Learn about the formats used to forward Cortex XDR agent, BIOC, IOC, analytics, correlation, and third-party alerts.
Cortex XDR agent, BIOC, IOC, analytics, correlation, and third-party alerts are forwarded to external data resources according to the email, Slack, or syslog format.
Email account
Alert notifications are sent to the email accounts you configured in the notification settings. Each email also includes a code snippet of the alert's fields, matching the columns of the Alert table.
The notification format is as follows:
If only one alert exists in the queue, it is sent in the single alert email format.
If more than one alert was grouped within the time frame, all the alerts in the queue are forwarded together in the grouped email format.
Single alert email message
```text
Email Subject: Alert: <alert_name>

Email Body:
Alert Name: Suspicious Process Creation
Severity: High
Source: XDR Agent
Category: Malware
Action: Detected
Host: <host name>
Username: <user name>
Excluded: No
Starred: Yes
Alert: <link to Cortex XDR app alert view>
Incident: <link to Cortex XDR app incident view>
```
Grouped alert email message
```text
Email Subject: Alerts: <first_highest_severity_alert> + x others

Email Body:
Alert Name: Suspicious Process Creation
Severity: High
Source: XDR Agent
Category: Malware
Action: Detected
Host: <host name>
Username: <user name>
Excluded: No
Starred: Yes
Alert: <link to Cortex XDR app alert view>
Incident: <link to Cortex XDR app incident view>

Alert Name: Behavioral Threat Protection
Alert ID: 2412
Description: A really cool detection
Severity: Medium
Source: XDR Agent
Category: Exploit
Action: Prevented
Host: <host name>
Starred: Yes
Alert: <link to Cortex XDR app alert view>
Incident: <link to Cortex XDR app incident view>

Notification Name: "My notification policy 2"
Notification Description: "Starred alerts with medium severity"
```
Email body
```json
{
  "original_alert_json": {
    "uuid": "<UUID Value>",
    "recordType": "threat",
    "customerId": "<Customer ID>",
    "severity": 4,
    "...",
    "is_pcap": null,
    "contains_featured_host": [ "NO" ],
    "contains_featured_user": [ "YES" ],
    "contains_featured_ip": [ "YES" ],
    "events_length": 1,
    "is_excluded": false
  }
}
```
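The single-versus-grouped rule above, worked through in code. This is an added example, not Cortex XDR code: the alerts in SAMPLE_QUEUE are constructed from the field values shown in the message samples, and the severity ranking used to pick the "first highest severity" alert is an assumption, since the page does not define how severities are ordered. The policy filter mirrors the "Starred alerts with medium severity" notification description.

```python
"""Build single vs grouped alert email notifications as described on this page.

Added example; not Palo Alto Networks code. SAMPLE_QUEUE and SEVERITY_RANK are
constructed assumptions: the page does not define the severity ordering or
how the alert queue is stored.
"""
from typing import Dict, List, Optional, Tuple

# Assumed ranking, used only to choose the "first highest severity" alert.
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Informational": 0}

# Field order follows the email body on this page; absent fields are skipped.
BODY_FIELDS = [
    ("Alert Name", "alert_name"), ("Alert ID", "alert_id"), ("Description", "description"),
    ("Severity", "severity"), ("Source", "source"), ("Category", "category"),
    ("Action", "action"), ("Host", "host"), ("Username", "username"),
    ("Excluded", "excluded"), ("Starred", "starred"),
    ("Alert", "alert_url"), ("Incident", "incident_url"),
]

# Constructed queue: the two alerts from the grouped sample plus a third,
# unstarred one so the policy filter has something to drop.
SAMPLE_QUEUE: List[Dict[str, str]] = [
    {"alert_name": "Suspicious Process Creation", "severity": "High", "source": "XDR Agent",
     "category": "Malware", "action": "Detected", "host": "host01", "username": "victim",
     "excluded": "No", "starred": "Yes", "alert_url": "<link to alert view>",
     "incident_url": "<link to incident view>"},
    {"alert_name": "Behavioral Threat Protection", "alert_id": "2412",
     "description": "A really cool detection", "severity": "Medium", "source": "XDR Agent",
     "category": "Exploit", "action": "Prevented", "host": "host02", "starred": "Yes",
     "alert_url": "<link to alert view>", "incident_url": "<link to incident view>"},
    {"alert_name": "Suspicious Process Creation", "severity": "Medium", "source": "XDR Agent",
     "category": "Malware", "action": "Detected", "host": "host03", "username": "svc",
     "excluded": "No", "starred": "No", "alert_url": "<link to alert view>",
     "incident_url": "<link to incident view>"},
]


def matches_policy(alert: Dict[str, str], policy: Dict) -> bool:
    """Apply a policy such as {'starred': True, 'severities': {'Medium'}}."""
    if policy.get("starred") and alert.get("starred") != "Yes":
        return False
    wanted = policy.get("severities")
    return not wanted or alert.get("severity") in wanted


def render_alert(alert: Dict[str, str]) -> str:
    """Render one alert as 'Label: value' lines in the page's field order."""
    return "\n".join(f"{label}: {alert[key]}" for label, key in BODY_FIELDS if key in alert)


def build_email(queue: List[Dict[str, str]], policy_name: Optional[str] = None,
                policy_description: Optional[str] = None) -> Tuple[str, str]:
    """Return (subject, body): single alert format for one alert, grouped for several."""
    if not queue:
        raise ValueError("empty queue: nothing to notify")
    if len(queue) == 1:
        alert = queue[0]
        return f"Alert: {alert['alert_name']}", render_alert(alert)
    # max() returns the first maximal element, so ties resolve to the earliest
    # queued alert of the top severity ("<first_highest_severity_alert>").
    top = max(queue, key=lambda a: SEVERITY_RANK.get(a["severity"], -1))
    subject = f"Alerts: {top['alert_name']} + {len(queue) - 1} others"
    body = "\n\n".join(render_alert(a) for a in queue)
    if policy_name:
        body += (f'\n\nNotification Name: "{policy_name}"'
                 f'\nNotification Description: "{policy_description or ""}"')
    return subject, body


if __name__ == "__main__":
    policy = {"starred": True, "severities": {"Medium"}}
    selected = [a for a in SAMPLE_QUEUE if matches_policy(a, policy)]
    subject, body = build_email(selected, "My notification policy 2",
                                "Starred alerts with medium severity")
    print(subject)
    print(body)
```

Run the file to see the filtered, single-alert message; pass the full SAMPLE_QUEUE to build_email to see the grouped subject line.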
Slack channel
You can send alert notifications to a single Slack contact or a Slack channel. Notifications are similar to the email format.
Syslog receiver
Alert notifications forwarded to a syslog receiver are sent in CEF format over syslog (RFC 5425).
Section | Description |
---|---|
Syslog header | |
CEF header | |
CEF body | CEF extension fields (key=value pairs), listed below |

```text
end=timestamp
shost=endpoint_name
deviceFacility=facility
cat=category
externalId=external_id
request=request
cs1=initiated_by_process
cs1Label=Initiated by (constant string)
cs2=initiator_command
cs2Label=Initiator CMD (constant string)
cs3=signature
cs3Label=Signature (constant string)
cs4=cgo_name
cs4Label=CGO name (constant string)
cs5=cgo_command
cs5Label=CGO CMD (constant string)
cs6=cgo_signature
cs6Label=CGO Signature (constant string)
dst=destination_ip
dpt=destination_port
src=source_ip
spt=source_port
fileHash=file_hash
filePath=file_path
targetprocesssignature=target_process_signature
tenantname=tenant_name
tenantCDLid=tenant_id
CSPaccountname=account_name
initiatorSha256=initiator_hash
initiatorPath=initiator_path
osParentName=parent_name
osParentCmd=parent_command
osParentSha256=parent_hash
osParentSignature=parent_signature
osParentSigner=parent_signer
incident=incident_id
act=action
suser=actor_effective_username
```
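A parser for lines of the shape described above, as an added example (not Cortex XDR or Palo Alto Networks code). It is what a receiver would need before the alert can be matched or enriched: it splits the seven pipe-delimited CEF header fields, tokenises the key=value extension while honouring CEF escaping (`\|`, `\=`, `\\`), and folds the csNLabel fields onto their csN values so a field can be read as "Initiator CMD" rather than "cs2". SAMPLE_LINE is constructed: the syslog header portion is assumed to be RFC 5424-style, and the vendor, product, version and signature id in the CEF header are placeholders; only the extension keys come from the field list on this page.

```python
"""Parse a CEF alert line of the shape this page describes.

Added example; not Palo Alto Networks code. SAMPLE_LINE is constructed: the
syslog header is assumed RFC 5424-style and the CEF header values
(vendor, product, version, signature id) are placeholders.
"""
import re
from typing import Dict, List

SAMPLE_LINE = (
    "<14>1 2024-05-01T12:00:00Z collector - - - - "
    "CEF:0|EXAMPLE_VENDOR|EXAMPLE_PRODUCT|1.0|1001|Suspicious Process Creation|8|"
    "end=1714564800000 shost=host01 cat=Malware externalId=2412 "
    "cs1=powershell.exe cs1Label=Initiated by "
    "cs2=powershell.exe -enc ABC\\=\\= cs2Label=Initiator CMD "   # value with escaped '='
    "cs3=Unsigned cs3Label=Signature "
    "filePath=C:\\\\Users\\\\victim\\\\evil.exe act=Detected suser=victim"  # escaped backslashes
)

# An extension key is a run of key characters at the start of the string or
# after whitespace, immediately followed by '='. An escaped '\=' inside a value
# never matches, because the backslash is not a key character.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


def _split_unescaped(text: str, sep: str, maxsplit: int) -> List[str]:
    """Split on `sep` at most `maxsplit` times, skipping backslash-escaped separators."""
    parts: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # keep the escape pair for _unescape()
            cur.append(text[i:i + 2])
            i += 2
            continue
        if ch == sep and len(parts) < maxsplit:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def _unescape(value: str) -> str:
    """Undo CEF escaping: a backslash followed by a char yields that char ('n'/'r' give newlines)."""
    special = {"n": "\n", "r": "\r"}
    out: List[str] = []
    i = 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(special.get(value[i + 1], value[i + 1]))
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_extension(ext: str) -> Dict[str, str]:
    """Turn 'k1=v1 k2=v2 ...' into a dict; values may contain spaces."""
    fields: Dict[str, str] = {}
    matches = list(_KEY_RE.finditer(ext))
    for n, m in enumerate(matches):
        end = matches[n + 1].start() if n + 1 < len(matches) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip())
    return fields


def resolve_custom_labels(fields: Dict[str, str]) -> Dict[str, str]:
    """Map each csNLabel/cnNLabel value to the matching csN/cnN field ('Initiator CMD' -> cs2)."""
    custom: Dict[str, str] = {}
    for key, label in fields.items():
        m = re.fullmatch(r"(c[sn]\d+)Label", key)
        if m and m.group(1) in fields:
            custom[label] = fields[m.group(1)]
    return custom


def parse_cef(line: str) -> dict:
    """Split a syslog line into its syslog header, the 7 CEF header fields and the extension."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF payload in line")
    parts = _split_unescaped(line[idx:], "|", 7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 '|'-separated header fields")
    header = {
        "cef_version": int(parts[0][len("CEF:"):]),
        "device_vendor": _unescape(parts[1]),
        "device_product": _unescape(parts[2]),
        "device_version": _unescape(parts[3]),
        "signature_id": _unescape(parts[4]),
        "name": _unescape(parts[5]),
        "severity": int(parts[6]),
    }
    fields = parse_extension(parts[7])
    return {
        "syslog_header": line[:idx].rstrip(),
        "header": header,
        "extension": fields,
        "custom": resolve_custom_labels(fields),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(parse_cef(SAMPLE_LINE), indent=2))
```

Splitting on the escape-aware scanner rather than a plain `split("|")` matters because a process name or command line in the CEF name field may legitimately contain a pipe; likewise the key regex anchors on whitespace so an `=` inside an escaped command line is not mistaken for a new field.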