Palo Alto Cortex XDR

Collect logs from Palo Alto Cortex XDR with Elastic Agent.


Version	1.28.0 (View all)
Compatible Kibana version(s)	8.13.0 or higher
Supported Serverless project types What's this?	Security Observability
Subscription level What's this?	Basic
Level of support What's this?	Elastic

The PANW XDR integration collects alerts with multiple events from the Cortex XDR Alerts API and incidents from Cortex XDR Incidents API.

Logs

Alerts

The Cortex XDR Alerts API is used to retrieve alerts generated by Cortex XDR based on raw endpoint data. A single alert might include one or more local endpoint events, each event generating its own document on Elasticsearch.

The Palo Alto XDR integration requires both an API key and API key ID, both which can be retrieved from the Cortex XDR UI. See: Get Started with Cortex XDR API

An example event for alerts looks as following:

{
    "@timestamp": "2020-10-21T11:31:28.980Z",
    "agent": {
        "ephemeral_id": "d1f9377a-0b86-44ab-8ba3-2be0e35e75fc",
        "id": "6245802f-8bd9-4634-b1db-411601495ab1",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.9.0"
    },
    "data_stream": {
        "dataset": "panw_cortex_xdr.alerts",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "6245802f-8bd9-4634-b1db-411601495ab1",
        "snapshot": false,
        "version": "8.9.0"
    },
    "event": {
        "action": "BLOCKED",
        "agent_id_status": "verified",
        "category": [
            "malware"
        ],
        "created": "2020-10-21T11:31:28.980Z",
        "dataset": "panw_cortex_xdr.alerts",
        "id": "800800",
        "ingested": "2023-08-17T06:15:07Z",
        "kind": "alert",
        "original": "{\"action\":\"BLOCKED\",\"action_pretty\":\"Prevented (Blocked)\",\"agent_data_collection_status\":true,\"agent_device_domain\":null,\"agent_fqdn\":\"test\",\"agent_is_vdi\":null,\"agent_os_sub_type\":\"XP\",\"agent_os_type\":\"Windows\",\"agent_version\":\"1.2.3.4\",\"alert_id\":\"1001\",\"attempt_counter\":55,\"bioc_category_enum_key\":null,\"bioc_indicator\":null,\"category\":\"Exploit\",\"deduplicate_tokens\":null,\"description\":\"Local privilege escalation prevented\",\"detection_timestamp\":1603279888980,\"end_match_attempt_ts\":1603552062824,\"endpoint_id\":\"12345678\",\"events\":{\"action_country\":\"UNKNOWN\",\"action_external_hostname\":null,\"action_file_macro_sha256\":null,\"action_file_md5\":null,\"action_file_name\":null,\"action_file_path\":null,\"action_file_sha256\":null,\"action_local_ip\":null,\"action_local_port\":null,\"action_process_causality_id\":null,\"action_process_image_command_line\":null,\"action_process_image_name\":null,\"action_process_image_sha256\":null,\"action_process_instance_id\":null,\"action_process_signature_status\":\"N/A\",\"action_process_signature_vendor\":null,\"action_registry_data\":null,\"action_registry_full_key\":null,\"action_registry_key_name\":null,\"action_registry_value_name\":null,\"action_remote_ip\":null,\"action_remote_port\":null,\"actor_causality_id\":null,\"actor_process_causality_id\":null,\"actor_process_command_line\":\"c:\\\\tmp\\\\virus.exe\",\"actor_process_image_md5\":null,\"actor_process_image_name\":\"virus.exe\",\"actor_process_image_path\":\"c:\\\\tmp\\\\virus.exe\",\"actor_process_image_sha256\":\"133ee989293f92736301280c6f14c89d521200c17dcdcecca30cd20705332d44\",\"actor_process_instance_id\":\"1234\",\"actor_process_os_pid\":1234,\"actor_process_signature_status\":\"N/A\",\"actor_process_signature_vendor\":null,\"actor_thread_thread_id\":null,\"agent_host_boot_time\":null,\"agent_install_type\":\"NA\",\"association_strength\":null,\"causality_actor_causality_id\":null,\"causality_actor_process_command_line\":null,\"causality_actor_process_execution_time\":null,\"causality_actor_process_image_md5\":null,\"causality_actor_process_image_name\":null,\"causality_actor_process_image_path\":null,\"causality_actor_process_image_sha256\":null,\"causality_actor_process_signature_status\":\"N/A\",\"causality_actor_process_signature_vendor\":null,\"dns_query_name\":null,\"dst_action_country\":null,\"dst_action_external_hostname\":null,\"dst_action_external_port\":null,\"dst_agent_id\":null,\"dst_association_strength\":null,\"dst_causality_actor_process_execution_time\":null,\"event_id\":null,\"event_sub_type\":null,\"event_timestamp\":1603279888980,\"event_type\":\"Process