: coreop-f-proda-mnmauto03930348053-311.proda.brz
serverComponentVersion: 2.0.9+564
regionId: 10
isEndpoint: 1
agentId: 3bcf7e5ff56e2891c78684a38b728e49
endPointHeader/osType: 2
endPointHeader/isVdi: 0
endPointHeader/osVersion: 10.12.6
endPointHeader/is64: 1
endPointHeader/agentIp: 192.168.0.21
endPointHeader/deviceName: Jeffreys-MacBook-Pro.local
endPointHeader/deviceDomain: 
severity: 
endPointHeader/agentVersion: 5.0.5.1193
endPointHeader/contentVersion: 42-6337
endPointHeader/protectionStatus: 0
messageData/sha256: 87e27ba9128d9c3b3d113c67623a06817a030b3bbb4d2871d1e6da9002206f26
messageData/type: macho
messageData/parentSha256: 
messageData/lastSeen: 2019-01-31T18:00:43Z
messageData/fileName: crashpad_handler
messageData/filePath: /users/username/library/google/googlesoftwareupdate/googlesoftwareupdate.bundle/contents/macos/
messageData/fileSize: 353680
messageData/localAnalysisResult: "{""contentVersion"":""42-6337"",""result"":""Benign"",""trusted"":""None"",""publishers"":[""developer id application: google, inc. (eqhxz8m8av)""],""resultId"":0,""trustedId"":0}"
messageData/reported: 0
messageData/blocked: 0
messageData/executionCount: 4179

Field Name

Description

recordType

Record type associated with the event and that you can use when managing logging quotas. In this case, the record type is analytics which includes hash execution reports from the agent.

class

Class of Cortex XDR log: config, policy, system, and agent_log.

eventType

Subtype of event.

eventCategory

Category of event, used internally for processing the flow of logs. Event categories vary by class:

  • config—deviceManagement, distributionManagement, securityEventManagement, systemManagement

  • policy—exceptionManagement, policyManagement, profileManagement, sam

  • system—licensing, provisioning, tenant, userAuthentication, workerProcessing

  • agent_log—agentFlow

generatedTime

Coordinated Universal Time (UTC) equivalent of the time at which an event was logged. For agent events, this represents the time on the endpoint. For policy, configuration, and system events, this represents the time on Cortex XDR in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).

serverTime

Coordinated Universal Time (UTC) equivalent of the time at which the server generated the log. If the log was generated on an endpoint, this field identifies the time the server received the log in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).

agentTime

Coordinated Universal Time (UTC) equivalent of the time at which an agent logged an event in ISO-8601 string representation.

tzOffset

Effective endpoint time zone offset from UTC, in minutes.

facility

The Cortex XDR system component that initiated the event, for example: TrapsAgent, TrapsServiceCore, TrapsServiceManagement, and TrapsServiceBackend.

customerId

The ID that uniquely identifies the Cortex XDR tenant instance which received this log record.

trapsId

Tenant external ID.

serverHost

Hostname of Cortex XDR.

serverComponentVersion

Software version of Cortex XDR.

regionId

ID of Cortex XDR region:

  • 10—Americas (N. Virginia)

  • 70—EMEA (Frankfurt)

isEndpoint

Indicates whether the event occurred on an endpoint.

  • 0—No, host is not an endpoint.

  • 1—Yes, host is an endpoint.

agentId

Unique identifier for the Cortex XDR agent.

osType

Operating system of the endpoint:

  • 1—Windows

  • 2—OS X/macOS

  • 3—Android

  • 4—Linux

isVdi

Indicates whether the endpoint is a virtual desktop infrastructure (VDI):

  • 0—The endpoint is not a VDI

  • 1—The endpoint is a VDI

osVersion

Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135.

is64

Indicates whether the endpoint is running a 64-bit operating system (the analytics example above shows the flag set on a macOS endpoint):

  • 0—The endpoint is not running x64 architecture

  • 1—The endpoint is running x64 architecture

agentIp

IP address of the endpoint.

deviceName

Hostname of the endpoint on which the event was logged.

deviceDomain

Domain to which the endpoint belongs.

severity

Syslog severity level associated with the event. The email body examples on this page show the level by name rather than by number.

  • 2—Critical. Used for events that require immediate attention.

  • 3—Error. Used for events that require special handling.

  • 4—Warning. Used for events that sometimes require special handling.

  • 5—Notice. Used for normal but significant events that can require attention.

  • 6—Informational. Informational events that do not require attention.

Each event also has an associated Cortex XDR severity. See the messageData.trapsSeverity field for details.

agentVersion

Version of the Cortex XDR agent.

contentVersion

Content version in the local security policy.

protectionStatus

Cortex XDR agent protection status:

  • 0—Protected

  • 1—OsVersionIncompatible

  • 2—AgentIncompatible

sha256

SHA-256 hash of the file.

type

Type of file:

  • 0—Unknown

  • 1—PE

  • 2—Mach-o

  • 3—DLL

  • 4—Office file (containing a macro)

parentSha256

SHA-256 hash of the parent file.

lastSeen

Coordinated Universal Time (UTC) equivalent of the time when the file last ran on an endpoint in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).

fileName

File name, without the path or the file type extension.

filePath

Full path, aligned to the OS format.

fileSize

Size of the file in bytes.

localAnalysisResult

This object includes the content version, local analysis module version, verdict result, file signer, and trusted signer result. The trusted signer result is an integer value:

  • 0—Cortex XDR did not evaluate the signer of the file.

  • 1—The signer is trusted.

  • 2—The signer is not trusted.

reported

Reporting status of the file, in integer value:

  • 0—Cortex XDR did not report the security event.

  • 1—Cortex XDR reported the security event.

blocked

Blocking status of the file, in integer value:

  • 0—Cortex XDR did not block the process or file.

  • 1—Cortex XDR blocked the process or file.

executionCount

The total number of times a file identified by a specific hash was executed.

System Logs

Syslog format: recordType, class, FUTURE_USE, subClassId, eventType, eventCategory, generatedTime, serverTime, FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion, regionId, isEndpoint, agentId, severity, trapsSeverity, messageCode, friendlyName, FUTURE_USE, msgTextEn, userFullName, username, userRole, userDomain, agentTime, tzOffset, osType, isVdi, osVersion, is64, agentIp, deviceName, deviceDomain, agentVersion, contentVersion, protectionStatus, userFullName, username, userRole, userDomain, messageName, messageId, processStatus, errorText, errorData, resultData, parameters, additionalData(Array)

The userFullName, username, userRole, and userDomain fields appear twice in this list: the first group belongs to the endpoint header block and the second to the message data block, matching the endPointHeader/ and messageData/ prefixes in the email body example below. A parser that maps fields by position must keep both groups rather than keying on the field name alone.

Email body format example:

recordType: system
messageData/class: system
messageData/subClass: Provisioning
messageData/subClassId: 13
eventType: ServerLogPerTenant
messageData/eventCategory: tenant
generatedTime: 2019-01-31T18:15:19.000000+00:00
serverTime: 2019-01-31T18:15:19.000000+00:00
product: 
facility: TrapsServerManagement
customerId: 004403511
trapsId: 18520498190303952
serverHost: 14917869646-201.proda.brz
serverComponentVersion: 2.0.9+624
regionId: 
isEndpoint: 0
agentId: 
severity: notice
messageData/trapsSeverity: informational
messageData/messageCode: 19015
messageData/friendlyName: User Login
messageData/msgTextLoc: 
messageData/msgTextEn: User username@paloaltonetworks.com has logged in with role superadmin
endPointHeader/userFullName: 
endPointHeader/username: 
endPointHeader/userRole: 
endPointHeader/userDomain: 
endPointHeader/agentTime: 
endPointHeader/tzOffset: 
endPointHeader/osType: 
endPointHeader/isVdi: 
endPointHeader/osVersion: 
endPointHeader/is64: 
endPointHeader/agentIp: 
endPointHeader/deviceName: 
endPointHeader/deviceDomain: 
endPointHeader/agentVersion: 
endPointHeader/contentVersion: 
endPointHeader/protectionStatus: 
messageData/userFullName: 
messageData/username: 
messageData/userRole: 
messageData/userDomain: 
messageData/messageName: 
messageData/messageId: 
messageData/processStatus: 
messageData/errorText: 
messageData/errorData: 
messageData/resultData: 
messageData/parameters: 
messageData/additionalData: {}
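The positional parsing described at the top of this page (comma-separated fields, FUTURE_USE placeholders, quoted JSON arrays with doubled inner quotes), the *Idx fields of the Threat Logs table that point into the processes, files, and users arrays, and the repeated user fields in the System Logs format above, as one added example. This is illustrative code, not part of Cortex XDR or its documentation: the field orders are copied from the Syslog format lines on this page, the two sample records are constructed from the values in the email body examples (the page shows no raw syslog line, so any framing in front of the CSV body, such as a syslog header, is an assumption and is left out), and the trapsSeverity mapping follows the severity table. The names parse_record and resolve_threat and the _2 suffix given to a repeated field name are this example's own.

```python
# Added example, not Cortex XDR code: positional parser for the syslog CSV records on this page.
import csv
import json

# Field order copied from the "Syslog format" lines. FUTURE_USE slots are still emitted as
# empty CSV positions, so they stay in the list to keep every later field aligned.
THREAT_FIELDS = (
    "recordType, class, FUTURE_USE, eventType, generatedTime, serverTime, agentTime, tzOffset, FUTURE_USE, "
    "facility, customerId, trapsId, serverHost, serverComponentVersion, regionId, isEndpoint, agentId, "
    "osType, isVdi, osVersion, is64, agentIp, deviceName, deviceDomain, severity, trapsSeverity, "
    "agentVersion, contentVersion, protectionStatus, preventionKey, moduleId, profile, moduleStatusId, "
    "verdict, preventionMode, terminate, terminateTarget, quarantine, block, postDetected, "
    "eventParameters(Array), sourceProcessIdx(Array), targetProcessIdx(Array), fileIdx(Array), "
    "processes(Array), files(Array), users(Array), urls(Array), description(Array)"
).split(", ")
SYSTEM_FIELDS = (
    "recordType, class, FUTURE_USE, subClassId, eventType, eventCategory, generatedTime, serverTime, "
    "FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion, regionId, isEndpoint, "
    "agentId, severity, trapsSeverity, messageCode, friendlyName, FUTURE_USE, msgTextEn, userFullName, "
    "username, userRole, userDomain, agentTime, tzOffset, osType, isVdi, osVersion, is64, agentIp, "
    "deviceName, deviceDomain, agentVersion, contentVersion, protectionStatus, userFullName, username, "
    "userRole, userDomain, messageName, messageId, processStatus, errorText, errorData, resultData, "
    "parameters, additionalData(Array)"
).split(", ")
FORMATS = {"threat": THREAT_FIELDS, "system": SYSTEM_FIELDS}

# trapsSeverity name -> syslog severity number, per the severity tables above.
TRAPS_TO_SYSLOG = {"informational": 6, "low": 5, "medium": 4, "high": 3, "critical": 2}


def parse_record(line):
    """Split one record, name the fields by position and decode the JSON array fields."""
    values = next(csv.reader([line]))  # the csv module undoes the doubled-quote escaping
    fields = FORMATS[values[0]]        # recordType is always the first field
    if len(values) != len(fields):
        raise ValueError(f"{values[0]}: expected {len(fields)} fields, got {len(values)}")
    rec, seen = {}, {}
    for name, value in zip(fields, values):
        if name == "FUTURE_USE":
            continue                   # consumed for alignment only
        is_array = name.endswith("(Array)")
        name = name[:-7] if is_array else name
        n = seen.get(name, 0)          # system/config formats repeat user* and messageCode
        seen[name] = n + 1
        if is_array:
            try:
                value = json.loads(value)  # "[...]", "{}", "0" and "-1" all decode
            except ValueError:
                pass                       # description(Array) is plain text in the example
        rec[name if n == 0 else f"{name}_{n + 1}"] = value
    return rec


def resolve_threat(rec):
    """Follow the *Idx fields into the processes/files/users arrays of a threat record."""
    procs, files, users = rec["processes"], rec["files"], rec["users"]

    def at(seq, idx):  # missing or negative index means "no such object"
        return seq[idx] if isinstance(idx, int) and 0 <= idx < len(seq) else None

    def process(idx):
        p = at(procs, idx)
        if p is None:
            return None
        return {**p, "file": at(files, p.get("exeFileIdx")), "user": at(users, p.get("userIdx"))}

    return {
        "source": process(rec["sourceProcessIdx"]),
        "target": process(rec["targetProcessIdx"]),
        "file": at(files, rec["fileIdx"]),
        "syslog_severity": TRAPS_TO_SYSLOG.get(rec["trapsSeverity"]),
    }


# Constructed sample records (values taken from the email body examples on this page; the hash is
# copied as printed there). Quoted fields carry JSON with every inner quote doubled.
SHA = "711046b89e2f2c70cdbb41f615c54bd1b4270ecbbb176edeb1bb4654619"
THREAT_LINE = (
    "threat,threat,,AgentSecurityEvent,2019-01-29T05:07:58.045-08:00,2018-07-02T20:01:39.591Z,"
    "2018-07-02T20:01:03Z,180,,TrapsAgent,245143,mac510a2monday-01,"
    "coreop-qaauta-2606-0-112132729246-266,2.0.2,70,1,dc3af3198f172048082c21ff0956866b,"
    "2,0,10.11.6,1,10.200.37.201,A1260700MC1011,,emergency,medium,5.1.0.1401,26-3625,0,"
    "9a94965188d2455486dd8d60cf4b3849,COMPONENT_EPM_J01,ExploitModules,CYSTATUS_JIT_EXCEPTION,"
    ",blocked,1,,,0,0,"
    '"[""/Users/administrator/Desktop/JitMac/j01_test"",""%s""]",0,-1,0,'
    '"[{""exeFileIdx"":0,""commandLine"":""/Users/Administrator/Desktop/JitMac/j01_test '
    'test=system depth=1"",""userIdx"":0,""pid"":1359,""parentId"":452}]",'
    '"[{""sha256"":""%s"",""rawFullPath"":""/Users/administrator/Desktop/JitMac/j01_test"",'
    '""signers"":[""N/A""],""fileName"":""j01_test""}]",'
    '"[{""userName"":""Administrator""}]",[],Memory Corruption Exploit'
) % (SHA, SHA)
SYSTEM_LINE = (
    "system,system,,13,ServerLogPerTenant,tenant,2019-01-31T18:15:19.000000+00:00,"
    "2019-01-31T18:15:19.000000+00:00,,TrapsServerManagement,004403511,18520498190303952,"
    "14917869646-201.proda.brz,2.0.9+624,,0,,notice,informational,19015,User Login,,"
    "User username@paloaltonetworks.com has logged in with role superadmin"
    + "," * 28 + "{}"  # fields 24-50 (endpoint header and both user blocks) are empty for a tenant event
)

if __name__ == "__main__":
    print(json.dumps(resolve_threat(parse_record(THREAT_LINE)), indent=1))
    print(parse_record(SYSTEM_LINE)["msgTextEn"])
```

The field-count check is deliberate: a record with more or fewer fields than the list means the format changed or the line was cut, and silently misaligning every field after a FUTURE_USE slot is worse than rejecting the record. The sourceProcessIdx, targetProcessIdx, and fileIdx values are decoded as integers before the lookup, so the -1 in the threat example resolves to no target process exactly as the targetProcessIdx description says.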

Field Name

Description

recordType

Record type associated with the event and that you can use when managing logging quotas. In this case, the record type is system which includes logs related to automated system management and agent reporting events.

class

Class of Cortex XDR log. System logs have a value of system.

subClass

Subclass of event. Used to categorize logs in Cortex XDR user interface.

subClassId

Numeric representation of the subClass field for easy sorting and filtering.

eventType

Subtype of event.

eventCategory

Category of event, used internally for processing the flow of logs. Event categories vary by class:

  • config—deviceManagement, distributionManagement, securityEventManagement, systemManagement

  • policy—exceptionManagement, policyManagement, profileManagement, sam

  • system—licensing, provisioning, tenant, userAuthentication, workerProcessing

  • agent_log—agentFlow

generatedTime

Coordinated Universal Time (UTC) equivalent of the time at which an event was logged. For agent events, this represents the time on the endpoint. For policy, configuration, and system events, this represents the time on Cortex XDR in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).

serverTime

Coordinated Universal Time (UTC) equivalent of the time at which the server generated the log. If the log was generated on an endpoint, this field identifies the time the server received the log in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).

facility

The Cortex XDR system component that initiated the event, for example: TrapsAgent, TrapsServiceCore, TrapsServiceManagement, and TrapsServiceBackend.

customerId

The ID that uniquely identifies the Cortex XDR tenant instance which received this log record.

trapsId

Tenant external ID.

serverHost

Hostname of Cortex XDR.

serverComponentVersion

Software version of Cortex XDR.

regionId

ID of Cortex XDR region:

  • 10—Americas (N. Virginia)

  • 70—EMEA (Frankfurt)

isEndpoint

Indicates whether the event occurred on an endpoint.

  • 0—No, host is not an endpoint.

  • 1—Yes, host is an endpoint.

agentId

Unique identifier for the Cortex XDR agent.

severity

Syslog severity level associated with the event. The email example above carries the level by name (notice) rather than by number.

  • 2—Critical. Used for events that require immediate attention.

  • 3—Error. Used for events that require special handling.

  • 4—Warning. Used for events that sometimes require special handling.

  • 5—Notice. Used for normal but significant events that can require attention.

  • 6—Informational. Informational events that do not require attention.

Each event also has an associated Cortex XDR severity. See the messageData/trapsSeverity field for details.

trapsSeverity

Severity level associated with the event defined for Cortex XDR. Each of these severities corresponds to a syslog severity level:

  • 0—Informational. Informational messages that do not require attention. Identical to the syslog 6 (Informational) severity level.

  • 1—Low. Used for normal but significant events that can require attention. Corresponds to the syslog 5 (Notice) severity level.

  • 2—Medium. Used for events that sometimes require special handling. Corresponds to the syslog 4 (Warning) severity level.

  • 3—High. Used for events that require special handling. Corresponds to the syslog 3 (Error) severity level.

  • 4—Critical. Used for events that require immediate attention. Corresponds to the syslog 2 (Critical) severity level.

See also the severity log field.

messageCode

System-wide unique message code.

friendlyName

Descriptive log message name.

msgTextEn

Description of the event, in English.

userFullName

Full name of the Cortex XDR user (endPointHeader block; empty in the server-side example above).

username

Username associated with the Cortex XDR user (endPointHeader block).

userRole

Role assigned to the Cortex XDR user (endPointHeader block).

userDomain

Domain to which the user belongs (endPointHeader block).

agentTime

Coordinated Universal Time (UTC) equivalent of the time at which an agent logged an event in ISO-8601 string representation.

tzOffset

Effective endpoint time zone offset from UTC, in minutes.

osType

Operating system of the endpoint:

  • 1—Windows

  • 2—OS X/macOS

  • 3—Android

  • 4—Linux

isVdi

Indicates whether the endpoint is a virtual desktop infrastructure (VDI):

  • 0—The endpoint is not a VDI

  • 1—The endpoint is a VDI

osVersion

Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135.

is64

Indicates whether the endpoint is running a 64-bit (x64) operating system:

  • 0—The endpoint is not running x64 architecture

  • 1—The endpoint is running x64 architecture

agentIp

IP address of the endpoint.

deviceName

Hostname of the endpoint on which the event was logged.

deviceDomain

Domain to which the endpoint belongs.

agentVersion

Version of the Cortex XDR agent.

contentVersion

Content version in the local security policy.

protectionStatus

Cortex XDR agent protection status:

  • 0—Protected

  • 1—OsVersionIncompatible

  • 2—AgentIncompatible

userFullName

Full name of the Cortex XDR user (messageData block).

username

Username associated with the Cortex XDR user (messageData block).

userRole

Role assigned to the Cortex XDR user (messageData block).

userDomain

Domain to which the user belongs (messageData block).

messageName

Name of the message.

messageId

Unique numeric identifier of the message.

processStatus

State of the process related to the event.

errorText

If known, a description of the documented error.

errorData

Parameters related to an event error.

resultData

Parameters related to a successful event.

parameters

Parameters supplied in the log message.

additionalData(Array)

Additional information regarding event parameters.

loggedInUser

User that is logged in to the Cortex XDR.