Cortex Alert Messages

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| Cortex Alert Messages | Base Rule | General Security | Other Security |
| Command And Control Detected | Sub Rule | Suspicious Activity | Suspicious |
| Discovery Detected | Sub Rule | Suspicious Activity | Suspicious |
| Persistence Detected | Sub Rule | Suspicious Activity | Suspicious |
| Execution Detected | Sub Rule | Arbitrary Code Execution | Attack |
| Impact Detected | Sub Rule | Suspicious Activity | Suspicious |
| Lateral Movement Detected | Sub Rule | Suspicious Activity | Suspicious |
| Credential Access Detected | Sub Rule | Suspicious Activity | Suspicious |
| Defense Evasion Detected | Sub Rule | Suspicious Activity | Suspicious |
| Initial Access Detected | Sub Rule | Suspicious Activity | Suspicious |
| Collection Detected | Sub Rule | Suspicious Activity | Suspicious |
| Exfiltration Detected | Sub Rule | Suspicious Activity | Suspicious |
| Privilege Escalation Detected | Sub Rule | Unauthorized Activity | Misuse |
| Virus Detected | Sub Rule | Detected Virus Activity | Malware |
| Spyware Detected | Sub Rule | Detected Spyware Activity | Malware |
| Vulnerability Detected | Sub Rule | General Security Alert | Warning |
| URL Filtering Detected | Sub Rule | General WebFilter URLFilter Critical | Critical |
| File Blocking Detected | Sub Rule | Device Blocked | Warning |
| Zone Protection Detected | Sub Rule | Detected Spyware Activity | Malware |
| DoS Detected | Sub Rule | Network Denial Of Service | Denial Of Service |
| Data Filtering Detected | Sub Rule | Detected Spyware Activity | Malware |
| Wildfire Analysis Detected | Sub Rule | Suspicious Activity | Suspicious |
| Discovery Prevented | Sub Rule | Failed Suspicious Activity | Failed Suspicious |
| Command And Control Prevented | Sub Rule | Failed Suspicious Activity | Failed Suspicious |
| Persistence Prevented | Sub Rule | Failed Suspicious Activity | Failed Suspicious |
| Execution Prevented | Sub Rule | Failed Arbitrary Code Execution | Failed Attack |
| Impact Prevented | Sub Rule | Failed Suspicious Activity | Failed Suspicious |
| Lateral Movement Prevented | Sub Rule | Failed Suspicious Activity | Failed Suspicious |
| Credential Access Prevented | Sub Rule | Failed Suspicious Activity | Failed Suspicious |
| Defense Evasion Prevented | Sub Rule | Failed Suspicious Activity | Failed Suspicious |
| Initial Access Prevented | Sub Rule | Failed Suspicious Activity | Failed Suspicious |
| Collection Prevented | Sub Rule | Failed Suspicious Activity | Failed Suspicious |
| Exfiltration Prevented | Sub Rule | Failed Suspicious Activity | Failed Suspicious |
| Privilege Escalation Prevented | Sub Rule | Failed Unauthorized Activity | Failed Misuse |
| Virus Prevented | Sub Rule | Failed Virus Activity | Failed Malware |
| Spyware Prevented | Sub Rule | Failed Spyware Activity | Failed Malware |
| Vulnerability Prevented | Sub Rule | Failed Suspicious Activity | Failed Suspicious |
| URL Filtering Prevented | Sub Rule | Failed Suspicious Activity | Failed Suspicious |
| File Blocking Prevented | Sub Rule | Blocked Message | Failed Activity |
| Zone Protection Prevented | Sub Rule | Failed Suspicious Activity | Failed Suspicious |
| DoS Protection Prevented | Sub Rule | Failed Network Denial Of Service | Failed Denial of Service |
| Data Filtering Prevented | Sub Rule | Failed Suspicious Activity | Failed Suspicious |
| Wildfire Analysis Prevented | Sub Rule | Failed Suspicious Activity | Failed Suspicious |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| HEADER/Vendor | N/A | N/A | Device Vendor |
| HEADER/Device Product | N/A | N/A | Device Product |
| HEADER/Device Version | `<version>` | Text/String | Product Version |
| HEADER/Device Event Class ID | `<vmid>` | Text/String | Device Event Class ID |
| HEADER/name | `<vendorinfo>` | Text/String | Name of the event |
| HEADER/Severity | `<severity>` | Number | Severity: 0 - Unknown, 6 - Low, 8 - Medium, 9 - High |
| `end` | N/A | N/A | Timestamp |
| `shost` | `<sname>` | Text/String | Source Host |
| `suser` | `<domainorigin>`, `<login>` | Text/String | Source User |
| `deviceFacility` | N/A | N/A | N/A |
| `cat` | `<threatname>` | Text/String | Category |
| `externalId` | `<threatid>` | Number | N/A |
| `request` | `<url>` | Text/String/Number | Link to XDR alert page |
| `cs1` | `<process>` | Text/String | The name of the process that initiated an activity such as a network connection or registry change. |
| `cs1Label` | N/A | N/A | N/A |
| `cs2` | `<command>` | Text/String | Command line used to initiate the process, including any arguments. |
| `cs2Label` | N/A | N/A | N/A |
| `cs3` | `<status>` | Text/String | Signing status of the process that initiated the activity: Unsigned, Signed, Invalid Signature, Unknown |
| `cs3Label` | N/A | N/A | N/A |
| `cs4` | `<parentprocessname>` | Text/String | The name of the process that started the causality chain, based on Cortex XDR causality logic. |
| `cs4Label` | N/A | N/A | N/A |
| `cs5` | N/A | N/A | Command-line arguments of the Causality Group Owner (CGO). |
| `cs5Label` | N/A | N/A | N/A |
| `cs6` | N/A | N/A | Signing status of the CGO: Unsigned, Signed, Invalid Signature, Unknown |
| `cs6Label` | N/A | N/A | N/A |
| `dst` | `<dip>` | IP Address | Destination IP |
| `dpt` | `<dport>` | Number | Destination Port |
| `src` | `<sip>` | IP Address | Source IP |
| `spt` | `<sport>` | Number | Source Port |
| `app` | `<protname>` | Text/String | Application Used |
| `fileHash` | `<hash>` | Text/String | Hash value of the file. |
| `filePath` | `<object>` | Text/String | When the alert triggered on a file (the Event Type is File), this is the path to the file on the endpoint. Otherwise, N/A. |
| `targetprocesssignature` | N/A | N/A | N/A |
| `tenantname` | N/A | N/A | N/A |
| `tenantCDLid` | N/A | N/A | N/A |
| `CSPaccountname` | N/A | N/A | N/A |
| `initiatorSha256` | `<hash>` | Text/String | The SHA256 hash value of the initiator. |
| `initiatorPath` | N/A | N/A | Path of the initiating process. |
| `cgoSha256` | N/A | N/A | The SHA256 value of the CGO that initiated the alert. |
| `osParentName` | N/A | N/A | N/A |
| `osParentCmd` | N/A | N/A | Command line used by the parent operating system to initiate the process, including any arguments. |
| `osParentSignature` | N/A | N/A | Signing status of the operating system of the activity: Unsigned, Signed, Invalid Signature, Unknown |
| `osParentSigner` | N/A | N/A | Parent operating system signer. |
| `incident` | `<reason>` | Number | The ID of any incident that includes the alert. |
| `act` | `<action>`, `<tag1>` | Text/String | Action taken by the alert sensor, either Detected or Prevented, with the action status displayed in parentheses. |
| `srcZoneName` | N/A | N/A | Source Zone Name |
| `dstZoneName` | N/A | N/A | Destination Zone Name |
| `fwName` | N/A | N/A | Firewall Name |
| `msg` | `<subject>` | Text/String | Message |
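The mapping table above can be exercised end to end with a small parser. The following is an added example, not LogRhythm's or Palo Alto Networks' own parsing code: it splits a CEF line on the standard CEF layout (`CEF:Version|Device Vendor|Device Product|Device Version|Device Event Class ID|Name|Severity|Extension`, with `\|`, `\=` and `\\` as escapes), applies the key-to-schema mapping from the table, and labels the severity using the values documented for HEADER/Severity. Two interpretations are assumptions rather than page facts and are marked as such in the code: `suser` is split on a backslash into `<domainorigin>` and `<login>`, and `act` such as `Prevented (Blocked)` is split into `<action>` and the parenthesised status in `<tag1>`. The sample alert line is constructed for the demonstration and is not a captured Cortex XDR alert.

```python
"""Map a Cortex XDR alert in CEF form onto the LogRhythm schema fields documented above.

Added example, not vendor code. Assumes the standard CEF header layout and escapes;
the key-to-schema table is copied from the mapping above; SAMPLE is constructed.
"""
import re

# CEF extension key -> LogRhythm schema field(s), copied from the mapping table.
# Keys documented as N/A (cs1Label, tenantname, osParentCmd, ...) are deliberately absent.
KEY_TO_SCHEMA = {
    "shost": ["sname"],
    "suser": ["domainorigin", "login"],
    "cat": ["threatname"],
    "externalId": ["threatid"],
    "request": ["url"],
    "cs1": ["process"],
    "cs2": ["command"],
    "cs3": ["status"],
    "cs4": ["parentprocessname"],
    "dst": ["dip"],
    "dpt": ["dport"],
    "src": ["sip"],
    "spt": ["sport"],
    "app": ["protname"],
    "fileHash": ["hash"],
    "filePath": ["object"],
    "initiatorSha256": ["hash"],
    "incident": ["reason"],
    "act": ["action", "tag1"],
    "msg": ["subject"],
}

# Severity values as documented for HEADER/Severity.
SEVERITY_LABELS = {0: "Unknown", 6: "Low", 8: "Medium", 9: "High"}

_HEADER_FIELDS = ("vendor", "product", "version", "vmid", "vendorinfo", "severity")
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")
# key=value pairs; a value runs until whitespace followed by the next key=, or end of line.
_EXT_KV = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|\s*$)")


def _unescape(value):
    """Undo the CEF escapes \\|, \\= and \\\\."""
    return value.replace(r"\|", "|").replace(r"\=", "=").replace("\\\\", "\\")


def parse_cef(line):
    """Split one CEF line into (header dict, extension dict)."""
    parts = _UNESCAPED_PIPE.split(line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = dict(zip(_HEADER_FIELDS, (_unescape(p) for p in parts[1:7])))
    extension = {k: _unescape(v) for k, v in _EXT_KV.findall(parts[7])}
    return header, extension


def to_logrhythm(line):
    """Return the LogRhythm schema fields for one alert, per the mapping table."""
    header, ext = parse_cef(line)
    record = dict(header)
    sev = int(header["severity"]) if header["severity"].isdigit() else 0
    record["severity"] = sev
    record["severity_label"] = SEVERITY_LABELS.get(sev, "Unknown")
    for key, value in ext.items():
        fields = KEY_TO_SCHEMA.get(key)
        if fields is None:
            continue  # unmapped key (documented as N/A) is dropped
        if key == "suser":
            # Assumption: DOMAIN\user -> domainorigin + login; bare user leaves domain empty.
            domain, _, login = value.rpartition("\\")
            record["domainorigin"], record["login"] = domain, login
        elif key == "act":
            # Assumption: "Prevented (Blocked)" -> action "Prevented", tag1 "Blocked".
            m = re.fullmatch(r"(\w+)\s*(?:\((.*)\))?", value.strip())
            record["action"] = m.group(1) if m else value
            record["tag1"] = (m.group(2) or "") if m else ""
        else:
            for field in fields:
                # fileHash and initiatorSha256 both map to <hash>; keep the first seen.
                record.setdefault(field, value)
    return record


# Constructed sample alert (all values invented for this demonstration).
SAMPLE = (
    r"CEF:0|Palo Alto Networks|Cortex XDR|3.0|12345|Execution Prevented|9|"
    r"shost=WS-0042 suser=CORP\\jdoe cat=Behavioral Threat externalId=987654 "
    r"request=https://xdr.example.invalid/alerts/987654 "
    r"cs1=powershell.exe cs2=powershell.exe -nop -w hidden cs3=Signed cs4=explorer.exe "
    r"src=10.0.0.5 spt=51234 dst=203.0.113.10 dpt=443 app=ssl fileHash=ab12cd34 "
    r"filePath=C:\\Users\\jdoe\\run.ps1 incident=42 act=Prevented (Blocked) "
    r"msg=Execution Prevented on WS-0042"
)

if __name__ == "__main__":
    for field, value in to_logrhythm(SAMPLE).items():
        print(f"{field:18} {value}")
```

Run it as a script to print the mapped record for the constructed sample; `to_logrhythm` raises `ValueError` on a line that is not CEF, so a collector loop can route such lines to a parse-failure queue instead of silently dropping them.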