Execution\",\"fw_app_category\":null,\"fw_app_id\":null,\"fw_app_subcategory\":null,\"fw_app_technology\":null,\"fw_device_name\":null,\"fw_email_recipient\":null,\"fw_email_sender\":null,\"fw_email_subject\":null,\"fw_interface_from\":null,\"fw_interface_to\":null,\"fw_is_phishing\":\"N/A\",\"fw_misc\":null,\"fw_rule\":null,\"fw_rule_id\":null,\"fw_serial_number\":null,\"fw_url_domain\":null,\"fw_vsys\":null,\"fw_xff\":null,\"module_id\":\"Privilege Escalation Protection\",\"os_actor_causality_id\":null,\"os_actor_effective_username\":null,\"os_actor_process_causality_id\":null,\"os_actor_process_command_line\":null,\"os_actor_process_image_name\":null,\"os_actor_process_image_path\":null,\"os_actor_process_image_sha256\":null,\"os_actor_process_instance_id\":null,\"os_actor_process_os_pid\":null,\"os_actor_process_signature_status\":\"N/A\",\"os_actor_process_signature_vendor\":null,\"os_actor_thread_thread_id\":null,\"story_id\":null,\"user_name\":null},\"external_id\":\"800800\",\"filter_rule_id\":null,\"host_ip\":[\"10.0.255.20\"],\"host_name\":\"Test\",\"is_whitelisted\":false,\"local_insert_ts\":1603279967500,\"mac\":null,\"mac_address\":[\"00:11:22:33:44:55\"],\"matching_service_rule_id\":null,\"matching_status\":\"FAILED\",\"mitre_tactic_id_and_name\":[\"\"],\"mitre_technique_id_and_name\":[\"\"],\"name\":\"Kernel Privilege Escalation\",\"severity\":\"high\",\"source\":\"XDR Agent\",\"starred\":false}",
        "reason": "Local privilege escalation prevented",
        "severity": 4,
        "type": [
            "info"
        ]
    },
    "host": {
        "hostname": "test",
        "id": "12345678",
        "ip": [
            "10.0.255.20"
        ],
        "name": "test",
        "os": {
            "name": "Windows",
            "version": "XP"
        }
    },
    "input": {
        "type": "httpjson"
    },
    "message": "Kernel Privilege Escalation",
    "panw_cortex": {
        "xdr": {
            "action_pretty": "Prevented (Blocked)",
            "agent_data_collection_status": true,
            "agent_version": "1.2.3.4",
            "alert_id": "1001",
            "attempt_counter": 55,
            "category": "Exploit",
            "end_match_attempt_ts": "2020-10-24T15:07:42.824Z",
            "events": {
                "actor_process_signature_status": "N/A",
                "agent_install_type": "NA",
                "event_type": "Process Execution",
                "fw_is_phishing": "N/A",
                "module_id": "Privilege Escalation Protection",
                "os_actor_process_signature_status": "N/A"
            },
            "is_whitelisted": false,
            "local_insert_ts": "2020-10-21T11:32:47.500Z",
            "mac_address": [
                "00:11:22:33:44:55"
            ],
            "matching_status": "FAILED",
            "source": "XDR Agent",
            "starred": false
        }
    },
    "process": {
        "code_signature": {
            "status": "N/A"
        },
        "command_line": "c:\\tmp\\virus.exe",
        "entity_id": "1234",
        "executable": "c:\\tmp\\virus.exe",
        "hash": {
            "sha256": "133ee989293f92736301280c6f14c89d521200c17dcdcecca30cd20705332d44"
        },
        "name": "virus.exe",
        "parent": {
            "code_signature": {
                "status": "N/A"
            }
        },
        "pid": 1234
    },
    "related": {
        "hash": [
            "133ee989293f92736301280c6f14c89d521200c17dcdcecca30cd20705332d44"
        ]
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "panw_cortex_xdr"
    ]
}

