Palo Alto Cortex XDR

Collect logs from Palo Alto Cortex XDR with Elastic Agent.

Version
1.29.0 (View all)
Compatible Kibana version(s)
8.13.0 or higher
Supported Serverless project types

Security
Observability
Subscription level
Basic
Level of support
Elastic

The PANW XDR integration collects alerts with multiple events from the Cortex XDR Alerts API and incidents from Cortex XDR Incidents API.

Logs

Alerts

The Cortex XDR Alerts API is used to retrieve alerts generated by Cortex XDR based on raw endpoint data. A single alert might include one or more local endpoint events, each event generating its own document on Elasticsearch.

The Palo Alto XDR integration requires both an API key and API key ID, both which can be retrieved from the Cortex XDR UI. See: Get Started with Cortex XDR API

An example event for alerts looks as following:

{
    "@timestamp": "2020-10-21T11:31:28.980Z",
    "agent": {
        "ephemeral_id": "d1f9377a-0b86-44ab-8ba3-2be0e35e75fc",
        "id": "6245802f-8bd9-4634-b1db-411601495ab1",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.9.0"
    },
    "data_stream": {
        "dataset": "panw_cortex_xdr.alerts",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "6245802f-8bd9-4634-b1db-411601495ab1",
        "snapshot": false,
        "version": "8.9.0"
    },
    "event": {
        "action": "BLOCKED",
        "agent_id_status": "verified",
        "category": [
            "malware"
        ],
        "created": "2020-10-21T11:31:28.980Z",
        "dataset": "panw_cortex_xdr.alerts",
        "id": "800800",
        "ingested": "2023-08-17T06:15:07Z",
        "kind": "alert",
        "original": "{\"action\":\"BLOCKED\",\"action_pretty\":\"Prevented (Blocked)\",\"agent_data_collection_status\":true,\"agent_device_domain\":null,\"agent_fqdn\":\"test\",\"agent_is_vdi\":null,\"agent_os_sub_type\":\"XP\",\"agent_os_type\":\"Windows\",\"agent_version\":\"1.2.3.4\",\"alert_id\":\"1001\",\"attempt_counter\":55,\"bioc_category_enum_key\":null,\"bioc_indicator\":null,\"category\":\"Exploit\",\"deduplicate_tokens\":null,\"description\":\"Local privilege escalation prevented\",\"detection_timestamp\":1603279888980,\"end_match_attempt_ts\":1603552062824,\"endpoint_id\":\"12345678\",\"events\":{\"action_country\":\"UNKNOWN\",\"action_external_hostname\":null,\"action_file_macro_sha256\":null,\"action_file_md5\":null,\"action_file_name\":null,\"action_file_path\":null,\"action_file_sha256\":null,\"action_local_ip\":null,\"action_local_port\":null,\"action_process_causality_id\":null,\"action_process_image_command_line\":null,\"action_process_image_name\":null,\"action_process_image_sha256\":null,\"action_process_instance_id\":null,\"action_process_signature_status\":\"N/A\",\"action_process_signature_vendor\":null,\"action_registry_data\":null,\"action_registry_full_key\":null,\"action_registry_key_name\":null,\"action_registry_value_name\":null,\"action_remote_ip\":null,\"action_remote_port\":null,\"actor_causality_id\":null,\"actor_process_causality_id\":null,\"actor_process_command_line\":\"c:\\\\tmp\\\\virus.exe\",\"actor_process_image_md5\":null,\"actor_process_image_name\":\"virus.exe\",\"actor_process_image_path\":\"c:\\\\tmp\\\\virus.exe\",\"actor_process_image_sha256\":\"133ee989293f92736301280c6f14c89d521200c17dcdcecca30cd20705332d44\",\"actor_process_instance_id\":\"1234\",\"actor_process_os_pid\":1234,\"actor_process_signature_status\":\"N/A\",\"actor_process_signature_vendor\":null,\"actor_thread_thread_id\":null,\"agent_host_boot_time\":null,\"agent_install_type\":\"NA\",\"association_strength\":null,\"causality_actor_causality_id\":null,\"causality_actor_process_command_line\":null,\"causality_actor_process_execution_time\":null,\"causality_actor_process_image_md5\":null,\"causality_actor_process_image_name\":null,\"causality_actor_process_image_path\":null,\"causality_actor_process_image_sha256\":null,\"causality_actor_process_signature_status\":\"N/A\",\"causality_actor_process_signature_vendor\":null,\"dns_query_name\":null,\"dst_action_country\":null,\"dst_action_external_hostname\":null,\"dst_action_external_port\":null,\"dst_agent_id\":null,\"dst_association_strength\":null,\"dst_causality_actor_process_execution_time\":null,\"event_id\":null,\"event_sub_type\":null,\"event_timestamp\":1603279888980,\"event_type\":\"Process