edr.paloalto

[ 1 Introduction ] [ 2 Tag structure ] [ 3 How is the data sent to Devo? ] [ 4 Table structure ]

Introduction

The tags beginning with edr.paloalto identify events generated by Palo Alto Cortex XDR services.

Tag structure

The full tag must have 3 levels. The first two are fixed as edr.paloalto. The third level identifies the type of event sent.

Therefore, the valid tags and tables include:

Product / Services	Tags	Data tables

Product / Services	Tags	Data tables
Palo Alto Cortex XDR	`edr.paloalto.cortex_xdr`	`edr.paloalto.cortex_xdr`
Palo Alto Cortex XDR	`edr.paloalto.cortex_xdr_agent`	`edr.paloalto.cortex_xdr_agent`
Palo Alto Networks Traps	`edr.paloalto.traps`	`edr.paloalto.traps`

How is the data sent to Devo?

You can send your events to Devo using the Devo Relay and configuring the following rules. Learn how to configure rules for your relay in Defining a relay rule.

Relay rule 1 - edr.paloalto.cortex_xdr events

After setting up your relay, define a new rule using the following configuration:

Source port	`13005`
Source data	`(CEF:[^\\|]\\|[^\\|]\\|Cortex XDR\\|.*)$`
Target message	`\\D1`
Target tag	`edr.paloalto.cortex_xdr`
Stop processing	✓
Send without syslog tag	✓

Relay rule 2 - edr.paloalto.cortex_xdr_agent events

After setting up your relay, define a new rule using the following configuration:

Source port	`13005`
Source data	`(CEF:[^\\|]\\|[^\\|]\\|Cortex XDR Agent\\|.*)$`
Target message	`\\D1`
Target tag	`edr.paloalto.cortex_xdr_agent`
Stop processing	✓
Send without syslog tag	✓

Table structure

These are the fields displayed in these tables:

edr.paloalto.cortex_xdr
edr.paloalto.cortex_xdr_agent
edr.paloalto.traps

edr.paloalto.cortex_xdr

Field	Type	Extra fields

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
cefTag	`str`
cefVersion	`str`
embDeviceVendor	`str`
embDeviceProduct	`str`
deviceVersion	`str`
signatureID	`str`
name	`str`
severity	`str`
act	`str`
app	`str`
cat	`str`
cs1Label	`str`
cs1	`str`
cs2Label	`str`
cs2	`str`
cs3Label	`str`
cs3	`str`
cs4Label	`str`
cs4	`str`
cs5Label	`str`
cs5	`str`
cs6Label	`str`
cs6	`str`
dpt	`int4`
dst	`ip4`
end	`timestamp`
deviceFacility	`str`
externalId	`str`
fileHash	`str`
filePath	`str`
msg	`str`
request	`str`
shost	`str`
spt	`int4`
src	`ip4`
suser	`str`
cgoSha256	`str`
tenantname	`str`
tenantCDLid	`str`
targetprocessname	`str`
targetprocesscmd	`str`
targetprocesssha256	`str`
targetprocesssignature	`str`
mitreTactic	`str`
mitreTechnique	`str`
initiatorSha256	`str`
initiatorPath	`str`
osParentName	`str`
osParentCmd	`str`
osParentSha256	`str`
osParentSigner	`str`
osParentSignature	`str`
CSPaccountname	`str`
incident	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`

edr.paloalto.cortex_xdr_agent

Field	Type	Extra fields

Field	Type	Extra fields
eventdate	`timestamp`
hostname	`str`
cefTag	`str`
cefVersion	`str`
embDeviceVendor	`str`
embDeviceProduct	`str`
deviceVersion	`str`
signatureID	`str`
name	`str`
severity	`str`
cat	`str`
cs1Label	`str`
cs1	`str`
cs2Label	`str`
cs2	`str`
cs3Label	`str`
cs3	`str`
cs4Label	`str`
cs4	`str`
dvchost	`str`
end	`timestamp`
msg	`str`
rt	`timestamp`
shost	`str`
tenantname	`str`
tenantCDLid	`str`
CSPaccountname	`str`
hostchain	`str`	✓
tag	`str`	✓
rawMessage	`str`	✓

edr.paloalto.traps

Field	Type	Extra fields

Field	Type	Extra fields
eventdate	`timestamp`
cefTag	`str`
cefVersion	`str`
embDeviceVendor	`str`
embDeviceProduct	`str`
deviceVersion	`str`
signatureID	`str`
name	`str`
severity	`str`
eventId	`str`
msg	`str`
art	`str`
deviceSeverity	`str`
rt	`timestamp`
dhost	`str`
duser	`str`
fileHash	`str`
cs2	`str`
cs3	`str`
cs5	`str`
cs2Label	`str`
cs3Label	`str`
cs5Label	`str`
ahost	`ip4`
agt	`ip4`
agentZoneURI	`str`
amac	`str`
av	`str`
atz	`str`
at	`str`
dvchost	`str`
dvc	`ip4`
deviceZoneURI	`str`
dtz	`str`
deviceProcessName	`str`
_cefVer	`str`
aid	`str`
rawMessage	`str`	✓
hostchain	`str`	✓