Page Comparison

Table of Contents

minLevel	2
maxLevel	2
outline	false
type	list
printable	false

Introduction

The tags begin with edr.cortex_xdridentify the events generated by Cortex XDR.

Tag structure

The full tag must have 3 levels. The first two are fixed as edr.cortex_xdr. The third level identifies the type of events sent.

Product / Services	Tags	Data tables
Cortex XDR	`edr.cortex_xdr.alerts`	`edr.cortex_xdr.alerts`
	`edr.cortex_xdr.alerts_multi`	`edr.cortex_xdr.alerts_multi`
	`edr.cortex_xdr.alerts_multi_event`	`edr.cortex_xdr.alerts_multi_event`
	`edr.cortex_xdr.incidents`	`edr.cortex_xdr.incidents`

For more information, read more about Devo tags.

Table structure

These are the fields displayed in these tables:

edr.cortex_xdr.alerts
edr.cortex_xdr.alerts_multi
edr.cortex_xdr.alerts_multi_event
edr.cortex_xdr.incidents

Anchor
tag1
tag1
edr.cortex_xdr.alerts

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
incident_id	`str`
alert__external_id	`str`
alert__severity	`str`
alert__matching_status	`str`
alert__end_match_attempt_ts	`str`
alert__local_insert_ts	`timestamp`
alert__bioc_indicator	`str`
alert__matching_service_rule_id	`str`
alert__attempt_counter	`int4`
alert__bioc_category_enum_key	`str`
alert__case_id	`int4`
alert__is_whitelisted	`bool`
alert__starred	`bool`
alert__deduplicate_tokens	`str`
alert__filter_rule_id	`str`
alert__mitre_technique_id_and_name	`str`
alert__mitre_tactic_id_and_name	`str`
alert__agent_version	`str`
alert__agent_device_domain	`str`
alert__agent_fqdn	`str`
alert__agent_os_type	`str`
alert__agent_os_sub_type	`str`
alert__agent_data_collection_status	`bool`
alert__mac	`str`
alert__agent_is_vdi	`str`
alert__agent_install_type	`str`
alert__agent_host_boot_time	`str`
alert__event_sub_type	`str`
alert__module_id	`str`
alert__association_strength	`str`
alert__dst_association_strength	`str`
alert__story_id	`str`
alert__event_id	`str`
alert__event_type	`str`
alert__event_timestamp	`timestamp`
alert__actor_process_instance_id	`str`
alert__actor_process_image_path	`str`
alert__actor_process_image_name	`str`
alert__actor_process_command_line	`str`
alert__actor_process_signature_status	`str`
alert__actor_process_signature_vendor	`str`
alert__actor_process_image_sha256	`str`
alert__actor_process_image_md5	`str`
alert__actor_process_causality_id	`str`
alert__actor_causality_id	`str`
alert__actor_process_os_pid	`int4`
alert__actor_thread_thread_id	`str`
alert__causality_actor_process_image_name	`str`
alert__causality_actor_process_command_line	`str`
alert__causality_actor_process_image_path	`str`
alert__causality_actor_process_signature_vendor	`str`
alert__causality_actor_process_signature_status	`str`
alert__causality_actor_causality_id	`str`
alert__causality_actor_process_execution_time	`str`
alert__causality_actor_process_image_md5	`str`
alert__causality_actor_process_image_sha256	`str`
alert__action_file_path	`str`
alert__action_file_name	`str`
alert__action_file_md5	`str`
alert__action_file_sha256	`str`
alert__action_file_macro_sha256	`str`
alert__action_registry_data	`str`
alert__action_registry_key_name	`str`
alert__action_registry_value_name	`str`
alert__action_registry_full_key	`str`
alert__action_local_ip	`str`
alert__action_local_port	`str`
alert__action_remote_ip	`str`
alert__action_remote_port	`str`
alert__action_external_hostname	`str`
alert__action_country	`str`
alert__action_process_instance_id	`str`
alert__action_process_causality_id	`str`
alert__action_process_image_name	`str`
alert__action_process_image_sha256	`str`
alert__action_process_image_command_line	`str`
alert__action_process_signature_status	`str`
alert__action_process_signature_vendor	`str`
alert__os_actor_effective_username	`str`
alert__os_actor_process_instance_id	`str`
alert__os_actor_process_image_path	`str`
alert__os_actor_process_image_name	`str`
alert__os_actor_process_command_line	`str`
alert__os_actor_process_signature_status	`str`
alert__os_actor_process_signature_vendor	`str`
alert__os_actor_process_image_sha256	`str`
alert__os_actor_process_causality_id	`str`
alert__os_actor_causality_id	`str`
alert__os_actor_process_os_pid	`str`
alert__os_actor_thread_thread_id	`str`
alert__fw_app_id	`str`
alert__fw_interface_from	`str`
alert__fw_interface_to	`str`
alert__fw_rule	`str`
alert__fw_rule_id	`str`
alert__fw_device_name	`str`
alert__fw_serial_number	`str`
alert__fw_url_domain	`str`
alert__fw_email_subject	`str`
alert__fw_email_sender	`str`
alert__fw_email_recipient	`str`
alert__fw_app_subcategory	`str`
alert__fw_app_category	`str`
alert__fw_app_technology	`str`
alert__fw_vsys	`str`
alert__fw_xff	`str`
alert__fw_misc	`str`
alert__fw_is_phishing	`str`
alert__dst_agent_id	`str`
alert__dst_causality_actor_process_execution_time	`str`
alert__dns_query_name	`str`
alert__dst_action_external_hostname	`str`
alert__dst_action_country	`str`
alert__dst_action_external_port	`str`
alert__contains_featured_host	`str`
alert__contains_featured_user	`str`
alert__contains_featured_ip	`str`
alert__image_name	`str`
alert__container_id	`str`
alert__cluster_name	`str`
alert__referenced_resource	`str`
alert__operation_name	`str`
alert__identity_sub_type	`str`
alert__identity_type	`str`
alert__project	`str`
alert__cloud_provider	`str`
alert__resource_type	`str`
alert__resource_sub_type	`str`
alert__user_agent	`str`
alert__events_length	`int4`
alert__alert_id	`str`
alert__detection_timestamp	`timestamp`
alert__name	`str`
alert__category	`str`
alert__endpoint_id	`str`
alert__description	`str`
alert__host_ip	`ip4`
alert__host_name	`str`
alert__source	`str`
alert__action	`str`
alert__action_pretty	`str`
alert__user_name	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
tag2
tag2
edr.cortex_xdr.alerts_multi

