Cortex IOC Messages

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- |
| Cortex IOC Messages | Base Rule | Other Security | General Security |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| --- | --- | --- | --- |
| HEADER/Vendor | N/A | N/A | Vendor info. |
| HEADER/Device Product | N/A | N/A | Device product info. |
| HEADER/Device Version | `<version>` | Text/String | Device version info. |
| HEADER/Device Event Class ID | `<vmid>` | Text/String | N/A |
| HEADER/name | `<vendorinfo>` | Text/String | Action type. |
| HEADER/Severity | `<severity>` | Number | Integer: 0 - Unknown, 6 - Low, 8 - Medium, 9 - High |
| end | N/A | N/A | Timestamp. |
| shost | `<sname>` | Text/String | Hostname of the machine from where the action was initiated. |
| suser | `<login><domainorigin>` | Text/String | Username of the user who initiated the action. |
| deviceFacility | N/A | N/A | N/A |
| cat | `<threatname>` | Text/String | N/A |
| externalId | `<threatid>` | Number | N/A |
| request | `<url>` | String/Number | N/A |
| cs1 | `<process>` | Text/String | N/A |
| cs1Label | N/A | N/A | N/A |
| cs2 | `<command>` | Text/String | N/A |
| cs2Label | N/A | N/A | N/A |
| cs3 | N/A | N/A | N/A |
| cs3Label | N/A | N/A | N/A |
| cs4 | N/A | N/A | N/A |
| cs4Label | N/A | N/A | N/A |
| cs5 | N/A | N/A | N/A |
| cs5Label | N/A | N/A | N/A |
| cs6 | N/A | N/A | N/A |
| cs6Label | N/A | N/A | N/A |
| dst | `<dip>` | Number | N/A |
| dpt | `<dport>` | Number | N/A |
| src | `<sip>` | Number | N/A |
| spt | `<sport>` | Number | N/A |
| app | `<protname>` | Text/String | N/A |
| fileHash | `<hash>` | Text/String | N/A |
| filePath | `<object>` | Text/String | N/A |
| targetprocesssignature | N/A | N/A | N/A |
| tenantname | N/A | N/A | N/A |
| tenantCDLid | N/A | N/A | N/A |
| CSPaccountname | N/A | N/A | N/A |
| initiatorSha256 | N/A | N/A | N/A |
| initiatorPath | `<parentprocesspath>` | Text/String | N/A |
| cgoSha256 | N/A | N/A | N/A |
| osParentName | N/A | N/A | N/A |
| osParentCmd | N/A | N/A | N/A |
| osParentSha256 | N/A | N/A | N/A |
| osParentSignature | N/A | N/A | N/A |
| osParentSigner | N/A | N/A | N/A |
| incident | N/A | N/A | N/A |
| act | `<action>` | Text/String | N/A |
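To check how a Cortex CEF message lands in the schema fields listed above, here is an added example (not LogRhythm's parser and not Palo Alto Networks code) of a small CEF reader that applies this mapping: it splits the pipe-delimited header with `\|` and `\\` escapes honoured, picks out the header positions the table maps to `<version>`, `<vmid>`, `<vendorinfo>` and `<severity>`, labels the severity with the integer scale the table gives, and maps only the extension keys the table assigns a schema field, splitting `suser` into `<domainorigin>` and `<login>` when it carries a `DOMAIN\user` value. The sample log line, its vendor/product strings, event class ID, event name and the hash value are constructed for illustration and do not come from the page; the `split_header`, `parse_extension` and `to_logrhythm` names are my own.

```python
"""Map a Cortex XDR CEF message onto the LogRhythm schema fields listed on the page.

Added example; the mapping tables below are transcribed from the page, while the
sample line and all function names are constructed for this illustration.
"""
import re

# Extension key -> LogRhythm schema field, from the mapping table. Keys the page
# lists as N/A (end, deviceFacility, cs*Label, tenant*, osParent*, ...) are omitted.
EXTENSION_MAP = {
    "shost": "sname", "suser": "login", "cat": "threatname", "externalId": "threatid",
    "request": "url", "cs1": "process", "cs2": "command", "dst": "dip", "dpt": "dport",
    "src": "sip", "spt": "sport", "app": "protname", "fileHash": "hash",
    "filePath": "object", "initiatorPath": "parentprocesspath", "act": "action",
}
# CEF header positions (0 = "CEF:0" prefix, 1 = vendor, 2 = product, ...) the page maps.
HEADER_MAP = {3: "version", 4: "vmid", 5: "vendorinfo"}
# Severity integers as given on the page.
SEVERITY_LABELS = {0: "Unknown", 6: "Low", 8: "Medium", 9: "High"}
# Fields the page types as Number and that are safe to convert; dip/sip are also
# typed Number on the page but are kept as dotted-quad strings here.
NUMERIC = {"threatid", "dport", "sport"}

_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")


def split_header(line):
    """Return (7 header fields, extension string), honouring '\\|' and '\\\\' escapes."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            buf.append(line[i + 1]); i += 2; continue
        if ch == "|":
            fields.append("".join(buf)); buf = []; i += 1; continue
        buf.append(ch); i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    return fields, line[i:]


def _unescape(value):
    # CEF extension escapes: '\=' '\\' '\r' '\n'
    return re.sub(r"\\([=\\rn])",
                  lambda m: {"r": "\r", "n": "\n"}.get(m.group(1), m.group(1)), value)


def parse_extension(ext):
    """Split 'key=value key2=value with spaces' into a dict; values may contain spaces."""
    pairs, matches = {}, list(_KEY.finditer(ext))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        pairs[m.group(1)] = _unescape(ext[m.end():end].strip())
    return pairs


def to_logrhythm(line):
    """Apply the page's mapping to one CEF line and return the schema fields."""
    header, ext = split_header(line)
    out = {field: header[pos] for pos, field in HEADER_MAP.items()}
    sev = header[6]
    out["severity"] = int(sev) if sev.isdigit() else sev
    out["severity_label"] = SEVERITY_LABELS.get(out["severity"])  # None if not on the page's scale
    for key, value in parse_extension(ext).items():
        field = EXTENSION_MAP.get(key)
        if field is None:
            continue  # key is N/A on the page
        if field == "login" and "\\" in value:
            out["domainorigin"], value = value.split("\\", 1)
        out[field] = int(value) if field in NUMERIC and value.isdigit() else value
    return out


# Constructed sample (hash is a placeholder, not a real indicator).
SAMPLE = (
    r"CEF:0|Palo Alto Networks|Cortex XDR|3.0.0|Threat Prevention|Malicious File Blocked|8|"
    r"end=1700000000000 shost=WS-0042 suser=CORP\\alice cat=WildFire Malware externalId=12345 "
    r"request=http://files.example.test/dl?id\=9 cs1=chrome.exe cs1Label=Initiated by "
    r"cs2=chrome.exe --download cs2Label=Initiator CMD dst=203.0.113.10 dpt=443 "
    r"src=10.0.0.42 spt=51234 app=https fileHash=" + "ab" * 32 +
    r" filePath=C:\\Users\\alice\\Downloads\\sample.exe "
    r"initiatorPath=C:\\Program Files\\Google\\Chrome\\chrome.exe act=Blocked"
)

if __name__ == "__main__":
    for field, value in to_logrhythm(SAMPLE).items():
        print(f"{field:20} {value!r}")
```

Running the block prints one schema field per line; `end`, `cs1Label` and `cs2Label` are dropped because the page maps them to N/A, and a severity outside 0/6/8/9 gets no label so it is easy to spot in a parser test.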