Cortex XSIAM supports Syslog and email formats for IOC and BIOC alerts.
Cortex XSIAM logs its IOC and BIOC alerts to the Cortex XSIAM tenant. If you configure Cortex XSIAM to forward logs in legacy format, each alert log record forwarded from the Cortex XSIAM tenant has the following format:
Syslog format:
"/edrData/action_country","/edrData/action_download","/edrData/action_external_hostname","/edrData/action_external_port","/edrData/action_file_extension","/edrData/action_file_md5","/edrData/action_file_name","/edrData/action_file_path","/edrData/action_file_previous_file_extension","/edrData/action_file_previous_file_name","/edrData/action_file_previous_file_path","/edrData/action_file_sha256","/edrData/action_file_size","/edrData/action_file_remote_ip","/edrData/action_file_remote_port","/edrData/action_is_injected_thread","/edrData/action_local_ip","/edrData/action_local_port","/edrData/action_module_base_address","/edrData/action_module_image_size","/edrData/action_module_is_remote","/edrData/action_module_is_replay","/edrData/action_module_path","/edrData/action_module_process_causality_id","/edrData/action_module_process_image_command_line","/edrData/action_module_process_image_extension","/edrData/action_module_process_image_md5","/edrData/action_module_process_image_name","/edrData/action_module_process_image_path","/edrData/action_module_process_image_sha256","/edrData/action_module_process_instance_id","/edrData/action_module_process_is_causality_root","/edrData/action_module_process_os_pid","/edrData/action_module_process_signature_product","/edrData/action_module_process_signature_status","/edrData/action_module_process_signature_vendor","/edrData/action_network_connection_id","/edrData/action_network_creation_time","/edrData/action_network_is_ipv6","/edrData/action_process_causality_id","/edrData/action_process_image_command_line","/edrData/action_process_image_extension","/edrData/action_process_image_md5","/edrData/action_process_image_name","/edrData/action_process_image_path","/edrData/action_process_image_sha256","/edrData/action_process_instance_id","/edrData/action_process_integrity_level","/edrData/action_process_is_causality_root","/edrData/action_process_is_replay","/edrData/action_process_is_special","/edrData/action_process_os_pid","/edrData/action_process_signature_product","/edrData/action_process_signature_status","/edrData/action_process_signature_vendor","/edrData/action_proxy","/edrData/action_registry_data","/edrData/action_registry_file_path","/edrData/action_registry_key_name","/edrData/action_registry_value_name","/edrData/action_registry_value_type","/edrData/action_remote_ip","/edrData/action_remote_port","/edrData/action_remote_process_causality_id","/edrData/action_remote_process_image_command_line","/edrData/action_remote_process_image_extension","/edrData/action_remote_process_image_md5","/edrData/action_remote_process_image_name","/edrData/action_remote_process_image_path","/edrData/action_remote_process_image_sha256","/edrData/action_remote_process_is_causality_root","/edrData/action_remote_process_os_pid","/edrData/action_remote_process_signature_product","/edrData/action_remote_process_signature_status","/edrData/action_remote_process_signature_vendor","/edrData/action_remote_process_thread_id","/edrData/action_remote_process_thread_start_address","/edrData/action_thread_thread_id","/edrData/action_total_download","/edrData/action_total_upload","/edrData/action_upload","/edrData/action_user_status","/edrData/action_username","/edrData/actor_causality_id","/edrData/actor_effective_user_sid","/edrData/actor_effective_username","/edrData/actor_is_injected_thread","/edrData/actor_primary_user_sid","/edrData/actor_primary_username","/edrData/actor_process_causality_id","/edrData/actor_process_command_line","/edrData/actor_process_execution_time","/edrData/actor_process_image_command_line","/edrData/actor_process_image_extension","/edrData/actor_process_image_md5","/edrData/actor_process_image_name","/edrData/actor_process_image_path","/edrData/actor_process_image_sha256","/edrData/actor_process_instance_id","/edrData/actor_process_integrity_level","/edrData/actor_process_is_special","/edrData/actor_process_os_pid","/edrData/actor_process_signature_product","/edrData/actor_process_signature_status","/edrData/actor_process_signature_vendor","/edrData/actor_thread_thread_id","/edrData/agent_content_version","/edrData/agent_host_boot_time","/edrData/agent_hostname","/edrData/agent_id","/edrData/agent_ip_addresses","/edrData/agent_is_vdi","/edrData/agent_os_sub_type","/edrData/agent_os_type","/edrData/agent_session_start_time","/edrData/agent_version","/edrData/causality_actor_causality_id","/edrData/causality_actor_effective_user_sid","/edrData/causality_actor_effective_username","/edrData/causality_actor_primary_user_sid","/edrData/causality_actor_primary_username","/edrData/causality_actor_process_causality_id","/edrData/causality_actor_process_command_line","/edrData/causality_actor_process_execution_time","/edrData/causality_actor_process_image_command_line","/edrData/causality_actor_process_image_extension","/edrData/causality_actor_process_image_md5","/edrData/causality_actor_process_image_name","/edrData/causality_actor_process_image_path","/edrData/causality_actor_process_image_sha256","/edrData/causality_actor_process_instance_id","/edrData/causality_actor_process_integrity_level","/edrData/causality_actor_process_is_special","/edrData/causality_actor_process_os_pid","/edrData/causality_actor_process_signature_product","/edrData/causality_actor_process_signature_status","/edrData/causality_actor_process_signature_vendor","/edrData/event_id","/edrData/event_is_simulated","/edrData/event_sub_type","/edrData/event_timestamp","/edrData/event_type","/edrData/event_utc_diff_minutes","/edrData/event_version","/edrData/host_metadata_hostname","/edrData/missing_action_remote_process_instance_id","/facility","/generatedTime","/recordType","/recsize","/trapsId","/uuid","/xdr_unique_id","/meta_internal_id","/external_id","/is_visible","/is_secdo_event","/severity","/alert_source","/internal_id","/matching_status","/local_insert_ts","/source_insert_ts","/alert_name","/alert_category","/alert_description","/bioc_indicator","/matching_service_rule_id","/external_url","/xdr_sub_type","/bioc_category_enum_key","/alert_action_status","/agent_data_collection_status","/attempt_counter","/case_id","/global_content_version_id","/global_rule_id","/is_whitelisted"
When alert logs are forwarded by email, each field is labeled, one line per field.
Email body format example:
edrData/action_country:
edrData/action_download:
edrData/action_external_hostname:
edrData/action_external_port:
edrData/action_file_extension: pdf
edrData/action_file_md5: null
edrData/action_file_name: XORXOR2614081980.pdf
edrData/action_file_path: C:\ProgramData\Cyvera\Ransomware\16067987696371268494\XORXOR2614081980.pdf
edrData/action_file_previous_file_extension: null
edrData/action_file_previous_file_name: null
edrData/action_file_previous_file_path: null
edrData/action_file_sha256: null
edrData/action_file_size: 0
edrData/action_file_remote_ip: null
edrData/action_file_remote_port: null
edrData/action_is_injected_thread:
edrData/action_local_ip:
edrData/action_local_port:
edrData/action_module_base_address:
edrData/action_module_image_size:
edrData/action_module_is_remote:
edrData/action_module_is_replay:
edrData/action_module_path:
edrData/action_module_process_causality_id:
edrData/action_module_process_image_command_line:
edrData/action_module_process_image_extension:
edrData/action_module_process_image_md5:
edrData/action_module_process_image_name:
edrData/action_module_process_image_path:
edrData/action_module_process_image_sha256:
edrData/action_module_process_instance_id:
edrData/action_module_process_is_causality_root:
edrData/action_module_process_os_pid:
edrData/action_module_process_signature_product:
edrData/action_module_process_signature_status:
edrData/action_module_process_signature_vendor:
edrData/action_network_connection_id:
edrData/action_network_creation_time:
edrData/action_network_is_ipv6:
edrData/action_process_causality_id:
edrData/action_process_image_command_line:
edrData/action_process_image_extension:
edrData/action_process_image_md5:
edrData/action_process_image_name:
edrData/action_process_image_path:
edrData/action_process_image_sha256:
edrData/action_process_instance_id:
edrData/action_process_integrity_level:
edrData/action_process_is_causality_root:
edrData/action_process_is_replay:
edrData/action_process_is_special:
edrData/action_process_os_pid:
edrData/action_process_signature_product:
edrData/action_process_signature_status:
edrData/action_process_signature_vendor:
edrData/action_proxy:
edrData/action_registry_data:
edrData/action_registry_file_path:
edrData/action_registry_key_name:
edrData/action_registry_value_name:
edrData/action_registry_value_type:
edrData/action_remote_ip:
edrData/action_remote_port:
edrData/action_remote_process_causality_id:
edrData/action_remote_process_image_command_line:
edrData/action_remote_process_image_extension:
edrData/action_remote_process_image_md5:
edrData/action_remote_process_image_name:
edrData/action_remote_process_image_path:
edrData/action_remote_process_image_sha256:
edrData/action_remote_process_is_causality_root:
edrData/action_remote_process_os_pid:
edrData/action_remote_process_signature_product:
edrData/action_remote_process_signature_status:
edrData/action_remote_process_signature_vendor:
edrData/action_remote_process_thread_id:
edrData/action_remote_process_thread_start_address:
edrData/action_thread_thread_id:
edrData/action_total_download:
edrData/action_total_upload:
edrData/action_upload:
edrData/action_user_status:
edrData/action_username:
edrData/actor_causality_id: AdUcamNT99kAAAAEAAAAAA==
edrData/actor_effective_user_sid: S-1-5-18
edrData/actor_effective_username: NT AUTHORITY\SYSTEM
edrData/actor_is_injected_thread: false
edrData/actor_primary_user_sid: S-1-5-18
edrData/actor_primary_username: NT AUTHORITY\SYSTEM
edrData/actor_process_causality_id: AdUcamNT99kAAAAEAAAAAA==
edrData/actor_process_command_line:
edrData/actor_process_execution_time: 1559827133585
edrData/actor_process_image_command_line:
edrData/actor_process_image_extension:
edrData/actor_process_image_md5:
edrData/actor_process_image_name: System
edrData/actor_process_image_path: System
edrData/actor_process_image_sha256:
edrData/actor_process_instance_id: AdUcamNT99kAAAAEAAAAAA==
edrData/actor_process_integrity_level: 16384
edrData/actor_process_is_special: 1
edrData/actor_process_os_pid: 4
edrData/actor_process_signature_product: Microsoft Windows
edrData/actor_process_signature_status: 1
edrData/actor_process_signature_vendor: Microsoft Corporation
edrData/actor_thread_thread_id: 64
edrData/agent_content_version: 58-9124
edrData/agent_host_boot_time: 1559827133585
edrData/agent_hostname: padme-7
edrData/agent_id: a832f35013f16a06fc2495843674a3e9
edrData/agent_ip_addresses: ["10.196.172.74"]
edrData/agent_is_vdi: false
edrData/agent_os_sub_type: Windows 7 [6.1 (Build 7601: Service Pack 1)]
edrData/agent_os_type: 1
edrData/agent_session_start_time: 1559827592661
edrData/agent_version: 6.1.0.13895
edrData/causality_actor_causality_id: AdUcamNT99kAAAAEAAAAAA==
edrData/causality_actor_effective_user_sid:
edrData/causality_actor_effective_username:
edrData/causality_actor_primary_user_sid: S-1-5-18
edrData/causality_actor_primary_username: NT AUTHORITY\SYSTEM
edrData/causality_actor_process_causality_id:
edrData/causality_actor_process_command_line:
edrData/causality_actor_process_execution_time: 1559827133585
edrData/causality_actor_process_image_command_line:
edrData/causality_actor_process_image_extension:
edrData/causality_actor_process_image_md5:
edrData/causality_actor_process_image_name: System
edrData/causality_actor_process_image_path: System
edrData/causality_actor_process_image_sha256:
edrData/causality_actor_process_instance_id: AdUcamNT99kAAAAEAAAAAA==
edrData/causality_actor_process_integrity_level: 16384
edrData/causality_actor_process_is_special: 1
edrData/causality_actor_process_os_pid: 4
edrData/causality_actor_process_signature_product: Microsoft Windows
edrData/causality_actor_process_signature_status: 1
edrData/causality_actor_process_signature_vendor: Microsoft Corporation
edrData/event_id: AAABa13u2PQsqXnCAB1qjw==
edrData/event_is_simulated: false
edrData/event_sub_type: 1
edrData/event_timestamp: 1560649063308
edrData/event_type: 3
edrData/event_utc_diff_minutes: 120
edrData/event_version: 20
edrData/host_metadata_hostname:
edrData/missing_action_remote_process_instance_id:
facility:
generatedTime: 2019-06-16T01:37:43
recordType: alert
recsize:
trapsId:
uuid:
xdr_unique_id: ae65c92c6e704023df129c728eab3d3e
meta_internal_id: None
external_id: 318b7f91-ae74-4860-abd1-b463e8cd6deb
is_visible: null
is_secdo_event: null
severity: SEV_010_INFO
alert_source: BIOC
internal_id: None
matching_status: null
local_insert_ts: null
source_insert_ts: 1560649063308
alert_name: BIOC-16
alert_category: CREDENTIAL_ACCESS
alert_description: File action type = all AND name = *.pdf
bioc_indicator: "[{""pretty_name"":""File"",""data_type"":null,""render_type"":""entity"",""entity_map"":null},{""pretty_name"":""action type"",""data_type"":null,""render_type"":""attribute"",""entity_map"":null},{""pretty_name"":""="",""data_type"":null,""render_type"":""operator"",""entity_map"":null},{""pretty_name"":""all"",""data_type"":null,""render_type"":""value"",""entity_map"":null},{""pretty_name"":""AND"",""data_type"":null,""render_type"":""connector"",""entity_map"":null},{""pretty_name"":""name"",""data_type"":""TEXT"",""render_type"":""attribute"",""entity_map"":""attributes""},{""pretty_name"":""="",""data_type"":null,""render_type"":""operator"",""entity_map"":""attributes""},{""pretty_name"":""*.pdf"",""data_type"":null,""render_type"":""value"",""entity_map"":""attributes""}]"
matching_service_rule_id: 200
external_url: null
xdr_sub_type: BIOC - Credential Access
bioc_category_enum_key: null
alert_action_status: null
agent_data_collection_status: null
attempt_counter: null
case_id: null
global_content_version_id:
global_rule_id:
is_whitelisted: false
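The following Python is an added example, not code from the Cortex XSIAM documentation or from Palo Alto Networks. It parses both forwarded formats described above: the legacy syslog record is mapped field by field onto the published header list (csv.reader undoes the doubled-quote escaping seen in the bioc_indicator value), and the email body is split one "label: value" line at a time. The header list is abbreviated to the fields the constructed sample record carries; sample values are copied from the email example where the page shows one. Stripping the leading slash from syslog header names so that both parsers yield the same keys, and folding "", "null" and "None" to a single missing marker, are this example's own choices.

```python
import csv
import io
from typing import Dict, List, Optional

# Abbreviated header list for the legacy syslog format. The full list on the
# page has roughly 190 entries; this keeps only the ones the constructed
# sample record below carries, in the same relative order.
SYSLOG_HEADER: List[str] = [
    "/edrData/agent_hostname", "/edrData/agent_id", "/generatedTime",
    "/recordType", "/severity", "/alert_source", "/alert_name",
    "/alert_category", "/alert_description", "/bioc_indicator",
    "/is_whitelisted",
]

# Constructed syslog record: comma-separated, each field double-quoted, inner
# quotes doubled (the escaping visible in the page's bioc_indicator value).
SAMPLE_SYSLOG_RECORD = (
    '"padme-7","a832f35013f16a06fc2495843674a3e9","2019-06-16T01:37:43",'
    '"alert","SEV_010_INFO","BIOC","BIOC-16","CREDENTIAL_ACCESS",'
    '"File action type = all AND name = *.pdf",'
    '"[{""pretty_name"":""File"",""render_type"":""entity""}]","false"'
)

# Constructed email body: one "label: value" line per field, with values taken
# from the page's example where it shows one.
SAMPLE_EMAIL_BODY = r"""
edrData/action_country:
edrData/action_file_extension: pdf
edrData/action_file_path: C:\ProgramData\Cyvera\Ransomware\16067987696371268494\XORXOR2614081980.pdf
edrData/action_file_md5: null
edrData/actor_effective_username: NT AUTHORITY\SYSTEM
edrData/agent_os_sub_type: Windows 7 [6.1 (Build 7601: Service Pack 1)]
meta_internal_id: None
severity: SEV_010_INFO
alert_source: BIOC
alert_name: BIOC-16
is_whitelisted: false
"""

# The page shows absent values as "", "null" or "None".
EMPTY_MARKERS = {"", "null", "None"}


def _normalize_key(name: str) -> str:
    # Syslog headers read "/edrData/x", email labels "edrData/x"; drop the
    # leading slash so both parsers produce identical keys.
    return name.lstrip("/")


def _normalize_value(value: str) -> Optional[str]:
    value = value.strip()
    return None if value in EMPTY_MARKERS else value


def parse_syslog_record(record: str, header: List[str] = SYSLOG_HEADER) -> Dict[str, Optional[str]]:
    """Map one CSV record onto the header list, position by position.

    A field-count mismatch is rejected outright: a record silently shifted
    against the wrong header names would mislabel every later field.
    """
    row = next(csv.reader(io.StringIO(record)))
    if len(row) != len(header):
        raise ValueError(f"expected {len(header)} fields, got {len(row)}")
    return {_normalize_key(k): _normalize_value(v) for k, v in zip(header, row)}


def parse_email_body(body: str) -> Dict[str, Optional[str]]:
    """Parse the labeled one-line-per-field email format.

    Split on the first colon only: labels never contain one, but values such
    as Windows paths ("C:\\...") and OS strings ("Build 7601: ...") do.
    """
    fields: Dict[str, Optional[str]] = {}
    for line in body.splitlines():
        if not line.strip():
            continue
        label, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a 'label: value' line: {line!r}")
        fields[_normalize_key(label.strip())] = _normalize_value(value)
    return fields


if __name__ == "__main__":
    for fmt, parsed in (("syslog", parse_syslog_record(SAMPLE_SYSLOG_RECORD)),
                        ("email", parse_email_body(SAMPLE_EMAIL_BODY))):
        print(fmt, parsed["alert_source"], parsed["alert_name"], parsed["severity"])
```

Because the syslog record carries no labels, the parser is only as good as the header list it is given; keep that list in step with the tenant's forwarding configuration and treat a field-count mismatch as a pipeline error rather than dropping it.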
The following table summarizes the field prefixes and additional relevant fields available for BIOC and IOC alert logs.
Field Name | Definition |
---|---|
edrData/action_file* | Fields that begin with this prefix describe attributes of a file for which Traps reported activity. |
edrData/action_module* | Fields that begin with this prefix describe attributes of a module for which Traps reported module loading activity. |
edrData/action_module_process* | Fields that begin with this prefix describe attributes and activity related to processes reported by Traps that load modules such as DLLs on the endpoint. |
edrData/action_process_image* | Fields that begin with this prefix describe attributes of a process image for which Traps reported activity. |
edrData/action_registry* | Fields that begin with this prefix describe registry activity and attributes such as key name, data, and previous value for which Traps reported activity. |
edrData/action_network* | Fields that begin with this prefix describe network attributes for which Traps reported activity. |
edrData/action_remote_process* | Fields that begin with this prefix describe attributes of remote processes for which Traps reported activity. |
edrData/actor* | Fields that begin with this prefix describe attributes about the acting user that initiated the activity on the endpoint. |
edrData/agent* | Fields that begin with this prefix describe attributes about the Traps agent deployed on the endpoint. |
edrData/causality_actor* | Fields that begin with this prefix describe attributes about the causality group owner. |
Additional useful fields: | |
/severity | Severity assigned to the alert. |
/alert_source | Source of the alert: BIOC or IOC |
/local_insert_ts | Date and time when Cortex XSIAM – Investigation and Response ingested the alert. |
/source_insert_ts | Date and time the alert was reported by the alert source. |
/alert_name | If the alert was generated by Cortex XSIAM – Investigation and Response, the alert name is the specific Cortex XSIAM rule that created the alert (the BIOC or IOC rule name). If the alert came from an external system, it carries the name assigned to it by Cortex XSIAM. |
/alert_category | Alert category based on the alert source. |
/alert_description | Text summary of the event including the alert source, alert name, severity, and file path. For alerts triggered by BIOC and IOC rules, Cortex XSIAM displays detailed information about the rule. |
/bioc_indicator | A JSON representation of the rule characteristics (in the forwarded record the array is enclosed in quotes and each inner quote is doubled, as in the email example above). For example: [{"pretty_name":"File","data_type":null,"render_type":"entity","entity_map":null},{"pretty_name":"action type","data_type":null,"render_type":"attribute","entity_map":null},{"pretty_name":"=","data_type":null,"render_type":"operator","entity_map":null},{"pretty_name":"all","data_type":null,"render_type":"value","entity_map":null},{"pretty_name":"AND","data_type":null,"render_type":"connector","entity_map":null},{"pretty_name":"name","data_type":"TEXT","render_type":"attribute","entity_map":"attributes"},{"pretty_name":"=","data_type":null,"render_type":"operator","entity_map":"attributes"},{"pretty_name":"*.pdf","data_type":null,"render_type":"value","entity_map":"attributes"}] |
/bioc_category_enum_key | Alert category based on the alert source. An example of a BIOC alert category is Evasion. An example of a Traps alert category is Exploit Modules. |
/alert_action_status | Action taken by the alert sensor, with the action status displayed in parentheses. |
/case_id | Unique identifier for the incident. |
/global_content_version_id | Unique identifier for the content version in which a Palo Alto Networks global BIOC rule was released. |
/global_rule_id | Unique identifier for an alert triggered by a Palo Alto Networks global BIOC rule. |
/is_whitelisted | Boolean indicating whether the alert is excluded (whitelisted). |
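As an added example (not code from the Cortex XSIAM documentation), the following Python interprets the "additional useful fields" listed in the table: it validates alert_source against the two documented values, reads the numeric level out of a severity label, decodes the escaped bioc_indicator JSON back into its tokens and joins their pretty_name values into the rule text, and renders the epoch-millisecond timestamps as UTC. The input dict is constructed from the page's email example. The SEV_<nnn>_<NAME> pattern is an assumption generalized from the single label the page shows (SEV_010_INFO); the helper returns None for labels that do not match rather than guessing a level.

```python
import json
import re
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# Constructed input: the useful fields of the page's email example as a dict.
# bioc_indicator is kept exactly as delivered: the JSON array wrapped in
# quotes with every inner quote doubled.
SAMPLE_ALERT: Dict[str, str] = {
    "severity": "SEV_010_INFO",
    "alert_source": "BIOC",
    "alert_name": "BIOC-16",
    "alert_category": "CREDENTIAL_ACCESS",
    "alert_description": "File action type = all AND name = *.pdf",
    "source_insert_ts": "1560649063308",
    "local_insert_ts": "null",
    "bioc_indicator": (
        '"[{""pretty_name"":""File"",""data_type"":null,""render_type"":""entity"",""entity_map"":null},'
        '{""pretty_name"":""action type"",""data_type"":null,""render_type"":""attribute"",""entity_map"":null},'
        '{""pretty_name"":""="",""data_type"":null,""render_type"":""operator"",""entity_map"":null},'
        '{""pretty_name"":""all"",""data_type"":null,""render_type"":""value"",""entity_map"":null},'
        '{""pretty_name"":""AND"",""data_type"":null,""render_type"":""connector"",""entity_map"":null},'
        '{""pretty_name"":""name"",""data_type"":""TEXT"",""render_type"":""attribute"",""entity_map"":""attributes""},'
        '{""pretty_name"":""="",""data_type"":null,""render_type"":""operator"",""entity_map"":""attributes""},'
        '{""pretty_name"":""*.pdf"",""data_type"":null,""render_type"":""value"",""entity_map"":""attributes""}]"'
    ),
    "is_whitelisted": "false",
    "global_rule_id": "",
}

# Assumed pattern, generalized from the one label on the page (SEV_010_INFO).
SEVERITY_RE = re.compile(r"^SEV_(\d{3})_([A-Z]+)$")
EMPTY_MARKERS = {"", "null", "None"}


def severity_level(raw: Optional[str]) -> Optional[int]:
    """Numeric level from a severity label; None when the label is unrecognized."""
    m = SEVERITY_RE.match(raw or "")
    return int(m.group(1)) if m else None


def decode_bioc_indicator(raw: Optional[str]) -> List[Dict[str, Any]]:
    """Undo the quote wrapping and doubling, then parse the JSON token list.

    Also accepts the already-unescaped form that csv parsing of the syslog
    record yields, since that text has no outer quotes to strip.
    """
    if raw is None or raw.strip() in EMPTY_MARKERS:
        return []
    text = raw.strip()
    if text.startswith('"') and text.endswith('"'):
        text = text[1:-1].replace('""', '"')
    return json.loads(text)


def render_rule(tokens: List[Dict[str, Any]]) -> str:
    """Join the pretty_name of each token (entity, attribute, operator, value, connector)."""
    return " ".join(t["pretty_name"] for t in tokens)


def epoch_ms_to_iso(raw: Optional[str]) -> Optional[str]:
    """Timestamps such as source_insert_ts are epoch milliseconds; render them as UTC."""
    if raw is None or raw.strip() in EMPTY_MARKERS:
        return None
    return datetime.fromtimestamp(int(raw) / 1000, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def summarize_alert(fields: Dict[str, str]) -> Dict[str, Any]:
    """Reduce a parsed alert to the fields an analyst routes and triages on."""
    source = fields.get("alert_source")
    if source not in ("BIOC", "IOC"):
        raise ValueError(f"unexpected alert_source: {source!r}")
    rule = render_rule(decode_bioc_indicator(fields.get("bioc_indicator")))
    return {
        "source": source,
        "name": fields.get("alert_name"),
        "category": fields.get("alert_category"),
        "severity": severity_level(fields.get("severity")),
        "rule": rule,
        # The decoded rule should reproduce the alert_description text.
        "rule_matches_description": rule == fields.get("alert_description"),
        "reported_at": epoch_ms_to_iso(fields.get("source_insert_ts")),
        "ingested_at": epoch_ms_to_iso(fields.get("local_insert_ts")),
        "suppressed": (fields.get("is_whitelisted") or "").lower() == "true",
        "global_rule": (fields.get("global_rule_id") or "").strip() not in EMPTY_MARKERS,
    }


if __name__ == "__main__":
    print(json.dumps(summarize_alert(SAMPLE_ALERT), indent=2))
```

For the page's example, source_insert_ts 1560649063308 renders as 2019-06-16T01:37:43Z, which is the generatedTime shown in the email body, so that field is in UTC while event_utc_diff_minutes (120) records the endpoint's own offset.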