Agent Audit Log Notification Format

To forward agent audit logs, you must have either a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license.
Cortex XDR forwards the agent audit log to external data resources according to the following formats.

Email Account

Cortex XDR can forward agent audit log notifications to email accounts.
agent-audit-log-email.png

Syslog Server

Agent audit logs forwarded to a Syslog server are sent in a CEF format RFC 5425 according to the following mapping.
Section
Description
Syslog Header
<9>: PRI (considered a prioirty field)1: version number2020-03-22T07:55:07.964311Z: timestamp of when alert/log was sentcortexxdr: host name
CEF Header
HEADER/Vendor="Palo Alto Networks" (as a constant string)HEADER/Device Product="Cortex XDR Agent" (as a constant string)HEADER/Device Version= Cortex XDR Agent version (7.0/7.1....)HEADER/Severity=informationalHEADER/Device Event Class ID="Agent Audit Logs" (as a constant string)HEADER/name = type
CEF Body
end=timestamprt=recieved timecat=categorymsg=descriptiondeviceHostName = domainexternalId = endpoint idshost = endpoint namecs1=xdr agent versioncs1Label="agentversion" (as a constant string)cs2=subtypecs2Label="subtype" (as a constant string)cs3=resultcs3Label="result" (as a constant string)cs4=reasoncs4Label="reason" (as a constant string)
Example:
3/18/2012:05:17.567 PM<14>1 2020-03-18T12:05:17.567590Z cortexxdr - - - CEF:0|Palo Alto Networks|Cortex XDR|Cortex XDR x.x|Management Audit Logs|REPORTING|5|suser=test end=1584533117501 externalId=0000 cs1Label=email cs1=test@paloaltonetworks.com cs2Label=subtype cs2=Slack Report cs3Label=result cs3=SUCCESS cs4Label=reason cs4=None msg=Slack report 'scheduled_1584533112442' ID 00 to ['CUXM741BK', 'C01022YU00L', 'CV51Y1E2X', 'CRK3VASN9'] tenantname=test CSPaccountname=00000

Recommended For You