Connect this data source on your own, using the Hunters platform.
TL;DR
Supported data types | 3rd party detection | Hunters detection | IOC search | Search | Table name | Log format | Collection method
---|---|---|---|---|---|---|---
PAN EDR Raw Logs | ✅ | ✅ | | | pan_edr_raw_logs | NDJSON | GCP
Cortex XDR Alerts | ✅ | ✅ | | | pan_cortex_xdr_alerts | NDJSON | API
Cortex XDR Endpoints | ✅ | | | | pan_cortex_xdr_endpoints | NDJSON | API
Overview
This article explains how to connect your Palo Alto Networks (PAN) Cortex XDR to Hunters.
PAN Cortex XDR is a detection and response platform that operates across network, endpoint, and cloud environments, offering enhanced visibility and security.
Integrating PAN Cortex XDR into Hunters allows the collection and ingestion of key data types into the data lake. Furthermore, alerts will be created over the logs, auto-investigated, and correlated to other related signals.
Supported data types
PAN EDR Raw Logs
Overview
Table name: pan_edr_raw_logs
PAN EDR Raw Logs are unfiltered, detailed records generated by Palo Alto Networks' Endpoint Detection and Response (EDR) solution. These logs capture endpoint activities, including process executions, file modifications, network connections, and security events, providing deep visibility into potential threats and anomalies. Security teams use these raw logs for threat hunting, forensic investigations, and real-time monitoring to detect and respond to advanced cyber threats. By analyzing PAN EDR Raw Logs, organizations can identify suspicious behavior, track attack patterns, and strengthen their overall endpoint security posture.
Send data to Hunters
PAN EDR Raw Logs are automatically exported by Palo Alto to a GCP bucket, as detailed in this document.
⚠️ PAN EDR Licensing
This feature requires a Cortex XDR Pro license and an Event Forwarding add-on license. Only Administrators have access to this screen.
To connect PAN EDR raw logs:
Set up and validate the routing of logs to GCP.
Once done, follow the instructions on this guide to connect your GCP bucket to Hunters.
📘 Note
When performing the last part of the process (Provide information to Hunters), follow these steps:
Navigate to Data > Data Sources, and then click + Connect Data Sources.
Search for Palo Alto Networks and click Connect.
From the side-menu, click + More Integrations and then select Palo Alto Cortex XDR via GCP Bucket.
📘 Note
When setting up the connection on the Hunters platform, in the Bucket name field insert the Storage path provided in the Cortex console, without the gs:// prefix. For example, if the storage path value on your Cortex console is:
gs://xdr-de-abcdefghijk-event-forwarding
then you should enter
xdr-de-abcdefghijk-event-forwarding
into the Bucket name field on the Hunters portal.
Expected format
Logs are expected in JSON format.
{"event_type":1,"event_sub_type":2,"event_version":25,"event_timestamp":1660662314528,"event_id":"AAABgqcv9ZRZr+/HANrN9A==","os_actor_process_instance_id":"AQAAAAEAAAC3O+zlReYFAA==","os_actor_thread_thread_id":1,"action_process_os_pid":88021,"action_process_user_sid":"0","action_process_username":"root","action_process_instance_id":"1VcBAKtfHQB//VYTXeYFAA==","action_process_termination_date":1660662314528,"action_process_instance_execution_time":1660662314508,"action_process_termination_code":0,"os_actor_process_image_path":"/sbin/launchd","os_actor_process_image_name":"launchd","os_actor_process_command_line":"/sbin/launchd","os_actor_process_signature_status":1,"os_actor_process_image_md5":"0bb29b60e255ff4dbfbf80351511558e","os_actor_process_image_sha256":"69dcc2d68a8a6c8902630e3eeb884131c120f4b7d21b86642dd5fd52740b4c12","os_actor_process_logon_id":"18446744073709551615","os_actor_process_os_pid":1,"os_actor_primary_user_sid":"0","os_actor_primary_username":"root","uuid":"AAABgqcv9ZRZr+/HANrN9A==","agent_content_version":"640-99708","agent_hostname":"SCRAMC02ZG0M2LVDM","agent_os_sub_type":"OS X 12.5.0","agent_os_type":2,"agent_version":"7.7.2.2362","agent_id":"b1638e85b7ac4117a036be03c55ab1c2","agent_ip_addresses":"100.113.15.104,192.168.1.40","agent_ip_addresses_v6":"fd7a:115c:a1e0:ab12:4843:cd96:6271:f68"}
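The following is an added example (not Hunters' or Palo Alto's code) that shows what an ingestion step for this data type has to do with the NDJSON above: derive the Bucket name value from the Cortex Storage path, read the bucket contents line by line, reject malformed or incomplete lines without stopping the batch, and normalize the fields a detection or IOC search keys on (epoch milliseconds to ISO-8601 UTC, the comma-separated IP list to a real list, hashes lower-cased). The input is a constructed three-line NDJSON string modelled on the sample record; the `REQUIRED` key set and the output field names are this example's own choices, not Hunters' schema.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed NDJSON input (not a real export): line 1 is a trimmed copy of the
# sample record in this article with the SHA-256 upper-cased to show normalization,
# line 2 is corrupt, line 3 lacks required keys.
SAMPLE_NDJSON = "\n".join([
    json.dumps({
        "event_type": 1, "event_sub_type": 2, "event_timestamp": 1660662314528,
        "event_id": "AAABgqcv9ZRZr+/HANrN9A==",
        "action_process_os_pid": 88021, "action_process_username": "root",
        "os_actor_process_image_path": "/sbin/launchd",
        "os_actor_process_image_sha256": "69DCC2D68A8A6C8902630E3EEB884131C120F4B7D21B86642DD5FD52740B4C12",
        "agent_hostname": "SCRAMC02ZG0M2LVDM", "agent_id": "b1638e85b7ac4117a036be03c55ab1c2",
        "agent_ip_addresses": "100.113.15.104,192.168.1.40",
        "agent_ip_addresses_v6": "fd7a:115c:a1e0:ab12:4843:cd96:6271:f68",
    }),
    "this line is not json",
    json.dumps({"event_type": 3}),
])

# Keys this example insists on before an event is accepted (an assumption, not Hunters' schema).
REQUIRED = ("event_timestamp", "event_id", "agent_id", "agent_hostname")


def bucket_name_from_storage_path(storage_path: str) -> str:
    """Value for the Hunters 'Bucket name' field: the Cortex Storage path without
    its gs:// prefix and without a trailing slash."""
    path = storage_path.strip()
    if path.startswith("gs://"):
        path = path[len("gs://"):]
    return path.rstrip("/")


def normalize_event(raw: dict) -> dict:
    """Flatten one raw EDR event into the fields a detection or search would key on.
    Epoch milliseconds become ISO-8601 UTC, the comma-separated IP strings become
    lists, and the hash is lower-cased so joins against IOC lists are stable."""
    ms = int(raw["event_timestamp"])
    ts = datetime.fromtimestamp(ms // 1000, tz=timezone.utc) + timedelta(milliseconds=ms % 1000)
    ipv4 = [ip for ip in (raw.get("agent_ip_addresses") or "").split(",") if ip]
    ipv6 = [ip for ip in (raw.get("agent_ip_addresses_v6") or "").split(",") if ip]
    return {
        "event_id": raw["event_id"],
        "event_time": ts.isoformat(timespec="milliseconds"),
        "event_type": raw.get("event_type"),
        "host": raw["agent_hostname"],
        "agent_id": raw["agent_id"],
        "agent_ips": ipv4 + ipv6,
        "user": raw.get("action_process_username"),
        "pid": raw.get("action_process_os_pid"),
        "parent_image": raw.get("os_actor_process_image_path"),
        "parent_sha256": (raw.get("os_actor_process_image_sha256") or "").lower() or None,
    }


def parse_ndjson(text: str):
    """Return (good, bad): good holds (line_no, normalized_event), bad holds
    (line_no, reason). One malformed line must not stop ingestion of the rest."""
    good, bad = [], []
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        try:
            raw = json.loads(line)
            if not isinstance(raw, dict):
                raise TypeError("top-level value is not an object")
            missing = [k for k in REQUIRED if k not in raw]
            if missing:
                raise KeyError(f"missing {missing}")
            good.append((n, normalize_event(raw)))
        except (ValueError, KeyError, TypeError) as exc:
            bad.append((n, f"{type(exc).__name__}: {exc}"))
    return good, bad


if __name__ == "__main__":
    print(bucket_name_from_storage_path("gs://xdr-de-abcdefghijk-event-forwarding"))
    events, errors = parse_ndjson(SAMPLE_NDJSON)
    for _, event in events:
        print(event)
    for n, reason in errors:
        print(f"line {n} rejected: {reason}")
```

Rejected lines are returned rather than raised so the caller can count them per file; a sudden rise in that count is the earliest sign that the forwarding format changed on the Cortex side.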
Cortex XDR Alerts
Overview
Table name: pan_cortex_xdr_alerts
Cortex XDR Alerts are security notifications generated by Palo Alto Networks' Cortex XDR platform to detect and respond to advanced threats across endpoints, networks, and cloud environments. These alerts provide detailed insights into suspicious activities, including behavioral anomalies, malware infections, and exploit attempts. By correlating data from multiple sources, Cortex XDR enhances threat detection and reduces false positives, enabling security teams to investigate and mitigate incidents more effectively. With real-time visibility and automated response capabilities, Cortex XDR Alerts help organizations strengthen their security posture and prevent cyberattacks.
Send data to Hunters
Hunters supports the collection of Cortex XDR Alerts using API.
To connect Cortex XDR Alerts:
Follow these guidelines to acquire the following API details from PAN Cortex XDR:
Host - your account's host URL (without http://). For example: api-{fqdn}
API key ID
API key
📘 Note
When generating API keys, make sure you select the Viewer role.
Navigate to Data > Data Sources, and then click + Connect Data Sources.
Search for Palo Alto Networks and click Connect.
From the side-menu, click + More Integrations and then select Palo Alto Cortex API.
Provide the information you’ve acquired from PAN Cortex XDR and complete the connection process.
📘 Note
Hunters uses the Advanced Authentication provided by PAN.
Expected format
Logs are expected in JSON format.
{"external_id": "83445324b2483445324b2483445324b24", "severity": "high", "matching_status": "MATCHED", "end_match_attempt_ts": null, "local_insert_ts": 1690451639692, "last_modified_ts": 1690457236999, "bioc_indicator": null, "matching_service_rule_id": null, "attempt_counter": 0, "bioc_category_enum_key": null, "case_id": 2, "is_whitelisted": false, "starred": false, "deduplicate_tokens": null, "filter_rule_id": null, "mitre_technique_id_and_name": ["T1070.001 - Indicator Removal: Clear Windows Event Logs", "T1112 - Modify Registry"], "mitre_tactic_id_and_name": ["TA0005 - Defense Evasion"], "agent_version": "8.0.1.33809", "agent_ip_addresses_v6": null, "agent_device_domain": "WORKGROUP", "agent_fqdn": "TEST-XDR-TEST.WORKGROUP", "agent_os_type": "Windows", "agent_os_sub_type": "10.0.19045", "agent_data_collection_status": true, "agent_is_vdi": 0, "agent_install_type": "STANDARD", "agent_host_boot_time": [0], "event_sub_type": null, "module_id": ["Behavioral Threat Protection"], "association_strength": [50], "dst_association_strength": null, "story_id": null, "event_id": null, "event_type": ["Process Execution"], "event_timestamp": [1690451634995], "actor_process_instance_id": ["Adm6O8UhrZ8AABMwAAAAAA=="], "actor_process_image_path": ["C:\\Windows\\regedit.exe"], "actor_process_image_name": ["regedit.exe"], "actor_process_command_line": ["\"C:\\Windows\\regedit.exe\" "], "actor_process_signature_status": ["Signed"], "actor_process_signature_vendor": ["Microsoft Corporation"], "actor_process_image_sha256": ["92f24fed2ba2927173aad58981f6e0643c6b89815b117e8a7c4a0988ac918170"], "actor_process_image_md5": ["999a30979f6195bf562068639ffc4426"], "actor_process_causality_id": ["Adm6O8UhrZ8AABMwAAAAAA=="], "actor_causality_id": null, "actor_process_os_pid": [4912], "actor_thread_thread_id": null, "causality_actor_process_image_name": ["regedit.exe"], "causality_actor_process_command_line": ["\"C:\\Windows\\regedit.exe\" "], "causality_actor_process_image_path": ["C:\\Windows\\regedit.exe"], "causality_actor_process_signature_vendor": ["Microsoft Corporation"], "causality_actor_process_signature_status": ["Signed"], "causality_actor_causality_id": ["Adm6O8UhrZ8AABMwAAAAAA=="], "causality_actor_process_execution_time": [1689769385728], "causality_actor_process_image_md5": null, "causality_actor_process_image_sha256": ["92f24fed2ba2927173aad58981f6e0643c6b89815b117e8a7c4a0988ac918170"], "action_file_path": null, "action_file_name": null, "action_file_md5": null, "action_file_sha256": null, "action_file_macro_sha256": null, "action_registry_data": null, "action_registry_key_name": null, "action_registry_value_name": null, "action_registry_full_key": null, "action_local_ip": null, "action_local_ip_v6": null, "action_local_port": null, "action_remote_ip": null, "action_remote_ip_v6": null, "action_remote_port": null, "action_external_hostname": null, "action_country": ["UNKNOWN"], "action_process_instance_id": null, "action_process_causality_id": null, "action_process_image_name": null, "action_process_image_sha256": null, "action_process_image_command_line": null, "action_process_signature_status": ["N/A"], "action_process_signature_vendor": null, "os_actor_effective_username": null, "os_actor_process_instance_id": null, "os_actor_process_image_path": null, "os_actor_process_image_name": null, "os_actor_process_command_line": null, "os_actor_process_signature_status": ["N/A"], "os_actor_process_signature_vendor": null, "os_actor_process_image_sha256": null, "os_actor_process_causality_id": null, "os_actor_causality_id": null, "os_actor_process_os_pid": null, "os_actor_thread_thread_id": [3584], "fw_app_id": null, "fw_interface_from": null, "fw_interface_to": null, "fw_rule": null, "fw_rule_id": null, "fw_device_name": null, "fw_serial_number": null, "fw_url_domain": null, "fw_email_subject": null, "fw_email_sender": null, "fw_email_recipient": null, "fw_app_subcategory": null, "fw_app_category": null, "fw_app_technology": null, "fw_vsys": null, "fw_xff": null, "fw_misc": null, "fw_is_phishing": ["N/A"], "dst_agent_id": null, "dst_causality_actor_process_execution_time": null, "dns_query_name": null, "dst_action_external_hostname": null, "dst_action_country": null, "dst_action_external_port": null, "is_pcap": false, "contains_featured_host": ["NO"], "contains_featured_user": ["NO"], "contains_featured_ip": ["NO"], "image_name": null, "container_id": null, "cluster_name": null, "referenced_resource": null, "operation_name": null, "identity_sub_type": null, "identity_type": null, "project": null, "cloud_provider": null, "resource_type": null, "resource_sub_type": null, "user_agent": null, "alert_type": "Unclassified", "resolution_status": "STATUS_080_RESOLVED_AUTO", "resolution_comment": "resolve as part of incident 2", "dynamic_fields": null, "tags": ["DS:PANW/XDR Agent"], "malicious_urls": null, "alert_id": "4", "detection_timestamp": 1690451634995, "name": "SYNC - Tampering Attempt - 2580961812", "category": "Malware", "endpoint_id": "a3b79c7a3b79c7a3b79c7a3b79c7", "description": "Tampering attempt of the XDR agent", "host_ip": ["192.1.1.2"], "host_name": "TEST-XDR-TEST", "action": "BLOCKED", "original_tags": ["DS:PANW/XDR Agent"], "user_name": ["N/A\\John XDR Test"], "mac_addresses": "eb:40:9d:eb:40:9d", "source": null, "action_pretty": "Prevented (Blocked)"}
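As an added example (not Hunters' or Palo Alto's code), the block below shows the two things worth noticing about the alert record above when it is correlated with other signals: per-event attributes arrive as lists even when the alert covers one event, and the MITRE fields pack the identifier and the name into one "ID - Name" string that has to be split before you can group by technique. The input is a constructed, trimmed copy of the sample alert; the severity ranking, the `correlation_key` choice and the `needs_analyst` rule are this example's own illustrative logic, not Hunters' auto-investigation.

```python
import json
import re

# Constructed alert: a trimmed copy of the sample record in this article. The real
# API record carries many more (mostly null) fields that are omitted here.
SAMPLE_ALERT = json.loads(r'''
{"external_id": "83445324b2483445324b2483445324b24", "severity": "high",
 "matching_status": "MATCHED", "case_id": 2, "is_whitelisted": false,
 "mitre_technique_id_and_name": ["T1070.001 - Indicator Removal: Clear Windows Event Logs", "T1112 - Modify Registry"],
 "mitre_tactic_id_and_name": ["TA0005 - Defense Evasion"],
 "agent_os_type": "Windows", "event_type": ["Process Execution"], "event_timestamp": [1690451634995],
 "actor_process_image_path": ["C:\\Windows\\regedit.exe"], "actor_process_image_name": ["regedit.exe"],
 "actor_process_command_line": ["\"C:\\Windows\\regedit.exe\" "],
 "actor_process_signature_status": ["Signed"], "actor_process_signature_vendor": ["Microsoft Corporation"],
 "actor_process_image_sha256": ["92f24fed2ba2927173aad58981f6e0643c6b89815b117e8a7c4a0988ac918170"],
 "actor_process_os_pid": [4912], "alert_type": "Unclassified",
 "resolution_status": "STATUS_080_RESOLVED_AUTO", "alert_id": "4", "detection_timestamp": 1690451634995,
 "name": "SYNC - Tampering Attempt - 2580961812", "category": "Malware",
 "endpoint_id": "a3b79c7a3b79c7a3b79c7a3b79c7", "description": "Tampering attempt of the XDR agent",
 "host_ip": ["192.1.1.2"], "host_name": "TEST-XDR-TEST", "action": "BLOCKED",
 "user_name": ["N/A\\John XDR Test"], "action_pretty": "Prevented (Blocked)"}
''')

# "T1070.001 - Name" / "TA0005 - Name" as seen in the sample; sub-technique suffix optional.
MITRE_RE = re.compile(r"^(T\d{4}(?:\.\d{3})?|TA\d{4}) - (.+)$")

# Ranking used by this example for ordering; an assumption, not a Cortex enum.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def split_mitre(entries):
    """Split 'ID - Name' strings into (id, name) pairs. Entries that do not match the
    expected shape are kept with id=None so nothing is silently dropped."""
    out = []
    for entry in entries or []:
        m = MITRE_RE.match(entry)
        out.append((m.group(1), m.group(2)) if m else (None, entry))
    return out


def first(values):
    """Per-event attributes are lists in the alert record; take the first element."""
    if isinstance(values, list):
        return values[0] if values else None
    return values


def summarize_alert(alert: dict) -> dict:
    """Reduce one alert record to the fields correlation and triage key on."""
    techniques = split_mitre(alert.get("mitre_technique_id_and_name"))
    tactics = split_mitre(alert.get("mitre_tactic_id_and_name"))
    action = (alert.get("action") or "").upper()
    pretty = alert.get("action_pretty") or ""
    return {
        "alert_id": alert.get("alert_id"),
        "external_id": alert.get("external_id"),
        "detected_at_ms": alert.get("detection_timestamp"),
        "host": alert.get("host_name"),
        "endpoint_id": alert.get("endpoint_id"),
        "severity": alert.get("severity"),
        "severity_rank": SEVERITY_RANK.get((alert.get("severity") or "").lower(), -1),
        "technique_ids": [tid for tid, _ in techniques if tid],
        "tactic_ids": [tid for tid, _ in tactics if tid],
        "process_path": first(alert.get("actor_process_image_path")),
        "process_sha256": (first(alert.get("actor_process_image_sha256")) or "").lower() or None,
        "prevented": action == "BLOCKED" or pretty.startswith("Prevented"),
        "auto_resolved": (alert.get("resolution_status") or "").endswith("RESOLVED_AUTO"),
        "whitelisted": bool(alert.get("is_whitelisted")),
    }


def correlation_key(summary: dict):
    """Group alerts about the same binary on the same endpoint (example choice)."""
    return (summary["endpoint_id"], summary["process_sha256"])


def needs_analyst(summary: dict) -> bool:
    """Illustrative rule: medium-or-higher alerts that were only detected, not
    prevented, and were neither auto-resolved nor whitelisted go to a human first."""
    return (summary["severity_rank"] >= SEVERITY_RANK["medium"]
            and not summary["prevented"]
            and not summary["auto_resolved"]
            and not summary["whitelisted"])


if __name__ == "__main__":
    s = summarize_alert(SAMPLE_ALERT)
    print(json.dumps(s, indent=2))
    print("correlation key:", correlation_key(s), "needs analyst:", needs_analyst(s))
```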
Cortex XDR Endpoints
Overview
Table name: pan_cortex_xdr_endpoints
Cortex XDR Endpoints refer to the endpoint protection capabilities within Palo Alto Networks' Cortex XDR platform. These endpoints are monitored and secured using advanced threat detection, behavioral analysis, and AI-driven prevention techniques. Cortex XDR collects and correlates endpoint data with network and cloud telemetry to identify and mitigate sophisticated cyber threats. It provides real-time visibility, automated response actions, and forensic insights to help security teams detect and stop malware, exploits, and other endpoint-based attacks. By leveraging machine learning and analytics, Cortex XDR ensures proactive protection and a stronger security posture for organizations.
Send data to Hunters
Hunters supports the collection of PAN XDR endpoint logs using API.
To connect PAN XDR endpoint logs:
Follow these guidelines to acquire the following API details from PAN Cortex XDR:
Host - your account's host URL (without http://). For example: api-{fqdn}
API key ID
API key
📘 Note
When generating API keys, make sure you select the Viewer role.
Navigate to Data > Data Sources, and then click + Connect Data Sources.
Search for Palo Alto Networks and click Connect.
From the side-menu, click + More Integrations and then select Palo Alto Cortex API.
Provide the information you’ve acquired from PAN Cortex XDR and complete the connection process.
📘 Note
Hunters uses the Advanced Authentication provided by PAN.
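Both the alerts and the endpoints collection above rely on PAN's Advanced API key security. The added example below (not Hunters' collector and not Palo Alto's code) shows what that means for the credential you generate: the request never carries the API key itself, only a SHA-256 of key + nonce + timestamp together with the nonce and timestamp, so a captured request cannot reveal the key and becomes useless once the timestamp ages out. The header names, the `api-{fqdn}` host form and the `/public_api/v1/...` paths follow Palo Alto's public API reference as I know it; the `creation_time` filter, the page sizes and the `verify_advanced_auth` model of the server-side check are this example's assumptions and should be checked against your tenant's API documentation.

```python
import hashlib
import json
import secrets
import string
import time
import urllib.request


def build_advanced_auth_headers(api_key_id, api_key, nonce=None, timestamp_ms=None):
    """Headers for an Advanced-security Cortex XDR API key. `nonce` and `timestamp_ms`
    are parameters only so the result can be reproduced in a test; normally leave them
    None so each request gets a fresh 64-character nonce and the current time."""
    alphabet = string.ascii_letters + string.digits
    nonce = nonce or "".join(secrets.choice(alphabet) for _ in range(64))
    if timestamp_ms is None:
        timestamp_ms = int(time.time()) * 1000
    digest = hashlib.sha256(f"{api_key}{nonce}{timestamp_ms}".encode("utf-8")).hexdigest()
    return {
        "x-xdr-timestamp": str(timestamp_ms),
        "x-xdr-nonce": nonce,
        "x-xdr-auth-id": str(api_key_id),
        "Authorization": digest,
        "Content-Type": "application/json",
    }


def verify_advanced_auth(headers, api_key, now_ms=None, max_skew_ms=5 * 60 * 1000):
    """Model of what the receiving side has to check (this example's assumption, not
    PAN's implementation): the digest must match for this nonce and timestamp, and the
    timestamp must be recent, otherwise a replayed request would still authenticate."""
    now_ms = int(time.time()) * 1000 if now_ms is None else now_ms
    try:
        ts = int(headers["x-xdr-timestamp"])
    except (KeyError, ValueError):
        return False
    if abs(now_ms - ts) > max_skew_ms:
        return False
    nonce = headers.get("x-xdr-nonce", "")
    expected = hashlib.sha256(f"{api_key}{nonce}{ts}".encode("utf-8")).hexdigest()
    return secrets.compare_digest(expected, headers.get("Authorization", ""))


def alerts_request(host, api_key_id, api_key, since_ms, search_from=0, page_size=100):
    """(url, headers, body) for one page of alerts created at or after since_ms.
    `host` is the value from the connection form: api-{fqdn}, no scheme."""
    url = f"https://{host}/public_api/v1/alerts/get_alerts_multi/"
    body = {"request_data": {
        "filters": [{"field": "creation_time", "operator": "gte", "value": since_ms}],
        "search_from": search_from,
        "search_to": search_from + page_size,
        "sort": {"field": "creation_time", "keyword": "asc"},
    }}
    return url, build_advanced_auth_headers(api_key_id, api_key), body


def endpoints_request(host, api_key_id, api_key, search_from=0, page_size=100):
    """(url, headers, body) for one page of the endpoint inventory."""
    url = f"https://{host}/public_api/v1/endpoints/get_endpoint/"
    body = {"request_data": {"search_from": search_from, "search_to": search_from + page_size}}
    return url, build_advanced_auth_headers(api_key_id, api_key), body


def post(url, headers, body, timeout=30):
    """Send one request. Not executed in this example: it needs a real tenant and key."""
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder host and key: replace with the values from your Cortex console.
    url, headers, body = alerts_request("api-{fqdn}", 1, "REPLACE_WITH_API_KEY", since_ms=0)
    print(url)
    print({k: v for k, v in headers.items() if k != "Authorization"})
    print(json.dumps(body, indent=2))
```

Because the digest binds the nonce and timestamp, rotating the key on the Cortex side invalidates every collector that still holds the old value at the next request; keep the key ID and the key in the same secret so they are rotated together, and keep the role at Viewer as the note above says, since the collector only ever reads.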
Expected format
Logs are expected in JSON format.
{"last_seen": 1690982705751, "users": [], "agent_status": "DISCONNECTED", "operational_status": "PROTECTED", "tags": {"server_tags": [], "endpoint_tags": []}, "host_name": "WIN-DDDDDDDD", "agent_id": "3080ed3080ed3080ed3080ed", "agent_type": "Server", "ip": ["192.1.1.4"]}