Find out which events are exported using Endpoint Event Forwarding in Cortex XDR.
Endpoint Event Forwarding exports ingested, parsed endpoint data for Cortex XDR Pro EP and Cloud Endpoints. The exported logs are raw event data; stories are not included. Cortex XDR exports the data as-is; there are no filtering or configuration options. The tables below list the fields that are included and excluded for:
- Types of events exported for the endpoints
- Common fields for all event types
The table below lists the types of events exported for the endpoints and the fields that are included and excluded:
| Exported event type | Included field | Excluded field |
|---|---|---|
| Network | action_socket_type | is_boot_replay |
| | action_remote_ip | action_proxy |
| | action_remote_port | action_network_app_ids |
| | action_local_ip | action_network_rule_ids |
| | action_local_port | action_network_dpi_fields |
| | action_network_connection_id | action_network_is_loopback |
| | action_network_is_server | action_upload |
| | action_network_creation_time | action_download |
| | action_total_upload | action_network_stats_seq |
| | action_total_download | action_network_is_ipv6 |
| | action_network_protocol | |
| | action_network_stats_is_last | |
| Process | uuid / _id | action_process_causality_id |
| | action_process_os_pid | action_process_is_causality_root |
| | action_process_instance_id | action_process_is_replay |
| | action_process_image_md5 | action_process_yara_file_scan_result |
| | action_process_image_sha256 | action_process_wf_verdict |
| | action_process_image_path | action_process_static_analysis_score |
| | action_process_image_name | execution_actor_causality_id |
| | action_process_image_extension | action_process_ns_pid |
| | action_process_image_command_line | action_process_container_id |
| | action_process_signature_product | action_process_is_container_root |
| | action_process_signature_vendor | action_process_image_command_line_indices |
| | action_process_signature_is_embedded | action_process_is_special |
| | action_process_signature_status | action_process_ns_user_sid |
| | action_process_integrity_level | action_process_ns_user_real_sid |
| | action_process_username | action_process_file_size |
| | action_process_user_sid | action_process_file_create_time |
| | action_process_in_txn | action_process_file_mod_time |
| | action_process_pe_load_info | action_process_remote_session_ip |
| | action_process_peb | action_process_file_info |
| | action_process_peb32 | action_process_device_info |
| | action_process_last_writer_actor | execution_actor_instance_id |
| | action_process_token | action_process_user_real_sid |
| | action_process_privileges | action_process_requested_parent_pid |
| | action_process_fds | action_process_requested_parent_iid |
| | action_process_scheduled_task_name | |
| | action_process_termination_date | |
| | action_process_instance_execution_time | |
| | action_process_termination_code | |
| File | action_file_path | action_file_wf_verdict |
| | action_file_name | action_file_yara_file_scan_result |
| | action_file_previous_file_path | action_file_dir_query |
| | action_file_previous_file_name | action_file_previous_device_info |
| | action_file_md5 | action_file_device_info |
| | action_file_sha256 | action_file_reparse_path |
| | action_file_size | action_file_reparse_count |
| | action_file_attributes | action_file_dirty_reason |
| | action_file_create_time | action_file_remote_ip |
| | action_file_mod_time | action_file_remote_port |
| | action_file_access_time | action_file_remote_file_ip |
| | action_file_type | action_file_remote_file_host |
| | action_file_operation_flags | action_file_sec_desc |
| | action_file_mode | action_file_previous_file_extension |
| | action_file_owner | action_file_extension |
| | action_file_owner_name | action_file_archive_list |
| | action_file_group | action_file_contents |
| | action_file_group_name | |
| | action_file_device_type | |
| | action_file_signature_product | |
| | action_file_signature_vendor | |
| | action_file_signature_is_embedded | |
| | action_file_signature_status | |
| | action_file_pe_info | |
| | action_file_prev_type | |
| | action_file_last_writer_actor | |
| | action_file_is_anonymous | |
| Registry | action_registry_value_type | |
| | action_registry_key_name | |
| | action_registry_data | |
| | action_registry_value_name | |
| | action_registry_old_key_name | |
| | action_registry_file_path | |
| | action_registry_return_val | |
| Injection | action_remote_process_thread_id | action_remote_process_causality_id |
| | action_remote_process_os_pid | action_remote_process_is_causality_root |
| | action_remote_process_instance_id | action_remote_process_is_replay |
| | action_remote_process_image_md5 | action_remote_process_image_extension |
