When the Cortex XDR agent raises an alert on endpoint activity, a minimum set of metadata about the endpoint is sent to the server as described in Metadata Collected for Cortex XDR Agent Alerts.
When you enable behavioral threat protection or EDR data collection in your endpoint security policy, the Cortex XDR agent can also continuously monitor endpoint activity for malicious event chains identified by Palo Alto Networks. The endpoint data that the Cortex XDR agent collects when you enable these capabilities varies by platform type.
Note
Agents with Cortex XDR Pro per Endpoint apply limits and filters on network, file, and registry logs. To expand these limits and filters, you must purchase the Extended Threat Hunting Data (XTH) add-on.
The tables below note whether specific logs require the XTH add-on.
Metadata Collected for Cortex XDR Agent Alerts
When the Cortex XDR agent raises an alert on endpoint activity, the following metadata is sent to the server:
Field | Description |
---|---|
Absolute Timestamp | Kernel system time |
Relative Timestamp | Uptime since the computer booted |
Thread ID | ID of the originating thread |
Process ID | ID of the originating process |
Process Creation Time | Part of the process unique ID per boot session (PID + creation time) |
Sequence ID | Unique integer per boot session |
Primary User SID | Unique identifier of the user |
Impersonating User SID | Unique identifier of the impersonating user, if applicable |
EDR Data Collected for Windows Endpoints
Category | Events | Attributes |
---|---|---|
Executable metadata (Traps 6.1 and later) | Process start | |
Files | | |
Image (DLL) | Load | |
Process | | |
Thread | Injection | |
Network | | |
Network Protocols | | |
Network Statistics | | Traps sends statistics on connection close and periodically while the connection is open |
Registry | | |
Session | | |
Host Status | | |
User Presence (Traps 6.1 and later) | User Detection | Detection when a user is present or idle per active user session on the computer. |
RPC Calls *Requires XTH add-on | | |
System Calls *Requires XTH add-on | Syscall types change frequently, and can be observed in each event's data. | |
Event Log *Requires XTH add-on | See the table below for the list of Windows Event Logs that can be sent to the server. | |
Windows Event Logs
In Traps 6.1.3 and later releases, Cortex XDR and Traps agents can send the following Windows Event Logs to the server.
Path | Provider | Event IDs | Description |
---|---|---|---|
Application | EMET | | |
Application | Windows Error Reporting | | WER events for application crashes only |
Application | Microsoft-Windows-User Profiles Service | 1511, 1518 | User logging on with temporary profile (1511), Cannot create profile using temporary profile (1518) |
Application | Application Error | 1000 | Application crash/hang events, similar to WER/1001. These include the full path to the faulting EXE/module |
Application | Application Hang | 1002 | Application crash/hang events, similar to WER/1001. These include the full path to the faulting EXE/module |
Microsoft-Windows-CAPI2/Operational | | 11, 70, 90 | CAPI events: Build Chain (11), Private Key accessed (70), X509 object (90) |
Microsoft-Windows-DNS-Client/Operational | | 3008 | DNS Query Completed (3008), excluding local machine name resolution events and empty name resolution events |
Microsoft-Windows-DriverFrameworks-UserMode/Operational | | 2004 | Detect user-mode drivers loaded, for potential BadUSB detection |
Microsoft-Windows-PowerShell/Operational | | 4103, 4104, 4105, 4106 | PowerShell executes block activity (4103), Remote Command (4104), Start Command (4105), Stop Command (4106) |
Microsoft-Windows-TaskScheduler/Operational | Microsoft-Windows-TaskScheduler | 106, 129, 141, 142, 200, 201 | |
Microsoft-Windows-TerminalServices-RDPClient/Operational | | 1024 | Log attempted TS connect to remote server |
Microsoft-Windows-Windows Defender/Operational | | 1006, 1009 | Modern Windows Defender event provider detection events (1006 and 1009) |