Execution\",\"fw_app_category\":null,\"fw_app_id\":null,\"fw_app_subcategory\":null,\"fw_app_technology\":null,\"fw_device_name\":null,\"fw_email_recipient\":null,\"fw_email_sender\":null,\"fw_email_subject\":null,\"fw_interface_from\":null,\"fw_interface_to\":null,\"fw_is_phishing\":\"N/A\",\"fw_misc\":null,\"fw_rule\":null,\"fw_rule_id\":null,\"fw_serial_number\":null,\"fw_url_domain\":null,\"fw_vsys\":null,\"fw_xff\":null,\"module_id\":\"Privilege Escalation Protection\",\"os_actor_causality_id\":null,\"os_actor_effective_username\":null,\"os_actor_process_causality_id\":null,\"os_actor_process_command_line\":null,\"os_actor_process_image_name\":null,\"os_actor_process_image_path\":null,\"os_actor_process_image_sha256\":null,\"os_actor_process_instance_id\":null,\"os_actor_process_os_pid\":null,\"os_actor_process_signature_status\":\"N/A\",\"os_actor_process_signature_vendor\":null,\"os_actor_thread_thread_id\":null,\"story_id\":null,\"user_name\":null},\"external_id\":\"800800\",\"filter_rule_id\":null,\"host_ip\":[\"10.0.255.20\"],\"host_name\":\"Test\",\"is_whitelisted\":false,\"local_insert_ts\":1603279967500,\"mac\":null,\"mac_address\":[\"00:11:22:33:44:55\"],\"matching_service_rule_id\":null,\"matching_status\":\"FAILED\",\"mitre_tactic_id_and_name\":[\"\"],\"mitre_technique_id_and_name\":[\"\"],\"name\":\"Kernel Privilege Escalation\",\"severity\":\"high\",\"source\":\"XDR Agent\",\"starred\":false}",
        "reason": "Local privilege escalation prevented",
        "severity": 4,
        "type": [
            "info"
        ]
    },
    "host": {
        "hostname": "test",
        "id": "12345678",
        "ip": [
            "10.0.255.20"
        ],
        "name": "test",
        "os": {
            "name": "Windows",
            "version": "XP"
        }
    },
    "input": {
        "type": "httpjson"
    },
    "message": "Kernel Privilege Escalation",
    "panw_cortex": {
        "xdr": {
            "action_pretty": "Prevented (Blocked)",
            "agent_data_collection_status": true,
            "agent_version": "1.2.3.4",
            "alert_id": "1001",
            "attempt_counter": 55,
            "category": "Exploit",
            "end_match_attempt_ts": "2020-10-24T15:07:42.824Z",
            "events": {
                "actor_process_signature_status": "N/A",
                "agent_install_type": "NA",
                "event_type": "Process Execution",
                "fw_is_phishing": "N/A",
                "module_id": "Privilege Escalation Protection",
                "os_actor_process_signature_status": "N/A"
            },
            "is_whitelisted": false,
            "local_insert_ts": "2020-10-21T11:32:47.500Z",
            "mac_address": [
                "00:11:22:33:44:55"
            ],
            "matching_status": "FAILED",
            "source": "XDR Agent",
            "starred": false
        }
    },
    "process": {
        "code_signature": {
            "status": "N/A"
        },
        "command_line": "c:\\tmp\\virus.exe",
        "entity_id": "1234",
        "executable": "c:\\tmp\\virus.exe",
        "hash": {
            "sha256": "133ee989293f92736301280c6f14c89d521200c17dcdcecca30cd20705332d44"
        },
        "name": "virus.exe",
        "parent": {
            "code_signature": {
                "status": "N/A"
            }
        },
        "pid": 1234
    },
    "related": {
        "hash": [
            "133ee989293f92736301280c6f14c89d521200c17dcdcecca30cd20705332d44"
        ]
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "panw_cortex_xdr"
    ]
}

