Management Audit Log Notification Format

Cortex XDR forwards the management audit log to external data sources according to the following formats.

Email Account

Management audit log notifications are forward to email accounts.
management-audit-email.png

Syslog Server

Management Audit logs forwarded to a Syslog server are sent in a CEF format RF 5425 according to the following mapping:
Section
Description
Syslog Header
<9>: PRI (considered a prioirty field)1: version number2020-03-22T07:55:07.964311Z: timestamp of when alert/log was sentcortexxdr: host name
CEF Header
HEADER/Vendor="Palo Alto Networks" (as a constant string)HEADER/Device Product="Cortex XDR" (as a constant string)HEADER/Device Version= Cortex XDR version (2.0/2.1....)HEADER/Severity=informationalHEADER/Device Event Class ID="Management Audit Logs" (as a constant string)HEADER/name = type
CEF Body
end=timestampsuser=user namecat=categorymsg=descriptiondeviceHostName = host nameexternalId = idcs1=emailcs1Label="email" (as a constant string)cs2=subtypecs2Label="subtype" (as a constant string)cs3=resultcs3Label="result" (as a constant string)cs4=reasoncs4Label="reason" (as a constant string)
Example
3/18/2012:05:17.567 PM<14>1 2020-03-18T12:05:17.567590Z cortexxdr - - - CEF:0|Palo Alto Networks|Cortex XDR|Cortex XDR x.x |Management Audit Logs|REPORTING|5|suser=test end=1584533117501 externalId=5820 cs1Label=email cs1=test@paloaltonetworks.com cs2Label=subtype cs2=Slack Report cs3Label=result cs3=SUCCESS cs4Label=reason cs4=None msg=Slack report 'scheduled_1584533112442' ID 00 to ['CUXM741BK', 'C01022YU00L', 'CV51Y1E2X', 'CRK3VASN9'] tenantname=test tenantCDLid=11111 CSPaccountname=00000

Recommended For You