Alert Notification Format

Cortex XDR Agent alerts are forwarded to external data resources in the email, Slack, or syslog format described below.

Email Account

Alert notifications are sent to email accounts according to the settings you configured when you Configure Notification Forwarding. If only one alert is in the queue, the single-alert email format is sent. If more than one alert was grouped within the time frame, all alerts in the queue are forwarded together in the grouped email format. Emails also include a code snippet listing the alert fields, following the columns of the Alert table.

Single Alert Email

Email Subject: Alert: <alert_name>

Email Body:
Alert Name: Suspicious Process Creation
Alert ID: 2411
Description: Suspicious process creation detected
Severity: High
Source: XDR Agent
Category: Malware
Action: Detected
Host: WIN-RN4A1D7IM6L
Starred: Yes
Alert: https://xdr20apac.xdr.eu.paloaltonetworks.com/alerts/5463 (causality view)
Incident: https://xdr20apac.xdr.eu.paloaltonetworks.com/incident-view/31 (null if no incident exists)

Grouped Alert Email

Email Subject: Alerts: <first_highest_severity_alert> + x others

Email Body:
Alert Name: Suspicious Process Creation
Alert ID: 2411
Description: Suspicious process creation detected
Severity: High
Source: XDR Agent
Category: Malware
Action: Detected
Host: WIN-RN4A1D7IM6L
Starred: Yes
Alert: <link to Cortex XDR app alert view>
Incident: <link to Cortex XDR app incident view>

Alert Name: Behavioral Threat Protection
Alert ID: 2412
Description: A really cool detection
Severity: Medium
Source: XDR Agent
Category: Exploit
Action: Prevented
Host: WIN-RN4A1D7IM6L
Starred: Yes
Alert: <link to Cortex XDR app alert view>
Incident: <link to Cortex XDR app incident view>

Notification Name: “My notification policy 2”
Notification Description: “Starred alerts with medium severity”

Slack Channel

You can send alert notifications to a single Slack contact or a Slack channel. Notifications are similar to the email format.

Syslog Server

Alert notifications forwarded to a Syslog server are sent in CEF format (RFC 5425). The message is made up of the following sections.
Syslog Header:
  <9>: PRI (priority field)
  1: version number
  2020-03-22T07:55:07.964311Z: timestamp of when the alert/log was sent
  cortexxdr: host name

CEF Header:
  HEADER/Vendor="Palo Alto Networks" (as a constant string)
  HEADER/Device Product="Cortex XDR" (as a constant string)
  HEADER/Product Version=Cortex XDR version (2.0/2.1, ...)
  HEADER/Severity=severity (informational/low/medium/high)
  HEADER/Device Event Class ID=alert source
  HEADER/name=alert name

CEF Body:
  end=timestamp
  shost=host
  suser=username
  deviceFacility=event type
  act=action
  cat=category
  msg=description
  externalId=alert id
  request=alert link
  flexString1=starred
  flexString1Label="Starred" (as a constant string)
  flexString2=excluded
  flexString2Label="Excluded" (as a constant string)
  cs1=initiated by
  cs1Label="Initiated by" (as a constant string)
  cs2=initiator cmd
  cs2Label="Initiator CMD" (as a constant string)
  cs3=string.concat(initiator sig, initiator signer, "-")
  cs3Label="Signature" (as a constant string)
  cs4=CGO name
  cs4Label="CGO name" (as a constant string)
  cs5=cgo cmd
  cs5Label="CGO CMD" (as a constant string)
  cs6=string.concat(cgo sig, cgo signer, "-")
  cs6Label="CGO Signature" (as a constant string)
  dst=remote ip
  dpt=remote port
  dhost=remote host
  src=local ip
  spt=local port
  app=app id
  registrydata=registrydata
  registryfullkey=registryfullkey
  targetprocessname=targetprocessname
  targetprocesscmd=targetprocesscmd
  targetprocesssignature=string.concat(target process sig, target process signer, "-")
  targetprocesssha256=targetprocesssha256
  tenantname=tenantname
  tenantCDLid=tenantCDLid
  CSPaccountname=CSPaccountname
  fileHash=file sha256
  filePath=file path
Example

3/18/20 6:22:53.000 PM
CEF:0|Palo Alto Networks|Cortex XDR|Cortex XDR x.x |XDR Agent|Example Cortex XDR Alert|5|end=1581471661000 shost=3D4WRQ2 suser=acme\\user deviceFacility=None cat=Restrictions externalId=11148 request=https://test.xdr.us.paloaltonetworks.com/alerts/11111 cs1=example.exe cs1Label=Initiated by cs2=example.exe cs2Label=Initiator CMD cs3=Microsoft CorporationSIGNATURE_SIGNED- cs3Label=Signature cs4=cmd.exe cs4Label=CGO name cs5=C:\\this\\is\\example.exe /c ""\\\\host1\\files\\example.bat" " cs5Label=CGO CMD cs6=Microsoft CorporationSIGNATURE_SIGNED- cs6Label=CGO Signature targetprocesssignature=N/ASIGNATURE_UNAVAILABLE- tenantname=E2ETest3 tenantCDLid=1399816473 CSPaccountname=Palo Alto Networks - PANW-XDR-BETA10 act=Detected (Reported)
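The parser below is an added example, not Palo Alto Networks code. It takes a syslog line laid out as the Syslog Header and CEF sections above describe, splits the seven pipe-delimited CEF header fields (honouring the `\|` and `\\` escapes CEF defines for the header), parses the extension into key/value pairs (values may contain spaces, as the cs5 command line in the example does, and `\=` / `\\` are unescaped), and pairs each csN/flexStringN value with its *Label key so that a SIEM rule can refer to "CGO CMD" instead of "cs5". The CEF portion of the sample is the documentation's example; the syslog header in front of it (PRI, version, timestamp and host name followed directly by the CEF message) and all function names are assumptions.

```python
"""Parse a Cortex XDR alert received over syslog in CEF format (added example)."""
import re
from datetime import datetime, timezone

# Constructed sample: an assumed syslog header (fields from the table above) + the
# documentation's example CEF message. Backslashes are doubled as CEF requires.
SAMPLE = (
    r'<9>1 2020-03-22T07:55:07.964311Z cortexxdr '
    r'CEF:0|Palo Alto Networks|Cortex XDR|Cortex XDR x.x |XDR Agent|Example Cortex XDR Alert|5|'
    r'end=1581471661000 shost=3D4WRQ2 suser=acme\\user deviceFacility=None cat=Restrictions '
    r'externalId=11148 request=https://test.xdr.us.paloaltonetworks.com/alerts/11111 '
    r'cs1=example.exe cs1Label=Initiated by cs2=example.exe cs2Label=Initiator CMD '
    r'cs3=Microsoft CorporationSIGNATURE_SIGNED- cs3Label=Signature cs4=cmd.exe cs4Label=CGO name '
    r'cs5=C:\\this\\is\\example.exe /c ""\\\\host1\\files\\example.bat" " cs5Label=CGO CMD '
    r'cs6=Microsoft CorporationSIGNATURE_SIGNED- cs6Label=CGO Signature '
    r'targetprocesssignature=N/ASIGNATURE_UNAVAILABLE- tenantname=E2ETest3 tenantCDLid=1399816473 '
    r'CSPaccountname=Palo Alto Networks - PANW-XDR-BETA10 act=Detected (Reported)'
)

# <PRI>VERSION TIMESTAMP HOSTNAME rest  (assumed layout, per the Syslog Header section)
_SYSLOG_RE = re.compile(r'^<(\d{1,3})>(\d+)\s+(\S+)\s+(\S+)\s+(.*)$', re.DOTALL)
# An extension key is a token that follows whitespace (or the start) and ends in '='.
_EXT_KEY_RE = re.compile(r'(?:^|\s)([A-Za-z0-9_.\-]+)=')
_HEADER_NAMES = ("vendor", "product", "device_version", "signature_id", "name", "severity")


def cef_unescape(value: str) -> str:
    """Undo extension escaping: \\\\ -> \\, \\= -> =, \\n / \\r -> newline / CR."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append({"n": "\n", "r": "\r"}.get(nxt, nxt))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def split_cef_header(msg: str):
    """Return the 7 header fields (with \\| and \\\\ unescaped) and the raw extension."""
    fields, cur, i = [], [], 0
    while i < len(msg) and len(fields) < 7:
        ch = msg[i]
        if ch == "\\" and i + 1 < len(msg) and msg[i + 1] in "|\\":
            cur.append(msg[i + 1])
            i += 2
            continue
        if ch == "|":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) < 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF message")
    return fields, msg[i:]


def parse_cef_extension(ext: str) -> dict:
    """Split key=value pairs; a value runs until the next ' key=' token.
    A literal '=' inside a value must be escaped as '\\=' (CEF rule), which keeps
    values such as command lines from being cut short."""
    keys = list(_EXT_KEY_RE.finditer(ext))
    parsed = {}
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        parsed[m.group(1)] = cef_unescape(ext[m.end():end])
    return parsed


def parse_cef_message(msg: str) -> dict:
    fields, raw_ext = split_cef_header(msg)
    header = {"cef_version": fields[0][4:]}
    header.update(zip(_HEADER_NAMES, (f.strip() for f in fields[1:])))
    ext = parse_cef_extension(raw_ext)
    # Map csN/flexStringN values to their human-readable labels ("Initiated by" -> cs1).
    labeled = {ext[k]: ext[k[:-5]] for k in ext if k.endswith("Label") and k[:-5] in ext}
    record = {"cef": header, "extension": ext, "labeled": labeled}
    if ext.get("end", "").isdigit():  # 'end' is epoch milliseconds in the example
        ts = datetime.fromtimestamp(int(ext["end"]) / 1000, tz=timezone.utc)
        record["end_time"] = ts.strftime("%Y-%m-%dT%H:%M:%SZ")
    return record


def parse_cortex_syslog_cef(line: str) -> dict:
    m = _SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog line in the expected layout")
    pri, rest = int(m.group(1)), m.group(5)
    start = rest.find("CEF:")
    if start < 0:
        raise ValueError("no CEF payload in syslog message")
    record = parse_cef_message(rest[start:])
    record["syslog"] = {
        "pri": pri,
        "facility": pri // 8,  # PRI = facility * 8 + severity
        "severity": pri % 8,
        "version": int(m.group(2)),
        "timestamp": m.group(3),
        "hostname": m.group(4),
    }
    return record


if __name__ == "__main__":
    import json
    print(json.dumps(parse_cortex_syslog_cef(SAMPLE), indent=2))
```

Splitting the extension on spaces, which is the first thing a quick regex tends to do, breaks on this very message: cs5 holds a full command line and CSPaccountname holds "Palo Alto Networks - PANW-XDR-BETA10", so the parser above treats everything up to the next `key=` token as the value. The labels map is what makes the custom string fields usable in detection content, since a cs5 value means nothing until its cs5Label says it is the CGO command line.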