Exported fields

FieldDescriptionType
@timestamp
Event timestamp.
date
cloud.image.id
Image ID for the cloud instance.
keyword
data_stream.dataset
Data stream dataset name.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
event.dataset
Event dataset
constant_keyword
event.module
Event module
constant_keyword
host.containerized
If the host is a container.
boolean
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
input.type
Type of Filebeat input.
keyword
log.flags
Flags for the log file.
keyword
log.offset
Offset of the entry in the log file.
long
panw_cortex.xdr.action_pretty
Pretty description of the action type.
keyword
panw_cortex.xdr.agent_data_collection_status
Collection status of the agent.
boolean
panw_cortex.xdr.agent_ip_addresses_v6
Agent ipv6 address
ip
panw_cortex.xdr.agent_is_vdi
If agent is running inside a Virtual Desktop.
keyword
panw_cortex.xdr.agent_version
Version of the XDR Endpoint agent.
keyword
panw_cortex.xdr.alert_id
The ID of the alert.
keyword
panw_cortex.xdr.alert_type
The type of the alert.
keyword
panw_cortex.xdr.attempt_counter
Attempts to block or stop the malicious process.
long
panw_cortex.xdr.bioc_category_enum_key
Behavior Indicator type key.
keyword
panw_cortex.xdr.bioc_description
A description of the related bioc event.
flattened
panw_cortex.xdr.bioc_indicator
The Behavioral Indicator type matching to the event.
keyword
panw_cortex.xdr.category
The Alert category.
keyword
panw_cortex.xdr.deduplicate_tokens
keyword
panw_cortex.xdr.description
A description of the related event.
keyword
panw_cortex.xdr.end_match_attempt_ts
date
panw_cortex.xdr.endpoint_id
The unique ID of the endpoint.
keyword
panw_cortex.xdr.events.action_country
keyword
panw_cortex.xdr.events.action_external_hostname
Any external hostname related to the specific event action.
keyword
panw_cortex.xdr.events.action_file_macro_sha256
keyword
panw_cortex.xdr.events.action_process_causality_id
The parent processor ID related to the action.
keyword
panw_cortex.xdr.events.actor_causality_id
The parent process ID of the actor process.
keyword
panw_cortex.xdr.events.actor_process_causality_id
The parent processor ID related to the actor.
keyword
panw_cortex.xdr.events.actor_process_command_line
Actor full command line.
keyword
panw_cortex.xdr.events.actor_process_image_name
Actor binary name.
keyword
panw_cortex.xdr.events.actor_process_image_sha256
SHA256 hash indentifier of the actor.
keyword
panw_cortex.xdr.events.actor_process_instance_id
The process ID related to the actor.
keyword
panw_cortex.xdr.events.actor_process_signature_status
The signature of the actor process.
keyword
panw_cortex.xdr.events.actor_process_signature_vendor
The signature vendor of the actor process.
keyword
panw_cortex.xdr.events.agent_host_boot_time
Uptime of the host.
date
panw_cortex.xdr.events.agent_install_type
Display name of the actor.
keyword
panw_cortex.xdr.events.association_strength
long
panw_cortex.xdr.events.contains_featured_host
keyword
panw_cortex.xdr.events.contains_featured_ip
keyword
panw_cortex.xdr.events.contains_featured_user
keyword
panw_cortex.xdr.events.dns_query_name
The related DNS query for the event.
keyword
panw_cortex.xdr.events.dst_action_country
The country related to the destination.
keyword
panw_cortex.xdr.events.dst_action_external_hostname
The external hostname of the destination.
keyword
panw_cortex.xdr.events.dst_action_external_port
The external (NAT) port of the destination.
keyword
panw_cortex.xdr.events.dst_agent_id
The endpoint ID of a destination agent.
keyword
