Learn about the different log formats that Cortex XSIAM can forward to an external server or email account.
The following lists the fields for each log type that Cortex XSIAM can forward to an external server or email destination.
Keep in mind the following:
When log forwarding to a syslog receiver, Cortex XSIAM sends logs in the IETF syslog message format defined in RFC 5425. To facilitate parsing, the delimiter is a comma and each field is a comma-separated value (CSV) string.
Note
The FUTURE_USE tag applies to fields that Cortex XSIAM does not currently implement.
When log forwarding to an email account, Cortex XSIAM sends an email with each field on a separate line in the email body.
Threat logs
The syslog format is as follows:
recordType, class, FUTURE_USE, eventType, generatedTime, serverTime, agentTime, tzOffset, FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion, regionId, isEndpoint, agentId, osType, isVdi, osVersion, is64, agentIp, deviceName, deviceDomain, severity, trapsSeverity, agentVersion, contentVersion, protectionStatus, preventionKey, moduleId, profile, moduleStatusId, verdict, preventionMode, terminate, terminateTarget, quarantine, block, postDetected, eventParameters(Array), sourceProcessIdx(Array), targetProcessIdx(Array), fileIdx(Array), processes(Array), files(Array), users(Array), urls(Array), description(Array)
Field Name | Description |
---|---|
recordType | Record type associated with the event; you can use it when managing logging quotas. In this case, the record type is threat, which includes logs related to security events that occur on the endpoints. |
class | Class of Cortex XDR agent log: config, policy, system, or agent_log. |
eventType | Subtype of event: AgentActionReport, AgentDeviceControlViolation, AgentGenericMessage, AgentSamReport, AgentScanReport, AgentSecurityEvent, AgentStatistics, AgentTimelineEvent, ServerLogPerAgent, ServerLogPerTenant, or ServerLogSystem. |
generatedTime | Coordinated Universal Time (UTC) equivalent of the time at which an event was logged. For agent events, this represents the time on the endpoint. For policy, configuration, and system events, this represents the time on Cortex XSIAM in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z). |
serverTime | Coordinated Universal Time (UTC) equivalent of the time at which the server generated the log. If the log was generated on an endpoint, this field identifies the time the server received the log in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z). |
agentTime | Coordinated Universal Time (UTC) equivalent of the time at which an agent logged an event in ISO-8601 string representation. |
tzOffset | Effective endpoint time zone offset from UTC, in minutes. |
facility | The Cortex XSIAM system component that initiated the event, for example: TrapsAgent, TrapsServiceCore, TrapsServiceManagement, and TrapsServiceBackend. |
customerId | The ID that uniquely identifies the Cortex XSIAM tenant instance which received this log record. |
trapsId | Tenant external ID. |
serverHost | Hostname of Cortex XSIAM. |
serverComponentVersion | Software version of Cortex XSIAM. |
regionId | ID of Cortex XSIAM region: |
isEndpoint | Indicates whether the event occurred on an endpoint. |
agentId | Unique identifier for the Cortex XDR agent. |
osType | Operating system of the endpoint: |
isVdi | Indicates whether the endpoint is a virtual desktop infrastructure (VDI): |
osVersion | Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135. |
is64 | Indicates whether the endpoint is running a 64-bit version of Windows: |
agentIp | IP address of the endpoint. |
deviceName | Hostname of the endpoint on which the event was logged. |
deviceDomain | Domain to which the endpoint belongs. |
severity | Syslog severity level associated with the event. Each event also has an associated Cortex XSIAM severity. See the |
trapsSeverity | Severity level associated with the event defined for Cortex XSIAM. Each of these severities corresponds to a syslog severity level: See also the |
agentVersion | Version of the Cortex XDR agent. |
contentVersion | Content version in the local security policy. |
protectionStatus | Cortex XDR agent protection status: |
preventionKey | Unique identifier for security events. |
moduleId | Security module name. |
profile | Name of the security profile that triggered the event. |
moduleStatusId | Identifies the specific component of Cortex XSIAM modules. |
verdict | Verdict for the file: |
preventionMode | Action carried out by the Cortex XDR agent (block or notify). The prevention mode is specified in the rule configuration. |
terminate | Termination action taken on the file. |
terminateTarget | Termination action taken on the target file (relevant for some child process execution events where the child process is terminated but not the parent process): |
quarantine | Quarantine action taken on the file: |
block | Block action taken on the file: |
postDetected | Post detection status of the file: |
eventParameters(Array) | Parameters associated with the type of event. For example, username, endpoint hostname, and filename. |
sourceProcessIdx(Array) | The prevention source process index in the processes array. |
targetProcessIdx(Array) | Target process index in the processes array. A missing or negative value means there is no target process. |
fileIdx(Array) | Index of target files for specific security events such as: Scanning, Malicious DLL, Malicious Macro events. |
processes(Array) | All related details for the process file that triggered an event: |
files(Array) | File object includes: |
users(Array) | Details about the active user on the endpoint when the event occurred: |
urls(Array) | Additional details related to a URL: |
description(Array) | (Mac only) Description of components related to Cortex XSIAM. For example, the description of the ROP, JIT, and Dylib hijacking modules for Mac endpoints is Memory Corruption Exploit. |
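As an added example (not code from the Cortex XSIAM documentation or product), the Python parser below maps a Threat log CSV record onto the field order listed above, skips the FUTURE_USE positions, rejects a record whose field count does not match the template, and converts agentTime to the endpoint's wall-clock time using tzOffset. The sample record and the quoted, comma-separated encoding assumed for the Array fields are constructed; the page does not show a real record.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Threat log field order, copied from the syslog format listed on this page.
# FUTURE_USE marks positions the product does not currently populate.
THREAT_TEMPLATE = (
    "recordType, class, FUTURE_USE, eventType, generatedTime, serverTime, agentTime, tzOffset, "
    "FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion, regionId, "
    "isEndpoint, agentId, osType, isVdi, osVersion, is64, agentIp, deviceName, deviceDomain, "
    "severity, trapsSeverity, agentVersion, contentVersion, protectionStatus, preventionKey, "
    "moduleId, profile, moduleStatusId, verdict, preventionMode, terminate, terminateTarget, "
    "quarantine, block, postDetected, eventParameters(Array), sourceProcessIdx(Array), "
    "targetProcessIdx(Array), fileIdx(Array), processes(Array), files(Array), users(Array), "
    "urls(Array), description(Array)"
)

# Constructed sample record (not a real Cortex XSIAM record). Array fields are
# assumed to arrive as quoted, comma-separated strings; the page does not show
# their actual encoding, so treat that part as an assumption.
SAMPLE_RECORD = (
    "threat,agent_log,,AgentSecurityEvent,2017-01-24T09:08:59Z,2017-01-24T09:09:03Z,"
    "2017-01-24T09:08:59Z,-300,,TrapsAgent,TENANT-PLACEHOLDER,EXTID-PLACEHOLDER,"
    "xsiam.example.com,0.0.0,0,1,agent-0001,1,0,6.1.7601.19135,1,192.0.2.10,WS-EXAMPLE,"
    'example.local,3,2,0.0.0,0,1,key-0001,Local Analysis,"Default Profile, Windows",'
    '0,1,block,1,0,1,1,0,"user1,WS-EXAMPLE,sample.exe",0,-1,0,'
    r'"sample.exe,C:\Users\user1\Downloads",sample.exe,EXAMPLE\user1,,'
)

def template_fields(template):
    """Split a format string into its field names, keeping FUTURE_USE positions."""
    return [name.strip() for name in template.split(",")]

def parse_record(template, line):
    """Map one CSV record onto the template and drop FUTURE_USE placeholders.

    A field-count mismatch is raised rather than silently misaligned: it is
    the usual symptom of a forwarder or format version drifting from the parser.
    """
    names = template_fields(template)
    values = next(csv.reader(io.StringIO(line)))  # csv handles quoted commas
    if len(values) != len(names):
        raise ValueError(f"expected {len(names)} fields, got {len(values)}")
    return {name: value for name, value in zip(names, values) if name != "FUTURE_USE"}

def endpoint_local_time(record):
    """Shift agentTime (UTC, ISO-8601) by tzOffset (minutes) to the endpoint's wall clock."""
    utc = datetime.strptime(record["agentTime"], "%Y-%m-%dT%H:%M:%SZ")
    offset = timezone(timedelta(minutes=int(record["tzOffset"])))
    return utc.replace(tzinfo=timezone.utc).astimezone(offset)

def target_process_index(record):
    """Return targetProcessIdx as an int, or None when missing or negative (no target)."""
    raw = record.get("targetProcessIdx(Array)", "").strip()
    return int(raw) if raw and int(raw) >= 0 else None

if __name__ == "__main__":
    rec = parse_record(THREAT_TEMPLATE, SAMPLE_RECORD)
    print(rec["eventType"], rec["profile"], endpoint_local_time(rec).isoformat())
```

The same template-driven approach works for the Config, Analytics and System formats below; only the template string changes.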
Config logs
The syslog format is as follows:
recordType, class, FUTURE_USE, subClassId, eventType, eventCategory, generatedTime, serverTime, FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion, regionId, isEndpoint, severity, trapsSeverity, messageCode, friendlyName, FUTURE_USE, msgTextEn, userFullName, userName, userRole, userDomain, additionalData(Array), messageCode, errorText, errorData, resultData
Field Name | Description |
---|---|
recordType | Record type associated with the event; you can use it when managing logging quotas. In this case, the record type is config, which includes logs related to Cortex XSIAM administration and configuration changes. |
class | Class of Cortex XSIAM log. System logs have a value of system. |
subClass | Subclass of event. Used to categorize logs in Cortex XSIAM. |
subClassId | Numeric representation of the subClass field for easy sorting and filtering. |
eventType | Subtype of event. |
eventCategory | Category of event, used internally for processing the flow of logs. Event categories vary by class: |
generatedTime | Coordinated Universal Time (UTC) equivalent of the time at which an event was logged. For agent events, this represents the time on the endpoint. For policy, configuration, and system events, this represents the time on Cortex XSIAM in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z). |
serverTime | Coordinated Universal Time (UTC) equivalent of the time at which the server generated the log. If the log was generated on an endpoint, this field identifies the time the server received the log in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z). |
facility | The Cortex XSIAM system component that initiated the event, for example: TrapsAgent, TrapsServiceCore, TrapsServiceManagement, and TrapsServiceBackend. |
customerId | The ID that uniquely identifies the Cortex XSIAM tenant instance which received this log record. |
trapsId | Tenant external ID. |
serverHost | Hostname of Cortex XSIAM. |
serverComponentVersion | Software version of Cortex XSIAM. |
regionId | ID of Cortex XSIAM region: |
isEndpoint | Indicates whether the event occurred on an endpoint. |
agentId | Unique identifier for the Cortex XDR agent. |
severity | Syslog severity level associated with the event. Each event also has an associated Cortex XSIAM severity. See the |
trapsSeverity | Severity level associated with the event defined for Cortex XSIAM. Each of these severities corresponds to a syslog severity level: See also the |
messageCode | System-wide unique message code. |
friendlyName | Descriptive log message name. |
msgTextEn | Description of the event, in English. |
userFullName | Full username of Cortex XSIAM user. |
userName | Username associated with Cortex XSIAM user. |
userRole | Role assigned to Cortex XSIAM user. |
userDomain | Domain to which the user belongs. |
agentTime | Coordinated Universal Time (UTC) equivalent of the time at which an agent logged an event in ISO-8601 string representation. |
tzOffset | Effective endpoint time zone offset from UTC, in minutes. |
osType | Operating system of the endpoint: |
isVdi | Indicates whether the endpoint is a virtual desktop infrastructure (VDI): |
osVersion | Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135. |
is64 | Indicates whether the endpoint is running a 64-bit version of Windows: |
agentIp | IP address of the endpoint. |
deviceName | Hostname of the endpoint on which the event was logged. |
deviceDomain | Domain to which the endpoint belongs. |
agentVersion | Version of the Cortex XSIAM agent. |
contentVersion | Content version in the local security policy. |
protectionStatus | Cortex XSIAM agent protection status: |
userFullName | Full name of Cortex XSIAM user. |
userName | Username associated with Cortex XSIAM user. |
userRole | Role assigned to Cortex XSIAM user. |
userDomain | Domain to which the user belongs. |
messageName | Name of the message. |
messageId | Unique numeric identifier of the message. |
processStatus | State of the process related to the event. |
errorText | If known, a description of the documented error. |
errorData | Parameters related to an event error. |
resultData | Parameters related to a successful event. |
parameters | Parameters supplied in the log message. |
additionalData(Array) | Additional information regarding event parameters. |
loggedInUser | User that is logged in to Cortex XSIAM. |
Analytics logs
The syslog format is as follows:
recordType, class, FUTURE_USE, eventType, eventCategory, generatedTime, serverTime, agentTime, tzOffset, FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion, regionId, isEndpoint, agentId, osType, isVdi, osVersion, is64, agentIp, deviceName, deviceDomain, severity, agentVersion, contentVersion, protectionStatus, sha256, type, parentSha256, lastSeen, fileName, filePath, fileSize, localAnalysisResult, reported, blocked, executionCount
Field Name | Description |
---|---|
recordType | Record type associated with the event; you can use it when managing logging quotas. In this case, the record type is analytics, which includes hash execution reports from the agent. |
class | Class of Cortex XSIAM log: config, policy, system, and agent_log. |
eventType | Subtype of event. |
eventCategory | Category of event, used internally for processing the flow of logs. Event categories vary by class: |
generatedTime | Coordinated Universal Time (UTC) equivalent of the time at which an event was logged. For agent events, this represents the time on the endpoint. For policy, configuration, and system events, this represents the time on Cortex XSIAM in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z). |
serverTime | Coordinated Universal Time (UTC) equivalent of the time at which the server generated the log. If the log was generated on an endpoint, this field identifies the time the server received the log in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z). |
agentTime | Coordinated Universal Time (UTC) equivalent of the time at which an agent logged an event in ISO-8601 string representation. |
tzOffset | Effective endpoint time zone offset from UTC, in minutes. |
facility | The Cortex XSIAM system component that initiated the event, for example: TrapsAgent, TrapsServiceCore, TrapsServiceManagement, and TrapsServiceBackend. |
customerId | The ID that uniquely identifies the Cortex XSIAM tenant instance which received this log record. |
trapsId | Tenant external ID. |
serverHost | Hostname of Cortex XSIAM. |
serverComponentVersion | Software version of Cortex XSIAM. |
regionId | ID of Cortex XSIAM region: |
isEndpoint | Indicates whether the event occurred on an endpoint. |
agentId | Unique identifier for the Cortex XDR agent. |
osType | Operating system of the endpoint: |
isVdi | Indicates whether the endpoint is a virtual desktop infrastructure (VDI): |
osVersion | Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135. |
is64 | Indicates whether the endpoint is running a 64-bit version of Windows: |
agentIp | IP address of the endpoint. |
deviceName | Hostname of the endpoint on which the event was logged. |
deviceDomain | Domain to which the endpoint belongs. |
severity | Syslog severity level associated with the event. Each event also has an associated Cortex XSIAM severity. See the |
agentVersion | Version of the Cortex XDR agent. |
contentVersion | Content version in the local security policy. |
protectionStatus | Cortex XDR agent protection status: |
sha256 | SHA256 hash of the file. |
type | Type of file: |
parentSha256 | SHA256 hash of the parent file. |
lastSeen | Coordinated Universal Time (UTC) equivalent of the time when the file last ran on an endpoint in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z). |
fileName | File name, without the path or the file type extension. |
filePath | Full path, aligned to the OS format. |
fileSize | Size of the file in bytes. |
localAnalysisResult | This object includes the content version, local analysis module version, verdict result, file signer, and trusted signer result. The trusted signer result is an integer value: |
reported | Reporting status of the file, as an integer value: |
blocked | Blocking status of the file, as an integer value: |
executionCount | The total number of times a file identified by a specific hash was executed. |
System logs
The syslog format is as follows:
recordType, class, FUTURE_USE, subClassId, eventType, eventCategory, generatedTime, serverTime, FUTURE_USE, facility, customerId, trapsId, serverHost, serverComponentVersion, regionId, isEndpoint, agentId, severity, trapsSeverity, messageCode, friendlyName, FUTURE_USE, msgTextEn, userFullName, username, userRole, userDomain, agentTime, tzOffset, osType, isVdi, osVersion, is64, agentIp, deviceName, deviceDomain, agentVersion, contentVersion, protectionStatus, userFullName, username, userRole, userDomain, messageName, messageId, processStatus, errorText, errorData, resultData, parameters, additionalData(Array)
Field Name | Description |
---|---|
recordType | Record type associated with the event; you can use it when managing logging quotas. In this case, the record type is system, which includes logs related to automated system management and agent reporting events. |
class | Class of Cortex XSIAM log. System logs have a value of system. |
subClass | Subclass of event. Used to categorize logs in the Cortex XSIAM user interface. |
subClassId | Numeric representation of the subClass field for easy sorting and filtering. |
eventType | Subtype of event. |
eventCategory | Category of event, used internally for processing the flow of logs. Event categories vary by class: |
generatedTime | Coordinated Universal Time (UTC) equivalent of the time at which an event was logged. For agent events, this represents the time on the endpoint. For policy, configuration, and system events, this represents the time on Cortex XSIAM in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z). |
serverTime | Coordinated Universal Time (UTC) equivalent of the time at which the server generated the log. If the log was generated on an endpoint, this field identifies the time the server received the log in ISO-8601 string representation (for example, 2017-01-24T09:08:59Z). |
facility | The Cortex XSIAM system component that initiated the event, for example: TrapsAgent, TrapsServiceCore, TrapsServiceManagement, and TrapsServiceBackend. |
customerId | The ID that uniquely identifies the Cortex XSIAM tenant instance which received this log record. |
trapsId | Tenant external ID. |
serverHost | Hostname of Cortex XSIAM. |
serverComponentVersion | Software version of Cortex XSIAM. |
regionId | ID of Cortex XSIAM region: |
isEndpoint | Indicates whether the event occurred on an endpoint. |
agentId | Unique identifier for the Cortex XDR agent. |
severity | Syslog severity level associated with the event. Each event also has an associated Cortex XSIAM severity. See the |
trapsSeverity | Severity level associated with the event defined for Cortex XSIAM. Each of these severities corresponds to a syslog severity level: See also the |
messageCode | System-wide unique message code. |
friendlyName | Descriptive log message name. |
msgTextEn | Description of the event, in English. |
userFullName | Full username of Cortex XSIAM user. |
userName | Username associated with Cortex XSIAM user. |
userRole | Role assigned to Cortex XSIAM user. |
userDomain | Domain to which the user belongs. |
agentTime | Coordinated Universal Time (UTC) equivalent of the time at which an agent logged an event in ISO-8601 string representation. |
tzOffset | Effective endpoint time zone offset from UTC, in minutes. |
osType | Operating system of the endpoint: |
isVdi | Indicates whether the endpoint is a virtual desktop infrastructure (VDI): |
osVersion | Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135. |
is64 | Indicates whether the endpoint is running a 64-bit version of Windows: |
agentIp | IP address of the endpoint. |
deviceName | Hostname of the endpoint on which the event was logged. |
deviceDomain | Domain to which the endpoint belongs. |
agentVersion | Version of the Cortex XDR agent. |
contentVersion | Content version in the local security policy. |
protectionStatus | Cortex XDR agent protection status: |
userFullName | Full name of Cortex XSIAM user. |
userName | Username associated with Cortex XSIAM user. |
userRole | Role assigned to Cortex XSIAM user. |
userDomain | Domain to which the user belongs. |
messageName | Name of the message. |
messageId | Unique numeric identifier of the message. |
processStatus | State of the process related to the event. |
errorText | If known, a description of the documented error. |
errorData | Parameters related to an event error. |
resultData | Parameters related to a successful event. |
parameters | Parameters supplied in the log message. |
additionalData(Array) | Additional information regarding event parameters. |
loggedInUser | User that is logged in to Cortex XSIAM. |