Analytics Log Format - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2024-02-26
Last date published
2024-06-09
Category
Administrator Guide
Abstract

Learn about the syntax and different variables that are used in the analytics log format.

Cortex XDR Analytics logs its alerts to the Cortex XDR tenant as analytics alert logs. If you configure Cortex XDR to forward logs in legacy format, each log record has the following format:

Syslog format

sub_type,time_generated,id,version_info/document_version,version_info/magnifier_version,version_info/detection_version,alert/url,alert/category,alert/type,alert/name,alert/description/html,alert/description/text,alert/severity,alert/state,alert/is_whitelisted,alert/ports,alert/internal_destinations/single_destinations,alert/internal_destinations/ip_ranges,alert/external_destinations,alert/app_id,alert/schedule/activity_first_seen_at,alert/schedule/activity_last_seen_at,alert/schedule/first_detected_at,alert/schedule/last_detected_at,user/user_name,user/url,user/display_name,user/org_unit,device/id,device/url,device/mac,device/hostname,device/ip,device/ip_ranges,device/owner,device/org_unit,files

Email body format example.

When analytics alert logs are forwarded by email, each field is labeled, one line per field.

sub_type: Update
time_generated: 1547717480
id: 4
version_info/document_version: 1
version_info/magnifier_version: 1.8
version_info/detection_version: 2019.2.0rc1
alert/url: https:\/\/ddc1...
alert/category: Recon
alert/type: Port Scan
alert/name: Port Scan 
alert/description/html: \t<ul>\n\t\t<li>The device....
alert/description/text: The device ...
alert/severity: Low
alert/state: Reopened
alert/is_whitelisted: false
alert/ports: "[1,2,3,4,5,6,7,8,9,10,11...]
alert/internal_destinations/single_destinations: []
alert/internal_destinations/ip_ranges: "[{""max_ip"":""..."",""name"":""..."",""min_ip"":""...""}]"
alert/external_destinations: []
alert/app_id: 
alert/schedule/activity_first_seen_at: 1542178800
alert/schedule/activity_last_seen_at: 1542182400
alert/schedule/first_detected_at: 1542182400
alert/schedule/last_detected_at: 1542182400
user/user_name: 
user/url: 
user/display_name: 
user/org_unit: 
device/id: 2-85e40edd-b2d1-1f25-2c1e-a3dd576c8a7e
device/url: https:\/\/ddc1 ...
device/mac: 00-50-56-a5-db-b2
device/hostname: DC1ENV3APC42
device/ip: 10.201.102.17
device/ip_ranges: "[{""max_ip"":""..."",""name"":""..."",""min_ip"":""..."",""asset"":""""}]"
device/owner: 
device/org_unit: 
files: []

The following table describes each field.

Field Name

Definition

sub_type

Alert log subtype. Values are:

  • New—First log record for the alert with this record id.

  • Update—Log record identifies an update to a previously logged alert.

  • StateOnlyUpdate—Alert state is updated. For internal use only.

time_generated

Time the log record was sent to the Cortex XDR tenant. Value is a Unix Epoch timestamp.

id

Unique identifier for the alert. Any given alert can generate multiple log records—one when the alert is initially raised, and then additional records every time the alert status changes. This ID remains constant for all such alert records.

You can obtain the current status of the alert by looking for log records with this id and the most recent alert/schedule/last_detected_at timestamp.

version_info/document_version

Identifies the log schema version number used for this log record.

version_info/magnifier_version

The version number of the Cortex XDR – Analytics instance that wrote this log record.

version_info/detection_version

Identifies the version of the Cortex XDR – Analytics detection software used to raise the alert.

alert/url

Provides the full URL to the alert page in the Cortex XDR – Analytics user interface.

alert/category

Identifies the alert category, which is a reflection of the anomalous network activity location in the attack life cycle. Possible categories are:

  • C&C—The network activity is possibly the result of malware attempting to connect to its Command & Control server.

  • Exfiltration—A large amount of data is being transferred to an endpoint that is external to the network.

  • Lateral—The network activity is indicative of an attacker who is attempting to move from one endpoint to another on the network.

  • Malware—A file has been discovered on an endpoint that is probably malware or riskware. Malware alerts can also be raised based on network activity that is indicative of automated malicious traffic generation.

