Endpoints Event Forwarding - included/excluded fields by event type - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-07
Category
Administrator Guide
Abstract

Learn more about the included/excluded fields by event type for Endpoint Event Forwarding in Cortex XSIAM.

Endpoints Event Forwarding exports ingested, parsed endpoint data for Cortex XDR pro EP and Cloud Endpoints. The exported logs are raw data, without any stories. Cortex XSIAM exports the data without filtering or configuration options. The tables below list the fields that are included and excluded for:

  • Types of events exported for the endpoints

  • Common fields for all event types

The table below lists the types of events exported for the endpoints and the fields that are included and excluded:

Exported event type

Included field

Excluded field

Network

action_socket_type

is_boot_replay

action_remote_ip

action_proxy

action_remote_port

action_network_app_ids

action_local_ip

action_network_rule_ids

action_local_port

action_network_dpi_fields

action_network_connection_id

action_network_is_loopback

action_network_is_server

action_upload

action_network_creation_time

action_download

action_total_upload

action_network_stats_seq

action_total_download

action_network_is_ipv6

action_network_protocol

action_network_stats_is_last

Process

uuid / _id

action_process_causality_id

action_process_os_pid

action_process_is_causality_root

action_process_instance_id

action_process_is_replay

action_process_image_md5

action_process_yara_file_scan_result

action_process_image_sha256

action_process_wf_verdict

action_process_image_path

action_process_static_analysis_score

action_process_image_name

execution_actor_causality_id

action_process_image_extension

action_process_ns_pid

action_process_image_command_line

action_process_container_id

action_process_signature_product

action_process_is_container_root

action_process_signature_vendor

action_process_image_command_line_indices

action_process_signature_is_embedded

action_process_is_special

action_process_signature_status

action_process_ns_user_sid

action_process_integrity_level

action_process_ns_user_real_sid

action_process_username

action_process_file_size

action_process_user_sid

action_process_file_create_time

action_process_in_txn

action_process_file_mod_time

action_process_pe_load_info

action_process_remote_session_ip

action_process_peb

action_process_file_info

action_process_peb32

action_process_device_info

action_process_last_writer_actor

execution_actor_instance_id

action_process_token

action_process_user_real_sid

action_process_privileges

action_process_requested_parent_pid

action_process_fds

action_process_requested_parent_iid

action_process_scheduled_task_name

action_process_termination_date

action_process_instance_execution_time

action_process_termination_code

File

action_file_path

action_file_wf_verdict

action_file_name

action_file_yara_file_scan_result

action_file_previous_file_path

action_file_dir_query

action_file_previous_file_name

action_file_previous_device_info

action_file_md5

action_file_device_info

action_file_sha256

action_file_reparse_path

action_file_size

action_file_reparse_count

action_file_attributes

action_file_dirty_reason

action_file_create_time

action_file_remote_ip

action_file_mod_time

action_file_remote_port

action_file_access_time

action_file_remote_file_ip

action_file_type

action_file_remote_file_host

action_file_operation_flags

action_file_sec_desc

action_file_mode

action_file_previous_file_extension

action_file_owner

action_file_extension

action_file_owner_name

action_file_archive_list

action_file_group

action_file_contents

action_file_group_name

action_file_device_type

action_file_signature_product

action_file_signature_vendor

action_file_signature_is_embedded

action_file_signature_status

action_file_pe_info

action_file_prev_type

action_file_last_writer_actor

action_file_is_anonymous

Registry

action_registry_value_type

action_registry_key_name

action_registry_data

action_registry_value_name

action_registry_old_key_name

action_registry_file_path

action_registry_return_val

Injection

action_remote_process_thread_id

action_remote_process_causality_id

action_remote_process_os_pid

