Cortex Agent Messages

Vendor Documentation

https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/logs/cortex-xdr-log-notification-formats/cortex-xdr-ioc-bioc-log-format

Rule Name	Rule Type	Common Event	Classification
Cortext Agent Messages	Base Rule	General Alert	Operations : Warning

Device Key in Log Message	LogRhythm Schema	Data Type	Schema Description
HEADER/Vendor	N/A	N/A	Vendor info
HEADER/Device Product	N/A	N/A	Device Product info
HEADER/Device Version	<version>	Text/String	Device Version info
HEADER/Device Event Class ID	<vmid>	Text/String	N/A
HEADER/name	<vendorinfo>	Text/String	Action type
HEADER/Severity	<severity>	Text/String	integer: 0 - Unknown, 6 - Low, 8 - Medium, 9 - High
end	N/A	N/A	Timestamp
shost	<sname>	Text/String	Hostname of the machine from where the action was initiated.
suser	<login><domainorigin>	Text/String	Username of the user who initiated the action.
deviceFacility	N/A	N/A	N/A
cat	<threatname>	Text/String	N/A
externalId	<threatid>	Number	N/A
request	<url>	Text/String/Number	N/A
cs1	<process>	Text/String	N/A
cs1Label	N/A	N/A	N/A
cs2	N/A	N/A	N/A
cs2Label	N/A	N/A	N/A
cs3	N/A	N/A	N/A
cs3Label	N/A	N/A	N/A
cs4	N/A	N/A	N/A
cs4Label	N/A	N/A	N/A
cs5	<command>	Text/String/Number	N/A
cs5Label	N/A	N/A	N/A
cs6	N/A	N/A	N/A
cs6Label	N/A	N/A	N/A
fileHash	<hash>	Text/String/Number	N/A
filePath	<object>	Text/String/Number	N/A
targetprocesssignature	N/A	N/A	N/A
tenantname	N/A	N/A	N/A
tenantCDLid	N/A	N/A	N/A
CSPaccountname	N/A	N/A	N/A
initiatorSha256	N/A	N/A	N/A
initiatorPath	<parentprocesspath>	Text/String/Number	N/A
osParentSignature	N/A	N/A	N/A
incident	N/A	N/A	N/A
act	<action>	Text/String	N/A