Endpoint Data Collection - To aid in endpoint detection and alert investigation, the Cortex XDR agent collects endpoint information when an alert is triggered. - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide
Product
Cortex XDR
License
Pro
Creation date
2024-07-16
Last date published
2024-12-12
Category
Administrator Guide
Retire_Doc
Retiring
Link_to_new_Doc
/r/Cortex-XDR/Cortex-XDR-Documentation
Abstract

To aid in endpoint detection and alert investigation, the Cortex XDR agent collects endpoint information when an alert is triggered.

When the Cortex XDR agent raises an alert on endpoint activity, a minimum set of metadata about the endpoint is sent to the server as described in Metadata Collected for Cortex XDR Agent Alerts.

When you enable behavioral threat protection or EDR data collection in your endpoint security policy, the Cortex XDR agent can also continuously monitor endpoint activity for malicious event chains identified by Palo Alto Networks. The endpoint data that the Cortex XDR agent collects when you enable these capabilities vary by platform type.

Note

Agents with Cortex XDR Pro per Endpoint apply limits and filters on network, file, and registry logs. To expand these limits and filters, the Extended Threat Hunting Data (XTH) add-on must be purchased.

The tables below note whether specific logs require the XTH add-on.

Metadata Collected for Cortex XDR Agent Alerts

When the Cortex XDR agent raises an alert on endpoint activity, the following metadata is sent to the server:

Field

Description

Absolute Timestamp

Kernel system time

Relative Timestamp

Uptime since the computer started

Thread ID

ID of the originating thread

Process ID

ID of the originating process

Process Creation Time

Part of the process unique ID per boot session (PID + creation time)

Sequence ID

Unique integer per boot session

Primary User SID

Unique identifier of the user

Impersonating User SID

Unique identifier of the impersonating user, if applicable

EDR Data Collected for Windows Endpoints

Category

Events

Attributes

Mount a device (volume and hardware)

  • Mount

  • Unmount

  • Storage device name

  • Storage device class GUID

  • Storage device class name

  • Storage device bus type

  • Storage device volume GUID

  • Storage device mount point

  • Storage device drive type

  • Storage device vendor ID

  • Storage device product ID

  • Storage device serial number

  • Storage device virtual volume image

Executable metadata (Traps 6.1 and later)

Process start

  • File size

  • File access time

Files

  • Create

  • Write

  • Delete

  • Rename

  • Move

  • Modification (Traps 6.1 and later)

  • Symbolic links (Traps 6.1 and later)

  • Full path of the modified file before and after modification

  • SHA256 and MD5 hash for the file after modification

  • SetInformationFile for timestamps (Traps 6.1 and later)

  • File set security (DACL) information (Traps 6.1 and later)

  • Resolve hostnames on local network (Traps 6.1 and later)

  • Symbolic-link/hard-link and reparse point creation (Traps 6.1 and later)

Image (DLL)

Load

  • Full path

  • Base address

  • Target process-id/thread-id

  • Image size

  • Signature (Traps 6.1 and later)

  • SHA256 and MD5 hash for the DLL (Traps 6.1 and later)

  • File size (Traps 6.1 and later)

  • File access time (Traps 6.1 and later)

Process

  • Create

  • Terminate

  • Process ID (PID) of the parent process

  • PID of the process

  • Full path

  • Command line arguments

  • Integrity level to determine if the process is running with elevated privileges

  • Hash (SHA256 and MD5)

  • Signature or signing certificate details

Thread

Injection

  • Thread ID of the parent thread

  • Thread ID of the new or terminating thread

  • Process that initiated the thread if from another process

Network

  • Accept

  • Connect

  • Create

  • Listen

  • Close

  • Bind

  • Source IP address and port

  • Destination IP address and port

  • Failed connection

  • Protocol (TCP/UDP)

  • Resolve hostnames on local network

Network Protocols

  • DNS request and UDP response

  • HTTP connect

  • HTTP disconnect

  • HTTP proxy parsing

  • Origin country

  • Remote IP address and port

  • Local IP address and port

  • Destination IP address and port if proxy connection

  • Network connection ID

  • IPv6 connection status (true/false)

Network Statistics

  • On-close statistics

  • Periodic statistics

  • Upload volume on TCP link

  • Download volume on TCP link

Traps sends statistics both when a connection is closed, and at periodic intervals while the connection remains open.

