Palo Alto Cortex XDR Integration
| Version | 2.1.2 (View all) |
| Compatible Kibana version(s) | 8.13.0 or higher 9.0.0 or higher |
| Supported Serverless project types What's this? |
Security Observability |
| Subscription level What's this? |
Basic |
| Level of support What's this? |
Elastic |
The PANW XDR integration collects alerts with multiple events from the Cortex XDR Alerts API and incidents from Cortex XDR Incidents API.
The Cortex XDR Alerts API is used to retrieve alerts generated by Cortex XDR based on raw endpoint data. A single alert might include one or more local endpoint events, each event generating its own document on Elasticsearch.
The Palo Alto XDR integration requires both an API key and API key ID, both which can be retrieved from the Cortex XDR UI. See: Get Started with Cortex XDR API
Example
{
"@timestamp": "2023-11-29T23:09:23.118Z",
"agent": {
"ephemeral_id": "0cc3def0-9810-4d00-99d2-a0f4abb24eba",
"id": "4257dff2-f7dd-4e61-b40f-217a22d6d4b9",
"name": "elastic-agent-72459",
"type": "filebeat",
"version": "8.13.0"
},
"data_stream": {
"dataset": "panw_cortex_xdr.alerts",
"namespace": "71499",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "4257dff2-f7dd-4e61-b40f-217a22d6d4b9",
"snapshot": false,
"version": "8.13.0"
},
"event": {
"action": "DETECTED",
"agent_id_status": "verified",
"category": [
"malware"
],
"created": "2019-09-22T13:36:03.318Z",
"dataset": "panw_cortex_xdr.alerts",
"id": "<external_id>",
"ingested": "2025-02-21T08:41:14Z",
"kind": "alert",
"original": "{\"action\":\"DETECTED\",\"action_country\":[\"UNKNOWN\"],\"action_external_hostname\":null,\"action_file_macro_sha256\":null,\"action_file_md5\":null,\"action_file_name\":null,\"action_file_path\":null,\"action_file_sha256\":null,\"action_local_ip\":null,\"action_local_ip_v6\":null,\"action_local_port\":null,\"action_pretty\":\"Detected\",\"action_process_causality_id\":null,\"action_process_image_command_line\":null,\"action_process_image_name\":null,\"action_process_image_sha256\":null,\"action_process_instance_id\":null,\"action_process_signature_status\":[\"N/A\"],\"action_process_signature_vendor\":null,\"action_registry_data\":null,\"action_registry_full_key\":null,\"action_registry_key_name\":null,\"action_registry_value_name\":null,\"action_remote_ip\":null,\"action_remote_ip_v6\":null,\"action_remote_port\":null,\"actor_causality_id\":[\"\\u003cactor_causality_id\\u003e\"],\"actor_process_causality_id\":[\"\\u003cprocess_causality_id\\u003e\"],\"actor_process_command_line\":[\"\\u003ccommand_line\\u003e\"],\"actor_process_image_md5\":[\"\\u003cimage_md5\\u003e\"],\"actor_process_image_name\":[\"\\u003cimage_name\\u003e\"],\"actor_process_image_path\":[\"\\u003cimage_path\\u003e\"],\"actor_process_image_sha256\":[\"\\u003cimage_sha256\\u003e\"],\"actor_process_instance_id\":[\"\\u003cinstance_id\\u003e\"],\"actor_process_os_pid\":[996],\"actor_process_signature_status\":[\"Signed\"],\"actor_process_signature_vendor\":[\"\\u003csignature_vendor\\u003e\"],\"actor_thread_thread_id\":[7452],\"agent_data_collection_status\":null,\"agent_device_domain\":null,\"agent_fqdn\":null,\"agent_host_boot_time\":[1669128165772],\"agent_install_type\":\"STANDARD\",\"agent_ip_addresses_v6\":null,\"agent_is_vdi\":false,\"agent_os_sub_type\":\"\\u003cos_sub_type\\u003e\",\"agent_os_type\":\"\\u003cos_type\\u003e\",\"agent_version\":\"\\u003cagent_version\\u003e\",\"alert_id\":\"1\",\"alert_type\":\"Unclassified\",\"association_strength\":[50],\"attempt_counter\":0,\"bioc_category_enum_key\":null,\"bioc_indicator\":null,\"case_id\":9629,\"category\":\"\\u003ccategory\\u003e\",\"causality_actor_causality_id\":[\"\\u003ccausality_id\\u003e\"],\"causality_actor_process_command_line\":[\"\\u003ccommand_line\\u003e\"],\"causality_actor_process_execution_time\":[1669528171295],\"causality_actor_process_image_md5\":[\"\\u003cimage_md5\\u003e\"],\"causality_actor_process_image_name\":[\"\\u003cimage_name\\u003e\"],\"causality_actor_process_image_path\":[\"\\u003cimage_path\\u003e\"],\"causality_actor_process_image_sha256\":[\"\\u003csha256\\u003e\"],\"causality_actor_process_signature_status\":[\"Signed\"],\"causality_actor_process_signature_vendor\":[\"\\u003csignature_vendor\\u003e\"],\"cloud_provider\":null,\"cluster_name\":null,\"container_id\":null,\"contains_featured_host\":[\"NO\"],\"contains_featured_ip\":[\"NO\"],\"contains_featured_user\":[\"NO\"],\"deduplicate_tokens\":null,\"description\":\"The user domain\\\\username enabled a default account. The default account enabled: domain\\\\username\",\"detection_timestamp\":1569159363318,\"dns_query_name\":null,\"dss_country\":null,\"dss_department\":null,\"dss_groups\":null,\"dss_job_title\":null,\"dst_action_country\":null,\"dst_action_external_hostname\":null,\"dst_action_external_port\":null,\"dst_agent_id\":[\"\\u003cagent_id\\u003e\"],\"dst_association_strength\":null,\"dst_causality_actor_process_execution_time\":null,\"dynamic_fields\":null,\"end_match_attempt_ts\":null,\"endpoint_id\":\"\\u003cendpoint_id\\u003e\",\"event_id\":[\"\\u003cevent_id\\u003e\"],\"event_sub_type\":[1],\"event_timestamp\":[1701299363118],\"event_type\":[\"Process