Cortex XDR¶
About¶
Cortex XDR provides visibility into network traffic and user behavior. Cortex XDR applies machine learning at cloud scale to rich network, endpoint, and cloud data, so that targeted attacks, insider abuse, and compromised endpoints can be quickly found and stopped and correlates data from the Cortex XDR Data Lake to reveal threat causalities and timelines.
Product Details¶
Vendor URL: Cortex XDR
Product Type: Network Detection Response
Product Tier: Tier II
Integration Method: Custom
Integration URL: Cortex XDR - Cyderes Documentation
Log Guide: Sample Logs by Log Type
Parser Details¶
Log Format: CEF or JSON
Expected Normalization Rate: near 100%
Data Label: CORTEX_XDR
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| description | metadata.description |
| event_type | metadata.product_event_type |
| incident_id | metadata.product_log_id |
| xdr_url | metadata.url_back_to_product |
| host_name | principal.hostname |
| host_ip | principal.ip |
| mac | principal.mac |
| action_country | security_result.about.location.country_or_region |
| action | security_result.action |
| alert_id | security_result.rule_id |
| severity | security_result.severity |
| name | security_result.summary |
| event_type | security_result.threat_name |
| agent_device_domain | target.administrative_domain |
| actor_process_image_path | target.file.full_path |
| action_file_path | target.file.full_path |
| action_file_sha256 | target.file.sha256 |
| hosts | target.hostname |
| agent_os_type | target.platform |
| agent_os_sub_type | target.platform_version |
| actor_process_command_line | target.process.command_line |
| actor_process_image_sha256 | target.process.file.sha256 |
| actor_process_instance_id | target.process.pid |
| endpoint_id | target.process.product_specific_process_id |
| hosts | target.user.employee_id |
| users | target.user.userid |
Product Event Types¶
| event_type, category | metadata.event_type | security_result.category |
|---|---|---|
| all others | GENERIC_EVENT | |
| File Event | SCAN_FILE | |
| Local Analysis Malware | SCAN_HOST | |
| Malware | SOFTWARE_MALICIOUS | |
| Process Execution | PROCESS_LAUNCH |
Log Sample¶
<25>1 2021-12-16T09:00:10.104221Z cortexxdr - - - - CEF:0|Palo Alto Networks|Cortex XDR|Cortex XDR 3.1.0|XDR Agent|Kernel Privilege Escalation|8|end=1639645118376 shost=hostname1 suser=['root'] deviceFacility=None cat=Exploit externalId=externalid request=url cs1=freeradius cs1Label=Initiated by cs2=/usr/sbin/freeradius -f cs2Label=Initiator CMD cs3=SIGNATURE_UNAVAILABLE-None cs3Label=Signature cs4=freeradius cs4Label=label name cs5=/usr/sbin/freeradius -f cs5Label=label CMD cs6=SIGNATURE_UNAVAILABLE-None cs6Label=label Signature fileHash=hash filePath=/usr/sbin/freeradius targetprocesssignature=SIGNATURE_UNAVAILABLE-None tenantname=acocuntname - Cortex XDR tenantCDLid=tenantid CSPaccountname=acocuntname initiatorSha256=hash initiatorPath=/usr/sbin/freeradius labelSha256=hash osParentSignature=SIGNATURE_UNAVAILABLE incident=2741 act=Prevented (Blocked)
Sample Parsing¶
metadata.event_timestamp = "2021-12-16T09:00:10.104221Z"
metadata.event_type = "PROCESS_LAUNCH"
metadata.vendor_name = "Palo Alto Networks"
metadata.product_name = "Cortex"
metadata.product_version = "3.1.0"
metadata.description = "Kernel Privilege Escalation"
metadata.url_back_to_product = "url"
metadata.ingested_timestamp = "2021-12-16T09:00:21.802509Z"
principal.hostname = "hostname1"
principal.user.userid = "root"
principal.process.file.sha256 = "hash"
principal.process.file.full_path = "/usr/sbin/freeradius"
principal.process.command_line = "/usr/sbin/freeradius -f"
principal.asset.hostname = "hostname1"
target.process.file.sha256 = "hash"
target.process.file.full_path = "/usr/sbin/freeradius"
security_result.category = "EXPLOIT"
security_result.category_details = "Exploit"
security_result.summary = "Blocked"
security_result.severity_details = "8"
security_result.action_details = "Prevented"
Parser Alerting¶
If status == "new"
Rules¶
Coming Soon