Introduction
The full tag must have 3 levels. The first two are fixed as edr.cortex_xdr. The third level identifies the type of events sent.

Product / Services | Tags | Data tables
--- | --- | ---
Cortex XDR | edr.cortex_xdr.alerts | edr.cortex_xdr.alerts (Note: Deprecated parser. This table is deprecated. Please use edr.cortex_xdr.alerts_multi.)
 | edr.cortex_xdr.alerts_multi | edr.cortex_xdr.alerts_multi
 | edr.cortex_xdr.alerts_multi_event | edr.cortex_xdr.alerts_multi_event
 | edr.cortex_xdr.all_alert | edr.cortex_xdr.all_alert
 | edr.cortex_xdr.audit_management | edr.cortex_xdr.audit_management
 | edr.cortex_xdr.incident_alert | edr.cortex_xdr.incident_alert (Note: Deprecated parser. This table is deprecated. Please use edr.cortex_xdr.incidents.)
 | edr.cortex_xdr.incidents | edr.cortex_xdr.incidents
 | edr.cortex_xdr.violation | edr.cortex_xdr.violation

For more information, read more about Devo tags.
How is the data sent to Devo?
You can use the Cortex XDR collector to send events to your Devo domain. Learn more about this in this article.
Table structure
These are the fields displayed in these tables:
edr.cortex_xdr.alerts

Field | Type | Extra fields
--- | --- | ---
eventdate | timestamp |
hostname | str |
incident_id | str |
alert__external_id | str |
alert__severity | str |
alert__matching_status | str |
alert__end_match_attempt_ts | str |
alert__local_insert_ts | timestamp |
alert__bioc_indicator | str |
alert__matching_service_rule_id | str |
alert__attempt_counter | int4 |
alert__bioc_category_enum_key | str |
alert__case_id | int4 |
alert__is_whitelisted | bool |
alert__starred | bool |
alert__deduplicate_tokens | str |
alert__filter_rule_id | str |
alert__mitre_technique_id_and_name | str |
alert__mitre_tactic_id_and_name | str |
alert__agent_version | str |
alert__agent_device_domain | str |
alert__agent_fqdn | str |
alert__agent_os_type | str |
alert__agent_os_sub_type | str |
alert__agent_data_collection_status | bool |
alert__mac | str |
alert__agent_is_vdi | str |
alert__agent_install_type | str |
alert__agent_host_boot_time | str |
alert__event_sub_type | str |
alert__module_id | str |
alert__association_strength | str |
alert__dst_association_strength | str |
alert__story_id | str |
alert__event_id | str |
alert__event_type | str |
alert__event_timestamp | timestamp |
alert__actor_process_instance_id | str |
alert__actor_process_image_path | str |
alert__actor_process_image_name | str |
alert__actor_process_command_line | str |
alert__actor_process_signature_status | str |
alert__actor_process_signature_vendor | str |
alert__actor_process_image_sha256 | str |
alert__actor_process_image_md5 | str |
alert__actor_process_causality_id | str |
alert__actor_causality_id | str |
alert__actor_process_os_pid | int4 |
alert__actor_thread_thread_id | str |
alert__causality_actor_process_image_name | str |
alert__causality_actor_process_command_line | str |
alert__causality_actor_process_image_path | str |
alert__causality_actor_process_signature_vendor | str |
alert__causality_actor_process_signature_status | str |
alert__causality_actor_causality_id | str |
alert__causality_actor_process_execution_time | str |
alert__causality_actor_process_image_md5 | str |
alert__causality_actor_process_image_sha256 | str |
alert__action_file_path | str |
alert__action_file_name | str |
alert__action_file_md5 | str |
alert__action_file_sha256 | str |
alert__action_file_macro_sha256 | str |
alert__action_registry_data | str |
alert__action_registry_key_name | str |
alert__action_registry_value_name | str |
alert__action_registry_full_key | str |
alert__action_local_ip | str |
alert__action_local_port | str |
alert__action_remote_ip | str |
alert__action_remote_port | str |
alert__action_external_hostname | str |
alert__action_country | str |
alert__action_process_instance_id | str |
alert__action_process_causality_id | str |
alert__action_process_image_name | str |
alert__action_process_image_sha256 | str |
alert__action_process_image_command_line | str |
alert__action_process_signature_status | str |
alert__action_process_signature_vendor | str |
alert__os_actor_effective_username | str |
alert__os_actor_process_instance_id | str |
alert__os_actor_process_image_path | str |
alert__os_actor_process_image_name | str |
alert__os_actor_process_command_line | str |
alert__os_actor_process_signature_status | str |
alert__os_actor_process_signature_vendor | str |
alert__os_actor_process_image_sha256 | str |
alert__os_actor_process_causality_id | str |
alert__os_actor_causality_id | str |
alert__os_actor_process_os_pid | str |
alert__os_actor_thread_thread_id | str |
alert__fw_app_id | str |
alert__fw_interface_from | str |
alert__fw_interface_to | str |
alert__fw_rule | str |
alert__fw_rule_id | str |
alert__fw_device_name | str |
alert__fw_serial_number | str |
alert__fw_url_domain | str |
alert__fw_email_subject | str |
alert__fw_email_sender | str |
alert__fw_email_recipient | str |
alert__fw_app_subcategory | str |
alert__fw_app_category | str |
alert__fw_app_technology | str |
alert__fw_vsys | str |
alert__fw_xff | str |
alert__fw_misc | str |
alert__fw_is_phishing | str |
alert__dst_agent_id | str |
alert__dst_causality_actor_process_execution_time | str |
alert__dns_query_name | str |
alert__dst_action_external_hostname | str |
alert__dst_action_country | str |
alert__dst_action_external_port | str |
alert__contains_featured_host | str |
alert__contains_featured_user | str |
alert__contains_featured_ip | str |
alert__image_name | str |
alert__container_id | str |
alert__cluster_name | str |
alert__referenced_resource | str |
alert__operation_name | str |
alert__identity_sub_type | str |
alert__identity_type | str |
alert__project | str |
alert__cloud_provider | str |
alert__resource_type | str |
alert__resource_sub_type | str |
alert__user_agent | str |
alert__events_length | int4 |
alert__alert_id | str |
alert__detection_timestamp | timestamp |
alert__name | str |
alert__category | str |
alert__endpoint_id | str |
alert__description | str |
alert__host_ip | ip4 |
alert__host_name | str |
alert__source | str |
alert__action | str |
alert__action_pretty | str |
alert__user_name | str |
hostchain | str | ✓
tag | str | ✓
rawMessage | str | ✓

edr.cortex_xdr.alerts_multi

Field | Type | Field transformation | Source field name | Extra fields
--- | --- | --- | --- | ---
eventdate | timestamp | | |
hostname | str | | |
external_id | str | | |
severity | str | | |
matching_status | str | | |
end_match_attempt_ts | str | | |
local_insert_ts | timestamp | | |
last_modified_ts | str | | |
bioc_indicator | str | | |
matching_service_rule_id | str | | |
attempt_counter | str | | |
bioc_category_enum_key | str | | |
is_whitelisted | bool | | |
starred | bool | | |
deduplicate_tokens | str | | |
filter_rule_id | str | | |
mitre_technique_id_and_name_str | str | join(mitre_technique_id_and_name, ',') | mitre_technique_id_and_name |
mitre_tactic_id_and_name_str | str | join(mitre_tactic_id_and_name, ',') | mitre_tactic_id_and_name |
agent_version | str | | |
agent_ip_addresses_v6 | str | | |
agent_device_domain | str | | |
agent_fqdn | str | | |
agent_os_type | str | | |
agent_os_sub_type | str | | |
agent_data_collection_status | str | | |
mac | str | | |
is_pcap | bool | | |
alert_type | str | | |
resolution_status | str | | |
resolution_comment | str | | |
dynamic_fields | str | | |
alert_id | str | | |
detection_timestamp | timestamp | | |
name | str | | |
category | str | | |
endpoint_id | ip4 | | |
description | str | | |
host_ip_str | str | join(host_ip, ',') | host_ip |
host_name | ip4 | | |
mac_addresses | str | | |
source | str | | |
action | str | | |
action_pretty | str | | |
tags_str | str | join(tags, ',') | tags |
hostchain | str | | | ✓
tag | str | | | ✓
rawMessage | str | | | ✓

edr.cortex_xdr.alerts_multi_event

Field | Type | Extra fields
--- | --- | ---
eventdate | timestamp |
hostname | str |
external_id | str |
agent_install_type | str |
agent_host_boot_time | timestamp |
event_sub_type | int4 |
module_id | str |
association_strength | int4 |
dst_association_strength | int4 |
story_id | str |
event_id | str |
event_type | str |
event_timestamp | timestamp |
actor_process_instance_id | str |
actor_process_image_path | str |
actor_process_image_name | str |
actor_process_command_line | str |
actor_process_signature_status | str |
actor_process_signature_vendor | str |
actor_process_image_sha256 | str |
actor_process_image_md5 | str |
actor_process_causality_id | str |
actor_causality_id | str |
actor_process_os_pid | int4 |
actor_thread_thread_id | int4 |
causality_actor_process_image_name | str |
causality_actor_process_command_line | str |
causality_actor_process_image_path | str |
causality_actor_process_signature_vendor | str |
causality_actor_process_signature_status | str |
causality_actor_causality_id | str |
causality_actor_process_execution_time | timestamp |
causality_actor_process_image_md5 | str |
causality_actor_process_image_sha256 | str |
action_file_path | str |
action_file_name | str |
action_file_md5 | str |
action_file_sha256 | str |
action_file_macro_sha256 | str |
action_registry_data | str |
action_registry_key_name | str |
action_registry_value_name | str |
action_registry_full_key | str |
action_local_ip | ip4 |
action_local_ip_v6 | str |
action_local_port | int4 |
action_remote_ip | ip4 |
action_remote_ip_v6 | str |
action_remote_port | int4 |
action_external_hostname | str |
action_country | str |
action_process_instance_id | str |
action_process_causality_id | str |
action_process_image_name | str |
action_process_image_sha256 | str |
action_process_image_command_line | str |
action_process_signature_status | str |
action_process_signature_vendor | str |
os_actor_effective_username | str |
os_actor_process_instance_id | str |
os_actor_process_image_path | str |
os_actor_process_image_name | str |
os_actor_process_command_line | str |
os_actor_process_signature_status | str |
os_actor_process_signature_vendor | str |
os_actor_process_image_sha256 | str |
os_actor_process_causality_id | str |
os_actor_causality_id | str |
os_actor_process_os_pid | int4 |
os_actor_thread_thread_id | int4 |
fw_app_id | str |
fw_interface_from | str |
fw_interface_to | str |
fw_rule | str |
fw_rule_id | str |
fw_device_name | str |
fw_serial_number | str |
fw_url_domain | str |
fw_email_subject | str |
fw_email_sender | str |
fw_email_recipient | str |
fw_app_subcategory | str |
fw_app_category | str |
fw_app_technology | str |
fw_vsys | str |
fw_xff | str |
fw_misc | str |
fw_is_phishing | str |
dst_agent_id | ip4 |
dst_causality_actor_process_execution_time | str |
dns_query_name | str |
dst_action_external_hostname | str |
dst_action_country | str |
dst_action_external_port | str |
contains_featured_host | str |
contains_featured_user | str |
contains_featured_ip | str |
image_name | str |
container_id | str |
cluster_name | str |
referenced_resource | str |
operation_name | str |
identity_sub_type | str |
identity_type | str |
project | str |
cloud_provider | str |
resource_type | str |
resource_sub_type | str |
user_agent | str |
username | str |
hostchain | str | ✓
tag | str | ✓
rawMessage | str | ✓

edr.cortex_xdr.all_alert

Field | Type | Extra fields
--- | --- | ---
eventdate | timestamp |
machine | str |
external_id | str |
severity | str |
matching_status | str |
end_match_attempt_ts | str |
local_insert_ts | timestamp |
last_modified_ts | str |
bioc_indicator | str |
matching_service_rule_id | str |
attempt_counter | int4 |
bioc_category_enum_key | str |
case_id | int4 |
is_whitelisted | bool |
starred | bool |
deduplicate_tokens | str |
filter_rule_id | str |
mitre_technique_id_and_name | str |
mitre_tactic_id_and_name | str |
agent_version | str |
agent_ip_addresses_v6 | str |
agent_device_domain | str |
agent_fqdn | str |
agent_os_type | str |
agent_os_sub_type | str |
agent_data_collection_status | str |
mac | str |
agent_is_vdi | bool |
agent_install_type | str |
agent_host_boot_time | timestamp |
event_sub_type | int4 |
module_id | str |
association_strength | int4 |
dst_association_strength | int4 |
story_id | str |
event_id | str |
event_type | str |
event_timestamp | timestamp |
actor_process_instance_id | str |
actor_process_image_path | str |
actor_process_image_name | str |
actor_process_command_line | str |
actor_process_signature_status | str |
actor_process_signature_vendor | str |
actor_process_image_sha256 | str |
actor_process_image_md5 | str |
actor_process_causality_id | str |
actor_causality_id | str |
actor_process_os_pid | int4 |
actor_thread_thread_id | str |
causality_actor_process_image_name | str |
causality_actor_process_command_line | str |
causality_actor_process_image_path | str |
causality_actor_process_signature_vendor | str |
causality_actor_process_signature_status | str |
causality_actor_causality_id | str |
causality_actor_process_execution_time | timestamp |
causality_actor_process_image_md5 | str |
causality_actor_process_image_sha256 | str |
action_file_path | str |
action_file_name | str |
action_file_md5 | str |
action_file_sha256 | str |
action_file_macro_sha256 | str |
action_registry_data | str |
action_registry_key_name | str |
action_registry_value_name | str |
action_registry_full_key | str |
action_local_ip | str |
action_local_ipv4 | ip4 |
action_local_ipv6 | ip6 |
action_local_ip_v6 | str |
action_local_port | int4 |
action_remote_ip | str |
action_remote_ipv4 | ip4 |
action_remote_ipv6 | ip6 |
action_remote_ip_v6 | str |
action_remote_port | int4 |
action_external_hostname | str |
action_country | str |
action_process_instance_id | str |
action_process_causality_id | str |
action_process_image_name | str |
action_process_image_sha256 | str |
action_process_image_command_line | str |
action_process_signature_status | str |
action_process_signature_vendor | str |
os_actor_effective_username | str |
os_actor_process_instance_id | str |
os_actor_process_image_path | str |
os_actor_process_image_name | str |
os_actor_process_command_line | str |
os_actor_process_signature_status | str |
os_actor_process_signature_vendor | str |
os_actor_process_image_sha256 | str |
os_actor_process_causality_id | str |
os_actor_causality_id | str |
os_actor_process_os_pid | int4 |
os_actor_thread_thread_id | str |
fw_app_id | str |
fw_interface_from | str |
fw_interface_to | str |
fw_rule | str |
fw_rule_id | str |
fw_device_name | str |
fw_serial_number | str |
fw_url_domain | str |
fw_email_subject | str |
fw_email_sender | str |
fw_email_recipient | str |
fw_app_subcategory | str |
fw_app_category | str |
fw_app_technology | str |
fw_vsys | str |
fw_xff | str |
fw_misc | str |
fw_is_phishing | str |
dst_agent_id | str |
dst_agent_id_ipv4 | ip4 |
dst_agent_id_ipv6 | ip6 |
dst_causality_actor_process_execution_time | str |
dns_query_name | str |
dst_action_external_hostname | str |
dst_action_country | str |
dst_action_external_port | str |
is_pcap | bool |
contains_featured_host | str |
contains_featured_user | str |
contains_featured_ip | str |
image_name | str |
image_id | str |
container_id | str |
container_name | str |
namespace | str |
cluster_name | str |
referenced_resource | str |
operation_name | str |
identity_sub_type | str |
identity_type | str |
project | str |
cloud_provider | str |
resource_type | str |
resource_sub_type | str |
user_agent | str |
alert_type | str |
resolution_status | str |
resolution_comment | str |
dynamic_fields | str |
tags | str |
malicious_urls | str |
alert_id | str |
detection_timestamp | timestamp |
name | str |
category | str |
endpoint_id | str |
description | str |
host_ip | str |
host_ipv4 | ip4 |
host_ipv6 | ip6 |
host_name | str |
source | str |
action | str |
action_pretty | str |
username | str |
events_length | int4 |
original_tags | str |
hostchain | str | ✓
tag | str | ✓
rawMessage | str | ✓

edr.cortex_xdr.audit_management

Field | Type | Extra fields
--- | --- | ---
eventdate | timestamp |
hostname | str |
audit_id | int8 |
audit_owner_name | str |
audit_owner_email | str |
audit_asset_json | str |
audit_asset_names | str |
audit_hostname | str |
audit_result | str |
audit_reason | str |
audit_description | str |
audit_entity | str |
audit_entity_subtype | str |
audit_session_id | str |
audit_case_id | str |
audit_insert_time | timestamp |
audit_severity | str |
audit_link | str |
audit_source_ip | str |
audit_source_ipv4 | ip4 |
audit_source_ipv6 | ip6 |
audit_user_agent | str |
audit_user_roles | str |
hostchain | str | ✓
tag | str | ✓
rawMessage | str | ✓

edr.cortex_xdr.incident_alert

Field | Type | Source field name | Extra fields
--- | --- | --- | ---
eventdate | timestamp | |
hostname | str | |
incident_id | str | |
incident_name | str | |
creation_time | timestamp | |
modification_time | timestamp | |
detection_time | str | |
status | str | |
severity | str | |
description | str | |
assigned_user_mail | str | |
assigned_user_pretty_name | str | |
alert_count | int4 | |
low_severity_alert_count | int4 | |
med_severity_alert_count | int4 | |
high_severity_alert_count | int4 | |
user_count | int4 | |
host_count | int4 | |
notes | str | |
resolve_comment | str | |
resolved_timestamp | str | |
manual_severity | str | |
manual_description | str | |
xdr_url | str | |
starred | bool | |
hosts_str | str | hosts |
users_str | str | users |
incident_sources_str | str | incident_sources |
rule_based_score | str | |
manual_score | str | |
wildfire_hits | str | |
alerts_grouping_status | str | |
mitre_tactics_ids_and_names | str | |
mitre_techniques_ids_and_names | str | |
alert_categories | str | |
hostchain | str | | ✓
tag | str | | ✓
rawMessage | str | | ✓

edr.cortex_xdr.incidents

Field | Type | Field transformation | Source field name | Extra fields
--- | --- | --- | --- | ---
eventdate | timestamp | | |
hostname | str | | |
incident_id | str | | |
incident_name | str | | |
creation_time | timestamp | | |
modification_time | timestamp | | |
detection_time | str | | |
status | str | | |
severity | str | | |
description | str | | |
assigned_user_mail | str | | |
assigned_user_pretty_name | str | | |
alert_count | int4 | | |
low_severity_alert_count | int4 | | |
med_severity_alert_count | int4 | | |
high_severity_alert_count | int4 | | |
user_count | int4 | | |
host_count | int4 | | |
notes | str | | |
resolve_comment | str | | |
resolved_timestamp | str | | |
manual_severity | str | | |
manual_description | str | | |
xdr_url | str | | |
starred | bool | | |
hosts_str | str | join(hosts, ',') | hosts |
users_str | str | join(users, ',') | users |
incident_sources_str | str | join(incident_sources, ',') | incident_sources |
rule_based_score | str | | |
manual_score | str | | |
wildfire_hits | str | | |
alerts_grouping_status | str | | |
mitre_tactics_ids_and_names | str | | |
mitre_techniques_ids_and_names | str | | |
alert_categories | str | | |
hostchain | str | | | ✓
tag | str | | | ✓
rawMessage | str | | | ✓

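The field transformations in the edr.cortex_xdr.alerts_multi and edr.cortex_xdr.incidents tables above all have the same shape, join(list_field, ','), and the tag rule at the top of the page fixes the first two levels as edr.cortex_xdr. The following Python is an added example, not Devo's parser or any Palo Alto Networks code: it reproduces the join transformations for both tables on a constructed alert and a constructed incident (both made up for this example), shows how missing and empty source lists behave, and builds and validates a three-level tag against the table names the page lists. Function names (build_tag, flatten, join_field, split_field) are this example's own.

```python
"""Added example (not Devo's or Palo Alto Networks' code): apply the
join(list_field, ',') transformations that the edr.cortex_xdr.alerts_multi
and edr.cortex_xdr.incidents tables list, and build/validate the
three-level edr.cortex_xdr.<event_type> tag. All sample records are constructed."""

TAG_PREFIX = ("edr", "cortex_xdr")

# Third tag level: the event types the page lists as tables.
EVENT_TYPES = frozenset({
    "alerts", "alerts_multi", "alerts_multi_event", "all_alert",
    "audit_management", "incident_alert", "incidents", "violation",
})

# target column -> source field, taken from the "Field transformation" columns.
ALERTS_MULTI_JOINS = {
    "mitre_technique_id_and_name_str": "mitre_technique_id_and_name",
    "mitre_tactic_id_and_name_str": "mitre_tactic_id_and_name",
    "host_ip_str": "host_ip",
    "tags_str": "tags",
}
INCIDENTS_JOINS = {
    "hosts_str": "hosts",
    "users_str": "users",
    "incident_sources_str": "incident_sources",
}


def build_tag(event_type: str) -> str:
    """Compose edr.cortex_xdr.<event_type>, refusing a third level the page does not list."""
    if event_type not in EVENT_TYPES:
        raise ValueError(f"unknown Cortex XDR event type: {event_type!r}")
    return ".".join(TAG_PREFIX + (event_type,))


def is_valid_tag(tag: str) -> bool:
    """True only for exactly three levels with the fixed edr.cortex_xdr prefix."""
    parts = tag.split(".")
    return len(parts) == 3 and tuple(parts[:2]) == TAG_PREFIX and parts[2] in EVENT_TYPES


def join_field(value) -> str:
    """Mirror join(field, ','): a list becomes a comma-separated string, a scalar
    passes through, and a missing field becomes an empty string instead of failing."""
    if value is None:
        return ""
    if isinstance(value, (list, tuple)):
        return ",".join(str(v) for v in value)
    return str(value)


def flatten(record: dict, joins: dict) -> dict:
    """Return a copy of the record with every *_str column filled from its source list.
    The original list field is kept alongside, as the tables keep both."""
    row = dict(record)
    for target, source in joins.items():
        row[target] = join_field(record.get(source))
    return row


def split_field(joined: str) -> list:
    """Query-side inverse of join_field. Caveat: a source element that itself
    contains a comma cannot be recovered unambiguously after the join."""
    return [] if joined == "" else joined.split(",")


# Constructed sample: one multi-alert record with list-valued source fields.
SAMPLE_ALERT = {
    "alert_id": "1001",
    "severity": "high",
    "mitre_technique_id_and_name": [
        "T1059 - Command and Scripting Interpreter",
        "T1105 - Ingress Tool Transfer",
    ],
    "mitre_tactic_id_and_name": ["TA0002 - Execution"],
    "host_ip": ["10.0.0.5", "fe80::1"],
    "tags": [],
}

# Constructed sample incident: incident_sources is absent entirely.
SAMPLE_INCIDENT = {
    "incident_id": "42",
    "hosts": ["WS-01", "WS-02"],
    "users": ["alice"],
}

if __name__ == "__main__":
    print(build_tag("alerts_multi"))
    for key, value in flatten(SAMPLE_ALERT, ALERTS_MULTI_JOINS).items():
        print(f"{key}: {value!r}")
    print(flatten(SAMPLE_INCIDENT, INCIDENTS_JOINS))
```

The empty-list and missing-field cases both produce an empty string in the *_str column, so a query filtering on the joined column should treat "" as "no values" rather than as a literal; and because the join separator is a plain comma, anything you split back out of a *_str column is only reliable when the source elements themselves contain no commas.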
edr.cortex_xdr.violation

Field | Type | Extra fields
--- | --- | ---
eventdate | timestamp |
machine | str |
hostname2 | str |
username | str |
ip | str |
timestamp | int4 |
violation_id | int4 |
type | str |
vendor_id | str |
vendor | str |
product_id | str |
product | str |
serial | str |
endpoint_id | str |
hostchain | str | ✓
tag | str | ✓
rawMessage | str | ✓