Execution\"],\"events\":null,\"external_id\":\"\\u003cexternal_id\\u003e\",\"filter_rule_id\":null,\"fw_app_category\":null,\"fw_app_id\":null,\"fw_app_subcategory\":null,\"fw_app_technology\":null,\"fw_device_name\":null,\"fw_email_recipient\":null,\"fw_email_sender\":null,\"fw_email_subject\":null,\"fw_interface_from\":null,\"fw_interface_to\":null,\"fw_is_phishing\":[\"N/A\"],\"fw_misc\":null,\"fw_rule\":null,\"fw_rule_id\":null,\"fw_serial_number\":null,\"fw_url_domain\":null,\"fw_vsys\":null,\"fw_xff\":null,\"host_ip\":[\"192.168.2.2\"],\"host_name\":\"\\u003chost_name\\u003e\",\"identity_sub_type\":null,\"identity_type\":null,\"image_name\":null,\"is_pcap\":false,\"is_whitelisted\":false,\"last_modified_ts\":null,\"local_insert_ts\":1673372647792,\"mac_addresses\":null,\"matching_service_rule_id\":\"\\u003cservice_rule_id\\u003e\",\"matching_status\":\"MATCHED\",\"mitre_tactic_id_and_name\":[\"TA0005 - Defense Evasion\"],\"mitre_technique_id_and_name\":[\"T1089 - Disabling Security Tools\"],\"module_id\":null,\"name\":\"A user enabled the Windows DefaultAccount\",\"operation_name\":null,\"original_tags\":[\"EG:k8s agents\",\"EG:windows\",\"ET:DESKTOP-FCCIPAN\"],\"os_actor_causality_id\":null,\"os_actor_effective_username\":null,\"os_actor_process_causality_id\":[\"\\u003cprocess_causality_id\\u003e\"],\"os_actor_process_command_line\":[\"\\u003ccommand_line\\u003e\"],\"os_actor_process_image_name\":[\"\\u003cimage_name\\u003e\"],\"os_actor_process_image_path\":[\"\\u003cimage_path\\u003e\"],\"os_actor_process_image_sha256\":[\"\\u003cimage_sha256\\u003e\"],\"os_actor_process_instance_id\":[\"\\u003cinstance_id\\u003e\"],\"os_actor_process_os_pid\":[996],\"os_actor_process_signature_status\":[\"Signed\"],\"os_actor_process_signature_vendor\":[\"\\u003cSignature_vendor\\u003e\"],\"os_actor_thread_thread_id\":[7205],\"project\":null,\"referenced_resource\":null,\"resolution_comment\":null,\"resolution_status\":\"STATUS_010_NEW\",\"resource_sub_type\":null,\"resource_type\":null,\"severity\":\"low\",\"source\":null,\"starred\":true,\"story_id\":null,\"tags\":[\"ET:DESKTOP-FCCIPAN\",\"EG:k8s agents\",\"EG:windows\"],\"user_agent\":null,\"user_name\":[\"\\u003cuser_name\\u003e\"]}",
"reason": "The user domain\\username enabled a default account. The default account enabled: domain\\username",
"severity": 2,
"type": [
"info"
]
},
"host": {
"hostname": "<host_name>",
"id": "<endpoint_id>",
"ip": [
"192.168.2.2"
],
"name": "<host_name>",
"os": {
"name": "<os_type>",
"version": "<os_sub_type>"
}
},
"input": {
"type": "cel"
},
"message": "A user enabled the Windows DefaultAccount",
"panw_cortex": {
"xdr": {
"action_country": [
"UNKNOWN"
],
"action_pretty": "Detected",
"actor_causality_id": [
"<actor_causality_id>"
],
"actor_process_causality_id": [
"<process_causality_id>"
],
"actor_process_signature_status": [
"Signed"
],
"agent_host_boot_time": "2022-11-22T14:42:45.772Z",
"agent_install_type": "STANDARD",
"agent_is_vdi": false,
"agent_version": "<agent_version>",
"alert_id": "1",
"alert_type": "Unclassified",
"association_strength": [
50
],
"attempt_counter": 0,
"case_id": 9629,
"category": "<category>",
"contains_featured_host": [
"NO"
],
"contains_featured_ip": [
"NO"
],
"contains_featured_user": [
"NO"
],
"dst_agent_id": [
"<agent_id>"
],
"event_id": [
"<event_id>"
],
"event_sub_type": [
1
],
"event_type": [
"Process Execution"
],
"fw_is_phishing": [
"N/A"
],
"is_pcap": false,
"is_whitelisted": false,
"local_insert_ts": "2023-01-10T17:44:07.792Z",
"matching_service_rule_id": "<service_rule_id>",
"matching_status": "MATCHED",
"original_tags": [
"EG:k8s agents",
"EG:windows",
"ET:DESKTOP-FCCIPAN"
],
"os_actor_process_causality_id": [
"<process_causality_id>"
],
"os_actor_process_command_line": [
"<command_line>"
],
"os_actor_process_image_name": [
"<image_name>"
],
"os_actor_process_image_path": [
"<image_path>"
],
"os_actor_process_image_sha256": [
"<image_sha256>"
],
"os_actor_process_instance_id": [
"<instance_id>"
],
"os_actor_process_os_pid": [
996
],
"os_actor_process_signature_status": [
"Signed"
],
"os_actor_process_signature_vendor": [
"<Signature_vendor>"
],
"os_actor_thread_thread_id": [
7205
],
"resolution_status": "STATUS_010_NEW",
"starred": true
}
},
"process": {
"code_signature": {
"status": [
"N/A"
],
"subject_name": [
"<signature_vendor>"
]
},
"command_line": [
"<command_line>"
],
"entity_id": [
"<instance_id>"
],
"executable": [
"<image_path>"
],
"hash": {
"md5": [
"<image_md5>"
],
"sha256": [
"<image_sha256>"
]
},
"name": [
"<image_name>"
],
"parent": {
"code_signature": {
"status": [
"Signed"
],
"subject_name": [
"<signature_vendor>"
]
},
"command_line": [
"<command_line>"
],
"entity_id": [
"<causality_id>"
],
"executable": [
"<image_path>"
],
"hash": {
"md5": [
"<image_md5>"
],
"sha256": [
"<sha256>"
]
},
"name": [
"<image_name>"
],
"uptime": [
1669528171295
]
},
"pid": [
996
],
"thread": {
"id": [
7452
]
}
},
"related": {
"hash": [
"<image_md5>",
"<sha256>",
"<image_sha256>"
],
"user": [
"<user_name>"
]
},
"source": {
"user": {
"name": "<user_name>"
}
},
"tags": [
"preserve_original_event",
"forwarded",
