Page Comparison

Table of Contents

minLevel	2
maxLevel	2
outline	false
type	flat
separator	brackets
printable	false

Introduction

The tags begin with edr.cortex_xdridentify the events generated by Cortex XDR.

Tag structure

The full tag must have 3 levels. The first two are fixed as edr.cortex_xdr. The third level identifies the type of events sent.

Product / Services

Tags

Data tables

Cortex XDR

edr.cortex_xdr.alerts

Note

Deprecated parser

This table is deprecated. Please use edr.cortex_xdr.incident_alert instead.

edr.cortex_xdr.alerts_multi

edr.cortex_xdr.alerts_multi_event

Note

Deprecated parser

This table is deprecated. Please use edr.cortex_xdr.alerts_multi instead.

edr.cortex_xdr.all_alert

edr.cortex_xdr.audit_management

edr.cortex_xdr.incident_alert

edr.cortex_xdr.incidents

edr.cortex_xdr.violation

For more information, read more about Devo tags.

How is the data sent to Devo?

You can use the Cortex XDR collector to send events to your Devo domain. Learn more about this in this article.

Table structure

These are the fields displayed in these tables:

Rw ui tabs macro

Rw tab

title	Tables 1-4

edr.cortex_xdr.alerts
edr.cortex_xdr.alerts_multi
edr.cortex_xdr.alerts_multi_event
edr.cortex_xdr.all_alert

