To aid in endpoint detection and alert investigation, the Cortex XDR agent collects endpoint information when an alert is triggered.
When the Cortex XDR agent raises an alert on endpoint activity, a minimum set of metadata about the endpoint is sent to the server as described in Metadata Collected for Cortex XDR Agent Alerts.
When you enable behavioral threat protection or EDR data collection in your endpoint security policy, the Cortex XDR agent can also continuously monitor endpoint activity for malicious event chains identified by Palo Alto Networks. The endpoint data that the Cortex XDR agent collects when you enable these capabilities varies by platform type.
Note
Agents with Cortex XDR Pro per Endpoint apply limits and filters on network, file, and registry logs. To expand these limits and filters, the Extended Threat Hunting Data (XTH) add-on must be purchased.
The tables below note whether specific logs require the XTH add-on.
When the Cortex XDR agent raises an alert on endpoint activity, the following metadata is sent to the server:
Field | Description |
---|---|
Absolute Timestamp | Kernel system time |
Relative Timestamp | Uptime since the computer started |
Thread ID | ID of the originating thread |
Process ID | ID of the originating process |
Process Creation Time | Part of the process unique ID per boot session (PID + creation time) |
Sequence ID | Unique integer per boot session |
Primary User SID | Unique identifier of the user |
Impersonating User SID | Unique identifier of the impersonating user, if applicable |
Category | Events | Attributes |
---|---|---|
Mount a device (volume and hardware) | | |
Executable metadata (Traps 6.1 and later) | Process start | |
Files | | |
Image (DLL) | Load | |
Process | | |
Thread | Injection | |
Network | | |
Network Protocols | | |
Network Statistics | | Traps sends statistics both when a connection is closed, and at periodic intervals while the connection remains open. |
Registry | | |
Session | | |
Host Status | | |
User Presence (Traps 6.1 and later) | User Detection | Detection when a user is present or idle per active user session on the computer. |
RPC Calls | | |
System Calls | Syscall types change frequently, and can be observed in each event's data. | |
Event Log | See the table below for the list of Windows Event Logs that can be sent to the server. | |
In Traps 6.1.3 and later releases, Cortex XDR and Traps agents can send the following Windows Event Logs to the tenant.
Cortex XSIAM saves the Windows event logs both in xdr_data and in the microsoft_windows_raw datasets.
Path | Provider | Event IDs and Description |
---|---|---|
Application | EMET | |
Application | Windows Error Reporting | Only for Windows Error Reporting (WER) events when an application stops unexpectedly |
Application | Microsoft-Windows-User Profiles Service | |
Application | Application Error | 1000: Application unexpected stop/hang events, similar to WER/1001. These events include the full path to the EXE file, or to the module with the fault. |
Application | Application Hang | 1002: Application unexpected stop/hang events, similar to WER/1001. These events include the full path to the EXE file, or to the module with the fault. |
Microsoft-Windows-LDAP-client | | 30: Windows Event Collector (WEC) recommended event |
Microsoft-Windows-CAPI2/Operational | | Windows CAPI2 logging events |
Microsoft-Windows-DNS-Client/Operational | | 3008: A DNS query was completed (local machine name resolution events and empty name resolution events are excluded) |
Microsoft-Windows-DriverFrameworks-UserMode/Operational | | 2004: Detection of User-Mode drivers loading, for potential BadUSB detection |
Microsoft-Windows-PowerShell/Operational | | |
Microsoft-Windows-PrintService | Microsoft-Windows-PrintService | |
Microsoft-Windows-TaskScheduler/Operational | Microsoft-Windows-TaskScheduler | 106, 129, 141, 142, 200, 201 |
Microsoft-Windows-TerminalServices-RDPClient/Operational | | 1024: A terminal service (TS) attempted to connect to a remote server |
Microsoft-Windows-Windows Defender/Operational | | |
Microsoft-Antimalware-Scan-Interface | | 1101: Anti-Malware Scan Interface (AMSI) content scan event |
Microsoft-Windows-Windows Defender/Operational | | |
Microsoft-Windows-Windows Firewall With Advanced Security/Firewall | Microsoft-Windows-Windows Firewall With Advanced Security | 2004, 2005, 2006, 2009, 2033: Windows Firewall With Advanced Security Local Modifications (Levels 0, 2, 4) |
Security | | 1102: The Security log was cleared |
Security | Microsoft-Windows-Eventlog | Event log service events specific to the Security channel |
Security | | |
Security | Microsoft-Windows-Security-Auditing | |
Security | Microsoft-Windows-Security-Auditing | |
Security | Microsoft-Windows-Security-Auditing | |
Security | Microsoft-Windows-Security-Auditing | |
Security | Microsoft-Windows-Security-Auditing | 4713: Kerberos policy was changed on a domain controller |
Security | Microsoft-Windows-Security-Auditing | 4662: An operation was performed on an Active Directory object |
Category | Events | Attributes |
---|---|---|
Files | | |
Process | | |
Network | | |
Event Log | | |
Category | Events | Attributes |
---|---|---|
Files | | Note: For specific files only and only if the file was written. |
Network | | |
Process | | |
Event Log | | |
Field | Description |
---|---|
Time | |
Agent information | |
Event information | |
Actor information | Actor process instance ID |
OS actor information | |
Sample information | |
CPU usage information | |
Memory usage information | |
Vendor | Vendor name |
Product | Product name |
ZIP | ZIP ID |
Server information | Server request time |