"panw_cortex_xdr",
"ET:DESKTOP-FCCIPAN",
"EG:k8s agents",
"EG:windows"
],
"threat": {
"framework": "MITRE ATT&CK",
"tactic": {
"id": [
"TA0005"
],
"name": [
"Defense Evasion"
]
},
"technique": {
"id": [
"T1089"
],
"name": [
"Disabling Security Tools"
]
}
},
"user": {
"name": "<user_name>"
}
}
Exported fields
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| cloud.image.id | Image ID for the cloud instance. | keyword |
| data_stream.dataset | Data stream dataset name. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset | constant_keyword |
| event.module | Event module | constant_keyword |
| host.containerized | If the host is a container. | boolean |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
| input.type | Type of Filebeat input. | keyword |
| log.flags | Flags for the log file. | keyword |
| log.offset | Offset of the entry in the log file. | long |
| panw_cortex.xdr.action_country | keyword | |
| panw_cortex.xdr.action_external_hostname | Any external hostname related to the specific event action. | keyword |
| panw_cortex.xdr.action_file_macro_sha256 | keyword | |
| panw_cortex.xdr.action_local_ip | ip | |
| panw_cortex.xdr.action_local_ip_v6 | ip | |
| panw_cortex.xdr.action_local_port | long | |
| panw_cortex.xdr.action_pretty | Pretty description of the action type. | keyword |
| panw_cortex.xdr.action_process_causality_id | The parent processor ID related to the action. | keyword |
| panw_cortex.xdr.action_process_signature_status | keyword | |
| panw_cortex.xdr.action_remote_ip | ip | |
| panw_cortex.xdr.action_remote_ip_v6 | ip | |
| panw_cortex.xdr.action_remote_port | long | |
| panw_cortex.xdr.actor_causality_id | The parent process ID of the actor process. | keyword |
| panw_cortex.xdr.actor_process_causality_id | The parent processor ID related to the actor. | keyword |
| panw_cortex.xdr.actor_process_command_line | Actor full command line. | keyword |
| panw_cortex.xdr.actor_process_image_md5 | keyword | |
| panw_cortex.xdr.actor_process_image_name | Actor binary name. | keyword |
| panw_cortex.xdr.actor_process_image_path | keyword | |
| panw_cortex.xdr.actor_process_image_sha256 | SHA256 hash indentifier of the actor. | keyword |
| panw_cortex.xdr.actor_process_instance_id | The process ID related to the actor. | keyword |
| panw_cortex.xdr.actor_process_os_pid | long | |
| panw_cortex.xdr.actor_process_signature_status | The signature of the actor process. | keyword |
| panw_cortex.xdr.actor_process_signature_vendor | The signature vendor of the actor process. | keyword |
| panw_cortex.xdr.actor_thread_thread_id | long | |
| panw_cortex.xdr.agent_data_collection_status | Collection status of the agent. | boolean |
| panw_cortex.xdr.agent_host_boot_time | Uptime of the host. | date |
| panw_cortex.xdr.agent_install_type | Display name of the actor. | keyword |
| panw_cortex.xdr.agent_ip_addresses_v6 | Agent ipv6 address | ip |
| panw_cortex.xdr.agent_is_vdi | If agent is running inside a Virtual Desktop. | boolean |
| panw_cortex.xdr.agent_version | Version of the XDR Endpoint agent. | keyword |
| panw_cortex.xdr.alert_id | The ID of the alert. | keyword |
| panw_cortex.xdr.alert_type | The type of the alert. | keyword |
| panw_cortex.xdr.association_strength | long | |
| panw_cortex.xdr.attempt_counter | Attempts to block or stop the malicious process. | long |
| panw_cortex.xdr.bioc_category_enum_key | Behavior Indicator type key. | keyword |
| panw_cortex.xdr.bioc_description | A description of the related bioc event. | flattened |
| panw_cortex.xdr.bioc_indicator | The Behavioral Indicator type matching to the event. | keyword |
| panw_cortex.xdr.case_id | long | |
| panw_cortex.xdr.category | The Alert category. | keyword |
| panw_cortex.xdr.causality_actor_causality_id | keyword | |
| panw_cortex.xdr.causality_actor_process_command_line | keyword | |
| panw_cortex.xdr.causality_actor_process_execution_time | long | |
| panw_cortex.xdr.causality_actor_process_image_md5 | keyword | |
| panw_cortex.xdr.causality_actor_process_image_name | keyword | |
| panw_cortex.xdr.causality_actor_process_image_path | keyword | |
| panw_cortex.xdr.causality_actor_process_image_sha256 | keyword | |
| panw_cortex.xdr.causality_actor_process_signature_status | keyword | |
| panw_cortex.xdr.causality_actor_process_signature_vendor | keyword | |
| panw_cortex.xdr.cloud_provider | keyword | |
| panw_cortex.xdr.cluster_name | keyword | |
| panw_cortex.xdr.container_id | keyword | |
| panw_cortex.xdr.contains_featured_host | keyword | |
| panw_cortex.xdr.contains_featured_ip | keyword | |
| panw_cortex.xdr.contains_featured_user | keyword | |
| panw_cortex.xdr.deduplicate_tokens | keyword | |
| panw_cortex.xdr.description | A description of the related event. | keyword |
| panw_cortex.xdr.detection_timestamp | date | |
| panw_cortex.xdr.dns_query_name | The related DNS query for the event. | keyword |
| panw_cortex.xdr.dss_country | keyword | |
| panw_cortex.xdr.dss_department | keyword | |
| panw_cortex.xdr.dss_groups | keyword | |
| panw_cortex.xdr.dss_job_title | keyword | |
| panw_cortex.xdr.dst_action_country | The country related to the destination. | keyword |