Anchor
edr.cortex_xdr.alerts
edr.cortex_xdr.alerts
edr.cortex_xdr.alerts

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
incident_id	`str`
alert__external_id	`str`
alert__severity	`str`
alert__matching_status	`str`
alert__end_match_attempt_ts	`str`
alert__local_insert_ts	`timestamp`
alert__bioc_indicator	`str`
alert__matching_service_rule_id	`str`
alert__attempt_counter	`int4`
alert__bioc_category_enum_key	`str`
alert__case_id	`int4`
alert__is_whitelisted	`bool`
alert__starred	`bool`
alert__deduplicate_tokens	`str`
alert__filter_rule_id	`str`
alert__mitre_technique_id_and_name	`str`
alert__mitre_tactic_id_and_name	`str`
alert__agent_version	`str`
alert__agent_device_domain	`str`
alert__agent_fqdn	`str`
alert__agent_os_type	`str`
alert__agent_os_sub_type	`str`
alert__agent_data_collection_status	`bool`
alert__mac	`str`
alert__agent_is_vdi	`str`
alert__agent_install_type	`str`
alert__agent_host_boot_time	`str`
alert__event_sub_type	`str`
alert__module_id	`str`
alert__association_strength	`str`
alert__dst_association_strength	`str`
alert__story_id	`str`
alert__event_id	`str`
alert__event_type	`str`
alert__event_timestamp	`timestamp`
alert__actor_process_instance_id	`str`
alert__actor_process_image_path	`str`
alert__actor_process_image_name	`str`
alert__actor_process_command_line	`str`
alert__actor_process_signature_status	`str`
alert__actor_process_signature_vendor	`str`
alert__actor_process_image_sha256	`str`
alert__actor_process_image_md5	`str`
alert__actor_process_causality_id	`str`
alert__actor_causality_id	`str`
alert__actor_process_os_pid	`int4`
alert__actor_thread_thread_id	`str`
alert__causality_actor_process_image_name	`str`
alert__causality_actor_process_command_line	`str`
alert__causality_actor_process_image_path	`str`
alert__causality_actor_process_signature_vendor	`str`
alert__causality_actor_process_signature_status	`str`
alert__causality_actor_causality_id	`str`
alert__causality_actor_process_execution_time	`str`
alert__causality_actor_process_image_md5	`str`
alert__causality_actor_process_image_sha256	`str`
alert__action_file_path	`str`
alert__action_file_name	`str`
alert__action_file_md5	`str`
alert__action_file_sha256	`str`
alert__action_file_macro_sha256	`str`
alert__action_registry_data	`str`
alert__action_registry_key_name	`str`
alert__action_registry_value_name	`str`
alert__action_registry_full_key	`str`
alert__action_local_ip	`str`
alert__action_local_port	`str`
alert__action_remote_ip	`str`
alert__action_remote_port	`str`
alert__action_external_hostname	`str`
alert__action_country	`str`
alert__action_process_instance_id	`str`
alert__action_process_causality_id	`str`
alert__action_process_image_name	`str`
alert__action_process_image_sha256	`str`
alert__action_process_image_command_line	`str`
alert__action_process_signature_status	`str`
alert__action_process_signature_vendor	`str`
alert__os_actor_effective_username	`str`
alert__os_actor_process_instance_id	`str`
alert__os_actor_process_image_path	`str`
alert__os_actor_process_image_name	`str`
alert__os_actor_process_command_line	`str`
alert__os_actor_process_signature_status	`str`
alert__os_actor_process_signature_vendor	`str`
alert__os_actor_process_image_sha256	`str`
alert__os_actor_process_causality_id	`str`
alert__os_actor_causality_id	`str`
alert__os_actor_process_os_pid	`str`
alert__os_actor_thread_thread_id	`str`
alert__fw_app_id	`str`
alert__fw_interface_from	`str`
alert__fw_interface_to	`str`
alert__fw_rule	`str`
alert__fw_rule_id	`str`
alert__fw_device_name	`str`
alert__fw_serial_number	`str`
alert__fw_url_domain	`str`
alert__fw_email_subject	`str`
alert__fw_email_sender	`str`
alert__fw_email_recipient	`str`
alert__fw_app_subcategory	`str`
alert__fw_app_category	`str`
alert__fw_app_technology	`str`
alert__fw_vsys	`str`
alert__fw_xff	`str`
alert__fw_misc	`str`
alert__fw_is_phishing	`str`
alert__dst_agent_id	`str`
alert__dst_causality_actor_process_execution_time	`str`
alert__dns_query_name	`str`
alert__dst_action_external_hostname	`str`
alert__dst_action_country	`str`
alert__dst_action_external_port	`str`
alert__contains_featured_host	`str`
alert__contains_featured_user	`str`
alert__contains_featured_ip	`str`
alert__image_name	`str`
alert__container_id	`str`
alert__cluster_name	`str`
alert__referenced_resource	`str`
alert__operation_name	`str`
alert__identity_sub_type	`str`
alert__identity_type	`str`
alert__project	`str`
alert__cloud_provider	`str`
alert__resource_type	`str`
alert__resource_sub_type	`str`
alert__user_agent	`str`
alert__events_length	`int4`
alert__alert_id	`str`
alert__detection_timestamp	`timestamp`
alert__name	`str`
alert__category	`str`
alert__endpoint_id	`str`
alert__description	`str`
alert__host_ip	`ip4`
alert__host_name	`str`
alert__source	`str`
alert__action	`str`
alert__action_pretty	`str`
alert__user_name	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.cortex_xdr.alerts_multi
edr.cortex_xdr.alerts_multi
edr.cortex_xdr.alerts_multi

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

hostname

str

external_id

str

severity

str

matching_status

str

end_match_attempt_ts

str

local_insert_ts

timestamp

last_modified_ts

str

bioc_indicator

str

matching_service_rule_id

str

attempt_counter

str

bioc_category_enum_key

str

is_whitelisted

bool

starred

bool

deduplicate_tokens

str

filter_rule_id

str

mitre_technique_id_and_name_str

str

Code Block
join(mitre_technique_id_and_name, ',')

mitre_technique_id_and_name

mitre_tactic_id_and_name_str

str

Code Block
join(mitre_tactic_id_and_name, ',')

mitre_tactic_id_and_name

agent_version

str

agent_ip_addresses_v6

str

agent_device_domain

str

agent_fqdn

str

agent_os_type

str

agent_os_sub_type

str

agent_data_collection_status

str

mac

str

is_pcap

bool

alert_type

str

resolution_status

str

resolution_comment

str

dynamic_fields

str

alert_id

str

detection_timestamp

timestamp

name

str

category

str

endpoint_id

ip4

description

str

host_ip_str

str

Code Block
join(host_ip, ',')

host_ip

host_name

ip4

mac_addresses

str

source

str

action

str

action_pretty

str

tags_str

str

Code Block
join(tags, ',')

tags

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Anchor
edr.cortex_xdr.alerts_multi_event
edr.cortex_xdr.alerts_multi_event
edr.cortex_xdr.alerts_multi_event