panw_cortex.xdr.events.dst_association_strength
long
panw_cortex.xdr.events.dst_causality_actor_process_execution_time
The process execution time of the destination process.
keyword
panw_cortex.xdr.events.event_id
The ID unique to the underlying event related to the alert.
keyword
panw_cortex.xdr.events.event_sub_type
Sub type of the event related to the alert.
integer
panw_cortex.xdr.events.event_type
Event type
keyword
panw_cortex.xdr.events.fw_app_category
Layer 7 application category related to the firewall event.
keyword
panw_cortex.xdr.events.fw_app_id
The layer 7 application ID from the firewall event.
keyword
panw_cortex.xdr.events.fw_app_subcategory
Layer 7 application subcategory related to the firewall event.
keyword
panw_cortex.xdr.events.fw_app_technology
Layer 7 application type related to the firewall event.
keyword
panw_cortex.xdr.events.fw_device_name
Related firewall device.
keyword
panw_cortex.xdr.events.fw_email_recipient
keyword
panw_cortex.xdr.events.fw_email_sender
keyword
panw_cortex.xdr.events.fw_email_subject
keyword
panw_cortex.xdr.events.fw_is_phishing
If event is related to a phishing campaign.
keyword
panw_cortex.xdr.events.fw_misc
Additional information related to the firewall event.
keyword
panw_cortex.xdr.events.fw_url_domain
Related domain to the firewall event.
keyword
panw_cortex.xdr.events.fw_vsys
The related VSYS name if applicable.
keyword
panw_cortex.xdr.events.fw_xff
keyword
panw_cortex.xdr.events.module_id
The ID of the module that caught the event.
keyword
panw_cortex.xdr.events.os_actor_causality_id
The ID of the OS actor process
keyword
panw_cortex.xdr.events.os_actor_effective_username
Username related to the OS actor.
keyword
panw_cortex.xdr.events.os_actor_process_causality_id
The ID of the parent process related to the OS actor.
keyword
panw_cortex.xdr.events.os_actor_process_command_line
OS actor full command line example.
keyword
panw_cortex.xdr.events.os_actor_process_image_name
OS actor binary name.
keyword
panw_cortex.xdr.events.os_actor_process_image_path
OS actor binary path.
keyword
panw_cortex.xdr.events.os_actor_process_image_sha256
SHA256 hash indentifier of the OS actor process.
keyword
panw_cortex.xdr.events.os_actor_process_instance_id
The process ID related to the OS actor.
keyword
panw_cortex.xdr.events.os_actor_process_os_pid
The OS PID related to the related process.
integer
panw_cortex.xdr.events.os_actor_process_signature_status
Signature of the OS actor process.
keyword
panw_cortex.xdr.events.os_actor_process_signature_vendor
Signature vendor of the OS actor process.
keyword
panw_cortex.xdr.events.os_actor_thread_thread_id
The thread ID related to the related OS actor process.
integer
panw_cortex.xdr.events.story_id
keyword
panw_cortex.xdr.external_id
External ID related to the Alert itself.
keyword
panw_cortex.xdr.filter_rule_id
ID of the filter rule.
keyword
panw_cortex.xdr.is_pcap
If alert contains pcap.
boolean
panw_cortex.xdr.is_whitelisted
If process is whitelisted.
boolean
panw_cortex.xdr.local_insert_ts
date
panw_cortex.xdr.mac
Main MAC address of the agent.
keyword
panw_cortex.xdr.mac_address
Array of all the MAC addresses related to the agent.
keyword
panw_cortex.xdr.matching_service_rule_id
keyword
panw_cortex.xdr.matching_status
Matching status of the endpoint group.
keyword
panw_cortex.xdr.original_tags
Original tags for the asset.
keyword
panw_cortex.xdr.resolution_comment
keyword
panw_cortex.xdr.resolution_status
keyword
panw_cortex.xdr.source
keyword
panw_cortex.xdr.starred
If alert type is prioritized (starred).
boolean

