edr.paloalto

Introduction

The tags beginning with edr.paloalto identify events generated by Palo Alto Networks Cortex XDR: alerts raised by the Cortex XDR platform and audit events reported by the Cortex XDR agent.

Tag structure

The full tag must have three levels. The first two are fixed as edr.paloalto. The third level identifies the type of event sent and can be set either to cortex_xdr or cortex_xdr_agent:

Technology    Brand       Type
edr           paloalto    cortex_xdr
                          cortex_xdr_agent

Therefore, the valid tags and tables include:

  • edr.paloalto.cortex_xdr
  • edr.paloalto.cortex_xdr_agent

How is the data sent to Devo?

You can send your events to Devo using the Devo Relay and configuring the two rules below. Learn how to configure rules for your relay in Defining a relay rule. Both rules listen on the same source port; what separates them is the regular expression in Source data, which matches the third pipe-delimited CEF header field (Device Product) exactly, so a Cortex XDR Agent event never matches the Cortex XDR rule. The capture group referenced by \\D1 forwards the message from CEF: onwards, dropping the syslog header.

Relay rule 1 - edr.paloalto.cortex_xdr events

After setting up your relay, define a new rule using the following configuration:

Parameter                Value
Source port              13005
Source data              (CEF:[^\|]*\|[^\|]*\|Cortex XDR\|.*)$
Target message           \\D1
Target tag               edr.paloalto.cortex_xdr
Stop processing          ✓
Send without syslog tag  ✓

Relay rule 2 - edr.paloalto.cortex_xdr_agent events

After setting up your relay, define a new rule using the following configuration:

Parameter                Value
Source port              13005
Source data              (CEF:[^\|]*\|[^\|]*\|Cortex XDR Agent\|.*)$
Target message           \\D1
Target tag               edr.paloalto.cortex_xdr_agent
Stop processing          ✓
Send without syslog tag  ✓

Log samples

The following are sample logs for the tables in this technology:

edr.paloalto.cortex_xdr

2020-06-16 06:42:49.437 localhost=127.0.0.1 edr.paloalto.cortex_xdr: CEF:0|Palo Alto Networks|Cortex XDR|Cortex XDR 2.4|Alert|IOC (31.26.229.100)|9|end=1592274527000 deviceFacility=None cat=IP msg=IOC ( IP \\= 31.26.229.100 ) externalId=70356019 request=https://etc/buy/sudan/sometimes.mp3/70356019 cs1Label=Initiated by cs2Label=Initiator CMD cs3=N/bin/mooreandrew/almost/ground/src/don35/cell.jpeg- cs3Label=Signature cs4Label=CGO name cs5Label=CGO CMD cs6=N/bin/mooreandrew/almost/ground/src/don35/cell.jpeg- cs6Label=CGO Signature dst=190.150.34.13 dpt=5060 src=31.26.229.100 spt=5105 app=ip,udp,sip targetprocesssignature=N/bin/mooreandrew/almost/ground/src/don35/cell.jpeg- tenantname=TN-NAME-XDR-PROD - Cortex XDR tenantCDLid=24072002 CSPaccountname=Palo Alto Networks IT Department act=Detected

edr.paloalto.cortex_xdr_agent

2020-06-16 08:03:51.890 localhost=127.0.0.1 edr.paloalto.cortex_xdr_agent: CEF:0|Palo Alto Networks|Cortex XDR Agent|Cortex XDR Agent 7.0.0.1916|Agent Audit Logs|Policy|5|shost=guc1wwwvl06p cat=Audit end=1592274663000 rt=1592275060686 cs1Label=agentversion cs1=7.0.0.1916 cs2Label=subtype cs2=Policy Update cs3Label=result cs3=Success cs4Label=reason cs4=None msg=XDR Agent policy updated on guc1wwwvl06p tenantname=TN-NAME - Cortex XDR tenantCDLid=24072002 CSPaccountname=24072
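The following script is an added example, not part of this page or of Devo's or Palo Alto Networks' own code. It replays the two relay rules above against constructed syslog lines modelled on the log samples (the lines, host names and values are made up) to show how the Source data regexes route each event to its tag, and then parses the forwarded CEF message: the seven header fields with their \| and \\ escapes, the key=value extension with \= escapes, and the custom string fields (cs1, cs2, ...) resolved through their csNLabel names, as seen in both samples.

```python
import re

# Relay rules copied from this page, applied in order. Each regex keeps the
# message from "CEF:" onwards in capture group 1, which is what \\D1 forwards.
# The two patterns cannot both match one line: the third header field must be
# exactly "Cortex XDR" or exactly "Cortex XDR Agent" before the next pipe.
RELAY_RULES = [
    (re.compile(r"(CEF:[^\|]*\|[^\|]*\|Cortex XDR\|.*)$"), "edr.paloalto.cortex_xdr"),
    (re.compile(r"(CEF:[^\|]*\|[^\|]*\|Cortex XDR Agent\|.*)$"), "edr.paloalto.cortex_xdr_agent"),
]

HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")
# An extension key is a run of word characters at the start of the extension
# or after a space, directly followed by "=". Producers must escape "=" inside
# values as "\=", which is why "IP \= 31.26.229.100" below is not a key.
KEY_RE = re.compile(r"(?:^|(?<= ))([A-Za-z0-9_]+)=")


def route(raw):
    """Mimic the relay: return (tag, forwarded message) for the first rule whose
    Source data regex matches ("Stop processing"), or None when none applies."""
    for pattern, tag in RELAY_RULES:
        m = pattern.search(raw)
        if m:
            return tag, m.group(1)
    return None


def _unescape(s):
    # CEF escapes: \\ -> \, \= -> =, \| -> |, \n and \r -> line breaks.
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)


def _split_header(msg):
    """Split the seven pipe-delimited header fields, honouring \\| and \\\\."""
    fields, cur, i = [], [], 0
    while i < len(msg) and len(fields) < len(HEADER_FIELDS):
        c = msg[i]
        if c == "\\" and i + 1 < len(msg):
            cur.append(msg[i + 1]); i += 2
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    if len(fields) < len(HEADER_FIELDS):
        raise ValueError("truncated CEF header")
    return fields, msg[i:]


def _parse_extension(ext):
    out = {}
    keys = list(KEY_RE.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].rstrip(" "))
    return out


def parse_cef(msg):
    """Parse one CEF message into header fields, the raw extension key/values and
    the custom fields (csN, cnN, ...) resolved through their <field>Label names."""
    fields, ext = _split_header(msg)
    header = dict(zip(HEADER_FIELDS, fields))
    if header["version"].startswith("CEF:"):
        header["version"] = header["version"][4:]
    try:
        header["severity"] = int(header["severity"])
    except ValueError:
        pass  # some producers send Low/Medium/High instead of 0-10
    extension = _parse_extension(ext)
    labeled = {}
    for key, label in extension.items():
        # "cs3Label=Signature" names the value carried in "cs3"; a label with no
        # matching value (cs1Label in the page's sample) is left unresolved.
        if key.endswith("Label") and key[:-5] in extension:
            labeled[label] = extension[key[:-5]]
    return {"header": header, "extension": extension, "labeled": labeled}


def process(raw):
    """Route a syslog line as the relay would, then parse the forwarded message."""
    routed = route(raw)
    if routed is None:
        return None
    tag, msg = routed
    return tag, parse_cef(msg)


# Constructed sample lines modelled on the page's log samples (not real events).
SAMPLE_XDR = (
    "<14>Jun 16 06:42:49 xdr-relay CEF:0|Palo Alto Networks|Cortex XDR|Cortex XDR 2.4|Alert|"
    "IOC (31.26.229.100)|9|end=1592274527000 cat=IP msg=IOC ( IP \\= 31.26.229.100 ) "
    "externalId=70356019 cs1Label=Initiated by cs3=N/bin/don35/cell.jpeg- cs3Label=Signature "
    "dst=190.150.34.13 dpt=5060 src=31.26.229.100 spt=5105 act=Detected"
)
SAMPLE_AGENT = (
    "<14>Jun 16 08:03:51 xdr-relay CEF:0|Palo Alto Networks|Cortex XDR Agent|Cortex XDR Agent 7.0.0.1916|"
    "Agent Audit Logs|Policy|5|shost=guc1wwwvl06p cat=Audit cs2Label=subtype cs2=Policy Update "
    "cs3Label=result cs3=Success msg=XDR Agent policy updated on guc1wwwvl06p"
)

if __name__ == "__main__":
    for line in (SAMPLE_XDR, SAMPLE_AGENT):
        tag, event = process(line)
        print(tag, event["header"]["name"], event["labeled"])
```

The routing check is the one worth keeping in mind when you add further Palo Alto products to the same relay port: because each regex anchors on the exact Device Product string between two pipes, rule order does not matter here, but a looser pattern (for example one without the trailing \|) would swallow the agent events under the first rule that matches.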