Abstract
An email account or a syslog server are the notification channels through which the agent audit log is communicated.
Cortex XSIAM forwards the agent audit log to external data resources according to the following formats.
Email Account
Cortex XSIAM can forward agent audit log notifications to email accounts.
Syslog Server
Agent audit logs forwarded to a Syslog server are sent in a CEF format RFC 5425 according to the following mapping.
Section | Description |
---|---|
Syslog Header | <9>: PRI (considered a prioirty field)1: version number2020-03-22T07:55:07.964311Z: timestamp of when alert/log was sentcortexxdr: host name |
CEF Header | HEADER/Vendor="Palo Alto Networks" (as a constant string)HEADER/Device Product="Cortex XDR Agent" (as a constant string)HEADER/Device Version= Cortex XDR Agent version (7.0/7.1....)HEADER/Severity=(integer/0 - Unknown, 6 - Low, 8 - Medium, 9 - High)HEADER/Device Event Class ID="Agent Audit Logs" (as a constant string)HEADER/name = type |
CEF Body | dvchost=domain shost=endpoint_name cat=category end=timestamp rt=received_time cs1Label=agentversion (constant string) cs1=agent_version cs2Label=subtype (constant string) cs2=subtype cs3Label=result (constant string) cs3=result cs4Label=reason (constant string) cs4=reason msg=event_description tenantname=tenant_name tenantCDLid=tenant_id CSPaccountname=csp_id |
Example:
<182>1 2020-10-04T10:41:14.608731Z cortexxdr - - - - CEF:0|Palo Alto Networks|Cortex XDR Agent|Cortex XDR Agent 7.2.0.63060|Agent Audit Logs|Agent Service|9|dvchost=WORKGROUP shost=Test-Agent cat=Monitoring end=1601808073102 rt=1601808074596 cs1Label=agentversion cs1=7.2.0.63060 cs2Label=subtype cs2=Stop cs3Label=result cs3=N\/A cs4Label=reason cs4=None msg=XDR service cyserver was stopped on Test-Agent tenantname=Test tenantCDLid=123456 CSPaccountname=1234