Endpoint Data Collected by Cortex XDR

Endpoint Data Collection
To aid in endpoint detection and alert investigation, the Cortex XDR agent collects endpoint information when an alert is triggered.

When the Cortex XDR agent raises an alert on endpoint activity, a minimum set of metadata about the endpoint is sent to the server as described in Metadata Collected for Cortex XDR Agent Alerts. When you enable behavioral threat protection in your endpoint security policy, the Cortex XDR agent can also continuously monitor endpoint activity for malicious event chains identified by Palo Alto Networks. The endpoint data that the Cortex XDR agent collects when you enable these capabilities varies by the platform type.

Metadata Collected for Cortex XDR Agent Alerts

When the Cortex XDR agent raises an alert on endpoint activity, the following metadata is sent to the server:

Field | Description |
---|---|
Absolute Timestamp | Kernel system time |
Relative Timestamp | Uptime since the computer booted |
Thread ID | ID of the originating thread |
Process ID | ID of the originating process |
Process Creation Time | Part of process unique ID per boot session (PID + creation time) |
Sequence ID | Unique integer per boot session |
Primary User SID | Unique identifier of the user |
Impersonating User SID | Unique identifier of the impersonating user, if applicable |
EDR Data Collected for Windows Endpoints

Category | Events | Attributes |
---|---|---|
Executable metadata (Traps 6.1 and later) | Process start | |
Files | | |
Image (DLL) | Load | |
Process | | |
Thread | Injection | |
Network | | |
Network Protocols | | |
Network Statistics | | Traps sends statistics on connection close and periodically while connection is open |
Registry | | |
Session | | |
Host Status | | |
User Presence (Traps 6.1 and later) | User Detection | Detection when a user is present or idle per active user session on the computer. |
Event Log | See the Windows Event Logs table for the list of Windows Event Logs that can be sent to the server. | |
In Traps 6.1.3 and later releases, Cortex XDR and Traps agents can send the following Windows Event Logs to the server:

Path | Provider | Event IDs | Description |
---|---|---|---|
Application | EMET | | |
Application | Windows Error Reporting | | WER events for application crashes only |
Application | Microsoft-Windows-User Profiles Service | 1511, 1518 | User logging on with temporary profile (1511), Cannot create profile using temporary profile (1518) |
Application | Application Error | 1000 | Application crash/hang events, similar to WER/1001. These include full path to faulting EXE/Module |
Application | Application Hang | 1002 | Application crash/hang events, similar to WER/1001. These include full path to faulting EXE/Module |
Microsoft-Windows-CAPI2/Operational | | 11, 70, 90 | CAPI events Build Chain (11), Private Key accessed (70), X509 object (90) |
Microsoft-Windows-DNS-Client/Operational | | 3008 | DNS Query Completed (3008) without local machine name resolution events and without empty name resolution events |
Microsoft-Windows-DriverFrameworks-UserMode/Operational | | 2004 | Detect User-Mode drivers loaded, for potential BadUSB detection |
Microsoft-Windows-PowerShell/Operational | | 4103, 4104, 4105, 4106 | PowerShell execute block activity (4103), Remote Command (4104), Start Command (4105), Stop Command (4106) |
Microsoft-Windows-TaskScheduler/Operational | Microsoft-Windows-TaskScheduler | 106, 129, 141, 142, 200, 201 | |
Microsoft-Windows-TerminalServices-RDPClient/Operational | | 1024 | Log attempted TS connect to remote server |
Microsoft-Windows-Windows Defender/Operational | | 1006, 1009 | Modern Windows Defender event provider Detection events (1006 and 1009) |
Microsoft-Windows-Windows Defender/Operational | | 1116, 1119 | Modern Windows Defender event provider Detection events (1116 and 1119) |
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Microsoft-Windows-Windows Firewall With Advanced Security | 2004, 2005, 2006, 2009, 2033 | Windows Firewall With Advanced Security Local Modifications (Levels 0, 2, 4) |
Security | | 1102 | Security Log cleared events (1102) |
Security | | 5142, 5144 | Network Share create (5142), Network Share Delete (5144) |
Security | Microsoft-Windows-Eventlog | | Event log service events specific to Security channel |
Security | | 4880, 4881, 4896, 4898 | CA Service Stopped (4880), CA Service Started (4881), CA DB row(s) deleted (4896), CA Template loaded (4898) |
Security | | 6272, 6280 | RRAS events, only generated on Microsoft IAS server |
Security | Microsoft-Windows-Security-Auditing | 4624, 4625, 4634, 4647, 4648, 4649, 4672, 4768, 4769, 4770, 4771, 4776, 4778, 4800, 4801, 4802, 4803 | Successful logon (4624), Failed logon (4625), Logoff (4634), User initiated logoff (4647), Logon attempted, explicit credentials (4648), Replay attack (4649), Special privileges attempted login (4672), Kerberos TGT request (4768), Kerberos service ticket requested (4769), Kerberos service ticket renewal (4770), Kerberos pre-authentication failed (4771), Domain controller validation attempt (4776), Session was reconnected to a Windows station (4778), Workstation locked (4800), Workstation unlocked (4801), Screensaver was invoked (4802), Screensaver was dismissed (4803) |
Security | Microsoft-Windows-Security-Auditing | 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4731, 4732, 4733, 4735, 4737, 4738, 4740, 4741, 4742, 4743, 4754, 4755, 4756, 4757, 4764, 4765, 4766, 4767, 4780, 4799 | A user account was created (4720), A user account was enabled (4722), An attempt was made to change an account's password (4723), An attempt was made to reset an account's password (4724), A user account was disabled (4725), A user account was deleted (4726), Group creations (4727, 4731, 4754), Group member additions (4728, 4732, 4756), Group member removals (4729, 4733, 4757), Group changes (4735, 4737, 4755, 4764), A user account was changed (4738), A user account was locked out (4740), A computer account was created (4741), A computer account was changed (4742), A computer account was deleted (4743), SID history (4765, 4766), A user account was unlocked (4767), ACL set on accounts (4780), Group membership enumeration (4799) |
Security | Microsoft-Windows-Security-Auditing | 4616, 4821, 4822, 4823, 4824 | System time was changed (4616), Kerberos service ticket was denied (4821), NTLM authentication failed (4822, 4823), Kerberos preauthentication failed (4824), User denied access to Remote Desktop (4825), Key file operation (5058), Key migration operation (5059) |
Security | Microsoft-Windows-Security-Auditing | 4698, 4702, 4886, 4887, 4899, 4900, 5140 | A scheduled task was created (4698), A scheduled task was updated (4702), Certificate Services received a certificate request (4886), Certificate Services approved a certificate request (4887), A Certificate Services template was updated (4899), Certificate Services template security was updated (4900), A network share object was accessed (5140) |
Security | Microsoft-Windows-Security-Auditing | 4713 | Kerberos policy was changed |
Security | Microsoft-Windows-Security-Auditing | 4662 | An operation was performed on an object |
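The agent can only forward records that Windows actually writes: several of the operational channels in the table (for example Microsoft-Windows-CAPI2/Operational) ship disabled, PowerShell 4104 events depend on the Script Block Logging policy, and most of the Security-channel IDs depend on the local audit policy. The following script is an added example, not Cortex XDR or Palo Alto Networks code; it reads the channel list straight from the table above and checks, on one endpoint, whether each source is enabled. The audit subcategory names and the ScriptBlockLogging registry path are standard Windows, and the mapping of subcategories to event IDs in the comments is an assumption drawn from Microsoft's audit documentation, not from this page.

```powershell
# Added example (not Cortex XDR / Palo Alto Networks code): confirm that the
# channels and policies behind the table above are enabled on this endpoint.
# Run in an elevated PowerShell session.

# Channel names copied from the table above.
$channels = @(
    'Application'
    'Security'
    'Microsoft-Windows-CAPI2/Operational'
    'Microsoft-Windows-DNS-Client/Operational'
    'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
    'Microsoft-Windows-PowerShell/Operational'
    'Microsoft-Windows-TaskScheduler/Operational'
    'Microsoft-Windows-TerminalServices-RDPClient/Operational'
    'Microsoft-Windows-Windows Defender/Operational'
    'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
)

Write-Output '== Channel state =='
foreach ($name in $channels) {
    $log = Get-WinEvent -ListLog $name -ErrorAction SilentlyContinue
    if ($null -eq $log) {
        Write-Output ("{0,-68} not present on this host" -f $name)
        continue
    }
    # A disabled channel records nothing, so there is nothing for the agent to send.
    $state = if ($log.IsEnabled) { 'enabled ' } else { 'DISABLED' }
    Write-Output ("{0,-68} {1} {2,8:N0} records, max {3:N0} bytes" -f `
        $name, $state, $log.RecordCount, $log.MaximumSizeInBytes)
}

Write-Output "`n== PowerShell script block logging (source of 4104) =="
$sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
$sbl = Get-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
if ($sbl -and $sbl.EnableScriptBlockLogging -eq 1) {
    Write-Output 'enabled by policy'
} else {
    Write-Output 'not enabled by policy (4104 events will be sparse or absent)'
}

Write-Output "`n== Security audit subcategories behind the Security-channel IDs above =="
# Assumed mapping (Microsoft audit policy docs, not this page): Logon/Logoff ->
# 4624/4625/4634/4647/4648/4672/4778/4800-4803; Account Management -> 4720-4799;
# File Share -> 5140/5142/5144; Other Object Access Events -> 4698/4702;
# Certification Services -> 4880-4900; Kerberos subcategories -> 4768-4771 (DCs only).
$subcategories = @(
    'Logon', 'Logoff', 'Account Lockout', 'Other Logon/Logoff Events',
    'Credential Validation', 'Kerberos Authentication Service',
    'Kerberos Service Ticket Operations', 'User Account Management',
    'Computer Account Management', 'Security Group Management',
    'File Share', 'Other Object Access Events', 'Certification Services',
    'Authentication Policy Change', 'Directory Service Access', 'Security State Change'
)
foreach ($sub in $subcategories) {
    # auditpol prints the category unindented and the subcategory indented
    # with its current setting; keep only the indented subcategory line.
    $line = auditpol /get /subcategory:"$sub" | Where-Object { $_ -match '^\s+\S' } |
        Select-Object -First 1
    if ($line) { Write-Output $line.Trim() } else { Write-Output "$sub : not reported" }
}
```

Read the output against the table: a channel reported DISABLED or an audit subcategory reported as "No Auditing" means the corresponding event IDs will never reach the server, however the agent policy is configured. Note that 1102 (log cleared) is written regardless of audit policy, so its absence in a log that should have been cleared is itself worth a look.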
EDR Data Collected for Mac Endpoints

Category | Events | Attributes |
---|---|---|
Files | | |
Process | | |
Network | | |
Event Log | | |
EDR Data Collected for Linux Endpoints

Category | Events | Attributes |
---|---|---|
Files | | For specific files only and only if the file was written. |
Network | | |
Process | | |
Event Log | | |