| panw_cortex.xdr.dst_action_external_hostname | The external hostname of the destination. | keyword |
| panw_cortex.xdr.dst_action_external_port | The external (NAT) port of the destination. | keyword |
| panw_cortex.xdr.dst_agent_id | The endpoint ID of a destination agent. | keyword |
| panw_cortex.xdr.dst_association_strength | long | |
| panw_cortex.xdr.dst_causality_actor_process_execution_time | The process execution time of the destination process. | keyword |
| panw_cortex.xdr.dynamic_fields | keyword | |
| panw_cortex.xdr.end_match_attempt_ts | date | |
| panw_cortex.xdr.endpoint_id | The unique ID of the endpoint. | keyword |
| panw_cortex.xdr.event_id | The ID unique to the underlying event related to the alert. | keyword |
| panw_cortex.xdr.event_sub_type | Sub type of the event related to the alert. | integer |
| panw_cortex.xdr.event_timestamp | date | |
| panw_cortex.xdr.event_type | Event type | keyword |
| panw_cortex.xdr.events.action_country | keyword | |
| panw_cortex.xdr.events.action_external_hostname | Any external hostname related to the specific event action. | keyword |
| panw_cortex.xdr.events.action_file_macro_sha256 | keyword | |
| panw_cortex.xdr.events.action_process_causality_id | The parent processor ID related to the action. | keyword |
| panw_cortex.xdr.events.actor_causality_id | The parent process ID of the actor process. | keyword |
| panw_cortex.xdr.events.actor_process_causality_id | The parent processor ID related to the actor. | keyword |
| panw_cortex.xdr.events.actor_process_command_line | Actor full command line. | keyword |
| panw_cortex.xdr.events.actor_process_image_name | Actor binary name. | keyword |
| panw_cortex.xdr.events.actor_process_image_sha256 | SHA256 hash indentifier of the actor. | keyword |
| panw_cortex.xdr.events.actor_process_instance_id | The process ID related to the actor. | keyword |
| panw_cortex.xdr.events.actor_process_signature_status | The signature of the actor process. | keyword |
| panw_cortex.xdr.events.actor_process_signature_vendor | The signature vendor of the actor process. | keyword |
| panw_cortex.xdr.events.agent_host_boot_time | Uptime of the host. | date |
| panw_cortex.xdr.events.agent_install_type | Display name of the actor. | keyword |
| panw_cortex.xdr.events.association_strength | long | |
| panw_cortex.xdr.events.contains_featured_host | keyword | |
| panw_cortex.xdr.events.contains_featured_ip | keyword | |
| panw_cortex.xdr.events.contains_featured_user | keyword | |
| panw_cortex.xdr.events.dns_query_name | The related DNS query for the event. | keyword |
| panw_cortex.xdr.events.dst_action_country | The country related to the destination. | keyword |
| panw_cortex.xdr.events.dst_action_external_hostname | The external hostname of the destination. | keyword |
| panw_cortex.xdr.events.dst_action_external_port | The external (NAT) port of the destination. | keyword |
| panw_cortex.xdr.events.dst_agent_id | The endpoint ID of a destination agent. | keyword |
| panw_cortex.xdr.events.dst_association_strength | long | |
| panw_cortex.xdr.events.dst_causality_actor_process_execution_time | The process execution time of the destination process. | keyword |
| panw_cortex.xdr.events.event_id | The ID unique to the underlying event related to the alert. | keyword |
| panw_cortex.xdr.events.event_sub_type | Sub type of the event related to the alert. | integer |
| panw_cortex.xdr.events.event_type | Event type | keyword |
| panw_cortex.xdr.events.fw_app_category | Layer 7 application category related to the firewall event. | keyword |
| panw_cortex.xdr.events.fw_app_id | The layer 7 application ID from the firewall event. | keyword |
| panw_cortex.xdr.events.fw_app_subcategory | Layer 7 application subcategory related to the firewall event. | keyword |
| panw_cortex.xdr.events.fw_app_technology | Layer 7 application type related to the firewall event. | keyword |
| panw_cortex.xdr.events.fw_device_name | Related firewall device. | keyword |
| panw_cortex.xdr.events.fw_email_recipient | keyword | |
| panw_cortex.xdr.events.fw_email_sender | keyword | |
| panw_cortex.xdr.events.fw_email_subject | keyword | |
| panw_cortex.xdr.events.fw_is_phishing | If event is related to a phishing campaign. | keyword |
| panw_cortex.xdr.events.fw_misc | Additional information related to the firewall event. | keyword |
| panw_cortex.xdr.events.fw_url_domain | Related domain to the firewall event. | keyword |
| panw_cortex.xdr.events.fw_vsys | The related VSYS name if applicable. | keyword |
| panw_cortex.xdr.events.fw_xff | keyword | |
| panw_cortex.xdr.events.module_id | The ID of the module that caught the event. | keyword |
| panw_cortex.xdr.events.os_actor_causality_id | The ID of the OS actor process | keyword |
| panw_cortex.xdr.events.os_actor_effective_username | Username related to the OS actor. | keyword |
| panw_cortex.xdr.events.os_actor_process_causality_id | The ID of the parent process related to the OS actor. | keyword |
| panw_cortex.xdr.events.os_actor_process_command_line | OS actor full command line example. | keyword |