Registry

  • Registry value:

    • Deletion

    • Set

  • Registry key:

    • Creation

    • Deletion

    • Rename

    • Addition

    • Modification (set information)

    • Restore

    • Save

  • Registry path of the modified value or key

  • Name of the modified value or key

  • Data of the modified value

Session

  • Log on

  • Log off

  • Connect

  • Disconnect

  • Interactive log-on (log-on at a computer console using credentials such as a username and password)

  • Session ID

  • Session State (equivalent to the event type)

  • Local (physically on the computer) or remote (connected using a terminal services session)

Host Status

  • Boot

  • Suspend

  • Resume

  • Host name

  • OS Version

  • Domain

  • Previous and current state

User Presence (Traps 6.1 and later)

User Detection

Detection when a user is present or idle per active user session on the computer.

RPC Calls

*Requires XTH add-on

  • RpcCall

  • RpcPreCall

  • action_rpc_interface_uuid

  • action_rpc_interface_version_major

  • action_rpc_interface_version_minor

  • action_rpc_func_opnum

  • action_rpc_func_str_call_fields (optional)

  • action_rpc_func_int_call_fields (optional)

  • action_rpc_interface_name

  • action_rpc_func_name

System Calls

*Requires XTH add-on

Syscall types change frequently, and can be observed in each event's data.

  • action_syscall_string_params

  • action_syscall_int_params

  • action_syscall_target_instance_id

  • action_syscall_target_image_path

  • action_syscall_target_image_name

  • action_syscall_target_os_pid

  • action_syscall_target_thread_id

  • address_mapping

Event Log

*Requires XTH add-on

See the table below for the list of Windows Event Logs that can be sent to the server.

Windows Event Logs

In Traps 6.1.3 and later releases, Cortex XDR and Traps agents can send the following Windows Event Logs to the tenant.

Note

The XTH add-on is required for Windows event log collection.

Path

Provider

Event IDs and Description

Application

EMET

Application

Windows Error Reporting

Only for Windows Error Reporting (WER) events when an application stops unexpectedly

Application

Microsoft-Windows-User Profiles Service

  • 1511: A user logged on with a temporary profile because Windows could not find the user's local profile.

  • 1518: A profile could not be created using a temporary profile

Application

Application Error

1000: Application unexpected stop/hang events, similar to WER/1001. These events include the full path to the EXE file, or to the module with the fault.

Application

Application Hang

1002: Application unexpected stop/hang events, similar to WER/1001. These events include the full path to the EXE file, or to the module with the fault.

Microsoft-Windows-LDAP-client

30: Windows Event Collector (WEC) recommended event

Microsoft-Windows-CAPI2/Operational

Windows CAPI2 logging events:

  • 11: Build Chain

  • 70: A Private Key was accessed

  • 90: X509 object

Microsoft-Windows-DNS-Client/Operational

3008: A DNS query was completed without local machine name resolution events, and without empty name resolution events.

Microsoft-Windows-DriverFrameworks-UserMode/Operational

2004: Detection of User-Mode drivers loading, for potential BadUSB detection

Microsoft-Windows-PowerShell/Operational

  • 4103: Block an activity

  • 4104: Remote command

  • 4105: Start command

  • 4106: Stop command

Microsoft-Windows-PrintService

Microsoft-Windows-PrintService

Microsoft-Windows-TaskScheduler/Operational

Microsoft-Windows-TaskScheduler

106, 129, 141, 142, 200, 201

Microsoft-Windows-TerminalServices-RDPClient/Operational

1024: A terminal service (TS) attempted to connect to a remote server

Microsoft-Windows-Windows Defender/Operational

  • 1006: Microsoft Defender Antivirus detected suspicious behavior

  • 1009: Microsoft Defender Antivirus restored an item from quarantine

Microsoft-Antimalware-Scan-Interface

1101: Anti-Malware Scan Interface (AMSI) content scan event

Microsoft-Windows-Windows Defender/Operational

  • 1116: Microsoft Defender Antivirus detected malware or other potentially unwanted software

  • 1119: Microsoft Defender Antivirus encountered a critical error when taking action on malware or other potentially unwanted software

Microsoft-Windows-Windows Firewall With Advanced Security/Firewall

Microsoft-Windows-Windows Firewall With Advanced Security

2004, 2005, 2006, 2009, 2033: Windows Firewall With Advanced Security Local Modifications (Levels 0, 2, 4)