Microsoft-Antimalware-Scan-Interface | | 1101 | AMSI content scan event |
Microsoft-Windows-Windows Defender/Operational | | 1116, 1119 | Modern Windows Defender event provider detection events (1116 and 1119) |
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Microsoft-Windows-Windows Firewall With Advanced Security | 2004, 2005, 2006, 2009, 2033 | Windows Firewall With Advanced Security local modifications (Levels 0, 2, 4) |
Security | | 1102 | Security log cleared events (1102) |
Security | Microsoft-Windows-Eventlog | | Event log service events specific to the Security channel |
Security | | 4880, 4881, 4896, 4898 | CA Service Stopped (4880), CA Service Started (4881), CA DB row(s) deleted (4896), CA Template loaded (4898) |
Security | | 6272, 6280 | RRAS events, only generated on a Microsoft IAS server |
Security | Microsoft-Windows-Security-Auditing | 4624, 4625, 4634, 4647, 4648, 4649, 4672, 4768, 4769, 4770, 4771, 4776, 4778, 4800, 4801, 4802, 4803 | Successful logon (4624), Failed logon (4625), Logoff (4634), User initiated logoff (4647), Logon attempted, explicit credentials (4648), Replay attack (4649), Special privileges attempted login (4672), Kerberos TGT request (4768), Kerberos service ticket requested (4769), Kerberos service ticket renewal (4770), Kerberos pre-authentication failed (4771), Domain controller validation attempt (4776), Session was reconnected to a Windows station (4778), Workstation locked (4800), Workstation unlocked (4801), Screensaver was invoked (4802), Screensaver was dismissed (4803) |
Security | Microsoft-Windows-Security-Auditing | 4720, 4722, 4723, 4724, 4725, 4726, 4727, 4728, 4729, 4731, 4732, 4733, 4735, 4737, 4738, 4740, 4741, 4742, 4743, 4754, 4755, 4756, 4757, 4764, 4765, 4766, 4767, 4780, 4799 | A user account was created (4720), A user account was enabled (4722), An attempt was made to change an account's password (4723), An attempt was made to reset an account’s password (4724), A user account was disabled (4725), A user account was deleted (4726), Group creations (4727, 4731, 4754), Group member additions (4728, 4732, 4756), Group member removals (4729, 4733, 4757), Group changes (4735, 4737, 4755, 4764), A user account was changed (4738), A user account was locked out (4740), A computer account was created (4741), A computer account was changed (4742), A computer account was deleted (4743), SID history (4765, 4766), A user account was unlocked (4767), ACL set on accounts (4780), Group membership enumeration (4799) |
Security | Microsoft-Windows-Security-Auditing | 4616, 4821, 4822, 4823, 4824 | System time was changed (4616), Kerberos service ticket was denied (4821), NTLM authentication failed (4822, 4823), Kerberos pre-authentication failed (4824), User denied access to Remote Desktop (4825), Key file operation (5058), Key migration operation (5059) |
Security | Microsoft-Windows-Security-Auditing | 4698, 4702, 4886, 4887, 4899, 4900, 5140 | A scheduled task was created (4698), A scheduled task was updated (4702), Certificate Services received a certificate request (4886), Certificate Services approved a certificate request (4887), A Certificate Services template was updated (4899), Certificate Services template security was updated (4900), A network share object was accessed (5140) |
Security | Microsoft-Windows-Security-Auditing | 4713 | Kerberos policy was changed |
Security | Microsoft-Windows-Security-Auditing | 4662 | An operation was performed on an object |
EDR Data Collected for Mac Endpoints
Category | Events | Attributes |
---|---|---|
Files *Requires XTH add-on | | |
Process | | |
Network | | |
Event Log *Requires XTH add-on | | |
EDR Data Collected for Linux Endpoints
Category | Events | Attributes |
---|---|---|
Files *Requires XTH add-on | | Note: For specific files only, and only if the file was written. |
Network | | |
Process | | |
Event Log *Requires XTH add-on | | |
|