| panw_cortex.xdr.events.os_actor_process_image_name | OS actor binary name. | keyword |
| panw_cortex.xdr.events.os_actor_process_image_path | OS actor binary path. | keyword |
| panw_cortex.xdr.events.os_actor_process_image_sha256 | SHA256 hash indentifier of the OS actor process. | keyword |
| panw_cortex.xdr.events.os_actor_process_instance_id | The process ID related to the OS actor. | keyword |
| panw_cortex.xdr.events.os_actor_process_os_pid | The OS PID related to the related process. | integer |
| panw_cortex.xdr.events.os_actor_process_signature_status | Signature of the OS actor process. | keyword |
| panw_cortex.xdr.events.os_actor_process_signature_vendor | Signature vendor of the OS actor process. | keyword |
| panw_cortex.xdr.events.os_actor_thread_thread_id | The thread ID related to the related OS actor process. | integer |
| panw_cortex.xdr.events.story_id | keyword | |
| panw_cortex.xdr.external_id | External ID related to the Alert itself. | keyword |
| panw_cortex.xdr.filter_rule_id | ID of the filter rule. | keyword |
| panw_cortex.xdr.fw_app_category | Layer 7 application category related to the firewall event. | keyword |
| panw_cortex.xdr.fw_app_id | The layer 7 application ID from the firewall event. | keyword |
| panw_cortex.xdr.fw_app_subcategory | Layer 7 application subcategory related to the firewall event. | keyword |
| panw_cortex.xdr.fw_app_technology | Layer 7 application type related to the firewall event. | keyword |
| panw_cortex.xdr.fw_device_name | Related firewall device. | keyword |
| panw_cortex.xdr.fw_email_recipient | keyword | |
| panw_cortex.xdr.fw_email_sender | keyword | |
| panw_cortex.xdr.fw_email_subject | keyword | |
| panw_cortex.xdr.fw_is_phishing | If event is related to a phishing campaign. | keyword |
| panw_cortex.xdr.fw_misc | Additional information related to the firewall event. | keyword |
| panw_cortex.xdr.fw_url_domain | Related domain to the firewall event. | keyword |
| panw_cortex.xdr.fw_vsys | The related VSYS name if applicable. | keyword |
| panw_cortex.xdr.fw_xff | keyword | |
| panw_cortex.xdr.identity_sub_type | keyword | |
| panw_cortex.xdr.identity_type | keyword | |
| panw_cortex.xdr.image_name | keyword | |
| panw_cortex.xdr.is_pcap | If alert contains pcap. | boolean |
| panw_cortex.xdr.is_whitelisted | If process is whitelisted. | boolean |
| panw_cortex.xdr.last_modified_ts | date | |
| panw_cortex.xdr.local_insert_ts | date | |
| panw_cortex.xdr.mac | Main MAC address of the agent. | keyword |
| panw_cortex.xdr.mac_address | Array of all the MAC addresses related to the agent. | keyword |
| panw_cortex.xdr.mac_addresses | keyword | |
| panw_cortex.xdr.matching_service_rule_id | keyword | |
| panw_cortex.xdr.matching_status | Matching status of the endpoint group. | keyword |
| panw_cortex.xdr.mitre_tactic_id_and_name | keyword | |
| panw_cortex.xdr.mitre_technique_id_and_name | keyword | |
| panw_cortex.xdr.module_id | The ID of the module that caught the event. | keyword |
| panw_cortex.xdr.operation_name | keyword | |
| panw_cortex.xdr.original_tags | Original tags for the asset. | keyword |
| panw_cortex.xdr.os_actor_causality_id | The ID of the OS actor process | keyword |
| panw_cortex.xdr.os_actor_effective_username | Username related to the OS actor. | keyword |
| panw_cortex.xdr.os_actor_process_causality_id | The ID of the parent process related to the OS actor. | keyword |
| panw_cortex.xdr.os_actor_process_command_line | OS actor full command line example. | keyword |
| panw_cortex.xdr.os_actor_process_image_name | OS actor binary name. | keyword |
| panw_cortex.xdr.os_actor_process_image_path | OS actor binary path. | keyword |
| panw_cortex.xdr.os_actor_process_image_sha256 | SHA256 hash indentifier of the OS actor process. | keyword |
| panw_cortex.xdr.os_actor_process_instance_id | The process ID related to the OS actor. | keyword |
| panw_cortex.xdr.os_actor_process_os_pid | The OS PID related to the related process. | integer |
| panw_cortex.xdr.os_actor_process_signature_status | Signature of the OS actor process. | keyword |
| panw_cortex.xdr.os_actor_process_signature_vendor | Signature vendor of the OS actor process. | keyword |
| panw_cortex.xdr.os_actor_thread_thread_id | The thread ID related to the related OS actor process. | integer |
| panw_cortex.xdr.project | keyword | |
| panw_cortex.xdr.referenced_resource | keyword | |
| panw_cortex.xdr.resolution_comment | keyword | |
| panw_cortex.xdr.resolution_status | keyword | |
| panw_cortex.xdr.resource_sub_type | keyword | |
| panw_cortex.xdr.resource_type | keyword | |
| panw_cortex.xdr.severity | keyword | |
| panw_cortex.xdr.source | keyword | |
| panw_cortex.xdr.starred | If alert type is prioritized (starred). | boolean |
| panw_cortex.xdr.story_id | keyword | |
| panw_cortex.xdr.tags | keyword | |
| panw_cortex.xdr.user_agent | keyword | |
| panw_cortex.xdr.user_name | keyword |
The Cortex XDR Incidents API is used to retrieve incidents generated by Cortex XDR based on raw endpoint data. A single incident might include one or more local endpoint events, each event generating its own document on Elasticsearch.
