Analytics log format - Learn about the syntax and different variables that are used in the analytics log format. - Administrator Guide

Analytics log format - Learn about the syntax and different variables that are used in the analytics log format. - Administrator Guide - Cortex CLOUD

Cortex Cloud Runtime Security Documentation

Product

Cortex Cloud Application Security > Cortex CLOUD

License

Cloud Runtime Security

Creation date

2024-12-24

Last date published

2026-06-04

Category

Administrator Guide

Abstract

Learn about the syntax and different variables that are used in the analytics log format.

Cortex Cloud Analytics logs issues as analytics issue logs. If you configure Cortex Cloud to forward logs in the legacy format, each log record has the following format:

Syslog format:

Example 19.

sub_type,time_generated,id,version_info/document_version,version_info/magnifier_version,version_info/detection_version,alert/url,alert/category,alert/type,alert/name,alert/description/html,alert/description/text,alert/severity,alert/state,alert/is_whitelisted,alert/ports,alert/internal_destinations/single_destinations,alert/internal_destinations/ip_ranges,alert/external_destinations,alert/app_id,alert/schedule/activity_first_seen_at,alert/schedule/activity_last_seen_at,alert/schedule/first_detected_at,alert/schedule/last_detected_at,user/user_name,user/url,user/display_name,user/org_unit,device/id,device/url,device/mac,device/hostname,device/ip,device/ip_ranges,device/owner,device/org_unit,files

Email account: Each field is labeled, one line per field.

Example 20.

sub_type: Update
time_generated: 1547717480
id: 4
version_info/document_version: 1
version_info/magnifier_version: 1.8
version_info/detection_version: 2019.2.0rc1
alert/url: https:\/\/ddc1...
alert/category: Recon
alert/type: Port Scan
alert/name: Port Scan 
alert/description/html: \t<ul>\n\t\t<li>The device....
alert/description/text: The device ...
...
device/id: 2-85e40edd-b2d1-1f25-2c1e-a3dd576c8a7e
device/url: https:\/\/ddc1 ...
device/mac: 00-50-56-a5-db-b2
device/hostname: DC1ENV3APC42
device/ip: 10.201.102.17
device/ip_ranges: "[{""max_ip"":""..."",""name"":""..."",""min_ip"":""..."",""asset"":""""}]"
device/owner: 
device/org_unit: 
files: []

