Learn about the different log formats that Cortex XDR can forward to an external server or email account.
The following lists the fields for each log type that Cortex XDR can forward to an external server or email destination.
Keep in mind the following:
When log forwarding to a syslog receiver, Cortex XDR sends logs in the IETF syslog message format defined in RFC 5425. To facilitate parsing, the fields are sent as a comma-separated value (CSV) string, with a comma as the delimiter.
Note: The FUTURE_USE tag applies to fields that Cortex XDR does not currently implement.
When log forwarding to an email account, Cortex XDR sends an email with each field on a separate line in the email body.
Threat logs
The syslog format is as follows:
recordType, class, FUTURE_USE, eventType, generatedTime, serverTime, agentTime, tzOffset, FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion, regionId, isEndpoint, agentId, osType, isVdi, osVersion, is64, agentIp, deviceName, deviceDomain, severity, trapsSeverity, agentVersion, contentVersion, protectionStatus, preventionKey, moduleId, profile, moduleStatusId, verdict, preventionMode, terminate, terminateTarget, quarantine, block, postDetected, eventParameters(Array), sourceProcessIdx(Array), targetProcessIdx(Array), fileIdx(Array), processes(Array), files(Array), users(Array), urls(Array), description(Array)
Field Name | Description |
---|---|
recordType | Record type associated with the event; you can use it when managing logging quotas. In this case, the record type is threat, which includes logs related to security events that occur on the endpoints. |
class | Class of Cortex XDR agent log: config, policy, system, or agent_log. |
eventType | Subtype of event: AgentActionReport, AgentDeviceControlViolation, AgentGenericMessage, AgentSamReport, AgentScanReport, AgentSecurityEvent, AgentStatistics, AgentTimelineEvent, ServerLogPerAgent, ServerLogPerTenant, or ServerLogSystem. |
generatedTime | Coordinated Universal Time (UTC) equivalent of the time at which an event was logged. For agent events, this represents the time on the endpoint. For policy, configuration, and system events, this represents the time on Cortex XDR in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z). |
serverTime | Coordinated Universal Time (UTC) equivalent of the time at which the server generated the log. If the log was generated on an endpoint, this field identifies the time the server received the log in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z). |
agentTime | Coordinated Universal Time (UTC) equivalent of the time at which an agent logged an event in ISO-8601 string representation. |
tzOffset | Effective endpoint time zone offset from UTC, in minutes. |
facility | The Cortex XDR system component that initiated the event, for example: TrapsAgent, TrapsServiceCore, TrapsServiceManagement, and TrapsServiceBackend. |
customerId | The ID that uniquely identifies the Cortex XDR tenant instance which received this log record. |
trapsId | Tenant external ID. |
serverHost | Hostname of Cortex XDR. |
serverComponentVersion | Software version of Cortex XDR. |
regionId | ID of Cortex XDR region: |
isEndpoint | Indicates whether the event occurred on an endpoint. |
agentId | Unique identifier for the Cortex XDR agent. |
osType | Operating system of the endpoint: |
isVdi | Indicates whether the endpoint is a virtual desktop infrastructure (VDI): |
osVersion | Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135. |
is64 | Indicates whether the endpoint is running a 64-bit version of Windows: |
agentIp | IP address of the endpoint. |
deviceName | Hostname of the endpoint on which the event was logged. |
deviceDomain | Domain to which the endpoint belongs. |
severity | Syslog severity level associated with the event. Each event also has an associated Cortex XDR severity. See the |
trapsSeverity | Severity level associated with the event defined for Cortex XDR. Each of these severities corresponds to a syslog severity level: See also the |
agentVersion | Version of the Cortex XDR agent. |
contentVersion | Content version in the local security policy. |
protectionStatus | Cortex XDR agent protection status: |
preventionKey | Unique identifier for security events. |
moduleId | Security module name. |
profile | Name of the security profile that triggered the event. |
moduleStatusId | Identifies the specific component of Cortex XDR modules. |
verdict | Verdict for the file: |
preventionMode | Action carried out by the Cortex XDR agent (block or notify). The prevention mode is specified in the rule configuration. |
terminate | Termination action taken on the file. |
terminateTarget | Termination action taken on the target file (relevant for some child process execution events where we terminate the child process but not the parent process): |
quarantine | Quarantine action taken on the file: |
block | Block action taken on the file: |
postDetected | Post detection status of the file: |
eventParameters(Array) | Parameters associated with the type of event. For example, username, endpoint hostname, and filename. |
sourceProcessIdx(Array) | The prevention source process index in the processes array. |
targetProcessIdx(Array) | Target process index in the processes array. A missing or negative value means there is no target process. |
fileIdx(Array) | Index of target files for specific security events such as: Scanning, Malicious DLL, Malicious Macro events. |
processes(Array) | All related details for the process file that triggered an event: |
files(Array) | File object includes: |
users(Array) | Details about the active user on the endpoint when the event occurred: |
urls(Array) | Additional details related to a URL: |
description(Array) | (Mac only) Description of components related to Cortex XDR. For example, the description of the ROP, JIT, and Dylib hijacking modules for Mac endpoints is Memory Corruption Exploit. |
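As an added example (not code from the Cortex XDR documentation or product), the parser below maps the CSV body of a forwarded threat log onto the field order listed above: it skips the FUTURE_USE slots, strips the (Array) suffix, refuses a line whose field count does not match (a shifted column would silently file values under the wrong names), and combines generatedTime with tzOffset. It assumes the syslog header has already been removed so only the CSV body remains, and the sample line is constructed; passing one of the other format lines from this page parses config, analytics and system records the same way.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Field order copied verbatim from the "Threat logs" syslog format on this page.
THREAT_FORMAT = (
    "recordType, class, FUTURE_USE, eventType, generatedTime, serverTime, agentTime, "
    "tzOffset, FUTURE_USE, facility, customerId, trapsId, serverHost, "
    "serverComponentVersion, regionId, isEndpoint, agentId, osType, isVdi, osVersion, "
    "is64, agentIp, deviceName, deviceDomain, severity, trapsSeverity, agentVersion, "
    "contentVersion, protectionStatus, preventionKey, moduleId, profile, moduleStatusId, "
    "verdict, preventionMode, terminate, terminateTarget, quarantine, block, "
    "postDetected, eventParameters(Array), sourceProcessIdx(Array), "
    "targetProcessIdx(Array), fileIdx(Array), processes(Array), files(Array), "
    "users(Array), urls(Array), description(Array)"
)

def field_names(format_line):
    """Split one of the page's format lines into its ordered field names."""
    return [name.strip() for name in format_line.split(",")]

def parse_record(csv_body, format_line=THREAT_FORMAT):
    """Map the CSV body of a forwarded message onto the named fields.
    FUTURE_USE positions are consumed but not kept; the '(Array)' suffix is dropped.
    A field-count mismatch raises instead of silently shifting every later column."""
    names = field_names(format_line)
    values = next(csv.reader(io.StringIO(csv_body)))  # quoted commas stay in one field
    if len(values) != len(names):
        raise ValueError(f"expected {len(names)} fields, got {len(values)}")
    return {name.replace("(Array)", ""): value
            for name, value in zip(names, values) if name != "FUTURE_USE"}

def endpoint_local_time(record):
    """generatedTime is UTC ISO-8601; tzOffset is the endpoint's offset in minutes."""
    utc = datetime.strptime(record["generatedTime"], "%Y-%m-%dT%H:%M:%SZ")
    utc = utc.replace(tzinfo=timezone.utc)
    return utc.astimezone(timezone(timedelta(minutes=int(record["tzOffset"]))))

def sample_body():
    """Constructed sample (not real product output): a few fields filled, the rest empty.
    eventParameters is quoted on the wire because its own value contains commas."""
    names = field_names(THREAT_FORMAT)
    values = [""] * len(names)
    filled = {
        "recordType": "threat", "class": "agent_log", "eventType": "AgentSecurityEvent",
        "generatedTime": "2017-01-24T09:08:59Z", "tzOffset": "-300",
        "deviceName": "WS-0042", "severity": "2", "verdict": "1",
        "eventParameters(Array)": "jdoe,WS-0042,report.docm",
    }
    for name, value in filled.items():
        values[names.index(name)] = value
    out = io.StringIO()
    csv.writer(out, lineterminator="").writerow(values)
    return out.getvalue()
```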
Config logs
The syslog format is as follows:
recordType, class, FUTURE_USE, subClassId, eventType, eventCategory, generatedTime, serverTime, FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion, regionId, isEndpoint, severity, trapsSeverity, messageCode, friendlyName, FUTURE_USE, msgTextEn, userFullName, userName, userRole, userDomain, additionalData(Array), messageCode, errorText, errorData, resultData
Field Name | Description |
---|---|
recordType | Record type associated with the event; you can use it when managing logging quotas. In this case, the record type is config, which includes logs related to Cortex XDR administration and configuration changes. |
class | Class of Cortex XDR log. System logs have a value of system. |
subClass | Subclass of event. Used to categorize logs in Cortex XDR. |
subClassId | Numeric representation of the subClass field for easy sorting and filtering. |
eventType | Subtype of event. |
eventCategory | Category of event, used internally for processing the flow of logs. Event categories vary by class: |
generatedTime | Coordinated Universal Time (UTC) equivalent of the time at which an event was logged. For agent events, this represents the time on the endpoint. For policy, configuration, and system events, this represents the time on Cortex XDR in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z). |
serverTime | Coordinated Universal Time (UTC) equivalent of the time at which the server generated the log. If the log was generated on an endpoint, this field identifies the time the server received the log in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z). |
facility | The Cortex XDR system component that initiated the event, for example: TrapsAgent, TrapsServiceCore, TrapsServiceManagement, and TrapsServiceBackend. |
customerId | The ID that uniquely identifies the Cortex XDR tenant instance which received this log record. |
trapsId | Tenant external ID. |
serverHost | Hostname of Cortex XDR. |
serverComponentVersion | Software version of Cortex XDR. |
regionId | ID of Cortex XDR region: |
isEndpoint | Indicates whether the event occurred on an endpoint. |
agentId | Unique identifier for the Cortex XDR agent. |
severity | Syslog severity level associated with the event. Each event also has an associated Cortex XDR severity. See the |
trapsSeverity | Severity level associated with the event defined for Cortex XDR. Each of these severities corresponds to a syslog severity level: See also the |
messageCode | System-wide unique message code. |
friendlyName | Descriptive log message name. |
msgTextEn | Description of the event, in English. |
userFullName | Full username of Cortex XDR user. |
userName | Username associated with Cortex XDR user. |
userRole | Role assigned to Cortex XDR user. |
userDomain | Domain to which the user belongs. |
agentTime | Coordinated Universal Time (UTC) equivalent of the time at which an agent logged an event in ISO-8601 string representation. |
tzOffset | Effective endpoint time zone offset from UTC, in minutes. |
osType | Operating system of the endpoint: |
isVdi | Indicates whether the endpoint is a virtual desktop infrastructure (VDI): |
osVersion | Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135. |
is64 | Indicates whether the endpoint is running a 64-bit version of Windows: |
agentIp | IP address of the endpoint. |
deviceName | Hostname of the endpoint on which the event was logged. |
deviceDomain | Domain to which the endpoint belongs. |
agentVersion | Version of the Cortex XDR agent. |
contentVersion | Content version in the local security policy. |
protectionStatus | Cortex XDR agent protection status: |
userFullName | Full name of Cortex XDR user. |
userName | Username associated with Cortex XDR user. |
userRole | Role assigned to Cortex XDR user. |
userDomain | Domain to which the user belongs. |
messageName | Name of the message. |
messageId | Unique numeric identifier of the message. |
processStatus | State of the process related to the event. |
errorText | If known, a description of the documented error. |
errorData | Parameters related to an event error. |
resultData | Parameters related to a successful event. |
parameters | Parameters supplied in the log message. |
additionalData(Array) | Additional information regarding event parameters. |
loggedInUser | User that is logged in to Cortex XDR. |
Analytics logs
The syslog format is as follows:
recordType, class, FUTURE_USE, eventType, eventCategory, generatedTime, serverTime, agentTime, tzOffset, FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion, regionId, isEndpoint, agentId, osType, isVdi, osVersion, is64, agentIp, deviceName, deviceDomain, severity, agentVersion, contentVersion, protectionStatus, sha256, type, parentSha256, lastSeen, fileName, filePath, fileSize, localAnalysisResult, reported, blocked, executionCount
Field Name | Description |
---|---|
recordType | Record type associated with the event; you can use it when managing logging quotas. In this case, the record type is analytics, which includes hash execution reports from the agent. |
class | Class of Cortex XDR log: config, policy, system, and agent_log. |
eventType | Subtype of event. |
eventCategory | Category of event, used internally for processing the flow of logs. Event categories vary by class: |
generatedTime | Coordinated Universal Time (UTC) equivalent of the time at which an event was logged. For agent events, this represents the time on the endpoint. For policy, configuration, and system events, this represents the time on Cortex XDR in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z). |
serverTime | Coordinated Universal Time (UTC) equivalent of the time at which the server generated the log. If the log was generated on an endpoint, this field identifies the time the server received the log in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z). |
agentTime | Coordinated Universal Time (UTC) equivalent of the time at which an agent logged an event in ISO-8601 string representation. |
tzOffset | Effective endpoint time zone offset from UTC, in minutes. |
facility | The Cortex XDR system component that initiated the event, for example: TrapsAgent, TrapsServiceCore, TrapsServiceManagement, and TrapsServiceBackend. |
customerId | The ID that uniquely identifies the Cortex XDR tenant instance which received this log record. |
trapsId | Tenant external ID. |
serverHost | Hostname of Cortex XDR. |
serverComponentVersion | Software version of Cortex XDR. |
regionId | ID of Cortex XDR region: |
isEndpoint | Indicates whether the event occurred on an endpoint. |
agentId | Unique identifier for the Cortex XDR agent. |
osType | Operating system of the endpoint: |
isVdi | Indicates whether the endpoint is a virtual desktop infrastructure (VDI): |
osVersion | Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135. |
is64 | Indicates whether the endpoint is running a 64-bit version of Windows: |
agentIp | IP address of the endpoint. |
deviceName | Hostname of the endpoint on which the event was logged. |
deviceDomain | Domain to which the endpoint belongs. |
severity | Syslog severity level associated with the event. Each event also has an associated Cortex XDR severity. See the |
agentVersion | Version of the Cortex XDR agent. |
contentVersion | Content version in the local security policy. |
protectionStatus | Cortex XDR agent protection status: |
sha256 | SHA256 hash of the file. |
type | Type of file: |
parentSha256 | SHA256 hash of the parent file. |
lastSeen | Coordinated Universal Time (UTC) equivalent of the time when the file last ran on an endpoint in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z). |
fileName | File name, without the path or the file type extension. |
filePath | Full path, aligned to the OS format. |
fileSize | Size of the file in bytes. |
localAnalysisResult | This object includes the content version, local analysis module version, verdict result, file signer, and trusted signer result. The trusted signer result is an integer value: |
reported | Reporting status of the file, as an integer value: |
blocked | Blocking status of the file, as an integer value: |
executionCount | The total number of times a file identified by a specific hash was executed. |
System logs
The syslog format is as follows:
recordType, class, FUTURE_USE, subClassId, eventType, eventCategory, generatedTime, serverTime, FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion, regionId, isEndpoint, agentId, severity, trapsSeverity, messageCode, friendlyName, FUTURE_USE, msgTextEn, userFullName, username, userRole, userDomain, agentTime, tzOffset, osType, isVdi, osVersion, is64, agentIp, deviceName, deviceDomain, agentVersion, contentVersion, protectionStatus, userFullName, username, userRole, userDomain, messageName, messageId, processStatus, errorText, errorData, resultData, parameters, additionalData(Array)
Field Name | Description |
---|---|
recordType | Record type associated with the event; you can use it when managing logging quotas. In this case, the record type is system, which includes logs related to automated system management and agent reporting events. |
class | Class of Cortex XDR log. System logs have a value of system. |
subClass | Subclass of event. Used to categorize logs in the Cortex XDR user interface. |
subClassId | Numeric representation of the subClass field for easy sorting and filtering. |
eventType | Subtype of event. |
eventCategory | Category of event, used internally for processing the flow of logs. Event categories vary by class: |
generatedTime | Coordinated Universal Time (UTC) equivalent of the time at which an event was logged. For agent events, this represents the time on the endpoint. For policy, configuration, and system events, this represents the time on Cortex XDR in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z). |
serverTime | Coordinated Universal Time (UTC) equivalent of the time at which the server generated the log. If the log was generated on an endpoint, this field identifies the time the server received the log in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z). |
facility | The Cortex XDR system component that initiated the event, for example: TrapsAgent, TrapsServiceCore, TrapsServiceManagement, and TrapsServiceBackend. |
customerId | The ID that uniquely identifies the Cortex XDR tenant instance which received this log record. |
trapsId | Tenant external ID. |
serverHost | Hostname of Cortex XDR. |
serverComponentVersion | Software version of Cortex XDR. |
regionId | ID of Cortex XDR region: |
isEndpoint | Indicates whether the event occurred on an endpoint. |
agentId | Unique identifier for the Cortex XDR agent. |
severity | Syslog severity level associated with the event. Each event also has an associated Cortex XDR severity. See the |
trapsSeverity | Severity level associated with the event defined for Cortex XDR. Each of these severities corresponds to a syslog severity level: See also the |
messageCode | System-wide unique message code. |
friendlyName | Descriptive log message name. |
msgTextEn | Description of the event, in English. |
userFullName | Full username of Cortex XDR user. |
userName | Username associated with Cortex XDR user. |
userRole | Role assigned to Cortex XDR user. |
userDomain | Domain to which the user belongs. |
agentTime | Coordinated Universal Time (UTC) equivalent of the time at which an agent logged an event in ISO-8601 string representation. |
tzOffset | Effective endpoint time zone offset from UTC, in minutes. |
osType | Operating system of the endpoint: |
isVdi | Indicates whether the endpoint is a virtual desktop infrastructure (VDI): |
osVersion | Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135. |
is64 | Indicates whether the endpoint is running a 64-bit version of Windows: |
agentIp | IP address of the endpoint. |
deviceName | Hostname of the endpoint on which the event was logged. |
deviceDomain | Domain to which the endpoint belongs. |
agentVersion | Version of the Cortex XDR agent. |
contentVersion | Content version in the local security policy. |
protectionStatus | Cortex XDR agent protection status: |
userFullName | Full name of Cortex XDR user. |
userName | Username associated with Cortex XDR user. |
userRole | Role assigned to Cortex XDR user. |
userDomain | Domain to which the user belongs. |
messageName | Name of the message. |
messageId | Unique numeric identifier of the message. |
processStatus | State of the process related to the event. |
errorText | If known, a description of the documented error. |
errorData | Parameters related to an event error. |
resultData | Parameters related to a successful event. |
parameters | Parameters supplied in the log message. |
additionalData(Array) | Additional information regarding event parameters. |
loggedInUser | User that is logged in to Cortex XDR. |