The Palo Alto XDR integration requires both an API key and API key ID, both which can be retrieved from the Cortex XDR UI. See: Get Started with Cortex XDR API
When a Cortex XDR Incident is modified in the Cortex XDR UI (e.g. severity or status changed, additional alerts linked) it will be indexed as a new document with the new values.
Example
{
"@timestamp": "2023-08-14T01:20:00.230Z",
"agent": {
"ephemeral_id": "02205f80-afa5-4cf8-a320-018c29c153fe",
"id": "6245802f-8bd9-4634-b1db-411601495ab1",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.9.0"
},
"data_stream": {
"dataset": "panw_cortex_xdr.incidents",
"namespace": "ep",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "6245802f-8bd9-4634-b1db-411601495ab1",
"snapshot": false,
"version": "8.9.0"
},
"event": {
"agent_id_status": "verified",
"category": [
"malware"
],
"created": "2023-08-17T06:15:40.867Z",
"dataset": "panw_cortex_xdr.incidents",
"id": "893",
"ingested": "2023-08-17T06:15:43Z",
"kind": "alert",
"original": "{\"aggregated_score\":5,\"alert_categories\":[\"Exfiltration\"],\"alert_count\":1,\"alerts_grouping_status\":\"Enabled\",\"assigned_user_mail\":null,\"assigned_user_pretty_name\":null,\"creation_time\":1691976000230,\"critical_severity_alert_count\":0,\"description\":\"'Large Upload (Generic)' generated by XDR Analytics detected on host test1234 involving user nt authority\\\\system\",\"detection_time\":null,\"high_severity_alert_count\":0,\"host_count\":1,\"hosts\":[\"test1234:b567c1a651e66999158aef5d864dad25\"],\"incident_id\":\"893\",\"incident_name\":null,\"incident_sources\":[\"XDR Analytics\"],\"low_severity_alert_count\":1,\"manual_description\":null,\"manual_score\":null,\"manual_severity\":null,\"med_severity_alert_count\":0,\"mitre_tactics_ids_and_names\":[\"TA0010 - Exfiltration\"],\"mitre_techniques_ids_and_names\":[\"T1048 - Exfiltration Over Alternative Protocol\"],\"modification_time\":1691976000230,\"notes\":null,\"original_tags\":[\"DS:PANW/XDR Agent\",\"EG:win-server-ex-ransomeware_report\",\"EG:win-server-default\"],\"predicted_score\":5,\"resolve_comment\":null,\"resolved_timestamp\":null,\"rule_based_score\":null,\"severity\":\"low\",\"starred\":false,\"status\":\"new\",\"tags\":[\"DS:PANW/XDR Agent\",\"EG:win-server-default\",\"EG:win-server-ex-ransomeware_report\"],\"user_count\":1,\"users\":[\"nt authority\\\\system\"],\"wildfire_hits\":0,\"xdr_url\":\"https://test.xdr.eu.paloaltonetworks.com/incident-view?caseId=893\"}",
"reason": "'Large Upload (Generic)' generated by XDR Analytics detected on host test1234 involving user nt authority\\system",
"severity": 2,
"type": [
"info"
]
},
"input": {
"type": "httpjson"
},
"panw_cortex": {
"xdr": {
"aggregated_score": 5,
"alert_categories": [
"Exfiltration"
],
"alert_count": 1,
"alerts_grouping_status": "Enabled",
"creation_time": "2023-08-14T01:20:00.230Z",
"critical_severity_alert_count": 0,
"high_severity_alert_count": 0,
"host_count": 1,
"hosts": [
"test1234:b567c1a651e66999158aef5d864dad25"
],
"incident_sources": [
"XDR Analytics"
],
"low_severity_alert_count": 1,
"med_severity_alert_count": 0,
"mitre_tactics_ids_and_names": [
"TA0010 - Exfiltration"
],
"mitre_techniques_ids_and_names": [
"T1048 - Exfiltration Over Alternative Protocol"
],
"modification_time": "2023-08-14T01:20:00.230Z",
"original_tags": [
"DS:PANW/XDR Agent",
"EG:win-server-ex-ransomeware_report",
"EG:win-server-default"
],
"predicted_score": 5,
"starred": false,
"status": "new",
"user_count": 1,
"users": [
"nt authority\\system"
],
"wildfire_hits": 0,
"xdr_url": "https://test.xdr.eu.paloaltonetworks.com/incident-view?caseId=893"
}
},
"related": {
"hosts": [
"test1234"
],
"user": [
"system"
]
},
"tags": [
"preserve_original_event",
"forwarded",
"panw_cortex_xdr",
"DS:PANW/XDR Agent",
"EG:win-server-default",
"EG:win-server-ex-ransomeware_report"
],
"threat": {
"framework": "MITRE ATT&CK",
"tactic": {
"id": [
"TA0010"
],
"name": [
"Exfiltration"
]
},
"technique": {
"id": [
"T1048"
],
"name": [
"Exfiltration Over Alternative Protocol"
]
}
}
}
Exported fields
| Field | Description | Type |
|---|---|---|
| @timestamp | Event timestamp. | date |
| cloud.image.id | Image ID for the cloud instance. | keyword |
| data_stream.dataset | Data stream dataset name. | constant_keyword |
| data_stream.namespace | Data stream namespace. | constant_keyword |
| data_stream.type | Data stream type. | constant_keyword |
| event.dataset | Event dataset | constant_keyword |
| event.module | Event module | constant_keyword |
| host.containerized | If the host is a container. | boolean |
| host.os.build | OS build information. | keyword |
| host.os.codename | OS codename, if any. | keyword |
| input.type | Type of Filebeat input. | keyword |
| log.flags | Flags for the log file. | keyword |