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

hostname

str

external_id

str

severity

str

matching_status

str

end_match_attempt_ts

str

local_insert_ts

timestamp

last_modified_ts

str

bioc_indicator

str

matching_service_rule_id

str

attempt_counter

str

bioc_category_enum_key

str

is_whitelisted

bool

starred

bool

deduplicate_tokens

str

filter_rule_id

str

mitre_technique_id_and_name_str

str

Code Block
join(mitre_technique_id_and_name, ',')

mitre_technique_id_and_name

mitre_tactic_id_and_name_str

str

Code Block
join(mitre_tactic_id_and_name, ',')

mitre_tactic_id_and_name

agent_version

str

agent_ip_addresses_v6

str

agent_device_domain

str

agent_fqdn

str

agent_os_type

str

agent_os_sub_type

str

agent_data_collection_status

str

mac

str

is_pcap

bool

alert_type

str

resolution_status

str

resolution_comment

str

dynamic_fields

str

alert_id

str

detection_timestamp

timestamp

name

str

category

str

endpoint_id

ip4

description

str

host_ip_str

str

Code Block
join(host_ip, ',')

host_ip

host_name

ip4

mac_addresses

str

source

str

action

str

action_pretty

str

tags_str

str

Code Block
join(tags, ',')

tags

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Anchor
tag3
tag3
edr.cortex_xdr.alerts_multi_event

