Cortex XDR Events
About
Cortex XDR provides visibility into network traffic and user behavior. It applies machine learning at cloud scale to rich network, endpoint, and cloud data so that targeted attacks, insider abuse, and compromised endpoints can be found and stopped quickly, and it correlates data from the Cortex XDR Data Lake to reveal threat causalities and timelines.
Product Details
Vendor URL: Cortex XDR
Product Type: Network Detection Response
Product Tier: Tier II
Integration Method: Custom
Integration URL: Cortex XDR - Cyderes Documentation
Log Guide: Sample Logs by Log Type
Parser Details
Log Format: CEF, JSON, SYSLOG
Expected Normalization Rate: near 100%
Data Label: PAN_CORTEX_XDR_EVENTS
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| description | metadata.description |
| vpn | metadata.product_event_type |
| authentication | metadata.product_event_type |
| session_id | network.session_id |
| observer_dvc | observer.hostname |
| system | principal.application |
| globalprotect | principal.application |
| dhcp | principal.application |
| user_group | principal.group.group_display_name |
| pri_dvc | principal.hostname |
| pri_ip | principal.ip |
| country | principal.location.country_or_region |
| pri_port | principal.port |
| event_id | principal.resource.product_object_id |
| userid | principal.user.userid |
| event_action | security_result.action_details |
| severity | security_result.severity |
| summary | security_result.summary |
| target_dvc | target.hostname |
| target_ip | target.ip |
| target_url | target.url |
Product Event Types
| event_type, category | metadata.event_type | security_result.category |
|---|---|---|
| all others | GENERIC_EVENT | UNKNOWN_CATEGORY |
| Auth Event | USER_LOGIN | AUTH_VIOLATION |
| Network Event | NETWORK_CONNECTION | |
Log Sample
<172>Feb 5 08:10:28 Observer_hostname 1,2024/02/05 08:10:27,021201057278,SYSTEM,auth,2561,2024/02/05 08:10:28,,auth-fail,LOCAL-USERS,0,0,general,medium,"failed authentication for user 'username'. Reason: User is not in allowlist. auth profile 'Group_Name', target_hostname, From: 00.000.00.000.",7310948839414316372,0x0,0,0,0,0,,Observer_hostname,0,0,2024-02-05T08:10:28.534-05:00
Sample Parsing
metadata.event_timestamp = "2024-02-05T08:10:28.534Z"
metadata.event_type = "PROCESS_LAUNCH"
metadata.vendor_name = "Palo Alto Networks"
metadata.product_name = "Cortex"
metadata.product_event_type = "Authentication"
observer.hostname = "Observer_hostname"
principal.application = "SYSTEM"
principal.group.group_display_name = "Group_Name"
principal.user.userid = "pri_user"
security_result.action_details = "auth-fail"
security_result.category_details = "User is not in allowlist"
security_result.category = "AUTH_VIOLATION"
security_result.severity = "MEDIUM"
security_result.summary = "failed authentication for user 'username'"
target.hostname = "target_hostname"
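The mapping above, worked through in code as an added example (not the Cyderes parser itself): it takes the Log Sample, splits the syslog header from the PAN-OS style CSV body, pulls the user, reason, auth profile, target host and source IP out of the quoted description, and emits the UDM fields listed in the tables. The CSV column positions, the subtype-to-event-type lookup (which follows the Product Event Types table) and the description regex are assumptions; the timestamp is normalised to UTC from the -05:00 offset in the high-resolution timestamp.

```python
import csv
import io
import re
from datetime import datetime, timezone

# Constructed copy of the page's Log Sample: syslog header followed by the PAN-OS style CSV body.
SAMPLE_LOG = (
    "<172>Feb 5 08:10:28 Observer_hostname 1,2024/02/05 08:10:27,021201057278,SYSTEM,auth,2561,"
    "2024/02/05 08:10:28,,auth-fail,LOCAL-USERS,0,0,general,medium,\"failed authentication for user "
    "'username'. Reason: User is not in allowlist. auth profile 'Group_Name', target_hostname, "
    "From: 00.000.00.000.\",7310948839414316372,0x0,0,0,0,0,,Observer_hostname,0,0,"
    "2024-02-05T08:10:28.534-05:00"
)

SYSLOG_HEADER = re.compile(r"^<\d+>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d (?P<observer>\S+) (?P<body>.*)$")
# Assumed shape of the free-text description for authentication failures.
AUTH_DESC = re.compile(
    r"(?P<summary>failed authentication for user '(?P<user>[^']+)')\. "
    r"Reason: (?P<reason>[^.]+)\. auth profile '(?P<group>[^']+)', "
    r"(?P<target>[^,]+), From: (?P<src>[\d.]+)\."
)
# Assumed lookup: CSV subtype -> (product_event_type, metadata.event_type, security_result.category).
EVENT_TYPES = {"auth": ("Authentication", "USER_LOGIN", "AUTH_VIOLATION")}

def parse_cortex_event(line):
    """Map one syslog line to a flat dict keyed by UDM field name, per the page's field table."""
    header = SYSLOG_HEADER.match(line.strip())
    if not header:
        raise ValueError("not a syslog line")
    fields = next(csv.reader(io.StringIO(header["body"])))  # csv keeps the quoted description intact
    if len(fields) < 15:
        raise ValueError("too few CSV fields")
    # Assumed PAN-OS system-log columns: [3]=type, [4]=subtype, [8]=event id, [13]=severity,
    # [14]=description, last=high-resolution timestamp carrying a UTC offset.
    product_event_type, event_type, category = EVENT_TYPES.get(
        fields[4], (fields[4], "GENERIC_EVENT", "UNKNOWN_CATEGORY"))
    ts = datetime.fromisoformat(fields[-1]).astimezone(timezone.utc)
    udm = {
        "metadata.event_timestamp": ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z",
        "metadata.event_type": event_type, "metadata.product_event_type": product_event_type,
        "metadata.vendor_name": "Palo Alto Networks", "metadata.product_name": "Cortex",
        "metadata.description": fields[14], "observer.hostname": header["observer"],
        "principal.application": fields[3], "security_result.action_details": fields[8],
        "security_result.category": category, "security_result.severity": fields[13].upper(),
    }
    desc = AUTH_DESC.search(fields[14])
    if desc:  # enrich with the values embedded in the free-text description
        udm.update({"security_result.summary": desc["summary"], "security_result.category_details": desc["reason"],
                    "principal.user.userid": desc["user"], "principal.group.group_display_name": desc["group"],
                    "target.hostname": desc["target"].strip(), "principal.ip": desc["src"]})
    return udm
```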