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
external_id	`str`
agent_install_type	`str`
agent_host_boot_time	`timestamp`
event_sub_type	`int4`
module_id	`str`
association_strength	`int4`
dst_association_strength	`int4`
story_id	`str`
event_id	`str`
event_type	`str`
event_timestamp	`timestamp`
actor_process_instance_id	`str`
actor_process_image_path	`str`
actor_process_image_name	`str`
actor_process_command_line	`str`
actor_process_signature_status	`str`
actor_process_signature_vendor	`str`
actor_process_image_sha256	`str`
actor_process_image_md5	`str`
actor_process_causality_id	`str`
actor_causality_id	`str`
actor_process_os_pid	`int4`
actor_thread_thread_id	`int4`
causality_actor_process_image_name	`str`
causality_actor_process_command_line	`str`
causality_actor_process_image_path	`str`
causality_actor_process_signature_vendor	`str`
causality_actor_process_signature_status	`str`
causality_actor_causality_id	`str`
causality_actor_process_execution_time	`timestamp`
causality_actor_process_image_md5	`str`
causality_actor_process_image_sha256	`str`
action_file_path	`str`
action_file_name	`str`
action_file_md5	`str`
action_file_sha256	`str`
action_file_macro_sha256	`str`
action_registry_data	`str`
action_registry_key_name	`str`
action_registry_value_name	`str`
action_registry_full_key	`str`
action_local_ip	`ip4`
action_local_ip_v6	`str`
action_local_port	`int4`
action_remote_ip	`ip4`
action_remote_ip_v6	`str`
action_remote_port	`int4`
action_external_hostname	`str`
action_country	`str`
action_process_instance_id	`str`
action_process_causality_id	`str`
action_process_image_name	`str`
action_process_image_sha256	`str`
action_process_image_command_line	`str`
action_process_signature_status	`str`
action_process_signature_vendor	`str`
os_actor_effective_username	`str`
os_actor_process_instance_id	`str`
os_actor_process_image_path	`str`
os_actor_process_image_name	`str`
os_actor_process_command_line	`str`
os_actor_process_signature_status	`str`
os_actor_process_signature_vendor	`str`
os_actor_process_image_sha256	`str`
os_actor_process_causality_id	`str`
os_actor_causality_id	`str`
os_actor_process_os_pid	`int4`
os_actor_thread_thread_id	`int4`
fw_app_id	`str`
fw_interface_from	`str`
fw_interface_to	`str`
fw_rule	`str`
fw_rule_id	`str`
fw_device_name	`str`
fw_serial_number	`str`
fw_url_domain	`str`
fw_email_subject	`str`
fw_email_sender	`str`
fw_email_recipient	`str`
fw_app_subcategory	`str`
fw_app_category	`str`
fw_app_technology	`str`
fw_vsys	`str`
fw_xff	`str`
fw_misc	`str`
fw_is_phishing	`str`
dst_agent_id	`ip4`
dst_causality_actor_process_execution_time	`str`
dns_query_name	`str`
dst_action_external_hostname	`str`
dst_action_country	`str`
dst_action_external_port	`str`
contains_featured_host	`str`
contains_featured_user	`str`
contains_featured_ip	`str`
image_name	`str`
container_id	`str`
cluster_name	`str`
referenced_resource	`str`
operation_name	`str`
identity_sub_type	`str`
identity_type	`str`
project	`str`
cloud_provider	`str`
resource_type	`str`
resource_sub_type	`str`
user_agent	`str`
username	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.cortex_xdr.all_alert
edr.cortex_xdr.all_alert
edr.cortex_xdr.all_alert