Incidents

The Cortex XDR Incidents API is used to retrieve incidents generated by Cortex XDR based on raw endpoint data. A single incident might include one or more local endpoint events, each event generating its own document on Elasticsearch.

The Palo Alto XDR integration requires both an API key and API key ID, both which can be retrieved from the Cortex XDR UI. See: Get Started with Cortex XDR API

When a Cortex XDR Incident is modified in the Cortex XDR UI (e.g. severity or status changed, additional alerts linked) it will be indexed as a new document with the new values.

An example event for incidents looks as following:

{
    "@timestamp": "2023-08-14T01:20:00.230Z",
    "agent": {
        "ephemeral_id": "02205f80-afa5-4cf8-a320-018c29c153fe",
        "id": "6245802f-8bd9-4634-b1db-411601495ab1",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.9.0"
    },
    "data_stream": {
        "dataset": "panw_cortex_xdr.incidents",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "6245802f-8bd9-4634-b1db-411601495ab1",
        "snapshot": false,
        "version": "8.9.0"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "malware"
        ],
        "created": "2023-08-17T06:15:40.867Z",
        "dataset": "panw_cortex_xdr.incidents",
        "id": "893",
        "ingested": "2023-08-17T06:15:43Z",
        "kind": "alert",
        "original": "{\"aggregated_score\":5,\"alert_categories\":[\"Exfiltration\"],\"alert_count\":1,\"alerts_grouping_status\":\"Enabled\",\"assigned_user_mail\":null,\"assigned_user_pretty_name\":null,\"creation_time\":1691976000230,\"critical_severity_alert_count\":0,\"description\":\"'Large Upload (Generic)' generated by XDR Analytics detected on host test1234 involving user nt authority\\\\system\",\"detection_time\":null,\"high_severity_alert_count\":0,\"host_count\":1,\"hosts\":[\"test1234:b567c1a651e66999158aef5d864dad25\"],\"incident_id\":\"893\",\"incident_name\":null,\"incident_sources\":[\"XDR Analytics\"],\"low_severity_alert_count\":1,\"manual_description\":null,\"manual_score\":null,\"manual_severity\":null,\"med_severity_alert_count\":0,\"mitre_tactics_ids_and_names\":[\"TA0010 - Exfiltration\"],\"mitre_techniques_ids_and_names\":[\"T1048 - Exfiltration Over Alternative Protocol\"],\"modification_time\":1691976000230,\"notes\":null,\"original_tags\":[\"DS:PANW/XDR Agent\",\"EG:win-server-ex-ransomeware_report\",\"EG:win-server-default\"],\"predicted_score\":5,\"resolve_comment\":null,\"resolved_timestamp\":null,\"rule_based_score\":null,\"severity\":\"low\",\"starred\":false,\"status\":\"new\",\"tags\":[\"DS:PANW/XDR Agent\",\"EG:win-server-default\",\"EG:win-server-ex-ransomeware_report\"],\"user_count\":1,\"users\":[\"nt authority\\\\system\"],\"wildfire_hits\":0,\"xdr_url\":\"https://test.xdr.eu.paloaltonetworks.com/incident-view?caseId=893\"}",
        "reason": "'Large Upload (Generic)' generated by XDR Analytics detected on host test1234 involving user nt authority\\system",
        "severity": 2,
        "type": [
            "info"
        ]
    },
    "input": {
        "type": "httpjson"
    },
    "panw_cortex": {
        "xdr": {
            "aggregated_score": 5,
            "alert_categories": [
                "Exfiltration"
            ],
            "alert_count": 1,
            "alerts_grouping_status": "Enabled",
            "creation_time": "2023-08-14T01:20:00.230Z",
            "critical_severity_alert_count": 0,
            "high_severity_alert_count": 0,
            "host_count": 1,
            "hosts": [
                "test1234:b567c1a651e66999158aef5d864dad25"
            ],
            "incident_sources": [
                "XDR Analytics"
            ],
            "low_severity_alert_count": 1,
            "med_severity_alert_count": 0,
            "mitre_tactics_ids_and_names": [
                "TA0010 - Exfiltration"
            ],
            "mitre_techniques_ids_and_names": [
                "T1048 - Exfiltration Over Alternative Protocol"
            ],
            "modification_time": "2023-08-14T01:20:00.230Z",
            "original_tags": [
                "DS:PANW/XDR Agent",
                "EG:win-server-ex-ransomeware_report",
                "EG:win-server-default"
            ],
            "predicted_score": 5,
            "starred": false,
            "status": "new",
            "user_count": 1,
            "users": [
                "nt authority\\system"
            ],
            "wildfire_hits": 0,
            "xdr_url": "https://test.xdr.eu.paloaltonetworks.com/incident-view?caseId=893"
        }
    },
    "related": {
        "hosts": [
            "test1234"
        ],
        "user": [
            "system"
        ]
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "panw_cortex_xdr",
        "DS:PANW/XDR Agent",
        "EG:win-server-default",
        "EG:win-server-ex-ransomeware_report"
    ],
    "threat": {
        "framework": "MITRE ATT&CK",
        "tactic": {
            "id": [
                "TA0010"
            ],
            "name": [
                "Exfiltration"
            ]
        },
        "technique": {
            "id": [
                "T1048"
            ],
            "name": [
                "Exfiltration Over Alternative Protocol"
            ]
        }
    }
}

