Abstract
Learn about the syntax and different variables that are used in the analytics log format.
Cortex XSIAM Analytics records alerts as analytics alert logs. If you configure Cortex XSIAM to forward logs in the legacy format, each log record has one of the following formats:
Syslog format:
Example 12.
sub_type,time_generated,id,version_info/document_version,version_info/magnifier_version,version_info/detection_version,alert/url,alert/category,alert/type,alert/name,alert/description/html,alert/description/text,alert/severity,alert/state,alert/is_whitelisted,alert/ports,alert/internal_destinations/single_destinations,alert/internal_destinations/ip_ranges,alert/external_destinations,alert/app_id,alert/schedule/activity_first_seen_at,alert/schedule/activity_last_seen_at,alert/schedule/first_detected_at,alert/schedule/last_detected_at,user/user_name,user/url,user/display_name,user/org_unit,device/id,device/url,device/mac,device/hostname,device/ip,device/ip_ranges,device/owner,device/org_unit,files
Email format: Each field is labeled, one line per field.
Example 13.
sub_type: Update
time_generated: 1547717480
id: 4
version_info/document_version: 1
version_info/magnifier_version: 1.8
version_info/detection_version: 2019.2.0rc1
alert/url: https:\/\/ddc1...
alert/category: Recon
alert/type: Port Scan
alert/name: Port Scan
alert/description/html: \t<ul>\n\t\t<li>The device....
alert/description/text: The device ...
...
device/id: 2-85e40edd-b2d1-1f25-2c1e-a3dd576c8a7e
device/url: https:\/\/ddc1 ...
device/mac: 00-50-56-a5-db-b2
device/hostname: DC1ENV3APC42
device/ip: 10.201.102.17
device/ip_ranges: "[{""max_ip"":""..."",""name"":""..."",""min_ip"":""..."",""asset"":""""}]"
device/owner:
device/org_unit:
files: []