Learn about the syntax and the fields used in the analytics log format.
Cortex XSIAM Analytics logs its alerts to the Cortex XSIAM tenant as analytics alert logs. If you configure Cortex XSIAM to forward logs in legacy format, each syslog record is a single comma-separated line whose fields appear in the order given below; values that contain commas or quotes (for example the JSON-valued fields) are quoted CSV-style, with an embedded quote written as two quotes, as the email example below shows.
Syslog format

```
sub_type,time_generated,id,version_info/document_version,version_info/magnifier_version,version_info/detection_version,alert/url,alert/category,alert/type,alert/name,alert/description/html,alert/description/text,alert/severity,alert/state,alert/is_whitelisted,alert/ports,alert/internal_destinations/single_destinations,alert/internal_destinations/ip_ranges,alert/external_destinations,alert/app_id,alert/schedule/activity_first_seen_at,alert/schedule/activity_last_seen_at,alert/schedule/first_detected_at,alert/schedule/last_detected_at,user/user_name,user/url,user/display_name,user/org_unit,device/id,device/url,device/mac,device/hostname,device/ip,device/ip_ranges,device/owner,device/org_unit,files
```
Email body format example

When analytics alert logs are forwarded by email, each field is labeled, one line per field, as in this example (long values are shortened with "..."):

```
sub_type: Update
time_generated: 1547717480
id: 4
version_info/document_version: 1
version_info/magnifier_version: 1.8
version_info/detection_version: 2019.2.0rc1
alert/url: https:\/\/ddc1...
alert/category: Recon
alert/type: Port Scan
alert/name: Port Scan
alert/description/html: \t<ul>\n\t\t<li>The device....
alert/description/text: The device ...
alert/severity: Low
alert/state: Reopened
alert/is_whitelisted: false
alert/ports: "[1,2,3,4,5,6,7,8,9,10,11...]
alert/internal_destinations/single_destinations: []
alert/internal_destinations/ip_ranges: "[{""max_ip"":""..."",""name"":""..."",""min_ip"":""...""}]"
alert/external_destinations: []
alert/app_id:
alert/schedule/activity_first_seen_at: 1542178800
alert/schedule/activity_last_seen_at: 1542182400
alert/schedule/first_detected_at: 1542182400
alert/schedule/last_detected_at: 1542182400
user/user_name:
user/url:
user/display_name:
user/org_unit:
device/id: 2-85e40edd-b2d1-1f25-2c1e-a3dd576c8a7e
device/url: https:\/\/ddc1 ...
device/mac: 00-50-56-a5-db-b2
device/hostname: DC1ENV3APC42
device/ip: 10.201.102.17
device/ip_ranges: "[{""max_ip"":""..."",""name"":""..."",""min_ip"":""..."",""asset"":""""}]"
device/owner:
device/org_unit:
files: []
```
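The following parser is an added example, not code from the Cortex XSIAM documentation or from Palo Alto Networks. It reads both forwarded forms described above: the comma-separated syslog record (field order taken from the header above; the csv module undoes the doubled-quote escaping) and the labeled one-line-per-field email body. JSON-valued fields are decoded into Python lists, epoch fields into timezone-aware datetimes, and is_whitelisted into a bool. The sample records are constructed for this example: the device identifiers and timestamps come from the page's example, while the URLs, port list and subnet values are made up, and the email sample assumes every value fits on one line.

```python
import csv
import json
from datetime import datetime, timezone

# Field order of the legacy syslog record, copied from the header above.
SYSLOG_FIELDS = [
    "sub_type", "time_generated", "id",
    "version_info/document_version", "version_info/magnifier_version",
    "version_info/detection_version",
    "alert/url", "alert/category", "alert/type", "alert/name",
    "alert/description/html", "alert/description/text",
    "alert/severity", "alert/state", "alert/is_whitelisted", "alert/ports",
    "alert/internal_destinations/single_destinations",
    "alert/internal_destinations/ip_ranges", "alert/external_destinations",
    "alert/app_id",
    "alert/schedule/activity_first_seen_at", "alert/schedule/activity_last_seen_at",
    "alert/schedule/first_detected_at", "alert/schedule/last_detected_at",
    "user/user_name", "user/url", "user/display_name", "user/org_unit",
    "device/id", "device/url", "device/mac", "device/hostname", "device/ip",
    "device/ip_ranges", "device/owner", "device/org_unit", "files",
]
FIELD_SET = set(SYSLOG_FIELDS)
# Fields whose value is an embedded JSON array (quoted CSV-style inside the record).
JSON_FIELDS = {
    "alert/ports", "alert/internal_destinations/single_destinations",
    "alert/internal_destinations/ip_ranges", "alert/external_destinations",
    "device/ip_ranges", "files",
}
# Fields carrying Unix epoch timestamps.
EPOCH_FIELDS = {
    "time_generated",
    "alert/schedule/activity_first_seen_at", "alert/schedule/activity_last_seen_at",
    "alert/schedule/first_detected_at", "alert/schedule/last_detected_at",
}


def _decode(raw: dict) -> dict:
    """Convert the string values of one record into typed Python values."""
    rec = {}
    for key, value in raw.items():
        if key in JSON_FIELDS:
            rec[key] = json.loads(value) if value else []
        elif key in EPOCH_FIELDS:
            rec[key] = datetime.fromtimestamp(int(value), tz=timezone.utc) if value else None
        elif key == "alert/is_whitelisted":
            rec[key] = value.strip().lower() == "true"
        else:
            rec[key] = value
    return rec


def parse_syslog_record(line: str) -> dict:
    """Parse one comma-separated legacy syslog record (csv handles the "" escaping)."""
    row = next(csv.reader([line]))
    if len(row) != len(SYSLOG_FIELDS):
        raise ValueError(f"expected {len(SYSLOG_FIELDS)} fields, got {len(row)}")
    return _decode(dict(zip(SYSLOG_FIELDS, row)))


def _csv_unquote(value: str) -> str:
    """Undo the CSV-style quoting ("..." with "" for an embedded quote) seen in email values."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1].replace('""', '"')
    return value


def parse_email_body(body: str) -> dict:
    """Parse the 'field: value' lines of an emailed alert; lines that are not fields are ignored."""
    raw = {}
    for line in body.splitlines():
        key, _, value = line.partition(":")  # field names never contain ':'
        if key.strip() in FIELD_SET:
            raw[key.strip()] = _csv_unquote(value.strip())
    return _decode(raw)


# Constructed syslog record (37 fields) in the format above; hypothetical URLs and subnet.
SAMPLE_SYSLOG = (
    "Update,1547717480,4,1,1.8,2019.2.0rc1,"
    "https://ddc1.example/alert/4,Recon,Port Scan,Port Scan,"
    '"<ul><li>The device scanned ports</li></ul>",The device scanned ports,'
    "Low,Reopened,false,"
    '"[22,80,443]",[],'
    '"[{""max_ip"":""10.201.102.255"",""name"":""lab"",""min_ip"":""10.201.102.0""}]",[],,'
    "1542178800,1542182400,1542182400,1542182400,"
    ",,,,"
    "2-85e40edd-b2d1-1f25-2c1e-a3dd576c8a7e,https://ddc1.example/device/2,"
    "00-50-56-a5-db-b2,DC1ENV3APC42,10.201.102.17,"
    '"[{""max_ip"":""10.201.102.255"",""name"":""lab"",""min_ip"":""10.201.102.0"",""asset"":""""}]",'
    ",,[]"
)
# Constructed email body (subset of fields) in the labeled one-line-per-field format.
SAMPLE_EMAIL = """\
sub_type: Update
time_generated: 1547717480
id: 4
alert/severity: Low
alert/state: Reopened
alert/is_whitelisted: false
alert/ports: "[22,80,443]"
alert/internal_destinations/ip_ranges: "[{""max_ip"":""10.201.102.255"",""name"":""lab"",""min_ip"":""10.201.102.0""}]"
alert/external_destinations: []
alert/app_id:
device/hostname: DC1ENV3APC42
files: []
"""

if __name__ == "__main__":
    rec = parse_syslog_record(SAMPLE_SYSLOG)
    print(rec["id"], rec["alert/name"], rec["alert/ports"], rec["time_generated"].isoformat())
```

The field-count check in parse_syslog_record is the important guard: a record with a stray unquoted comma would otherwise shift every later value into the wrong field (device/ip under device/hostname, and so on), silently corrupting anything built on top of the parse.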
The following table describes each field, in the order in which it appears in the syslog record.

| Field Name | Definition |
|---|---|
| sub_type | Alert log subtype. The email example above shows the value Update. |
| time_generated | Time the log record was sent to the Cortex XSIAM tenant, as a Unix epoch timestamp. |
| id | Unique identifier for the alert. Any given alert can generate multiple log records: one when the alert is initially raised, and an additional record every time the alert status changes. The id is the same in all of those records, so you can obtain the current status of an alert by selecting, among the records that share its id, the one with the most recent time_generated. |
| version_info/document_version | Version number of the log schema used for this log record. |
| version_info/magnifier_version | Version number of the Cortex XSIAM – Analytics instance that wrote this log record. |
| version_info/detection_version | Version of the Cortex XSIAM – Analytics detection software used to raise the alert. |
| alert/url | Full URL to the alert page in the Cortex XSIAM – Analytics user interface. |
| alert/category | Alert category, which reflects where in the attack life cycle the anomalous network activity falls. The email example above shows Recon. |
| alert/type | The categorization to which the alert belongs, for example Tunneling Process, Sandbox Detection or Malware. |
| alert/name | The alert name as it appears in the Cortex XSIAM – Analytics user interface. |
| alert/description/html | The alert description, HTML formatted. |
| alert/description/text | The alert description, in plain text. |
| alert/severity | Alert severity, which indicates how likely it is that the anomalous network activity is a real attack. The email example above shows Low. |
| alert/state | Alert state. The email example above shows Reopened. |
| alert/is_whitelisted | Whether the alert is whitelisted (true or false). Whitelisting records that the anomalous-looking network activity is legitimate; a whitelisted alert is not visible in the Cortex XSIAM – Analytics user interface. An alert can be dismissed or archived and still have a whitelist rule. |
| alert/ports | List of ports accessed by the network entity during its anomalous behavior, as a JSON array. |
| alert/internal_destinations/single_destinations | Network destinations that the entity reached, or tried to reach, during the network activity that caused Cortex XSIAM – Analytics to raise the alert. The value is a JSON array of objects (empty, [], in the example above). |
| alert/internal_destinations/ip_ranges | IP address range subnets that the entity reached, or tried to reach, during the network activity that caused Cortex XSIAM – Analytics to raise the alert. The value is a JSON array of objects; the example above shows objects with the keys max_ip, name and min_ip. |
| alert/external_destinations | List of destinations outside the monitored network that the entity reached, or tried to reach, during the activity that raised this alert. Entries can be IP addresses or fully qualified domain names. |
| alert/app_id | The App-ID associated with this alert. |
| alert/schedule/activity_first_seen_at | Time (Unix epoch) when Cortex XSIAM – Analytics first detected the network activity that caused it to raise the alert. There is frequently a delay between this timestamp and the time when Cortex XSIAM – Analytics raises the alert (see alert/schedule/first_detected_at); in the example above the two differ by one hour. |
| alert/schedule/activity_last_seen_at | Time (Unix epoch) when Cortex XSIAM – Analytics last detected the network activity that caused it to raise the alert. |
| alert/schedule/first_detected_at | Time (Unix epoch) when Cortex XSIAM – Analytics first alerted on the network activity. |
| alert/schedule/last_detected_at | Time (Unix epoch) when Cortex XSIAM – Analytics last alerted on the network activity. |
| user/user_name | Name of the user associated with this alert, as obtained from Active Directory. |
| user/url | Full URL to the page in the Cortex XSIAM – Analytics user interface for the user associated with the alert. |
| user/display_name | The user name as retrieved from Active Directory. This is the name displayed in the Cortex XSIAM – Analytics user interface for the user associated with this alert. |
| user/org_unit | Organizational unit of the user associated with this alert, as identified in Active Directory. |
| device/id | Unique ID assigned by Cortex XSIAM – Analytics to the device. All alerts raised for activity on this endpoint share this ID. |
| device/url | Full URL to the device page in the Cortex XSIAM – Analytics user interface. |
| device/mac | MAC address of the network card in use on the device. |
| device/hostname | The device host name. |
| device/ip | The device IP address. |
| device/ip_ranges | The subnet or subnets the device is on. The value is a JSON array and can contain multiple, inclusive subnets; the example above shows objects with the keys max_ip, name, min_ip and asset. |
| device/owner | User name of the person who owns the device. |
| device/org_unit | Organizational unit that owns the device, as identified in Active Directory. |
| files | Files associated with the alert, as a JSON array of objects (empty, [], in the example above). |
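Because one alert produces a new record on every status change, anything that consumes these logs has to collapse records by id before reasoning about an alert. The example below is added here and is not code from the Cortex XSIAM documentation; it works on already-parsed records (constructed inline, with timestamps from the page's example plus made-up values) and shows the reduction the id and time_generated definitions call for: keep the record with the newest time_generated per id even when records arrive out of order, drop whitelisted alerts from the triage view, and measure the gap between activity_first_seen_at and first_detected_at. The state value Reopened is from the page; Dismissed is a placeholder taken from the prose, since the page does not list the state value set.

```python
from datetime import datetime, timedelta, timezone


def _ts(epoch: int) -> datetime:
    """Epoch seconds to an aware UTC datetime (as a log parser would produce)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc)


# Constructed, already-parsed records. Alert 4 has two records, and the OLDER one
# arrives second (late delivery); alert 9 is whitelisted. Only the fields this
# example needs are included.
RECORDS = [
    {"id": "4", "time_generated": _ts(1547717480), "alert/state": "Reopened",
     "alert/severity": "Low", "alert/is_whitelisted": False,
     "alert/schedule/activity_first_seen_at": _ts(1542178800),
     "alert/schedule/first_detected_at": _ts(1542182400)},
    {"id": "4", "time_generated": _ts(1547600000), "alert/state": "Dismissed",
     "alert/severity": "Low", "alert/is_whitelisted": False,
     "alert/schedule/activity_first_seen_at": _ts(1542178800),
     "alert/schedule/first_detected_at": _ts(1542182400)},
    {"id": "9", "time_generated": _ts(1547650000), "alert/state": "Reopened",
     "alert/severity": "Low", "alert/is_whitelisted": True,
     "alert/schedule/activity_first_seen_at": _ts(1547640000),
     "alert/schedule/first_detected_at": _ts(1547647200)},
]


def current_state(records):
    """Map alert id -> the record with the newest time_generated.

    Comparing timestamps rather than trusting arrival order is what makes a
    late-delivered older record harmless.
    """
    latest = {}
    for rec in records:
        cur = latest.get(rec["id"])
        if cur is None or rec["time_generated"] > cur["time_generated"]:
            latest[rec["id"]] = rec
    return latest


def detection_delay(rec) -> timedelta:
    """How long the activity had been visible before Analytics first alerted on it."""
    return rec["alert/schedule/first_detected_at"] - rec["alert/schedule/activity_first_seen_at"]


def triage_queue(records):
    """Current, non-whitelisted alerts, newest first: the ones an analyst should look at."""
    current = current_state(records).values()
    return sorted((r for r in current if not r["alert/is_whitelisted"]),
                  key=lambda r: r["time_generated"], reverse=True)


if __name__ == "__main__":
    for rec in triage_queue(RECORDS):
        print(rec["id"], rec["alert/state"], "detection delay:", detection_delay(rec))
```

Note that the reduction keys on id alone, not on device/id: the same endpoint can have several distinct alerts, each with its own id, and collapsing on the device would hide all but one of them.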