Field	Type	Extra fields
eventdate	`timestamp`
machine	`str`
external_id	`str`
severity	`str`
matching_status	`str`
end_match_attempt_ts	`str`
local_insert_ts	`timestamp`
last_modified_ts	`str`
bioc_indicator	`str`
matching_service_rule_id	`str`
attempt_counter	`int4`
bioc_category_enum_key	`str`
case_id	`int4`
is_whitelisted	`bool`
starred	`bool`
deduplicate_tokens	`str`
filter_rule_id	`str`
mitre_technique_id_and_name	`str`
mitre_tactic_id_and_name	`str`
agent_version	`str`
agent_ip_addresses_v6	`str`
agent_device_domain	`str`
agent_fqdn	`str`
agent_os_type	`str`
agent_os_sub_type	`str`
agent_data_collection_status	`str`
mac	`str`
agent_is_vdi	`bool`
agent_install_type	`str`
agent_host_boot_time	`timestamp`
event_sub_type	`int4`
module_id	`str`
association_strength	`int4`
dst_association_strength	`int4`
story_id	`str`
event_id	`str`
event_type	`str`
event_timestamp	`timestamp`
actor_process_instance_id	`str`
actor_process_image_path	`str`
actor_process_image_name	`str`
actor_process_command_line	`str`
actor_process_signature_status	`str`
actor_process_signature_vendor	`str`
actor_process_image_sha256	`str`
actor_process_image_md5	`str`
actor_process_causality_id	`str`
actor_causality_id	`str`
actor_process_os_pid	`int4`
actor_thread_thread_id	`str`
causality_actor_process_image_name	`str`
causality_actor_process_command_line	`str`
causality_actor_process_image_path	`str`
causality_actor_process_signature_vendor	`str`
causality_actor_process_signature_status	`str`
causality_actor_causality_id	`str`
causality_actor_process_execution_time	`timestamp`
causality_actor_process_image_md5	`str`
causality_actor_process_image_sha256	`str`
action_file_path	`str`
action_file_name	`str`
action_file_md5	`str`
action_file_sha256	`str`
action_file_macro_sha256	`str`
action_registry_data	`str`
action_registry_key_name	`str`
action_registry_value_name	`str`
action_registry_full_key	`str`
action_local_ip	`str`
action_local_ipv4	`ip4`
action_local_ipv6	`ip6`
action_local_ip_v6	`str`
action_local_port	`int4`
action_remote_ip	`str`
action_remote_ipv4	`ip4`
action_remote_ipv6	`ip6`
action_remote_ip_v6	`str`
action_remote_port	`int4`
action_external_hostname	`str`
action_country	`str`
action_process_instance_id	`str`
action_process_causality_id	`str`
action_process_image_name	`str`
action_process_image_sha256	`str`
action_process_image_command_line	`str`
action_process_signature_status	`str`
action_process_signature_vendor	`str`
os_actor_effective_username	`str`
os_actor_process_instance_id	`str`
os_actor_process_image_path	`str`
os_actor_process_image_name	`str`
os_actor_process_command_line	`str`
os_actor_process_signature_status	`str`
os_actor_process_signature_vendor	`str`
os_actor_process_image_sha256	`str`
os_actor_process_causality_id	`str`
os_actor_causality_id	`str`
os_actor_process_os_pid	`int4`
os_actor_thread_thread_id	`str`
fw_app_id	`str`
fw_interface_from	`str`
fw_interface_to	`str`
fw_rule	`str`
fw_rule_id	`str`
fw_device_name	`str`
fw_serial_number	`str`
fw_url_domain	`str`
fw_email_subject	`str`
fw_email_sender	`str`
fw_email_recipient	`str`
fw_app_subcategory	`str`
fw_app_category	`str`
fw_app_technology	`str`
fw_vsys	`str`
fw_xff	`str`
fw_misc	`str`
fw_is_phishing	`str`
dst_agent_id	`str`
dst_agent_id_ipv4	`ip4`
dst_agent_id_ipv6	`ip6`
dst_causality_actor_process_execution_time	`str`
dns_query_name	`str`
dst_action_external_hostname	`str`
dst_action_country	`str`
dst_action_external_port	`str`
is_pcap	`bool`
contains_featured_host	`str`
contains_featured_user	`str`
contains_featured_ip	`str`
image_name	`str`
image_id	`str`
container_id	`str`
container_name	`str`
namespace	`str`
cluster_name	`str`
referenced_resource	`str`
operation_name	`str`
identity_sub_type	`str`
identity_type	`str`
project	`str`
cloud_provider	`str`
resource_type	`str`
resource_sub_type	`str`
user_agent	`str`
alert_type	`str`
resolution_status	`str`
resolution_comment	`str`
dynamic_fields	`str`
tags	`str`
malicious_urls	`str`
alert_id	`str`
detection_timestamp	`timestamp`
name	`str`
category	`str`
endpoint_id	`str`
description	`str`
host_ip	`str`
host_ipv4	`ip4`
host_ipv6	`ip6`
host_name	`str`
source	`str`
action	`str`
action_pretty	`str`
username	`str`
events_length	`int4`
original_tags	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Rw tab

