Log Format for IOC and BIOC Alerts - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product: Cortex XDR
License: Pro
Creation date: 2024-02-26
Last date published: 2024-05-15
Category: Administrator Guide
Abstract

Cortex XDR supports Syslog and email formats for IOC and BIOC alerts.

Cortex XDR logs its IOC and BIOC alerts to the Cortex XDR tenant. If you configure Cortex XDR to forward logs in legacy format, each alert log record forwarded from the Cortex XDR tenant has the following format:

Syslog format:

"/edrData/action_country","/edrData/action_download","/edrData/action_external_hostname","/edrData/action_external_port","/edrData/action_file_extension","/edrData/action_file_md5","/edrData/action_file_name","/edrData/action_file_path","/edrData/action_file_previous_file_extension","/edrData/action_file_previous_file_name","/edrData/action_file_previous_file_path","/edrData/action_file_sha256","/edrData/action_file_size","/edrData/action_file_remote_ip","/edrData/action_file_remote_port","/edrData/action_is_injected_thread","/edrData/action_local_ip","/edrData/action_local_port","/edrData/action_module_base_address","/edrData/action_module_image_size","/edrData/action_module_is_remote","/edrData/action_module_is_replay","/edrData/action_module_path","/edrData/action_module_process_causality_id","/edrData/action_module_process_image_command_line","/edrData/action_module_process_image_extension","/edrData/action_module_process_image_md5","/edrData/action_module_process_image_name","/edrData/action_module_process_image_path","/edrData/action_module_process_image_sha256","/edrData/action_module_process_instance_id","/edrData/action_module_process_is_causality_root","/edrData/action_module_process_os_pid","/edrData/action_module_process_signature_product","/edrData/action_module_process_signature_status","/edrData/action_module_process_signature_vendor","/edrData/action_network_connection_id","/edrData/action_network_creation_time","/edrData/action_network_is_ipv6","/edrData/action_process_causality_id","/edrData/action_process_image_command_line","/edrData/action_process_image_extension","/edrData/action_process_image_md5","/edrData/action_process_image_name","/edrData/action_process_image_path","/edrData/action_process_image_sha256","/edrData/action_process_instance_id","/edrData/action_process_integrity_level","/edrData/action_process_is_causality_root","/edrData/action_process_is_replay","/edrData/action_process_is_special","/edrData/action_process_os_pid","/edrData/action_process_signature_product","/edrData/action_process_signature_status","/edrData/action_process_signature_vendor","/edrData/action_proxy","/edrData/action_registry_data","/edrData/action_registry_file_path","/edrData/action_registry_key_name","/edrData/action_registry_value_name","/edrData/action_registry_value_type","/edrData/action_remote_ip","/edrData/action_remote_port","/edrData/action_remote_process_causality_id","/edrData/action_remote_process_image_command_line","/edrData/action_remote_process_image_extension","/edrData/action_remote_process_image_md5","/edrData/action_remote_process_image_name","/edrData/action_remote_process_image_path","/edrData/action_remote_process_image_sha256","/edrData/action_remote_process_is_causality_root","/edrData/action_remote_process_os_pid","/edrData/action_remote_process_signature_product","/edrData/action_remote_process_signature_status","/edrData/action_remote_process_signature_vendor","/edrData/action_remote_process_thread_id","/edrData/action_remote_process_thread_start_address","/edrData/action_thread_thread_id","/edrData/action_total_download","/edrData/action_total_upload","/edrData/action_upload","/edrData/action_user_status","/edrData/action_username","/edrData/actor_causality_id","/edrData/actor_effective_user_sid","/edrData/actor_effective_username","/edrData/actor_is_injected_thread","/edrData/actor_primary_user_sid","/edrData/actor_primary_username","/edrData/actor_process_causality_id","/edrData/actor_process_command_line","/edrData/actor_process_execution_time","/edrData/actor_process_image_command_line","/edrData/actor_process_image_extension","/edrData/actor_process_image_md5","/edrData/actor_process_image_name","/edrData/actor_process_image_path","/edrData/actor_process_image_sha256","/edrData/actor_process_instance_id","/edrData/actor_process_integrity_level","/edrData/actor_process_is_special","/edrData/actor_process_os_pid","/edrData/actor_process_signature_product","/edrData/actor_process_signature_status","/edrData/actor_process_signature_vendor","/edrData/actor_thread_thread_id","/edrData/agent_content_version","/edrData/agent_host_boot_time","/edrData/agent_hostname","/edrData/agent_id","/edrData/agent_ip_addresses","/edrData/agent_is_vdi","/edrData/agent_os_sub_type","/edrData/agent_os_type","/edrData/agent_session_start_time","/edrData/agent_version","/edrData/causality_actor_causality_id","/edrData/causality_actor_effective_user_sid","/edrData/causality_actor_effective_username","/edrData/causality_actor_primary_user_sid","/edrData/causality_actor_primary_username","/edrData/causality_actor_process_causality_id","/edrData/causality_actor_process_command_line","/edrData/causality_actor_process_execution_time","/edrData/causality_actor_process_image_command_line","/edrData/causality_actor_process_image_extension","/edrData/causality_actor_process_image_md5","/edrData/causality_actor_process_image_name","/edrData/causality_actor_process_image_path","/edrData/causality_actor_process_image_sha256","/edrData/causality_actor_process_instance_id","/edrData/causality_actor_process_integrity_level","/edrData/causality_actor_process_is_special","/edrData/causality_actor_process_os_pid","/edrData/causality_actor_process_signature_product","/edrData/causality_actor_process_signature_status","/edrData/causality_actor_process_signature_vendor","/edrData/event_id","/edrData/event_is_simulated","/edrData/event_sub_type","/edrData/event_timestamp","/edrData/event_type","/edrData/event_utc_diff_minutes","/edrData/event_version","/edrData/host_metadata_hostname","/edrData/missing_action_remote_process_instance_id","/facility","/generatedTime","/recordType","/recsize","/trapsId","/uuid","/xdr_unique_id","/meta_internal_id","/external_id","/is_visible","/is_secdo_event","/severity","/alert_source","/internal_id","/matching_status","/local_insert_ts","/source_insert_ts","/alert_name","/alert_category","/alert_description","/bioc_indicator","/matching_service_rule_id","/external_url","/xdr_sub_type","/bioc_category_enum_key","/alert_action_status","/agent_data_collection_status","/attempt_counter","/case_id","/global_content_version_id","/global_rule_id","/is_whitelisted"

When alert logs are forwarded by email, each field is labeled, one line per field.

Email body format example:

edrData/action_country: 
edrData/action_download: 
edrData/action_external_hostname: 
edrData/action_external_port: 
edrData/action_file_extension: pdf
edrData/action_file_md5: null
edrData/action_file_name: XORXOR2614081980.pdf
edrData/action_file_path: C:\ProgramData\Cyvera\Ransomware\16067987696371268494\XORXOR2614081980.pdf
edrData/action_file_previous_file_extension: null
edrData/action_file_previous_file_name: null
edrData/action_file_previous_file_path: null
edrData/action_file_sha256: null
edrData/action_file_size: 0
edrData/action_file_remote_ip: null
edrData/action_file_remote_port: null
edrData/action_is_injected_thread: 
edrData/action_local_ip: 
edrData/action_local_port: 
edrData/action_module_base_address: 
edrData/action_module_image_size: 
edrData/action_module_is_remote: 
edrData/action_module_is_replay: 
edrData/action_module_path: 
edrData/action_module_process_causality_id: 
edrData/action_module_process_image_command_line: 
edrData/action_module_process_image_extension: 
edrData/action_module_process_image_md5: 
edrData/action_module_process_image_name: 
edrData/action_module_process_image_path: 
edrData/action_module_process_image_sha256: 
edrData/action_module_process_instance_id: 
edrData/action_module_process_is_causality_root: 
edrData/action_module_process_os_pid: 
edrData/action_module_process_signature_product: 
edrData/action_module_process_signature_status: 
edrData/action_module_process_signature_vendor: 
edrData/action_network_connection_id: 
edrData/action_network_creation_time: 
edrData/action_network_is_ipv6: 
edrData/action_process_causality_id: 
edrData/action_process_image_command_line: 
edrData/action_process_image_extension: 
edrData/action_process_image_md5: 
edrData/action_process_image_name: 
edrData/action_process_image_path: 
edrData/action_process_image_sha256: 
edrData/action_process_instance_id: 
edrData/action_process_integrity_level: 
edrData/action_process_is_causality_root: 
edrData/action_process_is_replay: 
edrData/action_process_is_special: 
edrData/action_process_os_pid: 
edrData/action_process_signature_product: 
edrData/action_process_signature_status: 
edrData/action_process_signature_vendor: 
edrData/action_proxy: 
edrData/action_registry_data: 
edrData/action_registry_file_path: 
edrData/action_registry_key_name: 
edrData/action_registry_value_name: 
edrData/action_registry_value_type: 
edrData/action_remote_ip: 
edrData/action_remote_port: 
edrData/action_remote_process_causality_id: 
edrData/action_remote_process_image_command_line: 
edrData/action_remote_process_image_extension: 
edrData/action_remote_process_image_md5: 
edrData/action_remote_process_image_name: 
edrData/action_remote_process_image_path: 
edrData/action_remote_process_image_sha256: 
edrData/action_remote_process_is_causality_root: 
edrData/action_remote_process_os_pid: 
edrData/action_remote_process_signature_product: 
edrData/action_remote_process_signature_status: 
edrData/action_remote_process_signature_vendor: 
edrData/action_remote_process_thread_id: 
edrData/action_remote_process_thread_start_address: 
edrData/action_thread_thread_id: 
edrData/action_total_download: 
edrData/action_total_upload: 
edrData/action_upload: 
edrData/action_user_status: 
edrData/action_username: 
edrData/actor_causality_id: AdUcamNT99kAAAAEAAAAAA==
edrData/actor_effective_user_sid: S-1-5-18
edrData/actor_effective_username: NT AUTHORITY\SYSTEM
edrData/actor_is_injected_thread: false
edrData/actor_primary_user_sid: S-1-5-18
edrData/actor_primary_username: NT AUTHORITY\SYSTEM
edrData/actor_process_causality_id: AdUcamNT99kAAAAEAAAAAA==
edrData/actor_process_command_line: 
edrData/actor_process_execution_time: 1559827133585
edrData/actor_process_image_command_line: 
edrData/actor_process_image_extension: 
edrData/actor_process_image_md5: 
edrData/actor_process_image_name: System
edrData/actor_process_image_path: System
edrData/actor_process_image_sha256: 
edrData/actor_process_instance_id: AdUcamNT99kAAAAEAAAAAA==
edrData/actor_process_integrity_level: 16384
edrData/actor_process_is_special: 1
edrData/actor_process_os_pid: 4
edrData/actor_process_signature_product: Microsoft Windows
edrData/actor_process_signature_status: 1
edrData/actor_process_signature_vendor: Microsoft Corporation
edrData/actor_thread_thread_id: 64
edrData/agent_content_version: 58-9124
edrData/agent_host_boot_time: 1559827133585
edrData/agent_hostname: padme-7
edrData/agent_id: a832f35013f16a06fc2495843674a3e9
edrData/agent_ip_addresses: ["10.196.172.74"]
edrData/agent_is_vdi: false
edrData/agent_os_sub_type: Windows 7 [6.1 (Build 7601: Service Pack 1)]
edrData/agent_os_type: 1
edrData/agent_session_start_time: 1559827592661
edrData/agent_version: 6.1.0.13895
edrData/causality_actor_causality_id: AdUcamNT99kAAAAEAAAAAA==
edrData/causality_actor_effective_user_sid: 
edrData/causality_actor_effective_username: 
edrData/causality_actor_primary_user_sid: S-1-5-18
edrData/causality_actor_primary_username: NT AUTHORITY\SYSTEM
edrData/causality_actor_process_causality_id: 
edrData/causality_actor_process_command_line: 
edrData/causality_actor_process_execution_time: 1559827133585
edrData/causality_actor_process_image_command_line: 
edrData/causality_actor_process_image_extension: 
edrData/causality_actor_process_image_md5: 
edrData/causality_actor_process_image_name: System
edrData/causality_actor_process_image_path: System
edrData/causality_actor_process_image_sha256: 
edrData/causality_actor_process_instance_id: AdUcamNT99kAAAAEAAAAAA==
edrData/causality_actor_process_integrity_level: 16384
edrData/causality_actor_process_is_special: 1
edrData/causality_actor_process_os_pid: 4
edrData/causality_actor_process_signature_product: Microsoft Windows
edrData/causality_actor_process_signature_status: 1
edrData/causality_actor_process_signature_vendor: Microsoft Corporation
edrData/event_id: AAABa13u2PQsqXnCAB1qjw==
edrData/event_is_simulated: false
edrData/event_sub_type: 1
edrData/event_timestamp: 1560649063308
edrData/event_type: 3
edrData/event_utc_diff_minutes: 120
edrData/event_version: 20
edrData/host_metadata_hostname: 
edrData/missing_action_remote_process_instance_id: 
facility: 
generatedTime: 2019-06-16T01:37:43
recordType: alert
recsize: 
trapsId: 
uuid: 
xdr_unique_id: ae65c92c6e704023df129c728eab3d3e
meta_internal_id: None
external_id: 318b7f91-ae74-4860-abd1-b463e8cd6deb
is_visible: null
is_secdo_event: null
severity: SEV_010_INFO
alert_source: BIOC
internal_id: None
matching_status: null
local_insert_ts: null
source_insert_ts: 1560649063308
alert_name: BIOC-16
alert_category: CREDENTIAL_ACCESS
alert_description: File action type = all AND name = *.pdf
bioc_indicator: "[{""pretty_name"":""File"",""data_type"":null,""render_type"":""entity"",""entity_map"":null},{""pretty_name"":""action type"",""data_type"":null,""render_type"":""attribute"",""entity_map"":null},{""pretty_name"":""="",""data_type"":null,""render_type"":""operator"",""entity_map"":null},{""pretty_name"":""all"",""data_type"":null,""render_type"":""value"",""entity_map"":null},{""pretty_name"":""AND"",""data_type"":null,""render_type"":""connector"",""entity_map"":null},{""pretty_name"":""name"",""data_type"":""TEXT"",""render_type"":""attribute"",""entity_map"":""attributes""},{""pretty_name"":""="",""data_type"":null,""render_type"":""operator"",""entity_map"":""attributes""},{""pretty_name"":""*.pdf"",""data_type"":null,""render_type"":""value"",""entity_map"":""attributes""}]"
matching_service_rule_id: 200
external_url: null
xdr_sub_type: BIOC - Credential Access
bioc_category_enum_key: null
alert_action_status: null
agent_data_collection_status: null
attempt_counter: null
case_id: null
global_content_version_id: 
global_rule_id: 
is_whitelisted: false 

The following table summarizes the field prefixes and additional relevant fields available for BIOC and IOC alert logs.

Field Name

Definition

/edrData/action_file*

Fields that begin with this prefix describe attributes of a file for which Traps reported activity.

/edrData/action_module*

Fields that begin with this prefix describe attributes of a module for which Traps reported module loading activity.

/edrData/action_module_process*

Fields that begin with this prefix describe attributes and activity related to processes reported by Traps that load modules such as DLLs on the endpoint.

/edrData/action_process_image*

Fields that begin with this prefix describe attributes of a process image for which Traps reported activity.

/edrData/action_registry*

Fields that begin with this prefix describe registry activity and attributes such as key name, data, and previous value for which Traps reported activity.

/edrData/action_network*

Fields that begin with this prefix describe network attributes for which Traps reported activity.

/edrData/action_remote_process*

Fields that begin with this prefix describe attributes of remote processes for which Traps reported activity.

/edrData/actor*

Fields that begin with this prefix describe attributes about the acting user that initiated the activity on the endpoint.

/edrData/agent*

Fields that begin with this prefix describe attributes about the Traps agent deployed on the endpoint.

/edrData/causality_actor*

Fields that begin with this prefix describe attributes about the causality group owner.

Additional useful fields:

/severity

Severity assigned to the alert:
  • SEV_010_INFO
  • SEV_020_LOW
  • SEV_030_MEDIUM
  • SEV_040_HIGH
  • SEV_090_UNKNOWN

/alert_source

Source of the alert: BIOC or IOC

/local_insert_ts

Date and time when Cortex XDR – Investigation and Response ingested the alert.

/source_insert_ts

Date and time the alert was reported by the alert source.

/alert_name

If the alert was generated by Cortex XDR – Investigation and Response, the alert name is the specific Cortex XDR rule that created the alert (BIOC or IOC rule name). If the alert came from an external system, it carries the name assigned to it by Cortex XDR.

/alert_category

Alert category based on the alert source.
  • BIOC alert categories:
    • OTHER
    • PERSISTENCE
    • EVASION
    • TAMPERING
    • FILE_TYPE_OBFUSCATION
    • PRIVILEGE_ESCALATION
    • CREDENTIAL_ACCESS
    • LATERAL_MOVEMENT
    • EXECUTION
    • COLLECTION
    • EXFILTRATION
    • INFILTRATION
    • DROPPER
    • FILE_PRIVILEGE_MANIPULATION
    • RECONNAISSANCE
  • IOC alert categories:
    • HASH
    • IP
    • PATH
    • DOMAIN_NAME
    • FILENAME
    • MIXED

/alert_description

Text summary of the event including the alert source, alert name, severity, and file path. For alerts triggered by BIOC and IOC rules, Cortex XDR displays detailed information about the rule.

/bioc_indicator

A JSON representation of the rule characteristics. For example:

"[{""pretty_name"":""File"",""data_type"":null,""render_type"":""entity"",""entity_map"":null},{""pretty_name"":""action type"",""data_type"":null,""render_type"":""attribute"",""entity_map"":null},{""pretty_name"":""="",""data_type"":null,""render_type"":""operator"",""entity_map"":null},{""pretty_name"":""all"",""data_type"":null,""render_type"":""value"",""entity_map"":null},{""pretty_name"":""AND"",""data_type"":null,""render_type"":""connector"",""entity_map"":null},{""pretty_name"":""name"",""data_type"":""TEXT"",""render_type"":""attribute"",""entity_map"":""attributes""},{""pretty_name"":""="",""data_type"":null,""render_type"":""operator"",""entity_map"":""attributes""},{""pretty_name"":""*.pdf"",""data_type"":null,""render_type"":""value"",""entity_map"":""attributes""}]"

/bioc_category_enum_key

Alert category based on the alert source. An example of a BIOC alert category is Evasion. An example of a Traps alert category is Exploit Modules.

/alert_action_status

Action taken by the alert sensor, with the action status shown in parentheses:
  • Detected
  • Detected (Download)
  • Detected (Post Detected)
  • Detected (Prompt Allow)
  • Detected (Reported)
  • Detected (Scanned)
  • Prevented (Blocked)
  • Prevented (Prompt Block)

/case_id

Unique identifier for the incident.

/global_content_version_id

Unique identifier for the content version in which a Palo Alto Networks global BIOC rule was released.

/global_rule_id

Unique identifier for an alert triggered by a Palo Alto Networks global BIOC rule.

/is_whitelisted

Boolean indicating whether the alert is excluded.
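The email body format and the /bioc_indicator field, worked through in code as an added example (not part of the Cortex XDR documentation or product): the sample body is constructed from the field values shown on this page, the parser reassembles the wrapped bioc_indicator value, undoes its CSV-style doubled quotes, and joins the rule tokens back into the text that alert_description carries.

```python
import json
import re
from typing import Dict, List

# Constructed excerpt of an email-format alert body, built from the field names
# and values in the sample above. The bioc_indicator value is quoted CSV-style
# (outer double quotes, inner quotes doubled) and wraps across lines as it does there.
SAMPLE_EMAIL_BODY = '''edrData/action_file_name: XORXOR2614081980.pdf
edrData/event_timestamp: 1560649063308
severity: SEV_010_INFO
alert_source: BIOC
alert_name: BIOC-16
alert_category: CREDENTIAL_ACCESS
alert_description: File action type = all AND name = *.pdf
bioc_indicator: "[{""pretty_name"":""File"",""data_type"":null,""render_type"":""entity"",""entity_map"":null},
{""pretty_name"":""action type"",""data_type"":null,""render_type"":""attribute"",""entity_map"":null},
{""pretty_name"":""="",""data_type"":null,""render_type"":""operator"",""entity_map"":null},
{""pretty_name"":""all"",""data_type"":null,""render_type"":""value"",""entity_map"":null},
{""pretty_name"":""AND"",""data_type"":null,""render_type"":""connector"",""entity_map"":null},
{""pretty_name"":""name"",""data_type"":""TEXT"",""render_type"":""attribute"",""entity_map"":""attributes""},
{""pretty_name"":""="",""data_type"":null,""render_type"":""operator"",""entity_map"":""attributes""},
{""pretty_name"":""*.pdf"",""data_type"":null,""render_type"":""value"",""entity_map"":""attributes""}]"
is_whitelisted: false
'''

# A field line is "<name>: <value>"; names are slash-separated identifiers.
FIELD_RE = re.compile(r"^([A-Za-z_][\w/]*): ?(.*)$")

def parse_email_alert(body: str) -> Dict[str, str]:
    """Split the one-field-per-line body into a name -> raw value dict. A line
    that is not a "name: value" pair continues the previous field's value."""
    fields: Dict[str, str] = {}
    current = None
    for line in body.splitlines():
        match = FIELD_RE.match(line)
        if match:
            current, value = match.groups()
            fields[current] = value.strip()
        elif current is not None and line.strip():
            fields[current] += line.strip()  # wrapped bioc_indicator JSON
    return fields

def decode_bioc_indicator(raw: str) -> List[dict]:
    """Strip the CSV-style outer quotes, undo the doubled inner quotes and
    parse the JSON array of rule tokens (entity, attribute, operator, ...)."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    return json.loads(raw.replace('""', '"'))

def render_rule(tokens: List[dict]) -> str:
    """Join the tokens' pretty_name values back into the rule text; for the
    sample this reproduces alert_description word for word."""
    return " ".join(token["pretty_name"] for token in tokens)

def severity_rank(severity: str) -> int:
    """Numeric rank embedded in SEV_<nnn>_<label>, e.g. SEV_040_HIGH -> 40."""
    return int(severity.split("_")[1])
```

Comparing render_rule() against alert_description is a cheap consistency check when ingesting forwarded alerts into a SIEM, and severity_rank() lets routing rules threshold on the SEV_ value without a lookup table.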