Field Name	Definition
sub_type	Issue log subtype. Values are: `New:` First log record for the issue with this record `id`. `Update:` Log record identifies an update to a previously logged issue. `StateOnlyUpdate:` Issue state is updated. For internal use only.
time_generated	Time the log record was sent to the Cortex Cloud tenant. Value is a Unix Epoch timestamp.
id	Unique identifier for the issue. Any given issue can generate multiple log records—one when the issue is initially generated, and then additional records every time the issue status changes. This ID remains constant for all such issue records. You can obtain the current status of the issue by looking for log records with this id and the most recent `alert/schedule/last_detected_at` timestamp.
version_info/document_version	Identifies the log schema version number used for this log record.
version_info/magnifier_version	The version number of the Cortex Cloud – Analytics instance that wrote this log record.
version_info/detection_version	Identifies the version of the Cortex Cloud – Analytics detection software used to generate the issue.
alert/url	Provides the full URL to the issue page in the Cortex Cloud – Analytics user interface.
alert/category	Identifies the issue category, which is a reflection of the anomalous network activity location in the attack life cycle. Possible categories are: `C&C:` The network activity is possibly the result of malware attempting to connect to its Command & Control server. `Exfiltration:` A large amount of data is being transferred to an endpoint that is external to the network. `Lateral:` The network activity is indicative of an attacker who is attempting to move from one endpoint to another on the network. `Malware:` A file has been discovered on an endpoint that is probably malware or riskware. Malware issues can also be generated based on network activity that is indicative of automated malicious traffic generation. `Recon:` The network activity is indicative an attacker that is exploring the network for endpoints and other resources to attack.
alert/type	Identifies the categorization to which the issue belongs. For example Tunneling Process, Sandbox Detection, Malware, and so forth.
alert/name	The issue name as it appears in the Cortex Cloud – Analytics user interface.
alert/description/html	The issue textual description in HTML formatting.
alert/description/text	The issue textual description in plain text.
alert/severity	Identifies the issue severity. These severities indicate the likelihood that the anomalous network activity is a real attack. `High:` The issue is confirmed to be a network attack. `Medium:` The issue is suspicious enough to require additional investigation. `Low:` The issue is unverified. Whether the issue is indicative of a network attack is unknown.
alert/state	Identifies the issue state. `Open:` The issue is currently active and should be undergoing triage or investigation by the network security analysts. `Reopened:` The issue was previously resolved or dismissed, but new network activity has caused Cortex Cloud – Analytics to reopen the issue. `Archived:` No action was taken on the issue in the Cortex Cloud – Analytics user interface, and no further network activity has occurred that caused it to remain active. `Resolved:` Network personnel have taken enough action to end the attack. `Dismissed:` The anomaly has been examined and deemed to be normal, sanctioned, network activity.
alert/is_whitelisted	Indicates whether the issue is whitelisted. Whitelisting indicates that anomalous-appearing network activity is legitimate. If an issue is whitelisted, then it is not visible in the Cortex Cloud – Analytics user interface. Issues can be dismissed or archived and still have a whitelist rule.
alert/ports	List of ports accessed by the network entity during its anomalous behavior.
alert/internal_destinations/single_destinations	Network destinations that the entity reached, or tried to reach, during the course of the network activity that caused Cortex Cloud – Analytics to generate the issue. This field contains a sequence of JSON objects, each of which contains the following fields: `ip:` The destination IP address. `name:` The destination name (for example, a host name).
alert/internal_destinations/ip_ranges	IP address range subnets that the entity reached, or tried to reach, during the course of the network activity that caused Cortex Cloud – Analytics to generate the issue. This field contains a sequence of JSON objects, each of which contains the following fields: `max_ip:` Last IP address in the subnet. `min_ip:` First IP address in the subnet. `name:` Subnet name.
alert/external_destinations	Provides a list of destinations external to the monitored network that the entity tried to reach, or actually reached, during the activity that generated this issue. This list can contain IP addresses or fully qualified domain names.
alert/app_id	The App-ID associated with this issue.
alert/schedule/activity_first_seen_at	Time when Cortex Cloud – Analytics first detected the network activity that caused it to generate the issue. Be aware that there is frequently a delay between this timestamp, and the time when Cortex Cloud – Analytics generates an issue (see the `alert/schedule/first_detected_at` field).
alert/schedule/activity_last_seen_at	Time when Cortex Cloud – Analytics last detected the network activity that caused it to generate the issue.
alert/schedule/first_detected_at	Time when Cortex Cloud – Analytics first alerted on the network activity.
alert/schedule/last_detected_at	Time when Cortex Cloud – Analytics last alerted on the network activity.
user/user_name	The name of the user associated with this issue. This name is obtained from Active Directory.
user/url	Provides the full URL to the user page in the Cortex Cloud – Analytics user interface for the user who is associated with the issue.
user/display_name	The user name as retrieved from Active Directory. This is the user name displayed within the Cortex Cloud – Analytics user interface for the user who is associated with this issue.
user/org_unit	The organizational unit of the user associated with this issue, as identified using Active Directory.
device/id	A unique ID assigned by Cortex Cloud – Analytics to the device. All issues generated due to activity occurring on this endpoint will share this ID.
device/url	Provides the full URL to the device page in the Cortex Cloud – Analytics user interface.
device/mac	The MAC address of the network card in use on the device.
device/hostname	The device host name.
device/ip	The device IP address.
device/ip_ranges	Identifies the subnet or subnets that the device is on. This sequence can contain multiple inclusive subnets. Each element in this sequence is a JSON object with the following fields: `asset:` The asset name assigned to the device from within the Cortex Cloud – Analytics user interface. `max_ip:` Last IP address in the subnet. `min_ip:` First IP address in the subnet. `name:` Subnet name.
device/owner	The user name of the person who owns the device.
device/org_unit	The organizational unit that owns the device, as identified by Active Directory.
files	Identifies the files associated with the issue. Each element in this sequence is a JSON object with the following fields: `full_path:` The file full path (including the file name). `md5:` The file MD5 hash.