title	Tables 5-8

edr.cortex_xdr.audit_management
edr.cortex_xdr.incident_alert
edr.cortex_xdr.incidents
edr.cortex_xdr.violation

Anchor
edr.cortex_xdr.audit_management
edr.cortex_xdr.audit_management
edr.cortex_xdr.audit_management

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
audit_id	`int8`
audit_owner_name	`str`
audit_owner_email	`str`
audit_asset_json	`str`
audit_asset_names	`str`
audit_hostname	`str`
audit_result	`str`
audit_reason	`str`
audit_description	`str`
audit_entity	`str`
audit_entity_subtype	`str`
audit_session_id	`str`
audit_case_id	`str`
audit_insert_time	`timestamp`
audit_severity	`str`
audit_link	`str`
audit_source_ip	`str`
audit_source_ipv4	`ip4`
audit_source_ipv6	`ip6`
audit_user_agent	`str`
audit_user_roles	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Anchor
edr.cortex_xdr.incident_alert
edr.cortex_xdr.incident_alert
edr.cortex_xdr.incident_alert

Field	Type	Source field name	Extra fields
eventdate	`timestamp`
hostname	`str`
incident_id	`str`
incident_name	`str`
creation_time	`timestamp`
modification_time	`timestamp`
detection_time	`str`
status	`str`
severity	`str`
description	`str`
assigned_user_mail	`str`
assigned_user_pretty_name	`str`
alert_count	`int4`
low_severity_alert_count	`int4`
med_severity_alert_count	`int4`
high_severity_alert_count	`int4`
user_count	`int4`
host_count	`int4`
notes	`str`
resolve_comment	`str`
resolved_timestamp	`str`
manual_severity	`str`
manual_description	`str`
xdr_url	`str`
starred	`bool`
hosts_str	`str`	hosts
users_str	`str`	users
incident_sources_str	`str`	incident_sources
rule_based_score	`str`
manual_score	`str`
wildfire_hits	`str`
alerts_grouping_status	`str`
mitre_tactics_ids_and_names	`str`
mitre_techniques_ids_and_names	`str`
alert_categories	`str`
hostchain	`str`		✓
tag	`str`		✓
rawMessage	`str`		✓

Anchor
edr.cortex_xdr.incidents
edr.cortex_xdr.incidents
edr.cortex_xdr.incidents

Field

Type

Field transformation

Source field name

Extra fields

eventdate

timestamp

hostname

str

incident_id

str

incident_name

str

creation_time

timestamp

modification_time

timestamp

detection_time

str

status

str

severity

str

description

str

assigned_user_mail

str

assigned_user_pretty_name

str

alert_count

int4

low_severity_alert_count

int4

med_severity_alert_count

int4

high_severity_alert_count

int4

user_count

int4

host_count

int4

notes

str

resolve_comment

str

resolved_timestamp

str

manual_severity

str

manual_description

str

xdr_url

str

starred

bool

hosts_str

str

Code Block
join(hosts, ',')

hosts

users_str

str

Code Block
join(users, ',')

users

incident_sources_str

str

Code Block
join(incident_sources, ',')

incident_sources

rule_based_score

str

manual_score

str

wildfire_hits

str

alerts_grouping_status

str

mitre_tactics_ids_and_names

str

mitre_techniques_ids_and_names

str

alert_categories

str

hostchain

str

✓

tag

str

✓

rawMessage

str

✓

Anchor
edr.cortex_xdr.violation
edr.cortex_xdr.violation
edr.cortex_xdr.violation

