Alert Notification Format - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-10-31
Last date published
2024-03-18
Category
Administrator Guide
Abstract

Cortex XDR Agent, BIOC, IOC, Analytics, Correlation, and third-party alerts are forwarded to external data resources according to the email, Slack, or syslog format.

Cortex XDR Agent, BIOC, IOC, Analytics, Correlation and third-party alerts are forwarded to external data resources according to the following formats.

Email Account

Alert notifications are sent to email accounts according to the settings you configured in Configure Notification Forwarding. If only one alert exists in the queue, it is sent in the single alert email format. If more than one alert was grouped in the time frame, all the alerts in the queue are forwarded together in the grouped email format. Emails also include a JSON snippet of the alert fields, corresponding to the columns in the Alert table.

Single Alert Email Example

Email Subject: Alert: <alert_name>
Email Body:
    Alert Name: Suspicious Process Creation
    Severity: High
    Source: XDR Agent
    Category: Malware
    Action: Detected
    Host: <host name>
    Username: <user name>
    Excluded: No
    Starred: Yes
    Alert: <link to Cortex XDR app alert view>
    Incident: <link to Cortex XDR app incident view>

Grouped Alert Email Example

Email Subject: Alerts: <first_highest_severity_alert> + x others
Email Body:
    Alert Name: Suspicious Process Creation
    Severity: High
    Source: XDR Agent
    Category: Malware
    Action: Detected
    Host: <host name>
    Username: <user name>
    Excluded: No
    Starred: Yes
    Alert: <link to Cortex XDR app alert view>
    Incident: <link to Cortex XDR app incident view>

    Alert Name: Behavioral Threat Protection
    Alert ID: 2412
    Description: A really cool detection
    Severity: Medium
    Source: XDR Agent
    Category: Exploit
    Action: Prevented
    Host: <host name>
    Starred: Yes
    Alert: <link to Cortex XDR app alert view>
    Incident: <link to Cortex XDR app incident view>
    Notification Name: "My notification policy 2"
    Notification Description: "Starred alerts with medium severity"

Email Body JSON Example

{
    "original_alert_json":{
        "uuid":"<UUID Value>",
        "recordType":"threat",
        "customerId":"<Customer ID>",
        "severity":4,
        "generatedTime":"2020-11-03T07:46:03.166000Z",
        "originalAgentTime":"2020-11-03T07:46:01.372974700Z",
        "serverTime":"2020-11-03T07:46:03.312633",
        "isEndpoint":1,
        "agentId":"<agent ID>",
        "endPointHeader":{
            "osVersion":"<OS version>",
            "agentIp":"<Agent IP Address>",
            "deviceName":"<Device Name>",
            "agentVersion":"<Agent Version>",
            "contentVersion":"152-40565",
            "policyTag":"<Policy Tag Value>",
            "securityStatus":0,
            "protectionStatus":0,
            "dataCollectionStatus":1,
            "isolationStatus":0,
            "agentIpList":[
                "<IP Address>"
            ],
            "addresses":[
                {
                    "ip":[
                        "<IP Address>"
                    ],
                    "mac":"<Mac ID>"
                }
            ],
            "liveTerminalEnabled":true,
            "scriptExecutionEnabled":true,
            "fileRetrievalEnabled":true,
            "agentLocation":0,
            "fileSearchEnabled":false,
            "deviceDomain":"env21.local",
            "userName":"Aragorn",
            "userDomain":"env21.local",
            "userSid":"<User S ID>",
            "osType":1,
            "is64":1,
            "isVdi":0,
            "agentId":"<Agent ID>",
            "agentTime":"2020-11-03T07:46:03.166000Z",
            "tzOffset":120
        },
        "messageData":{
            "eventCategory":"prevention",
            "moduleId":"COMPONENT_WILDFIRE",
            "moduleStatusId":"CYSTATUS_MALICIOUS_EXE",
            "preventionKey":"<Prevention Key>",
            "processes":[
                {
                    "pid":111,
                    "parentId":<Parent ID>,
                    "exeFileIdx":0,
                    "userIdx":0,
                    "commandLine":"\"C:\\<file path>\\test.exe\" ",
                    "instanceId":"Instance ID",
                    "terminated":0
                }
            ],
            "files":[
                {
                    "rawFullPath":"C:\\<file path>\\test.exe",
                    "fileName":"test.exe",
                    "sha256":"<SHA256 Value>",
                    "fileSize":"12800",
                    "innerObjectSha256":"<SHA256 Value>"
                }
            ],
            "users":[
                {
                    "userName":"<User Name>",
                    "userDomain":"<Domain Name>",
                    "domainUser":"<Domain Name>\\<User Name>"
                }
            ],
            "urls":[

            ],
            "postDetected":0,
            "sockets":[

            ],
            "containers":[

            ],
            "techniqueId":[

            ],
            "tacticId":[

            ],
            "modules":[

            ],
            "javaStackTrace":[

            ],
            "terminate":0,
            "block":0,
            "eventParameters":[
                "C:\\<file path>\\test.exe",
                "B30--A56B9F",
                "B30--A56B9F",
                "1"
            ],
            "sourceProcessIdx":0,
            "fileIdx":0,
            "verdict":1,
            "canUpload":0,
            "preventionMode":"reported",
            "trapsSeverity":2,
            "profile":"Malware",
            "description":"WildFire Malware",
            "cystatusDescription":"Suspicious executable detected",
            "sourceProcess":{
                "user":{
                    "userName":"<User Name>",
                    "userDomain":"<Domain Name>",
                    "domainUser":"<Domain Name>\\<User Name>"
                },
                "pid":1111,
                "parentId":<Parent ID>,
                "exeFileIdx":0,
                "userIdx":0,
                "commandLine":"\"C:\\<file path>\\test.exe\" ",
                "instanceId":"<Instance ID>",
                "terminated":0,
                "rawFullPath":"C:\\<file path>\\Test.exe",
                "fileName":"test.exe",
                "sha256":"<SHA256 Value>",
                "fileSize":"12800",
                "innerObjectSha256":"<SHA256 Value>"
            },
            "policyId":"<Policy ID>"
        }
    },
    "internal_id":<Internal ID>,
    "external_id":"<External ID>",
    "severity":"SEV_030_MEDIUM",
    "matching_status":"MATCHED",
    "end_match_attempt_ts":1604389636437,
    "alert_source":"TRAPS",
    "local_insert_ts":1604570760,
    "source_insert_ts":160470366,
    "alert_name":"WildFire Malware",
    "alert_category":"Malware",
    "alert_description":"Suspicious executable detected",
    "bioc_indicator":null,
    "matching_service_rule_id":null,
    "attempt_counter":1,
    "bioc_category_enum_key":null,
    "alert_action_status":"REPORTED",
    "case_id":111,
    "is_whitelisted":false,
    "starred":false,
    "deduplicate_tokens":null,
    "filter_rule_id":null,
    "mitre_technique_id_and_name":[
        ""
    ],
    "mitre_tactic_id_and_name":[
        ""
    ],
    "agent_id":"80d2e314c92f6",
    "agent_version":"7.2.1.2718",
    "agent_ip_addresses":[
        "10.208.213.137"
    ],
    "agent_hostname":"<Agent Hostname>",
    "agent_device_domain":"<Device Domain>",
    "agent_fqdn":"<FQDN Value>",
    "agent_os_type":"AGENT_OS_WINDOWS",
    "agent_os_sub_type":"<Operating System Sub-Type> ",
    "agent_data_collection_status":true,
    "mac":"<Mac ID>",
    "agent_is_vdi":null,
    "agent_install_type":"STANDARD",
    "agent_host_boot_time":[
        1604446615
    ],
    "event_sub_type":null,
    "module_id":[
        "WildFire"
    ],
    "association_strength":null,
    "dst_association_strength":null,
    "story_id":null,
    "is_disintegrated":null,
    "event_id":null,
    "event_type":[
        1
    ],
    "event_timestamp":[
        1604389563166
    ],
    "actor_effective_username":[
        "<Domain Name>\\<User Name>"
    ],
    "actor_process_instance_id":[
        "<Actor>\/<Instance ID>"
    ],
    "actor_process_image_path":[
        "C:\\<file path>\\test.exe"
    ],
    "actor_process_image_name":[
        "test.exe"
    ],
    "actor_process_command_line":[
        "\"C:\\<file path>\\test.exe\" "
    ],
    "actor_process_signature_status":[
        "SIGNATURE_UNSIGNED"
    ],
    "actor_process_signature_vendor":null,
    "actor_process_image_sha256":[
        "<SHA256 Value>"
    ],
    "actor_process_image_md5":[
        "<MD5 Value>"
    ],
    "actor_process_causality_id":[
        "<Actor>\/<Causality ID>"
    ],
    "actor_causality_id":null,
    "actor_process_os_pid":[
        1111
    ],
    "actor_thread_thread_id":[
        1222
    ],
    "causality_actor_process_image_name":[
        "test1.exe"
    ],
    "causality_actor_process_command_line":[
        "C:\\<file path>\\test1.EXE"
    ],
    "causality_actor_process_image_path":[
        "C:\\<file path>\\test1.exe"
    ],
    "causality_actor_process_signature_vendor":[
        "Microsoft Corporation"
    ],
    "causality_actor_process_signature_status":[
        "SIGNATURE_SIGNED"
    ],
    "causality_actor_causality_id":[
        "AdaxtV\/iNIMAAAc8AAAAAA=="
    ],
    "causality_actor_process_execution_time":[
        1604389557724
    ],
    "causality_actor_process_image_md5":null,
    "causality_actor_process_image_sha256":[
        "<SHA256 Value>"
    ],
    "action_file_path":null,
    "action_file_name":null,
    "action_file_md5":null,
    "action_file_sha256":null,
    "action_file_macro_sha256":null,
    "action_registry_data":null,
    "action_registry_key_name":null,
    "action_registry_value_name":null,
    "action_registry_full_key":null,
    "action_local_ip":null,
    "action_local_port":null,
    "action_remote_ip":null,
    "action_remote_port":null,
    "action_external_hostname":null,
    "action_country":[
        "UNKNOWN"
    ],
    "action_process_instance_id":null,
    "action_process_causality_id":null,
    "action_process_image_name":null,
    "action_process_image_sha256":null,
    "action_process_image_command_line":null,
    "action_process_signature_status":[
        "SIGNATURE_UNAVAILABLE"
    ],
    "action_process_signature_vendor":null,
    "os_actor_effective_username":null,
    "os_actor_process_instance_id":null,
    "os_actor_process_image_path":null,
    "os_actor_process_image_name":null,
    "os_actor_process_command_line":null,
    "os_actor_process_signature_status":[
        "SIGNATURE_UNAVAILABLE"
    ],
    "os_actor_process_signature_vendor":null,
    "os_actor_process_image_sha256":null,
    "os_actor_process_causality_id":null,
    "os_actor_causality_id":null,
    "os_actor_process_os_pid":null,
    "os_actor_thread_thread_id":[
        1396
    ],
    "fw_app_id":null,
    "fw_interface_from":null,
    "fw_interface_to":null,
    "fw_rule":null,
    "fw_rule_id":null,
    "fw_device_name":null,
    "fw_serial_number":null,
    "fw_url_domain":null,
    "fw_email_subject":null,
    "fw_email_sender":null,
    "fw_email_recipient":null,
    "fw_app_subcategory":null,
    "fw_app_category":null,
    "fw_app_technology":null,
    "fw_vsys":null,
    "fw_xff":null,
    "fw_misc":null,
    "fw_is_phishing":[
        "NOT_AVAILABLE"
    ],
    "dst_agent_id":null,
    "dst_causality_actor_process_execution_time":null,
    "dns_query_name":null,
    "dst_action_external_hostname":null,
    "dst_action_country":null,
    "dst_action_external_port":null,
    "is_pcap":null,
    "contains_featured_host":[
        "NO"
    ],
    "contains_featured_user":[
        "YES"
    ],
    "contains_featured_ip":[
        "YES"
    ],
    "events_length":1,
    "is_excluded":false
}
Slack Channel

You can send alert notifications to a single Slack contact or a Slack channel. Notifications are similar to the email format.

Syslog Server

Alert notifications forwarded to a syslog server are sent in CEF format (RFC 5425). Each message consists of a syslog header, a CEF header, and a CEF body (extension) of key=value pairs, as described below.

Section: Syslog Header
Description:
    <9>: PRI (priority field)
    1: version number
    2020-03-22T07:55:07.964311Z: timestamp of when the alert/log was sent
    cortexxdr: host name

Section: CEF Header
Description:
    HEADER/Vendor = "Palo Alto Networks" (constant string)
    HEADER/Device Product = "Cortex XDR" (constant string)
    HEADER/Product Version = Cortex XDR version (2.0/2.1, ...)
    HEADER/Severity = integer (0 - Unknown, 6 - Low, 8 - Medium, 9 - High)
    HEADER/Device Event Class ID = alert source
    HEADER/name = alert name

Section: CEF Body
Description:
    end=timestamp
    shost=endpoint_name
    deviceFacility=facility
    cat=category
    externalId=external_id
    request=request
    cs1=initiated_by_process
    cs1Label=Initiated by (constant string)
    cs2=initiator_command
    cs2Label=Initiator CMD (constant string)
    cs3=signature
    cs3Label=Signature (constant string)
    cs4=cgo_name
    cs4Label=CGO name (constant string)
    cs5=cgo_command
    cs5Label=CGO CMD (constant string)
    cs6=cgo_signature
    cs6Label=CGO Signature (constant string)
    dst=destination_ip
    dpt=destination_port
    src=source_ip
    spt=source_port
    fileHash=file_hash
    filePath=file_path
    targetprocesssignature=target_process_signature
    tenantname=tenant_name
    tenantCDLid=tenant_id
    CSPaccountname=account_name
    initiatorSha256=initiator_hash
    initiatorPath=initiator_path
    osParentName=parent_name
    osParentCmd=parent_command
    osParentSha256=parent_hash
    osParentSignature=parent_signature
    osParentSigner=parent_signer
    incident=incident_id
    act=action
    suser=actor_effective_username

Example

<177>1 2020-10-04T10:06:55.192016Z cortexxdr - - - - CEF:0|Palo Alto Networks|Cortex XDR|Cortex XDR 2.4|XDR Analytics|High Connection Rate|6|end=1601792870694 shost=WGHRAMG deviceFacility=None cat=Discovery externalId=98106342 request=https:\/\/iga-bh.xdr.eu.paloaltonetworks.com\/alerts\/98106342 cs1=iexplore.exe cs1Label=Initiated by cs2=\“C:\\\\Program Files (x86)\\\\Internet Explorer\\\\IEXPLORE.EXE\” SCODEF:11844 CREDAT:82946 \/prefetch:2 cs2Label=Initiator CMD cs3=Microsoft CorporationSIGNATURE_SIGNED- cs3Label=Signature cs4=iexplore.exe cs4Label=CGO name cs5=\“C:\\\\Program Files (x86)\\\\Internet Explorer\\\\IEXPLORE.EXE\” SCODEF:11844 CREDAT:82946 \/prefetch:2 cs5Label=CGO CMD cs6=Microsoft CorporationSIGNATURE_SIGNED- cs6Label=CGO Signature dst=10.12.4.37 dpt=8000 src=10.10.28.140 spt=58003 fileHash=e582676ec900249b408ab4e37976ae8c443635a7da77755daf6f896a172856a3 filePath=C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe targetprocesssignature=NoneSIGNATURE_UNAVAILABLE- tenantname=iGA tenantCDLid=1021319191 CSPaccountname=Information & eGovernment Authority initiatorSha256=e582676ec900249b408ab4e37976ae8c443635a7da77755daf6f896a172856a3 initiatorPath=C:\\\\Program Files (x86)\\\\Internet Explorer\\\\iexplore.exe cgoSha256=e582676ec900249b408ab4e37976ae8c443635a7da77755daf6f896a172856a3 osParentName=iexplore.exe osParentCmd=\“C:\\\\Program Files (x86)\\\\Internet Explorer\\\\IEXPLORE.EXE\” SCODEF:11844 CREDAT:82946 \/prefetch:2 osParentSha256=e582676ec900249b408ab4e37976ae8c443635a7da77755daf6f896a172856a3 osParentSignature=SIGNATURE_SIGNED osParentSigner=Microsoft Corporation incident=118719 act=Detected suser=['root']
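Parsing a forwarded notification into its syslog header, CEF header and CEF body, as an added example (not Palo Alto Networks code). The sample line is constructed from the example above with the hashes, tenant fields and request URL dropped; the severity labels come from the CEF Header table, and the parser honours the CEF escapes (\|, \\, \=, \") that a SIEM ingest must handle before matching on fields such as cs2.

```python
import re

# Severity mapping from the CEF Header row above; CEF_HEADER names are ours, the order is CEF's.
CEF_SEVERITY = {0: "Unknown", 6: "Low", 8: "Medium", 9: "High"}
CEF_HEADER = ("cef_version", "vendor", "product", "product_version",
              "device_event_class_id", "name", "severity")
SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\d) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$", re.S)

# Constructed sample modelled on the page's example (hashes, tenant fields and URL removed).
SAMPLE = ('<177>1 2020-10-04T10:06:55.192016Z cortexxdr - - - - CEF:0|Palo Alto Networks|'
          'Cortex XDR|Cortex XDR 2.4|XDR Analytics|High Connection Rate|6|end=1601792870694 '
          'shost=WGHRAMG cat=Discovery externalId=98106342 cs1=iexplore.exe cs1Label=Initiated by '
          'cs2=\\"C:\\\\Program Files (x86)\\\\IEXPLORE.EXE\\" /prefetch:2 cs2Label=Initiator CMD '
          'dst=10.12.4.37 dpt=8000 act=Detected suser=[\'root\']')

def _unescape(value):
    """Undo CEF extension escapes (\\= \\\\ \\" \\n \\r)."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def split_cef_header(cef):
    """Return (dict of the 7 pipe-delimited header fields, remaining extension string)."""
    fields, cur, i = [], [], 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):        # '\|' and '\\' are escapes inside the header
            cur.append(cef[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    if len(fields) != 7 or not fields[0].startswith("CEF:"):
        raise ValueError("not a CEF record with 7 header fields")
    fields[0] = fields[0][4:]                      # "CEF:0" -> "0"
    return dict(zip(CEF_HEADER, fields)), cef[i:]

def parse_extension(ext):
    """Split 'key=value' pairs; values may contain spaces, keys are alphanumeric."""
    keys = list(re.finditer(r"(?:^|\s)([A-Za-z0-9_]+)=", ext))
    return {m.group(1): _unescape(ext[m.end():nxt.start() if nxt else len(ext)])
            for m, nxt in zip(keys, keys[1:] + [None])}

def parse_alert(line):
    """Parse one Cortex XDR syslog notification: RFC 5424 header, CEF header, CEF extension."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 syslog line")
    pri, (header, ext) = int(m.group(1)), split_cef_header(m.group(9))
    return {"facility": pri // 8, "syslog_severity": pri % 8, "timestamp": m.group(3),
            "hostname": m.group(4), "cef": header, "ext": parse_extension(ext),
            "severity_label": CEF_SEVERITY.get(int(header["severity"]), "Unknown")}
```

Note that the alert severity lives in the CEF header (6 = Low here), not in the syslog PRI, so routing rules in the SIEM should key on that field rather than on the syslog severity.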