Learn about the syntax and different variables that are used in the analytics log format.
Cortex XDR Analytics logs its alerts to the Cortex XDR tenant as analytics alert logs. If you configure Cortex XDR to forward logs in legacy format, each log record has the following format:
Syslog format
sub_type,time_generated,id,version_info/document_version,version_info/magnifier_version,version_info/detection_version,alert/url,alert/category,alert/type,alert/name,alert/description/html,alert/description/text,alert/severity,alert/state,alert/is_whitelisted,alert/ports,alert/internal_destinations/single_destinations,alert/internal_destinations/ip_ranges,alert/external_destinations,alert/app_id,alert/schedule/activity_first_seen_at,alert/schedule/activity_last_seen_at,alert/schedule/first_detected_at,alert/schedule/last_detected_at,user/user_name,user/url,user/display_name,user/org_unit,device/id,device/url,device/mac,device/hostname,device/ip,device/ip_ranges,device/owner,device/org_unit,files
Email body format example.
When analytics alert logs are forwarded by email, each field is labeled, one line per field.
sub_type: Update
time_generated: 1547717480
id: 4
version_info/document_version: 1
version_info/magnifier_version: 1.8
version_info/detection_version: 2019.2.0rc1
alert/url: https:\/\/ddc1...
alert/category: Recon
alert/type: Port Scan
alert/name: Port Scan
alert/description/html: \t<ul>\n\t\t<li>The device....
alert/description/text: The device ...
alert/severity: Low
alert/state: Reopened
alert/is_whitelisted: false
alert/ports: "[1,2,3,4,5,6,7,8,9,10,11...]
alert/internal_destinations/single_destinations: []
alert/internal_destinations/ip_ranges: "[{""max_ip"":""..."",""name"":""..."",""min_ip"":""...""}]"
alert/external_destinations: []
alert/app_id:
alert/schedule/activity_first_seen_at: 1542178800
alert/schedule/activity_last_seen_at: 1542182400
alert/schedule/first_detected_at: 1542182400
alert/schedule/last_detected_at: 1542182400
user/user_name:
user/url:
user/display_name:
user/org_unit:
device/id: 2-85e40edd-b2d1-1f25-2c1e-a3dd576c8a7e
device/url: https:\/\/ddc1 ...
device/mac: 00-50-56-a5-db-b2
device/hostname: DC1ENV3APC42
device/ip: 10.201.102.17
device/ip_ranges: "[{""max_ip"":""..."",""name"":""..."",""min_ip"":""..."",""asset"":""""}]"
device/owner:
device/org_unit:
files: []
The following table describes each field.
| Field Name | Definition |
|---|---|
| sub_type | Alert log subtype. Values are: |
| time_generated | Time the log record was sent to the Cortex XDR tenant. Value is a Unix Epoch timestamp. |
| id | Unique identifier for the alert. A given alert can generate multiple log records: one when the alert is first raised, and another each time the alert status changes. The id is the same in all of those records. To obtain the current status of an alert, take the log record with this id that has the most recent time_generated. |
| version_info/document_version | Identifies the log schema version number used for this log record. |
| version_info/magnifier_version | The version number of the Cortex XDR – Analytics instance that wrote this log record. |
| version_info/detection_version | Identifies the version of the Cortex XDR – Analytics detection software used to raise the alert. |
| alert/url | Provides the full URL to the alert page in the Cortex XDR – Analytics user interface. |
| alert/category | Identifies the alert category, which reflects where in the attack life cycle the anomalous network activity falls. Possible categories are: |
| alert/type | Identifies the categorization to which the alert belongs, for example Tunneling Process, Sandbox Detection, or Malware. |
| alert/name | The alert name as it appears in the Cortex XDR – Analytics user interface. |
| alert/description/html | The alert textual description in HTML formatting. |
| alert/description/text | The alert textual description in plain text. |
| alert/severity | Identifies the alert severity. The severity indicates the likelihood that the anomalous network activity is a real attack. |
| alert/state | Identifies the alert state. |
| alert/is_whitelisted | Indicates whether the alert is whitelisted. Whitelisting indicates that anomalous-appearing network activity is legitimate. If an alert is whitelisted, it is not visible in the Cortex XDR – Analytics user interface. Alerts can be dismissed or archived and still have a whitelist rule. |
| alert/ports | List of ports accessed by the network entity during its anomalous behavior. |
| alert/internal_destinations/single_destinations | Network destinations that the entity reached, or tried to reach, during the network activity that caused Cortex XDR – Analytics to raise the alert. This field contains a sequence of JSON objects, each of which contains the following fields: |
| alert/internal_destinations/ip_ranges | IP address range subnets that the entity reached, or tried to reach, during the network activity that caused Cortex XDR – Analytics to raise the alert. This field contains a sequence of JSON objects, each of which contains the following fields (the email example above shows max_ip, name, and min_ip): |
| alert/external_destinations | Provides a list of destinations external to the monitored network that the entity reached, or tried to reach, during the activity that raised this alert. The list can contain IP addresses or fully qualified domain names. |
| alert/app_id | The App-ID associated with this alert. |
| alert/schedule/activity_first_seen_at | Time when Cortex XDR – Analytics first detected the network activity that caused it to raise the alert. There is frequently a delay between this timestamp and the time when Cortex XDR – Analytics raises the alert (see alert/schedule/first_detected_at). |
| alert/schedule/activity_last_seen_at | Time when Cortex XDR – Analytics last detected the network activity that caused it to raise the alert. |
| alert/schedule/first_detected_at | Time when Cortex XDR – Analytics first alerted on the network activity. |
| alert/schedule/last_detected_at | Time when Cortex XDR – Analytics last alerted on the network activity. |
| user/user_name | The name of the user associated with this alert, as obtained from Active Directory. |
| user/url | Provides the full URL to the user page in the Cortex XDR – Analytics user interface for the user associated with the alert. |
| user/display_name | The user's display name as retrieved from Active Directory. This is the name displayed within the Cortex XDR – Analytics user interface for the user associated with this alert. |
| user/org_unit | The organizational unit of the user associated with this alert, as identified using Active Directory. |
| device/id | A unique ID assigned by Cortex XDR – Analytics to the device. All alerts raised due to activity on this device share this ID. |
| device/url | Provides the full URL to the device page in the Cortex XDR – Analytics user interface. |
| device/mac | The MAC address of the network card in use on the device. |
| device/hostname | The device host name. |
| device/ip | The device IP address. |
| device/ip_ranges | Identifies the subnet or subnets that the device is on. This sequence can contain multiple inclusive subnets. Each element is a JSON object with the following fields (the email example above shows max_ip, name, min_ip, and asset): |
| device/owner | The user name of the person who owns the device. |
| device/org_unit | The organizational unit that owns the device, as identified by Active Directory. |
| files | Identifies the files associated with the alert. Each element in this sequence is a JSON object with the following fields: |
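The following Python script is an added example, not Cortex XDR product code or part of the original documentation. It parses both forwarding formats described above into one dictionary shape, using the column order of the syslog header line: the header-less CSV syslog record (JSON-valued fields such as alert/ports and device/ip_ranges arrive CSV-quoted with embedded quotes doubled, which the csv module undoes) and the one-field-per-line email body. It then applies the id semantics from the table, taking the record with the most recent time_generated as the alert's current status, and computes the lag between alert/schedule/activity_first_seen_at and alert/schedule/first_detected_at. The sample records, the ddc1.example URLs, the port lists and the subnet names are constructed for the example and are not real alerts.

```python
import csv
import json
from datetime import datetime, timezone

# Column order of a legacy-format syslog record, from the header line above.
FIELDS = (
    "sub_type,time_generated,id,version_info/document_version,"
    "version_info/magnifier_version,version_info/detection_version,"
    "alert/url,alert/category,alert/type,alert/name,alert/description/html,"
    "alert/description/text,alert/severity,alert/state,alert/is_whitelisted,"
    "alert/ports,alert/internal_destinations/single_destinations,"
    "alert/internal_destinations/ip_ranges,alert/external_destinations,"
    "alert/app_id,alert/schedule/activity_first_seen_at,"
    "alert/schedule/activity_last_seen_at,alert/schedule/first_detected_at,"
    "alert/schedule/last_detected_at,user/user_name,user/url,user/display_name,"
    "user/org_unit,device/id,device/url,device/mac,device/hostname,device/ip,"
    "device/ip_ranges,device/owner,device/org_unit,files").split(",")
# JSON sequences arrive CSV-quoted (embedded quotes doubled); epochs are UTC.
JSON_FIELDS = {"alert/ports", "alert/internal_destinations/single_destinations",
               "alert/internal_destinations/ip_ranges",
               "alert/external_destinations", "device/ip_ranges", "files"}
EPOCH_FIELDS = {"time_generated", "alert/schedule/activity_first_seen_at",
                "alert/schedule/activity_last_seen_at",
                "alert/schedule/first_detected_at", "alert/schedule/last_detected_at"}

def _coerce(field, value):
    """Convert one raw string value to a typed Python value."""
    if field in JSON_FIELDS:
        return json.loads(value) if value else []
    if field in EPOCH_FIELDS:
        return datetime.fromtimestamp(int(value), tz=timezone.utc)
    if field == "alert/is_whitelisted":
        return value.lower() == "true"
    return value

def parse_syslog_record(line):
    """Parse one header-less CSV record; reject rows with the wrong field count."""
    row = next(csv.reader([line]))
    if len(row) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(row)}")
    return {f: _coerce(f, v) for f, v in zip(FIELDS, row)}

def parse_email_body(text):
    """Parse the one-'field: value'-per-line email form into the same dict shape."""
    record = {}
    for raw in text.splitlines():
        key, sep, value = raw.partition(":")  # field names never contain ':'
        if not sep:
            raise ValueError(f"not a field line: {raw!r}")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1].replace('""', '"')  # undo CSV-style quoting
        record[key.strip()] = _coerce(key.strip(), value)
    return record

def latest_records(records):
    """Current status per alert id: the record with the newest time_generated."""
    latest = {}
    for rec in records:
        cur = latest.get(rec["id"])
        if cur is None or rec["time_generated"] > cur["time_generated"]:
            latest[rec["id"]] = rec
    return latest

def detection_delay_seconds(rec):
    """Lag between the first observed activity and the first alert raised on it."""
    delta = (rec["alert/schedule/first_detected_at"]
             - rec["alert/schedule/activity_first_seen_at"])
    return int(delta.total_seconds())

# Constructed sample records (not real alerts): the initial record for alert 4
# as forwarded by syslog, and a later update for the same id as emailed.
SYSLOG_NEW = (
    'New,1542182400,4,1,1.8,2019.2.0rc1,https://ddc1.example/alert/4,Recon,'
    'Port Scan,Port Scan,<ul><li>The device scanned ports</li></ul>,'
    'The device scanned ports,Low,New,false,"[22,80,443]",[],'
    '"[{""max_ip"":""10.201.102.255"",""name"":""lab"",""min_ip"":""10.201.102.0""}]",'
    '[],,1542178800,1542182400,1542182400,1542182400,,,,,'
    '2-85e40edd-b2d1-1f25-2c1e-a3dd576c8a7e,https://ddc1.example/device/4,'
    '00-50-56-a5-db-b2,DC1ENV3APC42,10.201.102.17,'
    '"[{""max_ip"":""10.201.102.255"",""name"":""lab"",""min_ip"":""10.201.102.0"",""asset"":""""}]",'
    ',,[]')
EMAIL_UPDATE = """\
sub_type: Update
time_generated: 1547717480
id: 4
alert/state: Reopened
alert/is_whitelisted: false
alert/ports: "[22,80,443,8080]"
alert/internal_destinations/ip_ranges: "[{""max_ip"":""10.201.102.255"",""name"":""lab"",""min_ip"":""10.201.102.0""}]"
alert/app_id:
"""

if __name__ == "__main__":
    records = [parse_syslog_record(SYSLOG_NEW), parse_email_body(EMAIL_UPDATE)]
    current = latest_records(records)["4"]
    print(current["sub_type"], current["alert/state"], current["alert/ports"])
    print("detection delay (s):", detection_delay_seconds(records[0]))
```

Because the syslog record carries no header row, the field-count check is the only guard against a mis-mapped column: an unquoted comma anywhere in a description would otherwise shift every later field silently. Both parsers return the same keys, so records received over either channel can be combined in latest_records; alert/is_whitelisted is coerced to a real boolean because the raw value is the string false, which is truthy in Python.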