Field	Type	Extra fields
eventdate	`timestamp`
machine	`str`
hostname2	`str`
username	`str`
ip	`str`
timestamp	`int4`
violation_id	`int4`
type	`str`
vendor_id	`str`
vendor	`str`
product_id	`str`
product	`str`
serial	`str`
endpoint_id	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

Versions Compared

Old Version 1

New Version Current

Key

Introduction

Tag structure

How is the data sent to Devo?

Table structure

Anchor
edr.cortex_xdr.alerts
edr.cortex_xdr.alerts
edr.cortex_xdr.alerts

Anchor
edr.cortex_xdr.alerts_multi
edr.cortex_xdr.alerts_multi
edr.cortex_xdr.alerts_multi

Anchor
edr.cortex_xdr.alerts_multi_event
edr.cortex_xdr.alerts_multi_event
edr.cortex_xdr.alerts_multi_event

Anchor
edr.cortex_xdr.all_alert
edr.cortex_xdr.all_alert
edr.cortex_xdr.all_alert

Anchor
edr.cortex_xdr.audit_management
edr.cortex_xdr.audit_management
edr.cortex_xdr.audit_management

Anchor
edr.cortex_xdr.incident_alert
edr.cortex_xdr.incident_alert
edr.cortex_xdr.incident_alert

Anchor
edr.cortex_xdr.incidents
edr.cortex_xdr.incidents
edr.cortex_xdr.incidents

Anchor
edr.cortex_xdr.violation
edr.cortex_xdr.violation
edr.cortex_xdr.violation

Page Comparison

Versions Compared

Old Version 1

New Version Current

Key

Introduction

Tag structure

How is the data sent to Devo?

Table structure

Anchoredr.cortex_xdr.alertsedr.cortex_xdr.alertsedr.cortex_xdr.alerts

Anchoredr.cortex_xdr.alerts_multiedr.cortex_xdr.alerts_multiedr.cortex_xdr.alerts_multi

Anchoredr.cortex_xdr.alerts_multi_eventedr.cortex_xdr.alerts_multi_eventedr.cortex_xdr.alerts_multi_event

Anchoredr.cortex_xdr.all_alertedr.cortex_xdr.all_alertedr.cortex_xdr.all_alert

Anchoredr.cortex_xdr.audit_managementedr.cortex_xdr.audit_managementedr.cortex_xdr.audit_management

Anchoredr.cortex_xdr.incident_alertedr.cortex_xdr.incident_alertedr.cortex_xdr.incident_alert

Anchoredr.cortex_xdr.incidentsedr.cortex_xdr.incidentsedr.cortex_xdr.incidents

Anchoredr.cortex_xdr.violationedr.cortex_xdr.violationedr.cortex_xdr.violation

Anchor
edr.cortex_xdr.alerts
edr.cortex_xdr.alerts
edr.cortex_xdr.alerts

Anchor
edr.cortex_xdr.alerts_multi
edr.cortex_xdr.alerts_multi
edr.cortex_xdr.alerts_multi

Anchor
edr.cortex_xdr.alerts_multi_event
edr.cortex_xdr.alerts_multi_event
edr.cortex_xdr.alerts_multi_event

Anchor
edr.cortex_xdr.all_alert
edr.cortex_xdr.all_alert
edr.cortex_xdr.all_alert

Anchor
edr.cortex_xdr.audit_management
edr.cortex_xdr.audit_management
edr.cortex_xdr.audit_management

Anchor
edr.cortex_xdr.incident_alert
edr.cortex_xdr.incident_alert
edr.cortex_xdr.incident_alert

Anchor
edr.cortex_xdr.incidents
edr.cortex_xdr.incidents
edr.cortex_xdr.incidents

Anchor
edr.cortex_xdr.violation
edr.cortex_xdr.violation
edr.cortex_xdr.violation