Agent Audit Log Notification Format - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-10-31
Last date published
2024-03-18
Category
Administrator Guide
Abstract

The agent audit log is communicated through one of two notification channels: an email account or a syslog server.

Note

To forward agent audit logs, you must have either a Cortex XDR Prevent or Cortex XDR Pro per Endpoint license.

Cortex XDR forwards the agent audit log to external data resources according to the following formats.

Email Account

Cortex XDR can forward agent audit log notifications to email accounts.

(Figure: agent-audit-log-email.png, a sample agent audit log email notification)
Syslog Server

Agent audit logs forwarded to a syslog server are sent in CEF format (RFC 5425) according to the following mapping.

Syslog Header

<9>: PRI (priority field)
1: version number
2020-03-22T07:55:07.964311Z: timestamp of when the alert/log was sent
cortexxdr: host name

CEF Header

HEADER/Vendor="Palo Alto Networks" (constant string)
HEADER/Device Product="Cortex XDR Agent" (constant string)
HEADER/Device Version=Cortex XDR Agent version (7.0, 7.1, ...)
HEADER/Severity=integer (0 - Unknown, 6 - Low, 8 - Medium, 9 - High)
HEADER/Device Event Class ID="Agent Audit Logs" (constant string)
HEADER/name=type

CEF Body

dvchost=domain
shost=endpoint_name
cat=category
end=timestamp
rt=received_time
cs1Label=agentversion (constant string)
cs1=agent_version
cs2Label=subtype (constant string)
cs2=subtype
cs3Label=result (constant string)
cs3=result
cs4Label=reason (constant string)
cs4=reason
msg=event_description
tenantname=tenant_name
tenantCDLid=tenant_id
CSPaccountname=csp_id

Example:

<182>1 2020-10-04T10:41:14.608731Z cortexxdr - - - - CEF:0|Palo Alto Networks|Cortex XDR Agent|Cortex XDR Agent 7.2.0.63060|Agent Audit Logs|Agent Service|9|dvchost=WORKGROUP shost=Test-Agent cat=Monitoring end=1601808073102 rt=1601808074596 cs1Label=agentversion cs1=7.2.0.63060 cs2Label=subtype cs2=Stop cs3Label=result cs3=N\/A cs4Label=reason cs4=None msg=XDR service cyserver was stopped on Test-Agent tenantname=Test tenantCDLid=123456 CSPaccountname=1234
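As an added example (not Palo Alto Networks code and not part of this guide), the following Python parser splits one forwarded line into the three sections of the mapping above: the syslog header (decoding PRI into facility and severity), the CEF header, and the CEF body extension, including the csNLabel/csN pairs and the millisecond epoch values in end= and rt=. The sample line is constructed from the example in this guide and the severity map is the one documented for the CEF header; the CEF escape handling (including the \/ in cs3=N\/A) and the assumption that the syslog structured-data field is always "-" are assumptions made here, not statements from the guide.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, built from the example line shown in the guide.
SAMPLE = (
    "<182>1 2020-10-04T10:41:14.608731Z cortexxdr - - - - "
    "CEF:0|Palo Alto Networks|Cortex XDR Agent|Cortex XDR Agent 7.2.0.63060|"
    "Agent Audit Logs|Agent Service|9|dvchost=WORKGROUP shost=Test-Agent "
    "cat=Monitoring end=1601808073102 rt=1601808074596 cs1Label=agentversion "
    "cs1=7.2.0.63060 cs2Label=subtype cs2=Stop cs3Label=result cs3=N\\/A "
    "cs4Label=reason cs4=None msg=XDR service cyserver was stopped on Test-Agent "
    "tenantname=Test tenantCDLid=123456 CSPaccountname=1234"
)

# Severity values the guide documents for the CEF header severity field.
CEF_SEVERITY = {0: "Unknown", 6: "Low", 8: "Medium", 9: "High"}

# Syslog header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG.
# Assumption: structured data is "-" (as in the guide), so \S+ is enough for it.
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d+) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$"
)
# An extension key is a run of word characters followed by an unescaped '=',
# at the start of the extension or after whitespace; values may contain spaces
# (msg= does in the sample), so the value runs until the next key.
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")
CEF_FIELDS = ("cef_version", "vendor", "product", "device_version",
              "event_class_id", "name", "severity")


def unescape(value):
    # Undo backslash escaping (\= \| \\ and the \/ seen in the sample); \n and \r
    # become their control characters. Assumed escape set, not from the guide.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def epoch_ms_to_iso(ms):
    # end= and rt= are millisecond epoch values; integer arithmetic avoids float rounding.
    ms = int(ms)
    dt = datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)
    return dt.isoformat(timespec="milliseconds")


def parse_extension(ext):
    # Split 'k=v k2=v v v' into a dict, then expand csNLabel/csN pairs.
    fields = {}
    keys = list(KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = unescape(ext[m.end():end].strip())
    # cs1Label=agentversion cs1=7.2.0.63060 also becomes agentversion=7.2.0.63060
    for key, label in list(fields.items()):
        if key.endswith("Label") and key[:-5] in fields:
            fields[label] = fields[key[:-5]]
    return fields


def parse_agent_audit_log(line):
    # Return syslog header, CEF header and extension fields from one forwarded line.
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424-style syslog line")
    pri = int(m.group("pri"))
    # Split the CEF header on unescaped pipes; everything after the 7th is the extension.
    parts = re.split(r"(?<!\\)\|", m.group("msg"), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("message is not a CEF record")
    cef = dict(zip(CEF_FIELDS, (unescape(p) for p in parts[:7])))
    cef["cef_version"] = cef["cef_version"].split(":", 1)[1]
    cef["severity"] = int(cef["severity"])
    cef["severity_label"] = CEF_SEVERITY.get(cef["severity"], "Unknown")
    ext = parse_extension(parts[7])
    for key in ("end", "rt"):
        if key in ext and ext[key].isdigit():
            ext[key + "_utc"] = epoch_ms_to_iso(ext[key])
    return {
        "syslog": {
            "pri": pri,
            "facility": pri >> 3,    # 182 -> 22 (local6)
            "severity": pri & 7,     # 182 -> 6 (informational)
            "version": int(m.group("version")),
            "timestamp": m.group("timestamp"),
            "hostname": m.group("hostname"),
        },
        "cef": cef,
        "extension": ext,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(parse_agent_audit_log(SAMPLE), indent=2))
```

Two points this makes visible that the table alone does not: the syslog severity in PRI (6, informational) is independent of the CEF header severity (9, High), so a SIEM rule should key on the CEF value; and because msg= carries spaces, a naive split on whitespace would truncate the event description, which is why values are delimited by the next key rather than by a space.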