action_remote_process_is_causality_root

action_remote_process_instance_id

action_remote_process_is_replay

action_remote_process_image_md5

action_remote_process_image_extension

action_remote_process_image_sha256

action_remote_process_image_command_line_indices

action_remote_process_image_path

action_remote_process_is_special

action_remote_process_image_name

action_remote_process_file_size

action_remote_process_image_command_line

action_remote_process_file_create_time

action_remote_process_signature_product

action_remote_process_file_mod_time

action_remote_process_signature_vendor

action_remote_process_file_info

action_remote_process_signature_is_embedded

action_remote_process_signature_status

action_remote_process_thread_start_address

action_remote_process_integrity_level

action_remote_process_username

action_remote_process_user_sid

address_mapping

Load Image

action_module_path

action_module_is_replay

action_module_md5

action_module_yara_file_scan_result

action_module_sha256

action_module_file_size

action_module_base_address

action_module_file_create_time

action_module_image_size

action_module_file_mod_time

action_module_signature_product

action_module_file_access_time

action_module_signature_vendor

action_module_device_info

action_module_signature_is_embedded

action_module_wf_verdict

action_module_signature_status

action_module_file_info

action_module_last_writer_actor

action_module_other_load_location

action_module_page_protection

action_module_system_properties

action_module_code_integrity

action_module_boot_code_integrity

User Status Change

action_user_status

action_username

action_user_status_sid

action_user_session_id

action_user_is_local_session

Host Status Change

action_boot_time

action_powered_off

Agent Status Change

action_boot_instance_cleanup_required

agent_status_component

Host Metadata Discovery/Change

host_metadata_interface_map

host_metadata_hostname

host_metadata_domain

The table below lists the common fields for all event types and the fields that are included and excluded.

Common fields for all event types

Included field

Excluded field

Agent

agent_content_version

agent_install_type

agent_hostname

event_utc_diff_minutes

agent_interface_map

manifest_file_version

agent_os_sub_type

source_message_id

agent_os_type

zip_id

agent_version

agent_request_time

agent_id

server_request_time

agent_ip_addresses

agent_id_hash

agent_ip_addresses_v6

agent_id_hash_bre

backtrace_identities

_product

_vendor

actor_fields

agent_is_vdi

Common

event_version

event_is_impersonated

event_type

event_is_replay

event_sub_type

event_impersonation_status

event_id

event_is_simulated

event_timestamp

event_user_presence

event_rpc_interface_uuid

agent_host_boot_time

event_rpc_func_opnum

agent_session_start_time

event_validity_enum

event_invalidity_field

event_rpc_inteface_version_major

event_rpc_inteface_version_minor

event_rpc_protocol

event_address_mapped

event_user_presence_status

Actor

os_actor_local_ip

actor_ns_user_sid

os_actor_local_port

actor_process_auth_id

os_actor_primary_user_sid

actor_process_causality_id

os_actor_primary_username

actor_process_ns_pid

os_actor_process_command_line

actor_process_session_id

os_actor_process_image_md5

actor_process_signature_is_embedded

os_actor_process_image_name

actor_process_signature_product

os_actor_process_image_path

actor_process_signature_vendor

os_actor_process_image_sha256

actor_remote_host

os_actor_process_signature_status

actor_remote_pipe_name

os_actor_process_logon_id

actor_remote_port

os_actor_process_os_pid

actor_rpc_interface_version_major

os_actor_remote_ip

actor_rpc_interface_version_minor

os_actor_process_instance_id

actor_rpc_protocol

os_actor_thread_thread_id

actor_type

actor_rpc_func_opnum

actor_rpc_interface_uuid

actor_process_device_info

actor_process_execution_time

actor_process_file_create_time

actor_process_file_mod_time

actor_process_file_size

actor_process_image_extension

actor_process_instance_id

actor_process_command_line_indices

actor_process_integrity_level

actor_process_is_special

actor_process_last_writer_actor

actor_process_instance_id

actor_thread_thread_id

actor_is_injected_thread

actor_causality_id

actor_effective_username

actor_effective_user_sid