| log.offset | Offset of the entry in the log file. | long |
| panw_cortex.xdr.aggregated_score | Aggregated incident score. | long |
| panw_cortex.xdr.alert_categories | Categories for alerts contained in the incident. | keyword |
| panw_cortex.xdr.alert_count | Count of alerts. | long |
| panw_cortex.xdr.alerts_grouping_status | Is alert grouping enabled for this incident. | keyword |
| panw_cortex.xdr.assigned_user_mail | Email for the assigned user. | keyword |
| panw_cortex.xdr.assigned_user_pretty_name | Pretty name for the assigned user. | keyword |
| panw_cortex.xdr.creation_time | Incident creation time. | date |
| panw_cortex.xdr.critical_severity_alert_count | Count of critical severity alerts for this incident. | long |
| panw_cortex.xdr.detection_time | Detection time. | flattened |
| panw_cortex.xdr.high_severity_alert_count | Count of high severity alerts for this incident. | long |
| panw_cortex.xdr.host_count | Count of hosts related to this incident. | long |
| panw_cortex.xdr.hosts | Host names and host ID's related to this incident. | keyword |
| panw_cortex.xdr.incident_id | Incident ID | keyword |
| panw_cortex.xdr.incident_name | Incident name | keyword |
| panw_cortex.xdr.incident_sources | Detection sources for this incident. | keyword |
| panw_cortex.xdr.low_severity_alert_count | Count of low severity alerts for this incident. | long |
| panw_cortex.xdr.manual_description | Manual incident description. | keyword |
| panw_cortex.xdr.manual_score | Manual incident score. | flattened |
| panw_cortex.xdr.manual_severity | Manual incident severity. | keyword |
| panw_cortex.xdr.med_severity_alert_count | Count of medium severity alerts for this incident. | long |
| panw_cortex.xdr.mitre_tactics_ids_and_names | MITRE tactic ID's and names | keyword |
| panw_cortex.xdr.mitre_techniques_ids_and_names | MITRE technique ID's and names | keyword |
| panw_cortex.xdr.modification_time | Incident modification time. | date |
| panw_cortex.xdr.notes | Incident notes. | keyword |
| panw_cortex.xdr.original_tags | Original tags for the asset. | keyword |
| panw_cortex.xdr.predicted_score | Predicted incident score. | long |
| panw_cortex.xdr.resolve_comment | Incident resolution comment. | keyword |
| panw_cortex.xdr.resolved_timestamp | Incident resolution timestamp. | date |
| panw_cortex.xdr.rule_based_score | Rule based incident score. | long |
| panw_cortex.xdr.starred | Starred incident. | boolean |
| panw_cortex.xdr.status | Incident status. | keyword |
| panw_cortex.xdr.user_count | Count of users related to the incident. | long |
| panw_cortex.xdr.users | Usernames related to the incident. | keyword |
| panw_cortex.xdr.wildfire_hits | Count of Wildfire hits. | long |
| panw_cortex.xdr.xdr_url | URL to Cortex XDR incident. | keyword |
Changelog
| Version | Details | Kibana version(s) |
|---|---|---|
| 2.1.2 | Bug fix (View pull request) Updated description to ssl nodes to be consistent with other packages descriptions. |
8.13.0 or higher 9.0.0 or higher |
| 2.1.1 | Bug fix (View pull request) Fix CEL type conversion in alerts v2. |
8.13.0 or higher 9.0.0 or higher |
| 2.1.0 | Enhancement (View pull request) Update Kibana constraint to support 9.0.0. |
8.13.0 or higher 9.0.0 or higher |
| 2.0.0 | Enhancement (View pull request) Add support for alerts v2 API. |
8.13.0 or higher |
| 1.32.1 | Bug fix (View pull request) Delete the remove processor thats clearing all fields and update rename processors with override - true. |
8.13.0 or higher |
| 1.32.0 | Enhancement (View pull request) Do not remove event.original in main ingest pipeline. |
8.13.0 or higher |
| 1.31.0 | Enhancement (View pull request) Do not remove event.original in main ingest pipeline. |
8.13.0 or higher |
| 1.30.0 | Enhancement (View pull request) Add "preserve_original_event" tag to documents with event.kind set to "pipeline_error". |
8.13.0 or higher |
| 1.29.0 | Enhancement (View pull request) Use Cortex XDR SIEM ingestion time for cursor progression. |
8.13.0 or higher |
| 1.28.0 | Enhancement (View pull request) Modify incident handling to match Defender for Endpoint. Change fingerprint, timestamp, and search cursor to modification_time. Add severity:critical. |
8.13.0 or higher |
| 1.27.0 | Enhancement (View pull request) Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template. |
8.13.0 or higher |
| 1.26.0 | Enhancement (View pull request) Improve handling of empty responses. |
8.12.0 or higher |
| 1.25.0 | Enhancement (View pull request) Set sensitive values as secret. |
8.12.0 or higher |
| 1.24.2 | Bug fix (View pull request) Clean up null handling |
8.7.1 or higher |
| 1.24.1 | Enhancement (View pull request) Changed owners |
8.7.1 or higher |