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
external_id	`str`
agent_install_type	`str`
agent_host_boot_time	`timestamp`
event_sub_type	`int4`
module_id	`str`
association_strength	`int4`
dst_association_strength	`int4`
story_id	`str`
event_id	`str`
event_type	`str`
event_timestamp	`timestamp`
actor_process_instance_id	`str`
actor_process_image_path	`str`
actor_process_image_name	`str`
actor_process_command_line	`str`
actor_process_signature_status	`str`
actor_process_signature_vendor	`str`
actor_process_image_sha256	`str`
actor_process_image_md5	`str`
actor_process_causality_id	`str`
actor_causality_id	`str`
actor_process_os_pid	`int4`
actor_thread_thread_id	`int4`
causality_actor_process_image_name	`str`
causality_actor_process_command_line	`str`
causality_actor_process_image_path	`str`
causality_actor_process_signature_vendor	`str`
causality_actor_process_signature_status	`str`
causality_actor_causality_id	`str`
causality_actor_process_execution_time	`timestamp`
causality_actor_process_image_md5	`str`
causality_actor_process_image_sha256	`str`
action_file_path	`str`
action_file_name	`str`
action_file_md5	`str`
action_file_sha256	`str`
action_file_macro_sha256	`str`
action_registry_data	`str`
action_registry_key_name	`str`
action_registry_value_name	`str`
action_registry_full_key	`str`
action_local_ip	`ip4`
action_local_ip_v6	`str`
action_local_port	`int4`
action_remote_ip	`ip4`
action_remote_ip_v6	`str`
action_remote_port	`int4`
action_external_hostname	`str`
action_country	`str`
action_process_instance_id	`str`
action_process_causality_id	`str`
action_process_image_name	`str`
action_process_image_sha256	`str`
action_process_image_command_line	`str`
action_process_signature_status	`str`
action_process_signature_vendor	`str`
os_actor_effective_username	`str`
os_actor_process_instance_id	`str`
os_actor_process_image_path	`str`
os_actor_process_image_name	`str`
os_actor_process_command_line	`str`
os_actor_process_signature_status	`str`
os_actor_process_signature_vendor	`str`
os_actor_process_image_sha256	`str`
os_actor_process_causality_id	`str`
os_actor_causality_id	`str`
os_actor_process_os_pid	`int4`
os_actor_thread_thread_id	`int4`
fw_app_id	`str`
fw_interface_from	`str`
fw_interface_to	`str`
fw_rule	`str`
fw_rule_id	`str`
fw_device_name	`str`
fw_serial_number	`str`
fw_url_domain	`str`
fw_email_subject	`str`
fw_email_sender	`str`
fw_email_recipient	`str`
fw_app_subcategory	`str`
fw_app_category	`str`
fw_app_technology	`str`
fw_vsys	`str`
fw_xff	`str`
fw_misc	`str`
fw_is_phishing	`str`
dst_agent_id	`ip4`
dst_causality_actor_process_execution_time	`str`
dns_query_name	`str`
dst_action_external_hostname	`str`
dst_action_country	`str`
dst_action_external_port	`str`
contains_featured_host	`str`
contains_featured_user	`str`
contains_featured_ip	`str`
image_name	`str`
container_id	`str`
cluster_name	`str`
referenced_resource	`str`
operation_name	`str`
identity_sub_type	`str`
identity_type	`str`
project	`str`
cloud_provider	`str`
resource_type	`str`
resource_sub_type	`str`
user_agent	`str`
username	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
tag4
tag4
edr.cortex_xdr.incidents

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
hostname	`str`
incident_id	`str`
incident_name	`str`
creation_time	`timestamp`
modification_time	`timestamp`
detection_time	`str`
status	`str`
severity	`str`
description	`str`
assigned_user_mail	`str`
assigned_user_pretty_name	`str`
alert_count	`int4`
low_severity_alert_count	`int4`
med_severity_alert_count	`int4`
high_severity_alert_count	`int4`
user_count	`int4`
host_count	`int4`
notes	`str`
resolve_comment	`str`
resolved_timestamp	`str`
manual_severity	`str`
manual_description	`str`
xdr_url	`str`
starred	`bool`
hosts_str	`str`	hosts
users_str	`str`	users
incident_sources_str	`str`	incident_sources
rule_based_score	`str`
manual_score	`str`
wildfire_hits	`str`
alerts_grouping_status	`str`
mitre_tactics_ids_and_names	`str`
mitre_techniques_ids_and_names	`str`
alert_categories	`str`
hostchain	`str`		✓
tag	`str`		✓
rawMessage	`str`		✓

Versions Compared

Old Version 1

New Version 2

Key

Introduction

Tag structure

Table structure

Anchor
tag1
tag1
edr.cortex_xdr.alerts

Anchor
tag2
tag2
edr.cortex_xdr.alerts_multi

Anchor
tag3
tag3
edr.cortex_xdr.alerts_multi_event

Anchor
tag4
tag4
edr.cortex_xdr.incidents

Page Comparison

Versions Compared

Old Version 1

New Version 2

Key

Introduction

Tag structure

Table structure

Anchortag1tag1edr.cortex_xdr.alerts

Anchortag2tag2edr.cortex_xdr.alerts_multi

Anchortag3tag3edr.cortex_xdr.alerts_multi_event

Anchortag4tag4edr.cortex_xdr.incidents

Anchor
tag1
tag1
edr.cortex_xdr.alerts

Anchor
tag2
tag2
edr.cortex_xdr.alerts_multi

Anchor
tag3
tag3
edr.cortex_xdr.alerts_multi_event

Anchor
tag4
tag4
edr.cortex_xdr.incidents