| | action_remote_process_image_sha256 | action_remote_process_image_command_line_indices |
| | action_remote_process_image_path | action_remote_process_is_special |
| | action_remote_process_image_name | action_remote_process_file_size |
| | action_remote_process_image_command_line | action_remote_process_file_create_time |
| | action_remote_process_signature_product | action_remote_process_file_mod_time |
| | action_remote_process_signature_vendor | action_remote_process_file_info |
| | action_remote_process_signature_is_embedded | |
| | action_remote_process_signature_status | |
| | action_remote_process_thread_start_address | |
| | action_remote_process_integrity_level | |
| | action_remote_process_username | |
| | action_remote_process_user_sid | |
| | address_mapping | |
| Load Image | action_module_path | action_module_is_replay |
| | action_module_md5 | action_module_yara_file_scan_result |
| | action_module_sha256 | action_module_file_size |
| | action_module_base_address | action_module_file_create_time |
| | action_module_image_size | action_module_file_mod_time |
| | action_module_signature_product | action_module_file_access_time |
| | action_module_signature_vendor | action_module_device_info |
| | action_module_signature_is_embedded | action_module_wf_verdict |
| | action_module_signature_status | |
| | action_module_file_info | |
| | action_module_last_writer_actor | |
| | action_module_other_load_location | |
| | action_module_page_protection | |
| | action_module_system_properties | |
| | action_module_code_integrity | |
| | action_module_boot_code_integrity | |
| User Status Change | action_user_status | |
| | action_username | |
| | action_user_status_sid | |
| | action_user_session_id | |
| | action_user_is_local_session | |
| Host Status Change | action_boot_time | |
| | action_powered_off | |
| Agent Status Change | action_boot_instance_cleanup_required | |
| | agent_status_component | |
| Host Metadata Discovery/Change | host_metadata_interface_map | |
| | host_metadata_hostname | |
| | host_metadata_domain | |
The table below lists the common fields for all event types and the fields that are included and excluded.
| Common fields for all event types | Included field | Excluded field |
|---|---|---|
| Agent | agent_content_version | agent_install_type |
| | agent_hostname | event_utc_diff_minutes |
| | agent_interface_map | manifest_file_version |
| | agent_os_sub_type | source_message_id |
| | agent_os_type | zip_id |
| | agent_version | agent_request_time |
| | agent_id | server_request_time |
| | agent_ip_addresses | agent_id_hash |
| | agent_ip_addresses_v6 | agent_id_hash_bre |
| | backtrace_identities | |
| | _product | |
| | _vendor | |
| | actor_fields | |
| | agent_is_vdi | |
| Common | event_version | event_is_impersonated |
| | event_type | event_is_replay |
| | event_sub_type | event_impersonation_status |
| | event_id | event_is_simulated |
| | event_timestamp | event_user_presence |
| | event_rpc_interface_uuid | agent_host_boot_time |
| | event_rpc_func_opnum | agent_session_start_time |
| | event_validity_enum | |
| | event_invalidity_field | |
| | event_rpc_inteface_version_major | |
| | event_rpc_inteface_version_minor | |
| | event_rpc_protocol | |
| | event_address_mapped | |
| | event_user_presence_status | |
| Actor | os_actor_local_ip | actor_ns_user_sid |
| | os_actor_local_port | actor_process_auth_id |
| | os_actor_primary_user_sid | actor_process_causality_id |
| | os_actor_primary_username | actor_process_ns_pid |
| | os_actor_process_command_line | actor_process_session_id |
| | os_actor_process_image_md5 | actor_process_signature_is_embedded |
| | os_actor_process_image_name | actor_process_signature_product |
| | os_actor_process_image_path | actor_process_signature_vendor |
| | os_actor_process_image_sha256 | actor_remote_host |
| | os_actor_process_signature_status | actor_remote_pipe_name |
| | os_actor_process_logon_id | actor_remote_port |
| | os_actor_process_os_pid | actor_rpc_interface_version_major |
| | os_actor_remote_ip | actor_rpc_interface_version_minor |
| | os_actor_process_instance_id | actor_rpc_protocol |
| | os_actor_thread_thread_id | actor_type |
| | actor_rpc_func_opnum | |
| | actor_rpc_interface_uuid | |
| | actor_process_device_info | |
| | actor_process_execution_time | |
| | actor_process_file_create_time | |
| | actor_process_file_mod_time | |
| | actor_process_file_size | |
| | actor_process_image_extension | |
| | actor_process_instance_id | |
| | actor_process_command_line_indices | |
| | actor_process_integrity_level | |
| | actor_process_is_special | |
| | actor_process_last_writer_actor | |
| | actor_process_instance_id | |
| | actor_thread_thread_id | |
| | actor_is_injected_thread | |
| | actor_causality_id | |
| | actor_effective_username | |
| | actor_effective_user_sid | |