Exported fields

FieldDescriptionType
@timestamp
Event timestamp.
date
cloud.image.id
Image ID for the cloud instance.
keyword
data_stream.dataset
Data stream dataset name.
constant_keyword
data_stream.namespace
Data stream namespace.
constant_keyword
data_stream.type
Data stream type.
constant_keyword
event.dataset
Event dataset
constant_keyword
event.module
Event module
constant_keyword
host.containerized
If the host is a container.
boolean
host.os.build
OS build information.
keyword
host.os.codename
OS codename, if any.
keyword
input.type
Type of Filebeat input.
keyword
log.flags
Flags for the log file.
keyword
log.offset
Offset of the entry in the log file.
long
panw_cortex.xdr.aggregated_score
Aggregated incident score.
long
panw_cortex.xdr.alert_categories
Categories for alerts contained in the incident.
keyword
panw_cortex.xdr.alert_count
Count of alerts.
long
panw_cortex.xdr.alerts_grouping_status
Is alert grouping enabled for this incident.
keyword
panw_cortex.xdr.assigned_user_mail
Email for the assigned user.
keyword
panw_cortex.xdr.assigned_user_pretty_name
Pretty name for the assigned user.
keyword
panw_cortex.xdr.creation_time
Incident creation time.
date
panw_cortex.xdr.critical_severity_alert_count
Count of critical severity alerts for this incident.
long
panw_cortex.xdr.detection_time
Detection time.
flattened
panw_cortex.xdr.high_severity_alert_count
Count of high severity alerts for this incident.
long
panw_cortex.xdr.host_count
Count of hosts related to this incident.
long
panw_cortex.xdr.hosts
Host names and host ID's related to this incident.
keyword
panw_cortex.xdr.incident_id
Incident ID
keyword
panw_cortex.xdr.incident_name
Incident name
keyword
panw_cortex.xdr.incident_sources
Detection sources for this incident.
keyword
panw_cortex.xdr.low_severity_alert_count
Count of low severity alerts for this incident.
long
panw_cortex.xdr.manual_description
Manual incident description.
keyword
panw_cortex.xdr.manual_score
Manual incident score.
flattened
panw_cortex.xdr.manual_severity
Manual incident severity.
keyword
panw_cortex.xdr.med_severity_alert_count
Count of medium severity alerts for this incident.
long
panw_cortex.xdr.mitre_tactics_ids_and_names
MITRE tactic ID's and names
keyword
panw_cortex.xdr.mitre_techniques_ids_and_names
MITRE technique ID's and names
keyword
panw_cortex.xdr.modification_time
Incident modification time.
date
panw_cortex.xdr.notes
Incident notes.
keyword
panw_cortex.xdr.original_tags
Original tags for the asset.
keyword
