Analytics log format - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-15
Category
Administrator Guide
Abstract

Learn about the syntax and different variables that are used in the analytics log format.

Cortex XSIAM Analytics logs alerts as analytics alert logs. If you configure Cortex XSIAM to forward logs in the legacy format, each log record has the following format:

  • Syslog format:

    Example 12. 
    sub_type,time_generated,id,version_info/document_version,version_info/magnifier_version,version_info/detection_version,alert/url,alert/category,alert/type,alert/name,alert/description/html,alert/description/text,alert/severity,alert/state,alert/is_whitelisted,alert/ports,alert/internal_destinations/single_destinations,alert/internal_destinations/ip_ranges,alert/external_destinations,alert/app_id,alert/schedule/activity_first_seen_at,alert/schedule/activity_last_seen_at,alert/schedule/first_detected_at,alert/schedule/last_detected_at,user/user_name,user/url,user/display_name,user/org_unit,device/id,device/url,device/mac,device/hostname,device/ip,device/ip_ranges,device/owner,device/org_unit,files

  • Email account: Each field is labeled, one line per field.

    Example 13. 
    sub_type: Update
    time_generated: 1547717480
    id: 4
    version_info/document_version: 1
    version_info/magnifier_version: 1.8
    version_info/detection_version: 2019.2.0rc1
    alert/url: https:\/\/ddc1...
    alert/category: Recon
    alert/type: Port Scan
    alert/name: Port Scan 
    alert/description/html: \t<ul>\n\t\t<li>The device....
    alert/description/text: The device ...
    ...
    device/id: 2-85e40edd-b2d1-1f25-2c1e-a3dd576c8a7e
    device/url: https:\/\/ddc1 ...
    device/mac: 00-50-56-a5-db-b2
    device/hostname: DC1ENV3APC42
    device/ip: 10.201.102.17
    device/ip_ranges: "[{""max_ip"":""..."",""name"":""..."",""min_ip"":""..."",""asset"":""""}]"
    device/owner: 
    device/org_unit: 
    files: []