Endpoint Data Collected by Cortex XDR

To aid in endpoint detection and alert investigation, the Cortex XDR agent collects information when an alert triggers and can log additional endpoint activity.
When the Cortex XDR agent alerts on endpoint activity, the agent collects a minimum set of data about the endpoint as described in Data Collected for All Alerts.
When you enable behavioral threat protection in your endpoint security policy, the Cortex XDR agent can also continuously monitor endpoint activity for malicious event chains identified by Palo Alto Networks. The endpoint data that the Cortex XDR agent collects when you enable these capabilities varies by platform type, as described in the sections that follow.

Data Collected for All Alerts

When Cortex XDR raises an alert on an endpoint, the Cortex XDR agent collects the following data and sends it to Cortex XDR.
Field | Description
Absolute Timestamp | Kernel system time
Relative Timestamp | Uptime since the computer booted
Thread ID | ID of the originating thread
Process ID | ID of the originating process
Process Creation Time | Part of the process unique ID per boot session (PID + creation time)
Sequence ID | Unique integer per boot session
Primary User SID | Unique identifier of the user
Impersonating User SID | Unique identifier of the impersonating user, if applicable
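The table makes two points that matter when you correlate alert records: a PID on its own is not a process identity (the OS reuses PIDs, so PID plus creation time is the per-boot-session key), and the sequence ID is what orders records within a boot session. The following added example, which is illustrative code and not Cortex XDR agent code, models the fields above as a dataclass and shows both points on constructed records; the field names, the nanosecond timestamp unit, and the sample SIDs and timestamps are assumptions.

```python
"""Keying alert records by process and ordering them within a boot session.

Added example, not Cortex XDR agent code: it models the fields in the table
above as a dataclass. The field names, the timestamp unit (nanoseconds) and
the sample records are assumptions constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

NS = 1_000_000_000


@dataclass(frozen=True)
class AlertRecord:
    abs_ts: int            # Absolute Timestamp: kernel system time (assumed ns since epoch)
    rel_ts: int            # Relative Timestamp: uptime since boot (assumed ns)
    tid: int               # Thread ID of the originating thread
    pid: int               # Process ID of the originating process
    proc_create_time: int  # Process Creation Time (assumed ns since epoch)
    seq_id: int            # Sequence ID, unique per boot session
    primary_sid: str       # Primary User SID
    impersonating_sid: Optional[str] = None  # Impersonating User SID, if applicable


def boot_time(rec: AlertRecord) -> int:
    """Boot instant (whole seconds) recovered from absolute minus relative time.
    Caveat: a system time change (Security 4616 in the event log table) moves
    abs_ts but not rel_ts, so records straddling such a change must be tied
    together by host boot events instead."""
    return round((rec.abs_ts - rec.rel_ts) / NS)


def process_key(rec: AlertRecord):
    """Process identity for the boot session: PID plus creation time, because
    the OS reuses PIDs after a process exits."""
    return (boot_time(rec), rec.pid, rec.proc_create_time)


def group_by_process(records):
    """Bucket records per process, each bucket in Sequence ID order."""
    groups = defaultdict(list)
    for rec in sorted(records, key=lambda r: (boot_time(r), r.seq_id)):
        groups[process_key(rec)].append(rec)
    return dict(groups)


def reused_pids(records):
    """PIDs that belong to more than one distinct process in the record set;
    keying on PID alone would merge their activity."""
    keys_by_pid = defaultdict(set)
    for rec in records:
        keys_by_pid[rec.pid].add(process_key(rec))
    return sorted(pid for pid, keys in keys_by_pid.items() if len(keys) > 1)


def acting_sid(rec: AlertRecord) -> str:
    """Identity the action ran under: the impersonation token when one is
    present, otherwise the primary token."""
    return rec.impersonating_sid or rec.primary_sid


# Constructed sample: one boot session, PID 4412 used by two different processes.
BOOT_EPOCH = 1_700_000_000
USER_SID = "S-1-5-21-1004336348-1177238915-682003330-1001"
ADMIN_SID = "S-1-5-21-1004336348-1177238915-682003330-500"


def _rec(uptime_s, tid, pid, created_s, seq, sid, imp=None):
    return AlertRecord(abs_ts=(BOOT_EPOCH + uptime_s) * NS, rel_ts=uptime_s * NS,
                       tid=tid, pid=pid, proc_create_time=(BOOT_EPOCH + created_s) * NS,
                       seq_id=seq, primary_sid=sid, impersonating_sid=imp)


SAMPLE = [
    _rec(121, 3310, 4412, 100, 18, USER_SID),             # second event of the first PID-4412 process
    _rec(120, 3308, 4412, 100, 17, USER_SID),             # first event of that process
    _rec(400, 5124, 4412, 390, 95, USER_SID),             # PID 4412 reused by a new process
    _rec(401, 5130, 7000, 395, 96, USER_SID, ADMIN_SID),  # action under an impersonation token
]

if __name__ == "__main__":
    for key, recs in group_by_process(SAMPLE).items():
        print(key, [r.seq_id for r in recs])
    print("reused PIDs:", reused_pids(SAMPLE))
```

Running it yields three process buckets for four records and reports PID 4412 as reused; a pipeline that keyed on PID alone would attribute the later process's activity to the earlier one. The boot-time derivation is the weak spot: it assumes the kernel clock was not adjusted between the two records, which is exactly what the 4616 event in the Windows Event Logs table exists to flag.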

Additional Endpoint Data Collected for Windows Endpoints

Executable metadata (Traps 6.1 and later)
  Events:
    • Process start
  Attributes:
    • File size
    • File access time
Files
  Events:
    • Create
    • Write
    • Delete
    • Rename
    • Move
    • Modification (Traps 6.1 and later)
    • Symbolic links (Traps 6.1 and later)
  Attributes:
    • Full path of the modified file before and after modification
    • SHA256 and MD5 hash for the file after modification
    • SetInformationFile for timestamps (Traps 6.1 and later)
    • File set security (DACL) information (Traps 6.1 and later)
    • Resolve hostnames on local network (Traps 6.1 and later)
    • Symbolic-link/hard-link and reparse point creation (Traps 6.1 and later)
Image (DLL)
  Events:
    • Load
  Attributes:
    • Full path
    • Base address
    • Target process ID/thread ID
    • Image size
    • Signature (Traps 6.1 and later)
    • SHA256 and MD5 hash for the DLL (Traps 6.1 and later)
    • File size (Traps 6.1 and later)
    • File access time (Traps 6.1 and later)
Process
  Events:
    • Create
    • Terminate
  Attributes:
    • Process ID (PID) of the parent process
    • PID of the process
    • Full path
    • Command line arguments
    • Integrity level, to determine whether the process is running with elevated privileges
    • Hash (SHA256 and MD5)
    • Signature or signing certificate details
Thread
  Events:
    • Injection
  Attributes:
    • Thread ID of the parent thread
    • Thread ID of the new or terminating thread
    • Process that initiated the thread, if from another process
Network
  Events:
    • Accept
    • Connect
    • Create
    • Listen
    • Close
    • Bind
  Attributes:
    • Source IP address and port
    • Destination IP address and port
    • Failed connection
    • Protocol (TCP/UDP)
    • Resolve hostnames on local network
Network Protocols
  Events:
    • DNS request and UDP response
    • HTTP connect
    • HTTP disconnect
    • HTTP proxy parsing
  Attributes:
    • Origin country
    • Remote IP address and port
    • Local IP address and port
    • Destination IP address and port, if a proxy connection
    • Network connection ID
    • IPv6 connection status (true/false)
Network Statistics
  Events:
    • On-close statistics
    • Periodic statistics
  Attributes:
    • Upload volume on TCP link
    • Download volume on TCP link
  Traps sends statistics on connection close and periodically while the connection is open.
Registry
  Events:
    • Registry value:
      • Deletion
      • Set
    • Registry key:
      • Creation
      • Deletion
      • Rename
      • Addition
      • Modification (set information)
      • Restore
      • Save
  Attributes:
    • Registry path of the modified value or key
    • Name of the modified value or key
    • Data of the modified value
Session
  Events:
    • Log on
    • Log off
    • Connect
    • Disconnect
  Attributes:
    • Interactive log-on to the computer
    • Session ID
    • Session state (equivalent to the event type)
    • Local (physically on the computer) or remote (connected using a terminal services session)
Host Status
  Events:
    • Boot
    • Suspend
    • Resume
  Attributes:
    • Host name
    • OS version
    • Domain
    • Previous and current state
User Presence (Traps 6.1 and later)
  Events:
    • User detection
  Attributes:
    • Detection of whether a user is present or idle, per active user session on the computer
Windows Event Logs
  See the Windows Event Logs table below for the list of Windows Event Logs that the agent can collect.
In Traps 6.1.3 and later releases, Cortex XDR and Traps agents can collect the following Windows Event Logs:
Windows Event Logs (a dash marks a cell the table does not fill in)
Path | Provider | Event IDs | Description
Application | EMET | - | -
Application | Windows Error Reporting | - | WER events for application crashes only
Application | Microsoft-Windows-User Profiles Service | 1511, 1518 | User logging on with temporary profile (1511), Cannot create profile using temporary profile (1518)
Application | Application Error | 1000 | Application crash/hang events, similar to WER/1001; these include the full path to the faulting EXE/module
Application | Application Hang | 1002 | Application crash/hang events, similar to WER/1001; these include the full path to the faulting EXE/module
Microsoft-Windows-CAPI2/Operational | - | 11, 70, 90 | CAPI events: Build Chain (11), Private Key accessed (70), X509 object (90)
Microsoft-Windows-DNS-Client/Operational | - | 3008 | DNS Query Completed (3008), excluding local machine name resolution events and empty name resolution events
Microsoft-Windows-DriverFrameworks-UserMode/Operational | - | 2004 | Detect user-mode drivers loaded, for potential BadUSB detection
Microsoft-Windows-PowerShell/Operational | - | 4103, 4104, 4105, 4106 | PowerShell execute block activity (4103), Remote Command (4104), Start Command (4105), Stop Command (4106)
Microsoft-Windows-TaskScheduler/Operational | Microsoft-Windows-TaskScheduler | 106, 129, 141, 142, 200, 201 | -
Microsoft-Windows-TerminalServices-RDPClient/Operational | - | 1024 | Log attempted TS connect to remote server
Microsoft-Windows-Windows Defender/Operational | - | 1006, 1009 | Modern Windows Defender event provider detection events (1006 and 1009)
Microsoft-Windows-Windows Defender/Operational | - | 1116, 1119 | Modern Windows Defender event provider detection events (1116 and 1119)
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Microsoft-Windows-Windows Firewall With Advanced Security | 2004, 2005, 2006, 2009, 2033 | Windows Firewall With Advanced Security local modifications (Levels 0, 2, 4)
Security | - | 4698, 4702 | -
Security | - | 4778, 4779 | TS Session reconnect (4778), TS Session disconnect (4779)
Security | - | 5140 | Network share object access, excluding the IPC$ and Netlogon shares
Security | - | 5140, 5142, 5144, 5145 | Network share create (5142), Network share delete (5144), A network share object was checked to see whether client can be granted desired access (5145), Network share object access (5140)
Security | - | 4616 | System Time Change (4616)
Security | - | 4624 | Local logons, without network or service events
Security | - | 1100, 1102 | Security log cleared (1102), EventLog service shutdown (1100)
Security | - | 4647 | User-initiated logoff
Security | - | 4634 | User logoff for all non-network logon sessions
Security | - | 4624 | Service logon events, if the user account isn't LocalSystem, NetworkService, or LocalService
Security | - | 5142, 5144 | Network share create (5142), Network share delete (5144)
Security | - | 4688 | Process Create (4688)
Security | Microsoft-Windows-Eventlog | - | Event log service events specific to the Security channel
Security | - | 4672 | Special privileges (admin-equivalent access) assigned to new logon, excluding LocalSystem
Security | - | 4732 | New user added to local security group
Security | - | 4728 | New user added to global security group
Security | - | 4756 | New user added to universal security group
Security | - | 4733 | User removed from local Administrators group
Security | - | 4886, 4887, 4888 | Certificate Services received certificate request (4886), Approved and certificate issued (4887), Denied request (4888)
Security | - | 4720, 4722, 4725, 4726 | New user account created (4720), User account enabled (4722), User account disabled (4725), User account deleted (4726)
Security | - | 4624 | Network logon events
Security | - | 4880, 4881, 4896, 4898 | CA service stopped (4880), CA service started (4881), CA DB row(s) deleted (4896), CA template loaded (4898)
Security | - | 4634 | Logoff events, for network logon events
Security | - | 6272, 6280 | RRAS events, only generated on a Microsoft IAS server
Security | - | 4689 | Process Terminate (4689)
Security | - | 4648, 4776 | Local credential authentication events (4776), Logon with explicit credentials (4648)
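Several rows in the table are not plain event-ID matches but carry exclusions: 4624 split by logon type, 5140 without the IPC$ and Netlogon shares, 4672 without LocalSystem, 3008 without empty or self-referential query names. The following added example applies a subset of those rules to constructed event records so the exclusion semantics can be checked offline. It is illustrative code written here, not the Cortex XDR agent's implementation (the page does not describe how the agent evaluates these rules); the flat record layout, the field names, and the sample events are assumptions, while the LogonType values (3 = network, 5 = service) and the well-known SIDs S-1-5-18/19/20 are Windows definitions.

```python
"""Applying a subset of the Windows Event Log selection rules above to
constructed event records.

Added example, not Cortex XDR agent code. Each record is a flat dict with the
channel, event ID and the few event-data fields a rule needs; the field names
and the sample records are assumptions constructed for illustration.
"""

# Windows well-known SIDs for the built-in service accounts.
LOCAL_SYSTEM, LOCAL_SERVICE, NETWORK_SERVICE = "S-1-5-18", "S-1-5-19", "S-1-5-20"
BUILTIN_SERVICE_ACCOUNTS = {LOCAL_SYSTEM, LOCAL_SERVICE, NETWORK_SERVICE}
# Security 4624 LogonType values for network and service logons.
LOGON_NETWORK, LOGON_SERVICE = 3, 5

SEC = "Security"
DNS = "Microsoft-Windows-DNS-Client/Operational"
PS = "Microsoft-Windows-PowerShell/Operational"


def share_name(ev):
    """5140 carries the share as a UNC path; compare on the last component."""
    return ev.get("ShareName", "").rsplit("\\", 1)[-1].upper()


def own_or_empty_name(ev, hostname):
    """3008 exclusions: empty query names and the machine's own name."""
    q = ev.get("QueryName", "").strip().lower()
    return q == "" or q.split(".")[0] == hostname.lower()


# (channel, event ID, description, keep). keep(event, hostname) returns True
# when the rule keeps the event; it only runs after channel and ID match.
RULES = [
    (SEC, 4624, "Local logons without network or service events",
     lambda e, h: e["LogonType"] not in (LOGON_NETWORK, LOGON_SERVICE)),
    (SEC, 4624, "Network logon events",
     lambda e, h: e["LogonType"] == LOGON_NETWORK),
    (SEC, 4624, "Service logons by accounts other than the built-in service accounts",
     lambda e, h: e["LogonType"] == LOGON_SERVICE
     and e["TargetUserSid"] not in BUILTIN_SERVICE_ACCOUNTS),
    (SEC, 5140, "Network share object access without IPC$ and Netlogon shares",
     lambda e, h: share_name(e) not in {"IPC$", "NETLOGON"}),
    (SEC, 4672, "Special privileges assigned to new logon, excluding LocalSystem",
     lambda e, h: e["SubjectUserSid"] != LOCAL_SYSTEM),
    (SEC, 1102, "Security log cleared", lambda e, h: True),
    (SEC, 4688, "Process create", lambda e, h: True),
    (DNS, 3008, "DNS query completed", lambda e, h: not own_or_empty_name(e, h)),
    (PS, 4104, "PowerShell remote command", lambda e, h: True),
]


def matching_rules(ev, hostname):
    """Descriptions of every rule that keeps this event."""
    return [desc for ch, eid, desc, keep in RULES
            if ev["Channel"] == ch and ev["EventID"] == eid and keep(ev, hostname)]


def select(events, hostname):
    """(event ID, matching rule descriptions) for each event the rules keep."""
    kept = []
    for ev in events:
        hits = matching_rules(ev, hostname)
        if hits:
            kept.append((ev["EventID"], hits))
    return kept


# Constructed sample records (SIDs and names are made up).
USER = "S-1-5-21-1004336348-1177238915-682003330-1001"
SVC = "S-1-5-21-1004336348-1177238915-682003330-1050"
ADMIN = "S-1-5-21-1004336348-1177238915-682003330-500"

SAMPLE_EVENTS = [
    {"Channel": SEC, "EventID": 4624, "LogonType": 2, "TargetUserSid": USER},          # kept: local
    {"Channel": SEC, "EventID": 4624, "LogonType": 3, "TargetUserSid": USER},          # kept: network
    {"Channel": SEC, "EventID": 4624, "LogonType": 5, "TargetUserSid": LOCAL_SYSTEM},  # dropped
    {"Channel": SEC, "EventID": 4624, "LogonType": 5, "TargetUserSid": SVC},           # kept: service
    {"Channel": SEC, "EventID": 5140, "ShareName": "\\\\*\\IPC$"},                     # dropped
    {"Channel": SEC, "EventID": 5140, "ShareName": "\\\\*\\C$"},                       # kept
    {"Channel": SEC, "EventID": 4672, "SubjectUserSid": LOCAL_SYSTEM},                 # dropped
    {"Channel": SEC, "EventID": 4672, "SubjectUserSid": ADMIN},                        # kept
    {"Channel": DNS, "EventID": 3008, "QueryName": ""},                                # dropped: empty
    {"Channel": DNS, "EventID": 3008, "QueryName": "WS01.corp.example"},               # dropped: own name
    {"Channel": DNS, "EventID": 3008, "QueryName": "updates.example.net"},             # kept
    {"Channel": "Application", "EventID": 1000},                                       # no rule here
    {"Channel": SEC, "EventID": 1102},                                                 # kept
]

if __name__ == "__main__":
    for eid, hits in select(SAMPLE_EVENTS, "ws01"):
        print(eid, hits)
```

The predicates are one reasonable reading of the table's wording; when validating a collector, feed it a logon of each type and a share access to IPC$ and check which rows of the table it actually honours, since the difference between "4624 local logons" and "4624 network logons" is a field inside the event, not the event ID.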

Additional Endpoint Data Collected for Mac Endpoints

Files
  Events:
    • Create
    • Write
    • Delete
    • Rename
    • Move
    • Open
  Attributes:
    • Full path of the modified file before and after modification
    • SHA256 and MD5 hash for the file after modification
Process
  Events:
    • Start
    • Stop
  Attributes:
    • Process ID (PID) of the parent process
    • PID of the process
    • Full path
    • Command line arguments
    • Integrity level, to determine whether the process is running with elevated privileges
    • Hash (SHA256 and MD5)
    • Signature or signing certificate details
Network
  Events:
    • Accept
    • Connect
    • Connect failure
    • Disconnect
    • Listen
    • Statistics
  Attributes:
    • Source IP address and port
    • Destination IP address and port
    • Failed connection
    • Protocol (TCP/UDP)
    • Aggregated send/receive statistics for the connection

Additional Endpoint Data Collected for Linux Endpoints

Files
  Events:
    • Create
    • Open
    • Write
    • Delete
  Attributes:
    • Full path of the file
    • Hash of the file (for specific files only, and only if the file was written)
  Events:
    • Copy
    • Move (rename)
  Attributes:
    • Full paths of both the original and the modified files
  Events:
    • Change owner (chown)
    • Change mode (chmod)
  Attributes:
    • Full path of the file
    • Newly set owner/attributes
Network
  Events:
    • Listen
    • Accept
    • Connect
    • Connect failure
    • Disconnect
  Attributes:
    • Source IP address and port, for explicit binds
    • Destination IP address and port
    • Failed TCP connections
    • Protocol (TCP/UDP)
Process
  Events:
    • Start
  Attributes:
    • PID of the child process
    • PID of the parent process
    • Full image path of the process
    • Command line of the process
    • Hash of the image (SHA256 and MD5)
  Events:
    • Stop
  Attributes:
    • PID of the stopped process