panw_cortex.xdr.predicted_score
Predicted incident score.
long
panw_cortex.xdr.resolve_comment
Incident resolution comment.
keyword
panw_cortex.xdr.resolved_timestamp
Incident resolution timestamp.
date
panw_cortex.xdr.rule_based_score
Rule based incident score.
long
panw_cortex.xdr.starred
Starred incident.
boolean
panw_cortex.xdr.status
Incident status.
keyword
panw_cortex.xdr.user_count
Count of users related to the incident.
long
panw_cortex.xdr.users
Usernames related to the incident.
keyword
panw_cortex.xdr.wildfire_hits
Count of Wildfire hits.
long
panw_cortex.xdr.xdr_url
URL to Cortex XDR incident.
keyword

Changelog

VersionDetailsKibana version(s)

1.29.0

Enhancement View pull request
Use Cortex XDR SIEM ingestion time for cursor progression.

8.13.0 or higher

1.28.0

Enhancement View pull request
Modify incident handling to match Defender for Endpoint. Change fingerprint, timestamp, and search cursor to modification_time. Add severity:critical.

8.13.0 or higher

1.27.0

Enhancement View pull request
Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.

8.13.0 or higher

1.26.0

Enhancement View pull request
Improve handling of empty responses.

8.12.0 or higher

1.25.0

Enhancement View pull request
Set sensitive values as secret.

8.12.0 or higher

1.24.2

Bug fix View pull request
Clean up null handling

8.7.1 or higher

1.24.1

Enhancement View pull request
Changed owners

8.7.1 or higher

1.24.0

Enhancement View pull request
Limit request tracer log count to five.

8.7.1 or higher

1.23.0

Enhancement View pull request
ECS version updated to 8.11.0.

8.7.1 or higher

1.22.0

Enhancement View pull request
Improve 'event.original' check to avoid errors if set.

8.7.1 or higher

1.21.1

Bug fix View pull request
Fix mapping of group fields

8.7.1 or higher

1.21.0

Enhancement View pull request
ECS version updated to 8.10.0.

8.7.1 or higher

1.20.0

Enhancement View pull request
The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest.

8.7.1 or higher

1.19.0

Enhancement View pull request
Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.

8.7.1 or higher

1.18.0

Enhancement View pull request
Add incident type events

8.7.1 or higher

1.17.0

Enhancement View pull request
Update package-spec to 2.9.0.

8.7.1 or higher

1.16.0

Enhancement View pull request
Update package to ECS 8.9.0.

8.7.1 or higher

1.15.0

Enhancement View pull request
Document SSL options

8.7.1 or higher

1.14.0

Enhancement View pull request
Document duration units.

