Endpoint Data Collection - Administrator Guide - Cortex XDR - Cortex XSIAM - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2023-05-22
Last date published: 2023-05-22
Category: Administrator Guide

When the Cortex XDR agent raises an alert on endpoint activity, a minimum set of metadata about the endpoint is sent to the server as described in Metadata Collected for Cortex XDR Agent Alerts.

When you enable behavioral threat protection or EDR data collection in your endpoint security policy, the Cortex XDR agent can also continuously monitor endpoint activity for malicious event chains identified by Palo Alto Networks. The endpoint data that the Cortex XDR agent collects when you enable these capabilities varies by platform type, as listed in the per-platform tables below.

Metadata Collected for Cortex XDR Agent Alerts

When the Cortex XDR agent raises an alert on endpoint activity, the following metadata is sent to the server:

| Field | Description |
| --- | --- |
| Absolute Timestamp | Kernel system time |
| Relative Timestamp | Uptime since the computer booted |
| Thread ID | ID of the originating thread |
| Process ID | ID of the originating process |
| Process Creation Time | Part of the process unique ID per boot session (PID + creation time) |
| Sequence ID | Unique integer per boot session |
| Primary User SID | Unique identifier of the user |
| Impersonating User SID | Unique identifier of the impersonating user, if applicable |

EDR Data Collected for Windows Endpoints

Each category below lists the events the agent records and the attributes it collects for those events.

Executable metadata (Traps 6.1 and later)
  Events:
    • Process start
  Attributes:
    • File size
    • File access time

Files
  Events:
    • Create
    • Write
    • Delete
    • Rename
    • Move
    • Modification (Traps 6.1 and later)
    • Symbolic links (Traps 6.1 and later)
  Attributes:
    • Full path of the modified file before and after modification
    • SHA256 and MD5 hash for the file after modification
    • SetInformationFile for timestamps (Traps 6.1 and later)
    • File set security (DACL) information (Traps 6.1 and later)
    • Resolve hostnames on local network (Traps 6.1 and later)
    • Symbolic-link/hard-link and reparse point creation (Traps 6.1 and later)

Image (DLL)
  Events:
    • Load
  Attributes:
    • Full path
    • Base address
    • Target process-id/thread-id
    • Image size
    • Signature (Traps 6.1 and later)
    • SHA256 and MD5 hash for the DLL (Traps 6.1 and later)
    • File size (Traps 6.1 and later)
    • File access time (Traps 6.1 and later)

Process
  Events:
    • Create
    • Terminate
  Attributes:
    • Process ID (PID) of the parent process
    • PID of the process
    • Full path
    • Command line arguments
    • Integrity level, to determine whether the process is running with elevated privileges
    • Hash (SHA256 and MD5)
    • Signature or signing certificate details

Thread
  Events:
    • Injection
  Attributes:
    • Thread ID of the parent thread
    • Thread ID of the new or terminating thread
    • Process that initiated the thread, if from another process

Network
  Events:
    • Accept
    • Connect
    • Create
    • Listen
    • Close
    • Bind
  Attributes:
    • Source IP address and port
    • Destination IP address and port
    • Failed connection
    • Protocol (TCP/UDP)
    • Resolve hostnames on local network

Network Protocols
  Events:
    • DNS request and UDP response
    • HTTP connect
    • HTTP disconnect
    • HTTP proxy parsing
  Attributes:
    • Origin country
    • Remote IP address and port
    • Local IP address and port
    • Destination IP address and port if proxy connection
    • Network connection ID
    • IPv6 connection status (true/false)

Network Statistics
  Events:
    • On-close statistics
    • Periodic statistics
  Attributes:
    • Upload volume on TCP link
    • Download volume on TCP link
  Traps sends statistics when a connection closes and periodically while the connection is open.

Registry
  Events:
    • Registry value:
      • Deletion
      • Set
    • Registry key:
      • Creation
      • Deletion
      • Rename
      • Addition
      • Modification (set information)
      • Restore
      • Save
  Attributes:
    • Registry path of the modified value or key
    • Name of the modified value or key
    • Data of the modified value

Session
  Events:
    • Log on
    • Log off
    • Connect
    • Disconnect
  Attributes:
    • Interactive log-on to the computer
    • Session ID
    • Session State (equivalent to the event type)
    • Local (physically on the computer) or remote (connected using a terminal services session)

Host Status
  Events:
    • Boot
    • Suspend
    • Resume
  Attributes:
    • Host name
    • OS Version
    • Domain
    • Previous and current state

User Presence (Traps 6.1 and later)
  Events:
    • User Detection
  Attributes:
    • Detection of whether a user is present or idle, per active user session on the computer

RPC Calls
  Events:
    • RpcCall
    • RpcPreCall
  Attributes:
    • action_rpc_interface_uuid
    • action_rpc_interface_version_major
    • action_rpc_interface_version_minor
    • action_rpc_func_opnum
    • action_rpc_func_str_call_fields (optional)
    • action_rpc_func_int_call_fields (optional)
    • action_rpc_interface_name
    • action_rpc_func_name

System Calls
  Events:
    • Syscall types change frequently and can be observed in each event's data.
  Attributes:
    • action_syscall_string_params
    • action_syscall_int_params
    • action_syscall_target_instance_id
    • action_syscall_target_image_path
    • action_syscall_target_image_name
    • action_syscall_target_os_pid
    • action_syscall_target_thread_id
    • address_mapping

Event Log
  See the Windows Event Logs table below for the list of Windows Event Logs that can be sent to the server.

Windows Event Logs

In Traps 6.1.3 and later releases, Cortex XDR and Traps agents can send the following Windows Event Logs to the server.

| Path | Provider | Event IDs | Description |
| --- | --- | --- | --- |
| Application | EMET | | |
| Application | Windows Error Reporting | | WER events for application crashes only |
| Application | Microsoft-Windows-User Profiles Service | 1511, 1518 | User logging on with temporary profile (1511), Cannot create profile using temporary profile (1518) |
| Application | Application Error | 1000 | Application crash/hang events, similar to WER/1001. These include the full path to the faulting EXE/Module |
| Application | Application Hang | 1002 | Application crash/hang events, similar to WER/1001. These include the full path to the faulting EXE/Module |
| Microsoft-Windows-CAPI2/Operational | | 11, 70, 90 | CAPI events: Build Chain (11), Private Key accessed (70), X509 object (90) |
| Microsoft-Windows-DNS-Client/Operational | | 3008 | DNS Query Completed (3008), excluding local machine name resolution events and empty name resolution events |
| Microsoft-Windows-DriverFrameworks-UserMode/Operational | | 2004 | Detect User-Mode drivers loaded, for potential BadUSB detection |
| Microsoft-Windows-PowerShell/Operational | | 4103, 4104, 4105, 4106 | PowerShell executes block activity (4103), Remote Command (4104), Start Command (4105), Stop Command (4106) |
| Microsoft-Windows-TaskScheduler/Operational | Microsoft-Windows-TaskScheduler | 106, 129, 141, 142, 200, 201 | |
| Microsoft-Windows-TerminalServices-RDPClient/Operational | | 1024 | Log attempted TS connect to remote server |
| Microsoft-Windows-Windows Defender/Operational | | 1006, 1009 | Modern Windows Defender event provider Detection events (1006 and 1009) |
| Microsoft-Windows-Windows Defender/Operational | | 1116, 1119 | Modern Windows Defender event provider Detection events (1116 and 1119) |
| Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Microsoft-Windows-Windows Firewall With Advanced Security | 2004, 2005, 2006, 2009, 2033 | Windows Firewall With Advanced Security Local Modifications (Levels 0, 2, 4) |
| Security | | 1102 | Security Log cleared events (1102) |
| Security | Microsoft-Windows-Eventlog | | Event log service events specific to the Security channel |
| Security | | 4880, 4881, 4896, 4898 | CA Service Stopped (4880), CA Service Started (4881), CA DB row(s) deleted (4896), CA Template loaded (4898) |
| Security | | 6272, 6280 | RRAS events, only generated on Microsoft IAS server |
| Security | Microsoft-Windows-Security-Auditing | 4624, 4625, 4634, 4647, 4648, 4649, 4672, 4768, 4769, 4770, 4771, 4776, 4778, 4800, 4801, 4802, 4803 | Successful logon (4624), Failed logon (4625), Logoff (4634), User initiated logoff (4647), Logon attempted, explicit credentials (4648), Replay attack (4649), Special privileges attempted login (4672), Kerberos TGT request (4768), Kerberos service ticket requested (4769), Kerberos service ticket renewal (4770), Kerberos pre-authentication failed (4771), Domain controller validation attempt (4776), Session was reconnected to a Windows station (4778), Workstation locked (4800), Workstation unlocked (4801), Screensaver was invoked (4802), Screensaver was dismissed (4803) |
| Security | Microsoft-Windows-Security-Auditing | 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4731, 4732, 4733, 4735, 4737, 4738, 4740, 4741, 4742, 4743, 4754, 4755, 4756, 4757, 4764, 4765, 4766, 4767, 4780, 4799 | A user account was created (4720), A user account was enabled (4722), An attempt was made to change an account's password (4723), An attempt was made to reset an account's password (4724), A user account was disabled (4725), A user account was deleted (4726), Group creations (4727, 4731, 4754), Group member additions (4728, 4732, 4756), Group member removals (4729, 4733, 4757), Group changes (4735, 4737, 4755, 4764), A user account was changed (4738), A user account was locked out (4740), A computer account was created (4741), A computer account was changed (4742), A computer account was deleted (4743), SID history (4765, 4766), A user account was unlocked (4767), ACL set on accounts (4780), Group membership enumeration (4799) |
| Security | Microsoft-Windows-Security-Auditing | 4616, 4821, 4822, 4823, 4824 | System time was changed (4616), Kerberos service ticket was denied (4821), NTLM authentication failed (4822, 4823), Kerberos pre-authentication failed (4824), User denied access to Remote Desktop (4825), Key file operation (5058), Key migration operation (5059) |
| Security | Microsoft-Windows-Security-Auditing | 4698, 4702, 4886, 4887, 4899, 4900, 5140 | A scheduled task was created (4698), A scheduled task was updated (4702), Certificate Services received a certificate request (4886), Certificate Services approved a certificate request (4887), A Certificate Services template was updated (4899), Certificate Services template security was updated (4900), A network share object was accessed (5140) |
| Security | Microsoft-Windows-Security-Auditing | 4713 | Kerberos policy was changed |
| Security | Microsoft-Windows-Security-Auditing | 4662 | An operation was performed on an object |
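The agent can only forward events that the endpoint actually writes to these channels, so a channel that is disabled, or an audit policy that never produces the listed IDs, shows up as a silent gap in EDR coverage. The following PowerShell script is an added example, not Palo Alto Networks code: it walks a subset of the channels and event IDs from the table above, checks that each channel exists and is enabled, and reports which of the listed IDs have not appeared in a look-back window. The channel names and IDs come from the table; the 24-hour window and the choice of Security IDs to sample are assumptions, and reading the Security channel requires an elevated session.

```powershell
# Added example (not Palo Alto Networks code): verify that the Windows Event Log
# channels and event IDs listed for EDR collection are enabled and producing
# events on this endpoint. Run from an elevated PowerShell session.

# Look-back window (assumption: one day is enough for routine logon/DNS/PowerShell noise)
$lookback = (Get-Date).AddDays(-1)

# Channel -> event IDs taken from the documentation table. The Security entry is a
# representative subset chosen for this example, not the full list.
$coverage = @(
    @{ Log = 'Microsoft-Windows-PowerShell/Operational';       Ids = 4103, 4104, 4105, 4106 }
    @{ Log = 'Microsoft-Windows-DNS-Client/Operational';       Ids = 3008 }
    @{ Log = 'Microsoft-Windows-TaskScheduler/Operational';    Ids = 106, 129, 141, 142, 200, 201 }
    @{ Log = 'Microsoft-Windows-Windows Defender/Operational'; Ids = 1006, 1009, 1116, 1119 }
    @{ Log = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
       Ids = 2004, 2005, 2006, 2009, 2033 }
    @{ Log = 'Security';                                       Ids = 1102, 4624, 4625, 4698, 4720 }
)

foreach ($entry in $coverage) {
    # Get-WinEvent -ListLog errors on an unknown channel; treat that as "missing".
    $log = Get-WinEvent -ListLog $entry.Log -ErrorAction SilentlyContinue
    if (-not $log) {
        Write-Output ("{0,-75} MISSING (channel not present on this host)" -f $entry.Log)
        continue
    }
    if (-not $log.IsEnabled) {
        # A disabled channel never reaches the agent regardless of policy.
        Write-Output ("{0,-75} DISABLED" -f $entry.Log)
        continue
    }

    # Pull only the IDs of interest inside the window; no match raises a
    # non-terminating error, which SilentlyContinue turns into an empty result.
    $filter = @{ LogName = $entry.Log; Id = $entry.Ids; StartTime = $lookback }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    # IDs from the table that were never observed in the window
    $seen  = $events | Select-Object -ExpandProperty Id -Unique
    $never = @($entry.Ids | Where-Object { $seen -notcontains $_ })
    $neverText = if ($never.Count -gt 0) { $never -join ', ' } else { 'none' }

    $line = "{0,-75} enabled, {1} event(s) in window; listed IDs not seen: {2}"
    Write-Output ($line -f $entry.Log, $events.Count, $neverText)
}
```

An ID that is "not seen" is not necessarily an agent problem: PowerShell 4104 only appears when Script Block Logging is enabled, and Security 4698 depends on the Object Access audit subcategory being switched on. Comparing this host-side view with what the Cortex XDR console shows for the same endpoint separates "never generated" from "generated but not collected".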

EDR Data Collected for Mac Endpoints

Each category below lists the events the agent records and the attributes it collects for those events.

Files
  Events:
    • Create
    • Write
    • Delete
    • Rename
    • Move
    • Open
  Attributes:
    • Full path of the modified file before and after modification
    • SHA256 and MD5 hash for the file after modification

Process
  Events:
    • Start
    • Stop
  Attributes:
    • Process ID (PID) of the parent process
    • PID of the process
    • Full path
    • Command line arguments
    • Integrity level, to determine whether the process is running with elevated privileges
    • Hash (SHA256 and MD5)
    • Signature or signing certificate details

Network
  Events:
    • Accept
    • Connect
    • Connect Failure
    • Disconnect
    • Listen
    • Statistics
  Attributes:
    • Source IP address and port
    • Destination IP address and port
    • Failed connection
    • Protocol (TCP/UDP)
    • Aggregated send/receive statistics for the connection

Event Log
  Events:
    • Authentication
  Attributes:
    • Provider Name
    • Data fields
    • Message

EDR Data Collected for Linux Endpoints

Each category below lists the events the agent records and the attributes it collects for those events.

Files
  Events:
    • Create
    • Open
    • Write
    • Delete
  Attributes:
    • Full path of the file
    • Hash of the file
      Note: For specific files only, and only if the file was written.
  Events:
    • Copy
    • Move (rename)
  Attributes:
    • Full paths of both the original and the modified files
  Events:
    • Change owner (chown)
    • Change mode (chmod)
  Attributes:
    • Full path of the file
    • Newly set owner/attributes

Network
  Events:
    • Listen
    • Accept
    • Connect
    • Connect failure
    • Disconnect
  Attributes:
    • Source IP address and port for explicit binds
    • Destination IP address and port
    • Failed TCP connections
    • Protocol (TCP/UDP)

Process
  Events:
    • Start
  Attributes:
    • PID of the child process
    • PID of the parent process
    • Full image path of the process
    • Command line of the process
    • Hash of the image (SHA256 & MD5)
  Events:
    • Stop
  Attributes:
    • PID of the stopped process

Event Log
  Events:
    • Authentication
  Attributes:
    • Provider Name
    • Data fields
    • Message