Alert Notification Format

Cortex XDR Agent alerts are forwarded to external data resources in one of three formats, depending on the destination: email, Slack, or syslog (CEF). Each format is described below.

Email Account
Alert notifications are sent to email accounts according to the settings you configured when you Configure Notification Forwarding. If only one alert is in the queue when the notification is sent, the single alert email format is used. If more than one alert was grouped within the notification time frame, all the alerts in the queue are forwarded together in the grouped email format. Each email also includes a code snippet containing the alert fields, matching the columns of the Alerts table.
Single Alert Email Example

Email Subject: Alert: <alert_name>

Email Body:
Alert Name: Suspicious Process Creation
Severity: High
Source: XDR Agent
Category: Malware
Action: Detected
Host: <host name>
Username: <user name>
Excluded: No
Starred: Yes
Alert: <link to Cortex XDR app alert view>
Incident: <link to Cortex XDR app incident view>
Grouped Alert Email Example

Email Subject: Alerts: <first_highest_severity_alert> + x others

Email Body:
Alert Name: Suspicious Process Creation
Severity: High
Source: XDR Agent
Category: Malware
Action: Detected
Host: <host name>
Username: <user name>
Excluded: No
Starred: Yes
Alert: <link to Cortex XDR app alert view>
Incident: <link to Cortex XDR app incident view>

Alert Name: Behavioral Threat Protection
Alert ID: 2412
Description: A really cool detection
Severity: Medium
Source: XDR Agent
Category: Exploit
Action: Prevented
Host: <host name>
Starred: Yes
Alert: <link to Cortex XDR app alert view>
Incident: <link to Cortex XDR app incident view>

Notification Name: "My notification policy 2"
Notification Description: "Starred alerts with medium severity"
Email Body Example (alert JSON snippet)

The code snippet included in the email body carries the full alert record. Values in angle brackets are placeholders; `<Parent ID>` and `<Internal ID>` stand for numbers, so the snippet as printed is not valid JSON until they are filled in. The `original_alert_json` object is the raw agent record; the top-level fields are the normalized alert, where per-event fields (`actor_*`, `causality_actor_*`, `action_*`, `os_actor_*`, `event_*`) are arrays with one entry per event (`events_length`).

{
  "original_alert_json": {
    "uuid": "<UUID Value>",
    "recordType": "threat",
    "customerId": "<Customer ID>",
    "severity": 4,
    "generatedTime": "2020-11-03T07:46:03.166000Z",
    "originalAgentTime": "2020-11-03T07:46:01.372974700Z",
    "serverTime": "2020-11-03T07:46:03.312633",
    "isEndpoint": 1,
    "agentId": "<agent ID>",
    "endPointHeader": {
      "osVersion": "<OS version>",
      "agentIp": "<Agent IP Address>",
      "deviceName": "<Device Name>",
      "agentVersion": "<Agent Version>",
      "contentVersion": "152-40565",
      "policyTag": "<Policy Tag Value>",
      "securityStatus": 0,
      "protectionStatus": 0,
      "dataCollectionStatus": 1,
      "isolationStatus": 0,
      "agentIpList": [ "<IP Address>" ],
      "addresses": [ { "ip": [ "<IP Address>" ], "mac": "<Mac ID>" } ],
      "liveTerminalEnabled": true,
      "scriptExecutionEnabled": true,
      "fileRetrievalEnabled": true,
      "agentLocation": 0,
      "fileSearchEnabled": false,
      "deviceDomain": "env21.local",
      "userName": "Aragorn",
      "userDomain": "env21.local",
      "userSid": "<User SID>",
      "osType": 1,
      "is64": 1,
      "isVdi": 0,
      "agentId": "<Agent ID>",
      "agentTime": "2020-11-03T07:46:03.166000Z",
      "tzOffset": 120
    },
    "messageData": {
      "eventCategory": "prevention",
      "moduleId": "COMPONENT_WILDFIRE",
      "moduleStatusId": "CYSTATUS_MALICIOUS_EXE",
      "preventionKey": "<Prevention Key>",
      "processes": [
        {
          "pid": 111,
          "parentId": <Parent ID>,
          "exeFileIdx": 0,
          "userIdx": 0,
          "commandLine": "\"C:\\<file path>\\test.exe\" ",
          "instanceId": "<Instance ID>",
          "terminated": 0
        }
      ],
      "files": [
        {
          "rawFullPath": "C:\\<file path>\\test.exe",
          "fileName": "test.exe",
          "sha256": "<SHA256 Value>",
          "fileSize": "12800",
          "innerObjectSha256": "<SHA256 Value>"
        }
      ],
      "users": [
        {
          "userName": "<User Name>",
          "userDomain": "<Domain Name>",
          "domainUser": "<Domain Name>\\<User Name>"
        }
      ],
      "urls": [],
      "postDetected": 0,
      "sockets": [],
      "containers": [],
      "techniqueId": [],
      "tacticId": [],
      "modules": [],
      "javaStackTrace": [],
      "terminate": 0,
      "block": 0,
      "eventParameters": [
        "C:\\<file path>\\test.exe",
        "B30--A56B9F",
        "B30--A56B9F",
        "1"
      ],
      "sourceProcessIdx": 0,
      "fileIdx": 0,
      "verdict": 1,
      "canUpload": 0,
      "preventionMode": "reported",
      "trapsSeverity": 2,
      "profile": "Malware",
      "description": "WildFire Malware",
      "cystatusDescription": "Suspicious executable detected",
      "sourceProcess": {
        "user": {
          "userName": "<User Name>",
          "userDomain": "<Domain Name>",
          "domainUser": "<Domain Name>\\<User Name>"
        },
        "pid": 1111,
        "parentId": <Parent ID>,
        "exeFileIdx": 0,
        "userIdx": 0,
        "commandLine": "\"C:\\<file path>\\test.exe\" ",
        "instanceId": "<Instance ID>",
        "terminated": 0,
        "rawFullPath": "C:\\<file path>\\Test.exe",
        "fileName": "test.exe",
        "sha256": "<SHA256 Value>",
        "fileSize": "12800",
        "innerObjectSha256": "<SHA256 Value>"
      },
      "policyId": "<Policy ID>"
    }
  },
  "internal_id": <Internal ID>,
  "external_id": "<External ID>",
  "severity": "SEV_030_MEDIUM",
  "matching_status": "MATCHED",
  "end_match_attempt_ts": 1604389636437,
  "alert_source": "TRAPS",
  "local_insert_ts": 1604570760,
  "source_insert_ts": 160470366,
  "alert_name": "WildFire Malware",
  "alert_category": "Malware",
  "alert_description": "Suspicious executable detected",
  "bioc_indicator": null,
  "matching_service_rule_id": null,
  "attempt_counter": 1,
  "bioc_category_enum_key": null,
  "alert_action_status": "REPORTED",
  "case_id": 111,
  "is_whitelisted": false,
  "starred": false,
  "deduplicate_tokens": null,
  "filter_rule_id": null,
  "mitre_technique_id_and_name": [ "" ],
  "mitre_tactic_id_and_name": [ "" ],
  "agent_id": "80d2e314c92f6",
  "agent_version": "7.2.1.2718",
  "agent_ip_addresses": [ "10.208.213.137" ],
  "agent_hostname": "<Agent Hostname>",
  "agent_device_domain": "<Device Domain>",
  "agent_fqdn": "<FQDN Value>",
  "agent_os_type": "AGENT_OS_WINDOWS",
  "agent_os_sub_type": "<Operating System Sub-Type>",
  "agent_data_collection_status": true,
  "mac": "<Mac ID>",
  "agent_is_vdi": null,
  "agent_install_type": "STANDARD",
  "agent_host_boot_time": [ 1604446615 ],
  "event_sub_type": null,
  "module_id": [ "WildFire" ],
  "association_strength": null,
  "dst_association_strength": null,
  "story_id": null,
  "is_disintegrated": null,
  "event_id": null,
  "event_type": [ 1 ],
  "event_timestamp": [ 1604389563166 ],
  "actor_effective_username": [ "<Domain Name>\\<User Name>" ],
  "actor_process_instance_id": [ "<Actor>/<Instance ID>" ],
  "actor_process_image_path": [ "C:\\<file path>\\test.exe" ],
  "actor_process_image_name": [ "test.exe" ],
  "actor_process_command_line": [ "\"C:\\<file path>\\test.exe\" " ],
  "actor_process_signature_status": [ "SIGNATURE_UNSIGNED" ],
  "actor_process_signature_vendor": null,
  "actor_process_image_sha256": [ "<SHA256 Value>" ],
  "actor_process_image_md5": [ "<MD5 Value>" ],
  "actor_process_causality_id": [ "<Actor>/<Causality ID>" ],
  "actor_causality_id": null,
  "actor_process_os_pid": [ 1111 ],
  "actor_thread_thread_id": [ 1222 ],
  "causality_actor_process_image_name": [ "test1.exe" ],
  "causality_actor_process_command_line": [ "C:\\<file path>\\test1.EXE" ],
  "causality_actor_process_image_path": [ "C:\\<file path>\\test1.exe" ],
  "causality_actor_process_signature_vendor": [ "Microsoft Corporation" ],
  "causality_actor_process_signature_status": [ "SIGNATURE_SIGNED" ],
  "causality_actor_causality_id": [ "AdaxtV/iNIMAAAc8AAAAAA==" ],
  "causality_actor_process_execution_time": [ 1604389557724 ],
  "causality_actor_process_image_md5": null,
  "causality_actor_process_image_sha256": [ "<SHA256 Value>" ],
  "action_file_path": null,
  "action_file_name": null,
  "action_file_md5": null,
  "action_file_sha256": null,
  "action_file_macro_sha256": null,
  "action_registry_data": null,
  "action_registry_key_name": null,
  "action_registry_value_name": null,
  "action_registry_full_key": null,
  "action_local_ip": null,
  "action_local_port": null,
  "action_remote_ip": null,
  "action_remote_port": null,
  "action_external_hostname": null,
  "action_country": [ "UNKNOWN" ],
  "action_process_instance_id": null,
  "action_process_causality_id": null,
  "action_process_image_name": null,
  "action_process_image_sha256": null,
  "action_process_image_command_line": null,
  "action_process_signature_status": [ "SIGNATURE_UNAVAILABLE" ],
  "action_process_signature_vendor": null,
  "os_actor_effective_username": null,
  "os_actor_process_instance_id": null,
  "os_actor_process_image_path": null,
  "os_actor_process_image_name": null,
  "os_actor_process_command_line": null,
  "os_actor_process_signature_status": [ "SIGNATURE_UNAVAILABLE" ],
  "os_actor_process_signature_vendor": null,
  "os_actor_process_image_sha256": null,
  "os_actor_process_causality_id": null,
  "os_actor_causality_id": null,
  "os_actor_process_os_pid": null,
  "os_actor_thread_thread_id": [ 1396 ],
  "fw_app_id": null,
  "fw_interface_from": null,
  "fw_interface_to": null,
  "fw_rule": null,
  "fw_rule_id": null,
  "fw_device_name": null,
  "fw_serial_number": null,
  "fw_url_domain": null,
  "fw_email_subject": null,
  "fw_email_sender": null,
  "fw_email_recipient": null,
  "fw_app_subcategory": null,
  "fw_app_category": null,
  "fw_app_technology": null,
  "fw_vsys": null,
  "fw_xff": null,
  "fw_misc": null,
  "fw_is_phishing": [ "NOT_AVAILABLE" ],
  "dst_agent_id": null,
  "dst_causality_actor_process_execution_time": null,
  "dns_query_name": null,
  "dst_action_external_hostname": null,
  "dst_action_country": null,
  "dst_action_external_port": null,
  "is_pcap": null,
  "contains_featured_host": [ "NO" ],
  "contains_featured_user": [ "YES" ],
  "contains_featured_ip": [ "YES" ],
  "events_length": 1,
  "is_excluded": false
}
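The snippet above is what a consumer of these emails actually has to work with. The following Python is an added example, not code from this page or from Palo Alto Networks, that reduces such a snippet to a triage record: it reads the per-event array fields, derives the severity order from the numeric part of values like `SEV_030_MEDIUM`, drops the empty-string entries in the MITRE fields (an empty string there means "no mapping", not a technique), checks that the hash reported at the top level matches the file inside `original_alert_json`, and flags alerts whose `preventionMode` is `reported` with no `block` or `terminate`, because in that case the executable actually ran. `SAMPLE_ALERT` is a constructed, trimmed copy of the snippet with made-up values in place of the placeholders; `triage`, `first`, `severity_rank`, `mitre_tags` and `triage_from_email_snippet` are names chosen here.

```python
import json

FAKE_SHA256 = "c0ffee" + "0" * 58  # constructed placeholder, not a real file hash

# Constructed sample: a trimmed copy of the email-body JSON shown on this page
# with the <placeholder> values replaced by made-up data. Not a real alert.
SAMPLE_ALERT = {
    "original_alert_json": {
        "recordType": "threat",
        "endPointHeader": {"deviceName": "WS-0421", "isolationStatus": 0},
        "messageData": {
            "eventCategory": "prevention",
            "moduleId": "COMPONENT_WILDFIRE",
            "preventionMode": "reported",   # agent only reported, did not block
            "terminate": 0,
            "block": 0,
            "files": [{"rawFullPath": "C:\\Users\\Aragorn\\Downloads\\test.exe",
                       "fileName": "test.exe", "sha256": FAKE_SHA256, "fileSize": "12800"}],
        },
    },
    "external_id": "a1b2c3",
    "severity": "SEV_030_MEDIUM",
    "alert_source": "TRAPS",
    "alert_name": "WildFire Malware",
    "alert_category": "Malware",
    "alert_action_status": "REPORTED",
    "is_whitelisted": False,
    "is_excluded": False,
    "starred": False,
    "mitre_technique_id_and_name": [""],   # an empty string, not an empty list
    "mitre_tactic_id_and_name": [""],
    "agent_hostname": "WS-0421",
    "actor_effective_username": ["env21.local\\Aragorn"],
    "actor_process_image_path": ["C:\\Users\\Aragorn\\Downloads\\test.exe"],
    "actor_process_signature_status": ["SIGNATURE_UNSIGNED"],
    "actor_process_image_sha256": [FAKE_SHA256],
    "actor_process_causality_id": ["AdaxtV/iNIMAAAc8AAAAAA=="],
    "actor_process_os_pid": [1111],
    "causality_actor_process_image_name": ["test1.exe"],
    "causality_actor_process_signature_status": ["SIGNATURE_SIGNED"],
    "causality_actor_process_signature_vendor": ["Microsoft Corporation"],
    "events_length": 1,
}


def first(alert, key):
    """Per-event fields are arrays (one entry per event, see events_length);
    return the first entry, or None when the field is null or absent."""
    value = alert.get(key)
    if isinstance(value, list):
        return value[0] if value else None
    return value


def severity_rank(severity):
    """'SEV_030_MEDIUM' -> (30, 'MEDIUM'); the number gives the ordering."""
    _, number, label = severity.split("_", 2)
    return int(number), label


def mitre_tags(alert):
    """Drop the empty-string placeholders so they are never treated as techniques."""
    tags = (alert.get("mitre_technique_id_and_name") or []) + \
           (alert.get("mitre_tactic_id_and_name") or [])
    return [t for t in tags if t]


def triage(alert):
    """Reduce an alert snippet to the fields an analyst needs to act on it."""
    original = alert["original_alert_json"]
    msg = original.get("messageData", {})
    rank, label = severity_rank(alert["severity"])
    sha256 = first(alert, "actor_process_image_sha256")
    file_hashes = {f.get("sha256") for f in msg.get("files", [])}
    suppressed = bool(alert.get("is_excluded")) or bool(alert.get("is_whitelisted"))
    # 'reported' with neither block nor terminate means the executable actually ran
    still_ran = (msg.get("preventionMode") == "reported"
                 and not msg.get("block") and not msg.get("terminate"))
    return {
        "alert": alert["alert_name"],
        "severity": label,
        "severity_rank": rank,
        "action": alert.get("alert_action_status"),
        "suppressed": suppressed,
        "needs_containment": still_ran and not suppressed,
        "host": alert.get("agent_hostname"),
        "host_isolated": bool(original.get("endPointHeader", {}).get("isolationStatus")),
        "user": first(alert, "actor_effective_username"),
        "process": first(alert, "actor_process_image_path"),
        "process_signature": first(alert, "actor_process_signature_status"),
        "sha256": sha256,
        "hash_consistent": sha256 in file_hashes,
        "parent": "%s (%s, %s)" % (first(alert, "causality_actor_process_image_name"),
                                   first(alert, "causality_actor_process_signature_status"),
                                   first(alert, "causality_actor_process_signature_vendor")),
        "causality_id": first(alert, "actor_process_causality_id"),
        "mitre": mitre_tags(alert),
        "events": alert.get("events_length"),
    }


def triage_from_email_snippet(text):
    """Entry point for the raw JSON text copied out of an email."""
    return triage(json.loads(text))


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ALERT), indent=2))
```

The `hash_consistent` check and the `needs_containment` flag are the two things worth automating: the first catches snippets where the normalized fields and the raw agent record disagree (or where a placeholder was never filled), and the second turns "Action: Detected" into a concrete instruction to isolate the host or kill the process.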

Slack Channel

You can send alert notifications to a single Slack contact or to a Slack channel. The notification content is the same as the email format.

Syslog Server

Alert notifications forwarded to a syslog server are sent as CEF (Common Event Format) messages carried in an RFC 5424 syslog header. Each message has three sections:

Section | Description |
---|---|
Syslog Header | RFC 5424 header: PRI in angle brackets, VERSION, TIMESTAMP, HOSTNAME, APP-NAME, PROCID, MSGID and STRUCTURED-DATA, separated by spaces. In the example, `<177>1 2020-10-04T10:06:55.192016Z cortexxdr - - - -`: PRI 177 decodes to facility 22 (local6) and severity 1 (alert), the version is 1, the hostname is `cortexxdr`, and APP-NAME, PROCID, MSGID and STRUCTURED-DATA are empty (`-`). |
CEF Header | Seven fields separated by a vertical bar: CEF version, Device Vendor, Device Product, Device Version, Signature ID, Name and Severity. In the example these are 0, Palo Alto Networks, Cortex XDR, Cortex XDR 2.4, XDR Analytics (the alert source), High Connection Rate (the alert name) and 6 (the CEF severity). A literal bar inside a header field is escaped with a backslash. |
CEF Body | The CEF extension: `key=value` pairs separated by spaces. Values can themselves contain spaces (`cs1Label=Initiated by`, the `cs2` command line), so consumers must tokenize on keys rather than on spaces; `=` and `\` inside a value are escaped as `\=` and `\\`. The custom string fields `cs1` to `cs6` are named by their `csNLabel` partners (Initiated by, Initiator CMD, Signature, CGO name, CGO CMD, CGO Signature). Standard keys carry the connection, host and file details (`src`, `spt`, `dst`, `dpt`, `shost`, `suser`, `fileHash`, `filePath`, `act`, `externalId`, `request`), and Cortex-specific keys such as `tenantname`, `initiatorSha256`, `cgoSha256`, `osParentName`, `osParentSha256` and `incident` carry the causality chain and the incident ID. |

Example

<177>1 2020-10-04T10:06:55.192016Z cortexxdr - - - - CEF:0|Palo Alto Networks|Cortex XDR|Cortex XDR 2.4|XDR Analytics|High Connection Rate|6|end=1601792870694 shost=WGHRAMG deviceFacility=None cat=Discovery externalId=98106342 request=https://iga-bh.xdr.eu.paloaltonetworks.com/alerts/98106342 cs1=iexplore.exe cs1Label=Initiated by cs2="C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE" SCODEF:11844 CREDAT:82946 /prefetch:2 cs2Label=Initiator CMD cs3=Microsoft CorporationSIGNATURE_SIGNED- cs3Label=Signature cs4=iexplore.exe cs4Label=CGO name cs5="C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE" SCODEF:11844 CREDAT:82946 /prefetch:2 cs5Label=CGO CMD cs6=Microsoft CorporationSIGNATURE_SIGNED- cs6Label=CGO Signature dst=10.12.4.37 dpt=8000 src=10.10.28.140 spt=58003 fileHash=e582676ec900249b408ab4e37976ae8c443635a7da77755daf6f896a172856a3 filePath=C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe targetprocesssignature=NoneSIGNATURE_UNAVAILABLE- tenantname=iGA tenantCDLid=1021319191 CSPaccountname=Information & eGovernment Authority initiatorSha256=e582676ec900249b408ab4e37976ae8c443635a7da77755daf6f896a172856a3 initiatorPath=C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe cgoSha256=e582676ec900249b408ab4e37976ae8c443635a7da77755daf6f896a172856a3 osParentName=iexplore.exe osParentCmd="C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE" SCODEF:11844 CREDAT:82946 /prefetch:2 osParentSha256=e582676ec900249b408ab4e37976ae8c443635a7da77755daf6f896a172856a3 osParentSignature=SIGNATURE_SIGNED osParentSigner=Microsoft Corporation incident=118719 act=Detected suser=['root']

The message is a single syslog line; backslashes in the Windows paths are CEF-escaped as `\\`. Note that `cs3`, `cs6` and `targetprocesssignature` concatenate the signer name and the signature status with no separator (`Microsoft CorporationSIGNATURE_SIGNED-`), so a consumer that needs them apart has to split on the `SIGNATURE_` token.
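To show how the three sections come apart in practice, here is an added Python parser, not code from this page or from Palo Alto Networks, that takes a line like the example above and returns the syslog header (with PRI decoded into facility and severity), the seven CEF header fields (honoring the backslash escape for a bar), and the extension as a dictionary, correctly handling values that contain spaces and pairing each `csN` with its `csNLabel`. `SAMPLE` is a trimmed copy of the example line above written as a Python literal; `parse_cef_syslog`, `parse_extension` and `CefAlert` are names chosen here.

```python
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the example line above, written as a
# Python literal. Backslashes inside values keep the CEF escape form (\\).
SAMPLE = (
    "<177>1 2020-10-04T10:06:55.192016Z cortexxdr - - - - "
    "CEF:0|Palo Alto Networks|Cortex XDR|Cortex XDR 2.4|XDR Analytics|High Connection Rate|6|"
    "end=1601792870694 shost=WGHRAMG deviceFacility=None cat=Discovery externalId=98106342 "
    "cs1=iexplore.exe cs1Label=Initiated by "
    "cs2=\"C:\\\\Program Files (x86)\\\\Internet Explorer\\\\IEXPLORE.EXE\" SCODEF:11844 CREDAT:82946 /prefetch:2 "
    "cs2Label=Initiator CMD cs3=Microsoft CorporationSIGNATURE_SIGNED- cs3Label=Signature "
    "dst=10.12.4.37 dpt=8000 src=10.10.28.140 spt=58003 "
    "fileHash=e582676ec900249b408ab4e37976ae8c443635a7da77755daf6f896a172856a3 "
    "incident=118719 act=Detected"
)

CEF_HEADER_FIELDS = ("cef_version", "device_vendor", "device_product",
                     "device_version", "signature_id", "name", "severity")

# RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ver>\d+) (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>-|\[.*\]) (?P<msg>CEF:.*)$"
)
UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
# an extension key sits at the start or after a space and is followed by an unescaped '='
EXT_KEY = re.compile(r"(?:^|(?<= ))([A-Za-z0-9_.]+)=")


@dataclass
class CefAlert:
    facility: int          # PRI // 8  (22 = local6 in the example)
    syslog_severity: int   # PRI % 8   (1 = alert in the example)
    timestamp: str
    hostname: str
    header: dict           # the seven CEF header fields
    extension: dict        # key=value pairs from the CEF body

    def labeled(self):
        """Map csN-style custom fields to the names given by their *Label keys."""
        return {label: self.extension[key[:-5]]
                for key, label in self.extension.items()
                if key.endswith("Label") and key[:-5] in self.extension}


def _unescape(value):
    # CEF escapes: \\ -> \, \= -> =, \| -> |, \n and \r -> newline / CR
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext):
    """Split 'k1=v1 k2=v2 ...' where values may contain spaces (cs2 above does):
    locate the keys first, then take everything up to the next key as the value."""
    keys = list(EXT_KEY.finditer(ext))
    out = {}
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].rstrip(" "))
    return out


def parse_cef_syslog(line):
    sys_m = SYSLOG_RE.match(line)
    if not sys_m:
        raise ValueError("not an RFC 5424 syslog line carrying a CEF message")
    pri = int(sys_m.group("pri"))
    # the 8th piece is the extension; maxsplit keeps any '|' inside it intact
    parts = UNESCAPED_PIPE.split(sys_m.group("msg"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    header = dict(zip(CEF_HEADER_FIELDS, (_unescape(p) for p in parts[:7])))
    header["cef_version"] = parts[0][len("CEF:"):]
    return CefAlert(
        facility=pri // 8, syslog_severity=pri % 8,
        timestamp=sys_m.group("ts"), hostname=sys_m.group("host"),
        header=header, extension=parse_extension(parts[7]),
    )


if __name__ == "__main__":
    alert = parse_cef_syslog(SAMPLE)
    print(alert.facility, alert.syslog_severity, alert.header["name"])
    print(alert.labeled())
```

Two details matter for a SIEM ingest: the PRI of 177 means these messages arrive as local6.alert, so a receiver that filters by facility must accept local6; and the extension must be tokenized on keys rather than on whitespace, or every Windows command line (`cs2`, `cs5`, `osParentCmd`) is silently truncated at its first space.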