8.7.1 or higher

1.13.0

Enhancement View pull request
Document valid duration units.

8.7.1 or higher

1.12.0

Enhancement View pull request
Ensure event.kind is correctly set for pipeline errors.

8.7.1 or higher

1.11.0

Enhancement View pull request
Update package to ECS 8.8.0.

8.7.1 or higher

1.10.0

Enhancement View pull request
Lowercase host.name field

8.7.1 or higher

1.9.0

Enhancement View pull request
Add a new flag to enable request tracing

8.7.1 or higher

1.8.2

Enhancement View pull request
Drop empty events

7.15.0 or higher
8.0.0 or higher

1.8.1

Enhancement View pull request
Map Threat ECS fields to Mitre

7.15.0 or higher
8.0.0 or higher

1.8.0

Enhancement View pull request
Update package to ECS 8.7.0.

7.15.0 or higher
8.0.0 or higher

1.7.1

Enhancement View pull request
Added categories and/or subcategories.

7.15.0 or higher
8.0.0 or higher

1.7.0

Enhancement View pull request
Add support for Advanced security level

7.15.0 or higher
8.0.0 or higher

1.6.0

Enhancement View pull request
Update package to ECS 8.6.0.

7.15.0 or higher
8.0.0 or higher

1.5.2

Bug fix View pull request
Conform user fields to ECS standards.

7.15.0 or higher
8.0.0 or higher

1.5.1

Bug fix View pull request
Remove duplicate fields.

Bug fix View pull request
Make mac addresses conform with ECS syntax.

7.15.0 or higher
8.0.0 or higher

1.5.0

Enhancement View pull request
Update package to ECS 8.5.0.

7.15.0 or higher
8.0.0 or higher

1.4.2

Enhancement View pull request
Use ECS geo.location definition.

7.15.0 or higher
8.0.0 or higher

1.4.1

Enhancement View pull request
Bugfix on rename processors with conditionals.

7.15.0 or higher
8.0.0 or higher

1.4.0

Enhancement View pull request
Update package to ECS 8.4.0

7.15.0 or higher
8.0.0 or higher

1.3.3

Bug fix View pull request
Fix possible endless pagination.

7.15.0 or higher
8.0.0 or higher

1.3.2

Enhancement View pull request
Update package name and description to align with standard wording

7.15.0 or higher
8.0.0 or higher

1.3.1

Bug fix View pull request
Fix rate limit.

7.15.0 or higher
8.0.0 or higher

1.3.0

Enhancement View pull request
Update package to ECS 8.3.0.

7.15.0 or higher
8.0.0 or higher

1.2.1

Enhancement View pull request
Updated the links in the file to Palo Alto Cortex XDR documentation

7.15.0 or higher
8.0.0 or higher

1.2.0

Enhancement View pull request
Update to ECS 8.2 to use new email field set.

7.15.0 or higher
8.0.0 or higher

1.1.1

Enhancement View pull request
Add documentation for multi-fields

7.15.0 or higher
8.0.0 or higher

1.1.0

Enhancement View pull request
Update to ECS 8.0

7.15.0 or higher
8.0.0 or higher

1.0.0

Enhancement View pull request
GA integration

7.15.0 or higher
8.0.0 or higher

0.3.0

Enhancement View pull request
Add 8.0.0 version constraint

0.2.6

Bug fix View pull request
Regenerate test files using the new GeoIP database

0.2.5

Bug fix View pull request
Change test public IPs to the supported subset

0.2.4

Enhancement View pull request
Uniform with guidelines

0.2.3

Enhancement View pull request
Update Title and Description.

0.2.2

Bug fix View pull request
Fix duplicate events

0.2.1

Bug fix View pull request
Fix logic that checks for the 'forwarded' tag

0.2.0

Enhancement View pull request
Update to ECS 1.12.0

0.1.0

Enhancement View pull request
initial release

On this page