| 1.24.0 | Enhancement (View pull request) Limit request tracer log count to five. |
8.7.1 or higher |
| 1.23.0 | Enhancement (View pull request) ECS version updated to 8.11.0. |
8.7.1 or higher |
| 1.22.0 | Enhancement (View pull request) Improve 'event.original' check to avoid errors if set. |
8.7.1 or higher |
| 1.21.1 | Bug fix (View pull request) Fix mapping of group fields |
8.7.1 or higher |
| 1.21.0 | Enhancement (View pull request) ECS version updated to 8.10.0. |
8.7.1 or higher |
| 1.20.0 | Enhancement (View pull request) The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest. |
8.7.1 or higher |
| 1.19.0 | Enhancement (View pull request) Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI. |
8.7.1 or higher |
| 1.18.0 | Enhancement (View pull request) Add incident type events |
8.7.1 or higher |
| 1.17.0 | Enhancement (View pull request) Update package-spec to 2.9.0. |
8.7.1 or higher |
| 1.16.0 | Enhancement (View pull request) Update package to ECS 8.9.0. |
8.7.1 or higher |
| 1.15.0 | Enhancement (View pull request) Document SSL options |
8.7.1 or higher |
| 1.14.0 | Enhancement (View pull request) Document duration units. |
8.7.1 or higher |
| 1.13.0 | Enhancement (View pull request) Document valid duration units. |
8.7.1 or higher |
| 1.12.0 | Enhancement (View pull request) Ensure event.kind is correctly set for pipeline errors. |
8.7.1 or higher |
| 1.11.0 | Enhancement (View pull request) Update package to ECS 8.8.0. |
8.7.1 or higher |
| 1.10.0 | Enhancement (View pull request) Lowercase host.name field |
8.7.1 or higher |
| 1.9.0 | Enhancement (View pull request) Add a new flag to enable request tracing |
8.7.1 or higher |
| 1.8.2 | Enhancement (View pull request) Drop empty events |
7.15.0 or higher 8.0.0 or higher |
| 1.8.1 | Enhancement (View pull request) Map Threat ECS fields to Mitre |
7.15.0 or higher 8.0.0 or higher |
| 1.8.0 | Enhancement (View pull request) Update package to ECS 8.7.0. |
7.15.0 or higher 8.0.0 or higher |
| 1.7.1 | Enhancement (View pull request) Added categories and/or subcategories. |
7.15.0 or higher 8.0.0 or higher |
| 1.7.0 | Enhancement (View pull request) Add support for Advanced security level |
7.15.0 or higher 8.0.0 or higher |
| 1.6.0 | Enhancement (View pull request) Update package to ECS 8.6.0. |
7.15.0 or higher 8.0.0 or higher |
| 1.5.2 | Bug fix (View pull request) Conform user fields to ECS standards. |
7.15.0 or higher 8.0.0 or higher |
| 1.5.1 | Bug fix (View pull request) Remove duplicate fields. Bug fix (View pull request) Make mac addresses conform with ECS syntax. |
7.15.0 or higher 8.0.0 or higher |
| 1.5.0 | Enhancement (View pull request) Update package to ECS 8.5.0. |
7.15.0 or higher 8.0.0 or higher |
| 1.4.2 | Enhancement (View pull request) Use ECS geo.location definition. |
7.15.0 or higher 8.0.0 or higher |
| 1.4.1 | Enhancement (View pull request) Bugfix on rename processors with conditionals. |
7.15.0 or higher 8.0.0 or higher |
| 1.4.0 | Enhancement (View pull request) Update package to ECS 8.4.0 |
7.15.0 or higher 8.0.0 or higher |
| 1.3.3 | Bug fix (View pull request) Fix possible endless pagination. |
7.15.0 or higher 8.0.0 or higher |
| 1.3.2 | Enhancement (View pull request) Update package name and description to align with standard wording |
7.15.0 or higher 8.0.0 or higher |
| 1.3.1 | Bug fix (View pull request) Fix rate limit. |
7.15.0 or higher 8.0.0 or higher |
| 1.3.0 | Enhancement (View pull request) Update package to ECS 8.3.0. |
7.15.0 or higher 8.0.0 or higher |
| 1.2.1 | Enhancement (View pull request) Updated the links in the file to Palo Alto Cortex XDR documentation |
7.15.0 or higher 8.0.0 or higher |
| 1.2.0 | Enhancement (View pull request) Update to ECS 8.2 to use new email field set. |
7.15.0 or higher 8.0.0 or higher |
| 1.1.1 | Enhancement (View pull request) Add documentation for multi-fields |
7.15.0 or higher 8.0.0 or higher |
| 1.1.0 | Enhancement (View pull request) Update to ECS 8.0 |
7.15.0 or higher 8.0.0 or higher |
| 1.0.0 | Enhancement (View pull request) GA integration |
7.15.0 or higher 8.0.0 or higher |
| 0.3.0 | Enhancement (View pull request) Add 8.0.0 version constraint |
— |
| 0.2.6 | Bug fix (View pull request) Regenerate test files using the new GeoIP database |
— |
| 0.2.5 | Bug fix (View pull request) Change test public IPs to the supported subset |
— |
| 0.2.4 | Enhancement (View pull request) Uniform with guidelines |
— |
| 0.2.3 | Enhancement (View pull request) Update Title and Description. |
— |
| 0.2.2 | Bug fix (View pull request) Fix duplicate events |
— |
| 0.2.1 | Bug fix (View pull request) Fix logic that checks for the 'forwarded' tag |
— |
| 0.2.0 | Enhancement (View pull request) Update to ECS 1.12.0 |
— |
| 0.1.0 | Enhancement (View pull request) initial release |
— |