Security

1102: The Security log cleared events

Security

Microsoft-Windows-Eventlog

Event log service events specific to the Security channel

Security

  • 4880: Certificate Authority Service stopped

  • 4881: Certificate Authority Service started

  • 4896: Certificate Authority database rows were deleted

  • 4898: A Certificate Authority template was loaded

Security

Microsoft-Windows-Security-Auditing

  • 4624: Successful logon

  • 4625: Failed logon

  • 4627: Group membership information

  • 4634: Logoff

  • 4647: User initiated logoff

  • 4648: Logon attempted, explicit credentials

  • 4649: Replay attack

  • 4672: Special privileges attempted login

  • 4768: Kerberos TGT request

  • 4769: Kerberos service ticket requested

  • 4770: Kerberos service ticket renewal

  • 4771: Kerberos pre-authentication failed

  • 4776: Domain controller validation attempt

  • 4778: Session was reconnected to a Windows station

  • 4800: Workstation locked

  • 4801: Workstation unlocked

  • 4802: Screensaver was invoked

  • 4803: Screensaver was dismissed

Security

Microsoft-Windows-Security-Auditing

  • 4720: A user account was created

  • 4722: A user account was enabled

  • 4723: An attempt was made to change an account's password

  • 4724: An attempt was made to reset an account’s password

  • 4725: A user account was disabled

  • 4726: A user account was deleted

  • 4727, 4731, 4754: Creation of Groups

  • 4728, 4732, 4756: Group member additions

  • 4729, 4733, 4757: Group member removals

  • 4735, 4737, 4755, 4764: Group changes

  • 4738: A user account was changed

  • 4740: A user account was locked out

  • 4741: A computer account was created

  • 4742: A computer account was changed

  • 4743: A computer account was deleted

  • 4765, 4766: SID history

  • 4767: A user account was unlocked

  • 4780: ACL set on accounts

  • 4781: The name of an account was changed

  • 4799: Group membership enumeration

Security

Microsoft-Windows-Security-Auditing

  • 4616: System time was changed

  • 4821: Kerberos service ticket was denied

  • 4822, 4823: New Technology LAN Manager (NTLM) authentication failed

  • 4824: Kerberos pre-authentication failed

  • 4825: A user was denied access to Remote Desktop

  • 5058: Key file operation

  • 5059: Key migration operation

Security

Microsoft-Windows-Security-Auditing

  • 4698: A scheduled task was created

  • 4702: A scheduled task was updated

  • 4886: Certificate Services received a certificate request

  • 4887: Certificate Services approved a certificate request

  • 4899: A Certificate Services template was updated

  • 4900: Certificate Services template security was updated

  • 5140: A network share object was accessed

Security

Microsoft-Windows-Security-Auditing

4713: Kerberos policy was changed on a domain controller

Security

Microsoft-Windows-Security-Auditing

4662: An operation was performed on an Active Directory object

EDR Data Collected for Mac Endpoints

Category

Events

Attributes

Files

*Requires XTH add-on

  • Create

  • Write

  • Delete

  • Rename

  • Move

  • Open

  • Full path of the modified file before and after modification

  • SHA256 and MD5 hash for the file after modification

Process

  • Start

  • Stop

  • Process ID (PID) of the parent process

  • PID of the process

  • Full path

  • Command line arguments

  • Integrity level to determine if the process is running with elevated privileges

  • Hash (SHA256 and MD5)

  • Signature or signing certificate details

Network

  • Accept

  • Connect

  • Connect Failure

  • Disconnect

  • Listen

  • Statistics

  • Source IP address and port

  • Destination IP address and port

  • Failed connection

  • Protocol (TCP/UDP)

  • Aggregated send/receive statistics for the connection

Event Log

*Requires XTH add-on

  • Authentication

  • Provider Name

  • Data fields

  • Message

EDR Data Collected for Linux Endpoints

Category

Events

Attributes

Files

*Requires XTH add-on

  • Create

  • Open

  • Write

  • Delete

  • Full path of the file

  • Hash of the file

Note

For specific files only and only if the file was written.

  • Copy

  • Move (rename)

  • Full paths of both the original and the modified files

  • Change owner (chown)

  • Change mode (chmod)

  • Full path of the file

  • Newly set owner/attributes

Network

  • Listen

  • Accept

  • Connect

  • Connect failure

  • Disconnect

  • Source IP address and port for explicit binds

  • Destination IP address and port

  • Failed TCP connections

  • Protocol (TCP/UDP)

Process

  • Start

  • PID of the child process

  • PID of the parent process

  • Full image path of the process

  • Command line of the process

  • Hash of the image (SHA256 & MD5)

  • Stop

  • PID of the stopped process

Event Log

*Requires XTH add-on

  • Authentication

  • Provider Name

  • Data fields

  • Message