  • Recon—The network activity is indicative an attacker that is exploring the network for endpoints and other resources to attack.

alert/type

Identifies the categorization to which the alert belongs. For example Tunneling Process, Sandbox Detection, Malware, and so forth.

alert/name

The alert name as it appears in the Cortex XDR – Analytics user interface.

alert/description/html

The alert textual description in HTML formatting.

alert/description/text

The alert textual description in plain text.

alert/severity

Identifies the alert severity. These severities indicate the likelihood that the anomalous network activity is a real attack.

  • High—The alert is confirmed to be a network attack.

  • Medium—The alert is suspicious enough to require additional investigation.

  • Low—The alert is unverified. Whether the alert is indicative of a network attack is unknown.

alert/state

Identifies the alert state.

  • Open—The alert is currently active and should be undergoing triage or investigation by the network security analysts.

  • Reopened—The alert was previously resolved or dismissed, but new network activity has caused Cortex XDR – Analytics to reopen the alert.

  • Archived—No action was taken on the alert in the Cortex XDR – Analytics user interface, and no further network activity has occurred that caused it to remain active.

  • Resolved—Network personnel have taken enough action to end the attack.

  • Dismissed—The anomaly has been examined and deemed to be normal, sanctioned, network activity.

alert/is_whitelisted

Indicates whether the alert is whitelisted. Whitelisting indicates that anomalous-appearing network activity is legitimate. If an alert is whitelisted, then it is not visible in the Cortex XDR – Analytics user interface. Alerts can be dismissed or archived and still have a whitelist rule.

alert/ports

List of ports accessed by the network entity during its anomalous behavior.

alert/internal_destinations/single_destinations

Network destinations that the entity reached, or tried to reach, during the course of the network activity that caused Cortex XDR – Analytics to raise the alert. This field contains a sequence of JSON objects, each of which contains the following fields:

  • ip—The destination IP address.

  • name—The destination name (for example, a host name).

alert/internal_destinations/ip_ranges

IP address range subnets that the entity reached, or tried to reach, during the course of the network activity that caused Cortex XDR – Analytics to raise the alert. This field contains a sequence of JSON objects, each of which contains the following fields:

  • max_ip—Last IP address in the subnet.

  • min_ip—First IP address in the subnet.

  • name—Subnet name.

alert/external_destinations

Provides a list of destinations external to the monitored network that the entity tried to reach, or actually reached, during the activity that raised this alert. This list can contain IP addresses or fully qualified domain names.

alert/app_id

The App-ID associated with this alert.

alert/schedule/activity_first_seen_at

Time when Cortex XDR – Analytics first detected the network activity that caused it to raise the alert. Be aware that there is frequently a delay between this timestamp, and the time when Cortex XDR – Analytics raises an alert (see the alert/schedule/first_detected_at field).

alert/schedule/activity_last_seen_at

Time when Cortex XDR – Analytics last detected the network activity that caused it to raise the alert.

alert/schedule/first_detected_at

Time when Cortex XDR – Analytics first alerted on the network activity.

alert/schedule/last_detected_at

Time when Cortex XDR – Analytics last alerted on the network activity.

user/user_name

The name of the user associated with this alert. This name is obtained from Active Directory.

user/url

Provides the full URL to the user page in the Cortex XDR – Analytics user interface for the user who is associated with the alert.

user/display_name

The user name as retrieved from Active Directory. This is the user name displayed within the Cortex XDR – Analytics user interface for the user who is associated with this alert.

user/org_unit

The organizational unit of the user associated with this alert, as identified using Active Directory.

device/id

A unique ID assigned by Cortex XDR – Analytics to the device. All alerts raised due to activity occurring on this endpoint will share this ID.

device/url

Provides the full URL to the device page in the Cortex XDR – Analytics user interface.

device/mac

The MAC address of the network card in use on the device.

device/hostname

The device host name.

device/ip

The device IP address.

device/ip_ranges

Identifies the subnet or subnets that the device is on. This sequence can contain multiple inclusive subnets. Each element in this sequence is a JSON object with the following fields:

  • asset—The asset name assigned to the device from within the Cortex XDR – Analytics user interface.

  • max_ip—Last IP address in the subnet.

  • min_ip—First IP address in the subnet.

  • name—Subnet name.

device/owner

The user name of the person who owns the device.

device/org_unit

The organizational unit that owns the device, as identified by Active Directory.

files

Identifies the files associated with the alert. Each element in this sequence is a JSON object with the following fields:

  • full_path—The file full path (including the file name).

  • md5—The file MD5 hash.