Cortex XDR Log Format for IOC and BIOC Alerts

Cortex XDR™ supports Syslog and email formats for IOC and BIOC alerts.
Cortex XDR™ logs its IOC and BIOC alerts to the Cortex Data Lake. If you configure Cortex XDR to forward logs in the legacy format, each alert log record forwarded from Cortex Data Lake has the following format:
Syslog format:
"/edrData/action_country","/edrData/action_download","/edrData/action_external_hostname","/edrData/action_external_port","/edrData/action_file_extension","/edrData/action_file_md5","/edrData/action_file_name","/edrData/action_file_path","/edrData/action_file_previous_file_extension","/edrData/action_file_previous_file_name","/edrData/action_file_previous_file_path","/edrData/action_file_sha256","/edrData/action_file_size","/edrData/action_file_remote_ip","/edrData/action_file_remote_port","/edrData/action_is_injected_thread","/edrData/action_local_ip","/edrData/action_local_port","/edrData/action_module_base_address","/edrData/action_module_image_size","/edrData/action_module_is_remote","/edrData/action_module_is_replay","/edrData/action_module_path","/edrData/action_module_process_causality_id","/edrData/action_module_process_image_command_line","/edrData/action_module_process_image_extension","/edrData/action_module_process_image_md5","/edrData/action_module_process_image_name","/edrData/action_module_process_image_path","/edrData/action_module_process_image_sha256","/edrData/action_module_process_instance_id","/edrData/action_module_process_is_causality_root","/edrData/action_module_process_os_pid","/edrData/action_module_process_signature_product","/edrData/action_module_process_signature_status","/edrData/action_module_process_signature_vendor","/edrData/action_network_connection_id","/edrData/action_network_creation_time","/edrData/action_network_is_ipv6","/edrData/action_process_causality_id","/edrData/action_process_image_command_line","/edrData/action_process_image_extension","/edrData/action_process_image_md5","/edrData/action_process_image_name","/edrData/action_process_image_path","/edrData/action_process_image_sha256","/edrData/action_process_instance_id","/edrData/action_process_integrity_level","/edrData/action_process_is_causality_root","/edrData/action_process_is_replay","/edrData/action_process_is_special","/edrData/action_process_os_pid","/edrData/action_process_signature_product","/edrData/action_process_signature_status","/edrData/action_process_signature_vendor","/edrData/action_proxy","/edrData/action_registry_data","/edrData/action_registry_file_path","/edrData/action_registry_key_name","/edrData/action_registry_value_name","/edrData/action_registry_value_type","/edrData/action_remote_ip","/edrData/action_remote_port","/edrData/action_remote_process_causality_id","/edrData/action_remote_process_image_command_line","/edrData/action_remote_process_image_extension","/edrData/action_remote_process_image_md5","/edrData/action_remote_process_image_name","/edrData/action_remote_process_image_path","/edrData/action_remote_process_image_sha256","/edrData/action_remote_process_is_causality_root","/edrData/action_remote_process_os_pid","/edrData/action_remote_process_signature_product","/edrData/action_remote_process_signature_status","/edrData/action_remote_process_signature_vendor","/edrData/action_remote_process_thread_id","/edrData/action_remote_process_thread_start_address","/edrData/action_thread_thread_id","/edrData/action_total_download","/edrData/action_total_upload","/edrData/action_upload","/edrData/action_user_status","/edrData/action_username","/edrData/actor_causality_id","/edrData/actor_effective_user_sid","/edrData/actor_effective_username","/edrData/actor_is_injected_thread","/edrData/actor_primary_user_sid","/edrData/actor_primary_username","/edrData/actor_process_causality_id","/edrData/actor_process_command_line","/edrData/actor_process_execution_time","/edrData/actor_process_image_command_line","/edrData/actor_process_image_extension","/edrData/actor_process_image_md5","/edrData/actor_process_image_name","/edrData/actor_process_image_path","/edrData/actor_process_image_sha256","/edrData/actor_process_instance_id","/edrData/actor_process_integrity_level","/edrData/actor_process_is_special","/edrData/actor_process_os_pid","/edrData/actor_process_signature_product","/edrData/actor_process_signature_status","/edrData/actor_process_signature_vendor","/edrData/actor_thread_thread_id","/edrData/agent_content_version","/edrData/agent_host_boot_time","/edrData/agent_hostname","/edrData/agent_id","/edrData/agent_ip_addresses","/edrData/agent_is_vdi","/edrData/agent_os_sub_type","/edrData/agent_os_type","/edrData/agent_session_start_time","/edrData/agent_version","/edrData/causality_actor_causality_id","/edrData/causality_actor_effective_user_sid","/edrData/causality_actor_effective_username","/edrData/causality_actor_primary_user_sid","/edrData/causality_actor_primary_username","/edrData/causality_actor_process_causality_id","/edrData/causality_actor_process_command_line","/edrData/causality_actor_process_execution_time","/edrData/causality_actor_process_image_command_line","/edrData/causality_actor_process_image_extension","/edrData/causality_actor_process_image_md5","/edrData/causality_actor_process_image_name","/edrData/causality_actor_process_image_path","/edrData/causality_actor_process_image_sha256","/edrData/causality_actor_process_instance_id","/edrData/causality_actor_process_integrity_level","/edrData/causality_actor_process_is_special","/edrData/causality_actor_process_os_pid","/edrData/causality_actor_process_signature_product","/edrData/causality_actor_process_signature_status","/edrData/causality_actor_process_signature_vendor","/edrData/event_id","/edrData/event_is_simulated","/edrData/event_sub_type","/edrData/event_timestamp","/edrData/event_type","/edrData/event_utc_diff_minutes","/edrData/event_version","/edrData/host_metadata_hostname","/edrData/missing_action_remote_process_instance_id","/facility","/generatedTime","/recordType","/recsize","/trapsId","/uuid","/xdr_unique_id","/meta_internal_id","/external_id","/is_visible","/is_secdo_event","/severity","/alert_source","/internal_id","/matching_status","/local_insert_ts","/source_insert_ts","/alert_name","/alert_category","/alert_description","/bioc_indicator","/matching_service_rule_id","/external_url","/xdr_sub_type","/bioc_category_enum_key","/alert_action_status","/agent_data_collection_status","/attempt_counter","/case_id","/global_content_version_id","/global_rule_id","/is_whitelisted"
When alert logs are forwarded by email, each field is labeled, one line per field:
Email body format example:
edrData/action_country:
edrData/action_download:
edrData/action_external_hostname:
edrData/action_external_port:
edrData/action_file_extension: pdf
edrData/action_file_md5: null
edrData/action_file_name: XORXOR2614081980.pdf
edrData/action_file_path: C:\ProgramData\Cyvera\Ransomware\16067987696371268494\XORXOR2614081980.pdf
edrData/action_file_previous_file_extension: null
edrData/action_file_previous_file_name: null
edrData/action_file_previous_file_path: null
edrData/action_file_sha256: null
edrData/action_file_size: 0
edrData/action_file_remote_ip: null
edrData/action_file_remote_port: null
edrData/action_is_injected_thread:
edrData/action_local_ip:
edrData/action_local_port:
edrData/action_module_base_address:
edrData/action_module_image_size:
edrData/action_module_is_remote:
edrData/action_module_is_replay:
edrData/action_module_path:
edrData/action_module_process_causality_id:
edrData/action_module_process_image_command_line:
edrData/action_module_process_image_extension:
edrData/action_module_process_image_md5:
edrData/action_module_process_image_name:
edrData/action_module_process_image_path:
edrData/action_module_process_image_sha256:
edrData/action_module_process_instance_id:
edrData/action_module_process_is_causality_root:
edrData/action_module_process_os_pid:
edrData/action_module_process_signature_product:
edrData/action_module_process_signature_status:
edrData/action_module_process_signature_vendor:
edrData/action_network_connection_id:
edrData/action_network_creation_time:
edrData/action_network_is_ipv6:
edrData/action_process_causality_id:
edrData/action_process_image_command_line:
edrData/action_process_image_extension:
edrData/action_process_image_md5:
edrData/action_process_image_name:
edrData/action_process_image_path:
edrData/action_process_image_sha256:
edrData/action_process_instance_id:
edrData/action_process_integrity_level:
edrData/action_process_is_causality_root:
edrData/action_process_is_replay:
edrData/action_process_is_special:
edrData/action_process_os_pid:
edrData/action_process_signature_product:
edrData/action_process_signature_status:
edrData/action_process_signature_vendor:
edrData/action_proxy:
edrData/action_registry_data:
edrData/action_registry_file_path:
edrData/action_registry_key_name:
edrData/action_registry_value_name:
edrData/action_registry_value_type:
edrData/action_remote_ip:
edrData/action_remote_port:
edrData/action_remote_process_causality_id:
edrData/action_remote_process_image_command_line:
edrData/action_remote_process_image_extension:
edrData/action_remote_process_image_md5:
edrData/action_remote_process_image_name:
edrData/action_remote_process_image_path:
edrData/action_remote_process_image_sha256:
edrData/action_remote_process_is_causality_root:
edrData/action_remote_process_os_pid:
edrData/action_remote_process_signature_product:
edrData/action_remote_process_signature_status:
edrData/action_remote_process_signature_vendor:
edrData/action_remote_process_thread_id:
edrData/action_remote_process_thread_start_address:
edrData/action_thread_thread_id:
edrData/action_total_download:
edrData/action_total_upload:
edrData/action_upload:
edrData/action_user_status:
edrData/action_username:
edrData/actor_causality_id: AdUcamNT99kAAAAEAAAAAA==
edrData/actor_effective_user_sid: S-1-5-18
edrData/actor_effective_username: NT AUTHORITY\SYSTEM
edrData/actor_is_injected_thread: false
edrData/actor_primary_user_sid: S-1-5-18
edrData/actor_primary_username: NT AUTHORITY\SYSTEM
edrData/actor_process_causality_id: AdUcamNT99kAAAAEAAAAAA==
edrData/actor_process_command_line:
edrData/actor_process_execution_time: 1559827133585
edrData/actor_process_image_command_line:
edrData/actor_process_image_extension:
edrData/actor_process_image_md5:
edrData/actor_process_image_name: System
edrData/actor_process_image_path: System
edrData/actor_process_image_sha256:
edrData/actor_process_instance_id: AdUcamNT99kAAAAEAAAAAA==
edrData/actor_process_integrity_level: 16384
edrData/actor_process_is_special: 1
edrData/actor_process_os_pid: 4
edrData/actor_process_signature_product: Microsoft Windows
edrData/actor_process_signature_status: 1
edrData/actor_process_signature_vendor: Microsoft Corporation
edrData/actor_thread_thread_id: 64
edrData/agent_content_version: 58-9124
edrData/agent_host_boot_time: 1559827133585
edrData/agent_hostname: padme-7
edrData/agent_id: a832f35013f16a06fc2495843674a3e9
edrData/agent_ip_addresses: ["10.196.172.74"]
edrData/agent_is_vdi: false
edrData/agent_os_sub_type: Windows 7 [6.1 (Build 7601: Service Pack 1)]
edrData/agent_os_type: 1
edrData/agent_session_start_time: 1559827592661
edrData/agent_version: 6.1.0.13895
edrData/causality_actor_causality_id: AdUcamNT99kAAAAEAAAAAA==
edrData/causality_actor_effective_user_sid:
edrData/causality_actor_effective_username:
edrData/causality_actor_primary_user_sid: S-1-5-18
edrData/causality_actor_primary_username: NT AUTHORITY\SYSTEM
edrData/causality_actor_process_causality_id:
edrData/causality_actor_process_command_line:
edrData/causality_actor_process_execution_time: 1559827133585
edrData/causality_actor_process_image_command_line:
edrData/causality_actor_process_image_extension:
edrData/causality_actor_process_image_md5:
edrData/causality_actor_process_image_name: System
edrData/causality_actor_process_image_path: System
edrData/causality_actor_process_image_sha256:
edrData/causality_actor_process_instance_id: AdUcamNT99kAAAAEAAAAAA==
edrData/causality_actor_process_integrity_level: 16384
edrData/causality_actor_process_is_special: 1
edrData/causality_actor_process_os_pid: 4
edrData/causality_actor_process_signature_product: Microsoft Windows
edrData/causality_actor_process_signature_status: 1
edrData/causality_actor_process_signature_vendor: Microsoft Corporation
edrData/event_id: AAABa13u2PQsqXnCAB1qjw==
edrData/event_is_simulated: false
edrData/event_sub_type: 1
edrData/event_timestamp: 1560649063308
edrData/event_type: 3
edrData/event_utc_diff_minutes: 120
edrData/event_version: 20
edrData/host_metadata_hostname:
edrData/missing_action_remote_process_instance_id:
facility:
generatedTime: 2019-06-16T01:37:43
recordType: alert
recsize:
trapsId:
uuid:
xdr_unique_id: ae65c92c6e704023df129c728eab3d3e
meta_internal_id: None
external_id: 318b7f91-ae74-4860-abd1-b463e8cd6deb
is_visible: null
is_secdo_event: null
severity: SEV_010_INFO
alert_source: BIOC
internal_id: None
matching_status: null
local_insert_ts: null
source_insert_ts: 1560649063308
alert_name: BIOC-16
alert_category: CREDENTIAL_ACCESS
alert_description: File action type = all AND name = *.pdf
bioc_indicator: "[{""pretty_name"":""File"",""data_type"":null,""render_type"":""entity"",""entity_map"":null},{""pretty_name"":""action type"",""data_type"":null,""render_type"":""attribute"",""entity_map"":null},{""pretty_name"":""="",""data_type"":null,""render_type"":""operator"",""entity_map"":null},{""pretty_name"":""all"",""data_type"":null,""render_type"":""value"",""entity_map"":null},{""pretty_name"":""AND"",""data_type"":null,""render_type"":""connector"",""entity_map"":null},{""pretty_name"":""name"",""data_type"":""TEXT"",""render_type"":""attribute"",""entity_map"":""attributes""},{""pretty_name"":""="",""data_type"":null,""render_type"":""operator"",""entity_map"":""attributes""},{""pretty_name"":""*.pdf"",""data_type"":null,""render_type"":""value"",""entity_map"":""attributes""}]"
matching_service_rule_id: 200
external_url: null
xdr_sub_type: BIOC - Credential Access
bioc_category_enum_key: null
alert_action_status: null
agent_data_collection_status: null
attempt_counter: null
case_id: null
global_content_version_id:
global_rule_id:
is_whitelisted: false
The following table summarizes the field prefixes and additional relevant fields available for BIOC and IOC alert logs. Each entry gives the field name or prefix (a trailing asterisk marks a prefix) on one line and its definition on the next.
edrData/action_file*
Fields that begin with this prefix describe attributes of a file for which Traps reported activity.
edrData/action_module*
Fields that begin with this prefix describe attributes of a module for which Traps reported module loading activity.
edrData/action_module_process*
Fields that begin with this prefix describe attributes and activity related to processes reported by Traps that load modules such as DLLs on the endpoint.
edrData/action_process_image*
Fields that begin with this prefix describe attributes of a process image for which Traps reported activity.
edrData/action_registry*
Fields that begin with this prefix describe registry activity and attributes such as key name, data, and previous value for which Traps reported activity.
edrData/action_network*
Fields that begin with this prefix describe network attributes for which Traps reported activity.
edrData/action_remote_process*
Fields that begin with this prefix describe attributes of remote processes for which Traps reported activity.
edrData/actor*
Fields that begin with this prefix describe attributes about the acting user that initiated the activity on the endpoint.
edrData/agent*
Fields that begin with this prefix describe attributes about the Traps agent deployed on the endpoint.
edrData/causality_actor*
Fields that begin with this prefix describe attributes about the causality group owner.
Additional useful fields:
/severity
Severity assigned to the alert:
  • SEV_010_INFO
  • SEV_020_LOW
  • SEV_030_MEDIUM
  • SEV_040_HIGH
  • SEV_090_UNKNOWN
/alert_source
Source of the alert: BIOC or IOC
/local_insert_ts
Date and time when Cortex XDR – Investigation and Response ingested the alert.
/source_insert_ts
Date and time the alert was reported by the alert source.
/alert_name
If the alert was generated by Cortex XDR – Investigation and Response, the alert name is the name of the specific Cortex XDR rule (BIOC or IOC rule) that created the alert. If the alert came from an external system, it carries the name assigned to it by Cortex XDR.
/alert_category
Alert category based on the alert source.
  • BIOC alert categories:
    • OTHER
    • PERSISTENCE
    • EVASION
    • TAMPERING
    • FILE_TYPE_OBFUSCATION
    • PRIVILEGE_ESCALATION
    • CREDENTIAL_ACCESS
    • LATERAL_MOVEMENT
    • EXECUTION
    • COLLECTION
    • EXFILTRATION
    • INFILTRATION
    • DROPPER
    • FILE_PRIVILEGE_MANIPULATION
    • RECONNAISSANCE
  • IOC alert categories:
    • HASH
    • IP
    • PATH
    • DOMAIN_NAME
    • FILENAME
    • MIXED
/alert_description
Text summary of the event including the alert source, alert name, severity, and file path. For alerts triggered by BIOC and IOC rules, Cortex XDR displays detailed information about the rule.
/bioc_indicator
A JSON representation of the rule characteristics. In the forwarded record the value is carried as a quoted string with every inner double quote doubled (as in the email example above); unescaped, the example from that record reads:
[
  {"pretty_name":"File","data_type":null,"render_type":"entity","entity_map":null},
  {"pretty_name":"action type","data_type":null,"render_type":"attribute","entity_map":null},
  {"pretty_name":"=","data_type":null,"render_type":"operator","entity_map":null},
  {"pretty_name":"all","data_type":null,"render_type":"value","entity_map":null},
  {"pretty_name":"AND","data_type":null,"render_type":"connector","entity_map":null},
  {"pretty_name":"name","data_type":"TEXT","render_type":"attribute","entity_map":"attributes"},
  {"pretty_name":"=","data_type":null,"render_type":"operator","entity_map":"attributes"},
  {"pretty_name":"*.pdf","data_type":null,"render_type":"value","entity_map":"attributes"}
]
/bioc_category_enum_key
Alert category based on the alert source. For example, Evasion is a BIOC alert category and Exploit Modules is a Traps alert category.
/alert_action_status
Action taken by the alert sensor, with the action status shown in parentheses:
  • Detected
  • Detected (Download)
  • Detected (Post Detected)
  • Detected (Prompt Allow)
  • Detected (Reported)
  • Detected (Scanned)
  • Prevented (Blocked)
  • Prevented (Prompt Block)
/case_id
Unique identifier for the incident.
/global_content_version_id
Unique identifier for the content version in which a Palo Alto Networks global BIOC rule was released.
/global_rule_id
Unique identifier for an alert triggered by a Palo Alto Networks global BIOC rule.
/is_whitelisted
Boolean indicating whether the alert is excluded or not.
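As an added example that is not part of the Cortex XDR documentation, the following Python parses a constructed excerpt of the email-format body shown above (field names and values copied from that sample), undoes the CSV-style quoting around bioc_indicator to recover the rule text that alert_description displays, and converts the epoch-millisecond event_timestamp to the UTC time that generatedTime shows; the function names are my own.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed excerpt of an email-format alert body ("field: value", one per
# line); field names and values are copied from the sample body above.
SAMPLE_EMAIL_BODY = r'''edrData/action_country:
edrData/action_file_extension: pdf
edrData/action_file_name: XORXOR2614081980.pdf
edrData/actor_effective_username: NT AUTHORITY\SYSTEM
edrData/agent_os_sub_type: Windows 7 [6.1 (Build 7601: Service Pack 1)]
edrData/event_timestamp: 1560649063308
edrData/event_utc_diff_minutes: 120
severity: SEV_010_INFO
alert_source: BIOC
alert_name: BIOC-16
alert_category: CREDENTIAL_ACCESS
bioc_indicator: "[{""pretty_name"":""File"",""data_type"":null,""render_type"":""entity"",""entity_map"":null},{""pretty_name"":""action type"",""data_type"":null,""render_type"":""attribute"",""entity_map"":null},{""pretty_name"":""="",""data_type"":null,""render_type"":""operator"",""entity_map"":null},{""pretty_name"":""all"",""data_type"":null,""render_type"":""value"",""entity_map"":null},{""pretty_name"":""AND"",""data_type"":null,""render_type"":""connector"",""entity_map"":null},{""pretty_name"":""name"",""data_type"":""TEXT"",""render_type"":""attribute"",""entity_map"":""attributes""},{""pretty_name"":""="",""data_type"":null,""render_type"":""operator"",""entity_map"":""attributes""},{""pretty_name"":""*.pdf"",""data_type"":null,""render_type"":""value"",""entity_map"":""attributes""}]"
is_whitelisted: false
'''

def parse_email_alert(body):
    """Split at the first colon (values may contain colons); empty value -> None."""
    fields = {}
    for line in body.splitlines():
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        fields[name.strip()] = value.strip() or None
    return fields

def decode_bioc_indicator(raw):
    """The JSON array arrives CSV-quoted: wrapped in double quotes with every
    inner double quote doubled. Undo that quoting, then parse the JSON."""
    if raw.startswith('"') and raw.endswith('"'):
        raw = raw[1:-1].replace('""', '"')
    return json.loads(raw)

def indicator_to_rule_text(indicator):
    """Join the pretty_name of each element to recover the rule text."""
    return " ".join(part["pretty_name"] for part in indicator)

def event_time_iso(fields, local=False):
    """event_timestamp is epoch milliseconds (UTC); event_utc_diff_minutes is
    the endpoint's UTC offset, applied only when local=True."""
    ts = datetime.fromtimestamp(int(fields["edrData/event_timestamp"]) / 1000,
                                tz=timezone.utc)
    if local:
        ts += timedelta(minutes=int(fields["edrData/event_utc_diff_minutes"]))
    return ts.strftime("%Y-%m-%dT%H:%M:%S")

def severity_rank(sev):
    """The middle token orders the enum: SEV_010_INFO < ... < SEV_090_UNKNOWN."""
    return int(sev.split("_")[1])
```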
