Cortex XDR Analytics Log Format

Cortex XDR™ Analytics logs its alerts to the Cortex Data Lake as analytics alert logs. If you configure Cortex XDR to forward logs in legacy format, each log record has the following format:
Syslog format:
sub_type,time_generated,id,version_info/document_version,version_info/magnifier_version,version_info/detection_version,alert/url,alert/category,alert/type,alert/name,alert/description/html,alert/description/text,alert/severity,alert/state,alert/is_whitelisted,alert/ports,alert/internal_destinations/single_destinations,alert/internal_destinations/ip_ranges,alert/external_destinations,alert/app_id,alert/schedule/activity_first_seen_at,alert/schedule/activity_last_seen_at,alert/schedule/first_detected_at,alert/schedule/last_detected_at,user/user_name,user/url,user/display_name,user/org_unit,device/id,device/url,device/mac,device/hostname,device/ip,device/ip_ranges,device/owner,device/org_unit,files
Email body format example:
When analytics alert logs are forwarded by email, each field is labeled, one line per field:
sub_type: Update
time_generated: 1547717480
id: 4
version_info/document_version: 1
version_info/magnifier_version: 1.8
version_info/detection_version: 2019.2.0rc1
alert/url: https:\/\/ddc1...
alert/category: Recon
alert/type: Port Scan
alert/name: Port Scan
alert/description/html: \t<ul>\n\t\t<li>The device....
alert/description/text: The device ...
alert/severity: Low
alert/state: Reopened
alert/is_whitelisted: false
alert/ports: "[1,2,3,4,5,6,7,8,9,10,11...]
alert/internal_destinations/single_destinations: []
alert/internal_destinations/ip_ranges: "[{""max_ip"":""..."",""name"":""..."",""min_ip"":""...""}]"
alert/external_destinations: []
alert/app_id:
alert/schedule/activity_first_seen_at: 1542178800
alert/schedule/activity_last_seen_at: 1542182400
alert/schedule/first_detected_at: 1542182400
alert/schedule/last_detected_at: 1542182400
user/user_name:
user/url:
user/display_name:
user/org_unit:
device/id: 2-85e40edd-b2d1-1f25-2c1e-a3dd576c8a7e
device/url: https:\/\/ddc1 ...
device/mac: 00-50-56-a5-db-b2
device/hostname: DC1ENV3APC42
device/ip: 10.201.102.17
device/ip_ranges: "[{""max_ip"":""..."",""name"":""..."",""min_ip"":""..."",""asset"":""""}]"
device/owner:
device/org_unit:
files: []
The following table describes each field:
Field Name
Definition
sub_type
Alert log subtype. Values are:
  • New — First log record for the alert with this record id.
  • Update — Log record identifies an update to a previously logged alert.
  • StateOnlyUpdate — Alert state is updated. For internal use only.
time_generated
Time the log record was sent to the Cortex Data Lake. Value is a Unix Epoch timestamp.
id
Unique identifier for the alert. Any given alert can generate multiple log records: one when the alert is initially raised, and then additional records every time the alert status changes. This ID remains constant for all such alert records.
You can obtain the current status of the alert by looking for log records with this id and selecting the one with the most recent alert/schedule/last_detected_at timestamp.
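The two layouts above carry the same field set, and the id semantics mean a log consumer has to fold several records into one alert. The following Python is an added example (not Palo Alto Networks code) that parses both the syslog CSV layout and the email body layout into typed records, collapses the records for each id to the alert's current state, and derives a triage queue from the state, severity and whitelist fields. It assumes the column order given in the syslog format line above, that the JSON-valued fields decode with a standard JSON parser once CSV quoting is removed, and that StateOnlyUpdate records should be ignored because the table marks them internal. The function names and all sample records are constructed for this example.

```python
"""Parse Cortex XDR Analytics legacy alert logs (syslog CSV and email body) and
collapse the records for each alert id to the alert's current state. Added
example, not Palo Alto Networks code; sample records are constructed, not real."""
import csv
import io
import json

# Column order of the legacy syslog format, exactly as documented (37 columns).
SYSLOG_FIELDS = (
    "sub_type,time_generated,id,version_info/document_version,"
    "version_info/magnifier_version,version_info/detection_version,alert/url,"
    "alert/category,alert/type,alert/name,alert/description/html,"
    "alert/description/text,alert/severity,alert/state,alert/is_whitelisted,"
    "alert/ports,alert/internal_destinations/single_destinations,"
    "alert/internal_destinations/ip_ranges,alert/external_destinations,"
    "alert/app_id,alert/schedule/activity_first_seen_at,"
    "alert/schedule/activity_last_seen_at,alert/schedule/first_detected_at,"
    "alert/schedule/last_detected_at,user/user_name,user/url,user/display_name,"
    "user/org_unit,device/id,device/url,device/mac,device/hostname,device/ip,"
    "device/ip_ranges,device/owner,device/org_unit,files").split(",")
# Fields the table documents as JSON sequences, and as Unix epoch timestamps.
JSON_FIELDS = {f for f in SYSLOG_FIELDS
               if f.endswith(("ports", "destinations", "ip_ranges", "files"))}
EPOCH_FIELDS = {"time_generated"} | {f for f in SYSLOG_FIELDS if "/schedule/" in f}


def _normalize(record):
    # Epochs -> int, JSON -> objects (empty -> []), is_whitelisted -> bool.
    # Malformed JSON stays a raw string so one bad record cannot abort the ingest.
    for k in EPOCH_FIELDS:
        if record.get(k, ""):
            record[k] = int(record[k])
    for k in JSON_FIELDS:
        raw = record.get(k, "")
        try:
            record[k] = json.loads(raw) if raw else []
        except json.JSONDecodeError:
            pass
    record["alert/is_whitelisted"] = record.get("alert/is_whitelisted", "").lower() == "true"
    return record


def parse_syslog_csv(text):
    # One record per line, no header. csv.reader undoes the doubled quotes that
    # wrap the JSON columns; a wrong column count means a schema mismatch.
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(SYSLOG_FIELDS):
            raise ValueError(f"expected {len(SYSLOG_FIELDS)} columns, got {len(row)}")
        records.append(_normalize(dict(zip(SYSLOG_FIELDS, row))))
    return records


def parse_email_body(text):
    # One 'field: value' line per field. Values keep the CSV-style quoting shown
    # in the documented example, so unwrap it before JSON decoding.
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace('""', '"')
        record[key.strip()] = value
    return _normalize(record)


def current_alert_states(records, include_internal=False):
    # One record per id: latest alert/schedule/last_detected_at, ties broken by
    # time_generated. StateOnlyUpdate is documented as internal, so skip it by default.
    latest = {}
    for r in records:
        if r["sub_type"] == "StateOnlyUpdate" and not include_internal:
            continue
        key = (r.get("alert/schedule/last_detected_at") or 0, r.get("time_generated") or 0)
        if r["id"] not in latest or key > latest[r["id"]][0]:
            latest[r["id"]] = (key, r)
    return {aid: rec for aid, (_, rec) in latest.items()}


def triage_queue(records):
    # Alerts an analyst still owns: Open/Reopened and not whitelisted (whitelisted
    # alerts are forwarded but hidden in the console). Highest severity first.
    rank = {"High": 0, "Medium": 1, "Low": 2}
    return sorted((r for r in current_alert_states(records).values()
                   if r["alert/state"] in ("Open", "Reopened") and not r["alert/is_whitelisted"]),
                  key=lambda r: rank.get(r["alert/severity"], 3))


# Constructed sample records (not real logs): alert 4 is raised, reopened with more
# ports, then resolved via an internal update; alert 7 is whitelisted malware.
SAMPLE_SYSLOG = "\n".join([
    'New,1542182500,4,1,1.8,2019.2.0rc1,,Recon,Port Scan,Port Scan,,,Low,Open,false,"[22,23,80,443]",[],"[{""max_ip"":""10.201.102.255"",""name"":""dc1-lan"",""min_ip"":""10.201.102.0""}]",[],,1542178800,1542182400,1542182400,1542182400,,,,,2-85e40edd-b2d1-1f25-2c1e-a3dd576c8a7e,,00-50-56-a5-db-b2,DC1ENV3APC42,10.201.102.17,[],,,[]',
    'Update,1542190000,4,1,1.8,2019.2.0rc1,,Recon,Port Scan,Port Scan,,,Low,Reopened,false,"[22,23,80,443,3389]",[],"[{""max_ip"":""10.201.102.255"",""name"":""dc1-lan"",""min_ip"":""10.201.102.0""}]",[],,1542178800,1542186000,1542182400,1542186000,,,,,2-85e40edd-b2d1-1f25-2c1e-a3dd576c8a7e,,00-50-56-a5-db-b2,DC1ENV3APC42,10.201.102.17,[],,,[]',
    'StateOnlyUpdate,1542195000,4,1,1.8,2019.2.0rc1,,Recon,Port Scan,Port Scan,,,Low,Resolved,false,"[22,23,80,443,3389]",[],"[{""max_ip"":""10.201.102.255"",""name"":""dc1-lan"",""min_ip"":""10.201.102.0""}]",[],,1542178800,1542186000,1542182400,1542186000,,,,,2-85e40edd-b2d1-1f25-2c1e-a3dd576c8a7e,,00-50-56-a5-db-b2,DC1ENV3APC42,10.201.102.17,[],,,[]',
    'New,1542183000,7,1,1.8,2019.2.0rc1,,Malware,Malware,Malware,,,High,Open,true,[],[],[],"[""evil.example""]",,1542182700,1542183000,1542183000,1542183000,,,,,2-85e40edd-b2d1-1f25-2c1e-a3dd576c8a7e,,00-50-56-a5-db-b2,DC1ENV3APC42,10.201.102.17,[],,,"[{""full_path"":""C:/Users/Public/drop.exe"",""md5"":""d41d8cd98f00b204e9800998ecf8427e""}]"',
])
SAMPLE_EMAIL = """sub_type: Update
time_generated: 1547717480
id: 4
alert/state: Reopened
alert/is_whitelisted: false
alert/ports: "[1,2,3]"
alert/internal_destinations/ip_ranges: "[{""max_ip"":""10.0.0.255"",""name"":""lan"",""min_ip"":""10.0.0.0""}]"
alert/schedule/last_detected_at: 1542182400
"""
```

The column-count check in parse_syslog_csv is deliberately strict: when version_info/document_version changes and a column is added, failing loudly is safer for a SIEM pipeline than silently shifting every later field by one. Calling current_alert_states(parse_syslog_csv(SAMPLE_SYSLOG)) leaves alert 4 in the Reopened state; only with include_internal=True does the StateOnlyUpdate record move it to Resolved.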
version_info/document_version
Identifies the log schema version number used for this log record.
version_info/magnifier_version
The version number of the Cortex XDR – Analytics instance that wrote this log record.
version_info/detection_version
Identifies the version of the Cortex XDR – Analytics detection software used to raise the alert.
alert/url
Provides the full URL to the alert page in the Cortex XDR – Analytics user interface.
alert/category
Identifies the alert category, which reflects where in the attack life cycle the anomalous network activity falls. Possible categories are:
  • C&C — The network activity is possibly the result of malware attempting to connect to its Command & Control server.
  • Exfiltration — A large amount of data is being transferred to an endpoint that is external to the network.
  • Lateral — The network activity is indicative of an attacker who is attempting to move from one endpoint to another on the network.
  • Malware — A file has been discovered on an endpoint that is probably malware or riskware. Malware alerts can also be raised based on network activity that is indicative of automated malicious traffic generation.
  • Recon — The network activity is indicative of an attacker who is exploring the network for endpoints and other resources to attack.
alert/type
Identifies the detection type to which the alert belongs, for example Tunneling Process, Sandbox Detection, or Malware.
alert/name
The alert name as it appears in the Cortex XDR – Analytics user interface.
alert/description/html
The alert textual description in HTML formatting.
alert/description/text
The alert textual description in plain text.
alert/severity
Identifies the alert severity. These severities indicate the likelihood that the anomalous network activity is a real attack.
  • High — The alert is confirmed to be a network attack.
  • Medium — The alert is suspicious enough to require additional investigation.
  • Low — The alert is unverified. Whether the alert is indicative of a network attack is unknown.
alert/state
Identifies the alert state.
  • Open — The alert is currently active and should be undergoing triage or investigation by the network security analysts.
  • Reopened — The alert was previously resolved or dismissed, but new network activity has caused Cortex XDR – Analytics to reopen the alert.
  • Archived — No action was taken on the alert in the Cortex XDR – Analytics user interface, and no further network activity has occurred that caused it to remain active.
  • Resolved — Network personnel have taken enough action to end the attack.
  • Dismissed — The anomaly has been examined and deemed to be normal, sanctioned, network activity.
alert/is_whitelisted
Indicates whether the alert is whitelisted. Whitelisting indicates that anomalous-appearing network activity is legitimate. If an alert is whitelisted, it is not visible in the Cortex XDR Analytics user interface. Because this field is part of every forwarded record, downstream consumers that want to mirror the console view should filter on it rather than assume that every forwarded alert is visible there. Alerts can be dismissed or archived and still have a whitelist rule.
alert/ports
List of ports accessed by the network entity during its anomalous behavior.
alert/internal_destinations/single_destinations
Network destinations that the entity reached, or tried to reach, during the course of the network activity that caused Cortex XDR – Analytics to raise the alert. This field contains a sequence of JSON objects, each of which contains the following fields:
  • ip — The destination IP address.
  • name — The destination name (for example, a host name).
alert/internal_destinations/ip_ranges
IP address range subnets that the entity reached, or tried to reach, during the course of the network activity that caused Cortex XDR – Analytics to raise the alert. This field contains a sequence of JSON objects, each of which contains the following fields:
  • max_ip — Last IP address in the subnet.
  • min_ip — First IP address in the subnet.
  • name — Subnet name.
alert/external_destinations
Provides a list of destinations external to the monitored network that the entity tried to reach, or actually reached, during the activity that raised this alert. This list can contain IP addresses or fully qualified domain names.
alert/app_id
The App-ID associated with this alert.
alert/schedule/activity_first_seen_at
Time when Cortex XDR – Analytics first detected the network activity that caused it to raise the alert. Be aware that there is frequently a delay between this timestamp and the time when Cortex XDR – Analytics raises an alert (see the alert/schedule/first_detected_at field).
alert/schedule/activity_last_seen_at
Time when Cortex XDR – Analytics last detected the network activity that caused it to raise the alert.
alert/schedule/first_detected_at
Time when Cortex XDR – Analytics first alerted on the network activity.
alert/schedule/last_detected_at
Time when Cortex XDR – Analytics last alerted on the network activity.
user/user_name
The name of the user associated with this alert. This name is obtained from Active Directory.
user/url
Provides the full URL to the user page in the Cortex XDR – Analytics user interface for the user who is associated with the alert.
user/display_name
The user name as retrieved from Active Directory. This is the user name displayed within the Cortex XDR – Analytics user interface for the user who is associated with this alert.
user/org_unit
The organizational unit of the user associated with this alert, as identified using Active Directory.
device/id
A unique ID assigned by Cortex XDR – Analytics to the device. All alerts raised due to activity occurring on this endpoint will share this ID.
device/url
Provides the full URL to the device page in the Cortex XDR – Analytics user interface.
device/mac
The MAC address of the network card in use on the device.
device/hostname
The device host name.
device/ip
The device IP address.
device/ip_ranges
Identifies the subnet or subnets that the device is on. This sequence can contain multiple inclusive subnets. Each element in this sequence is a JSON object with the following fields:
  • asset — The asset name assigned to the device from within the Cortex XDR Analytics user interface.
  • max_ip — Last IP address in the subnet.
  • min_ip — First IP address in the subnet.
  • name — Subnet name.
device/owner
The user name of the person who owns the device.
device/org_unit
The organizational unit that owns the device, as identified by Active Directory.
files
Identifies the files associated with the alert. Each element in this sequence is a JSON object with the following fields:
  • full_path — The file full path (including the file name).
  • md5 — The file MD5 hash. MD5 is not collision resistant, so treat this value as a lookup key for correlating with other sources rather than as proof of a file's identity.