Exported fields

Field	Description	Type
@timestamp	Event timestamp.	date
cloud.image.id	Image ID for the cloud instance.	keyword
data_stream.dataset	Data stream dataset name.	constant_keyword
data_stream.namespace	Data stream namespace.	constant_keyword
data_stream.type	Data stream type.	constant_keyword
event.dataset	Event dataset	constant_keyword
event.module	Event module	constant_keyword
host.containerized	If the host is a container.	boolean
host.os.build	OS build information.	keyword
host.os.codename	OS codename, if any.	keyword
input.type	Type of Filebeat input.	keyword
log.flags	Flags for the log file.	keyword
log.offset	Offset of the entry in the log file.	long
panw_cortex.xdr.action_pretty	Pretty description of the action type.	keyword
panw_cortex.xdr.agent_data_collection_status	Collection status of the agent.	boolean
panw_cortex.xdr.agent_ip_addresses_v6	Agent ipv6 address	ip
panw_cortex.xdr.agent_is_vdi	If agent is running inside a Virtual Desktop.	keyword
panw_cortex.xdr.agent_version	Version of the XDR Endpoint agent.	keyword
panw_cortex.xdr.alert_id	The ID of the alert.	keyword
panw_cortex.xdr.alert_type	The type of the alert.	keyword
panw_cortex.xdr.attempt_counter	Attempts to block or stop the malicious process.	long
panw_cortex.xdr.bioc_category_enum_key	Behavior Indicator type key.	keyword
panw_cortex.xdr.bioc_description	A description of the related bioc event.	flattened
panw_cortex.xdr.bioc_indicator	The Behavioral Indicator type matching to the event.	keyword
panw_cortex.xdr.category	The Alert category.	keyword
panw_cortex.xdr.deduplicate_tokens		keyword
panw_cortex.xdr.description	A description of the related event.	keyword
panw_cortex.xdr.end_match_attempt_ts		date
panw_cortex.xdr.endpoint_id	The unique ID of the endpoint.	keyword
panw_cortex.xdr.events.action_country		keyword
panw_cortex.xdr.events.action_external_hostname	Any external hostname related to the specific event action.	keyword
panw_cortex.xdr.events.action_file_macro_sha256		keyword
panw_cortex.xdr.events.action_process_causality_id	The parent processor ID related to the action.	keyword
panw_cortex.xdr.events.actor_causality_id	The parent process ID of the actor process.	keyword
panw_cortex.xdr.events.actor_process_causality_id	The parent processor ID related to the actor.	keyword
panw_cortex.xdr.events.actor_process_command_line	Actor full command line.	keyword
panw_cortex.xdr.events.actor_process_image_name	Actor binary name.	keyword
panw_cortex.xdr.events.actor_process_image_sha256	SHA256 hash indentifier of the actor.	keyword
panw_cortex.xdr.events.actor_process_instance_id	The process ID related to the actor.	keyword
panw_cortex.xdr.events.actor_process_signature_status	The signature of the actor process.	keyword
panw_cortex.xdr.events.actor_process_signature_vendor	The signature vendor of the actor process.	keyword
panw_cortex.xdr.events.agent_host_boot_time	Uptime of the host.	date
panw_cortex.xdr.events.agent_install_type	Display name of the actor.	keyword
panw_cortex.xdr.events.association_strength		long
panw_cortex.xdr.events.contains_featured_host		keyword
panw_cortex.xdr.events.contains_featured_ip		keyword
panw_cortex.xdr.events.contains_featured_user		keyword
panw_cortex.xdr.events.dns_query_name	The related DNS query for the event.	keyword
panw_cortex.xdr.events.dst_action_country	The country related to the destination.	keyword
panw_cortex.xdr.events.dst_action_external_hostname	The external hostname of the destination.	keyword
panw_cortex.xdr.events.dst_action_external_port	The external (NAT) port of the destination.	keyword
panw_cortex.xdr.events.dst_agent_id	The endpoint ID of a destination agent.	keyword
panw_cortex.xdr.events.dst_association_strength		long
panw_cortex.xdr.events.dst_causality_actor_process_execution_time	The process execution time of the destination process.	keyword
panw_cortex.xdr.events.event_id	The ID unique to the underlying event related to the alert.	keyword
panw_cortex.xdr.events.event_sub_type	Sub type of the event related to the alert.	integer
panw_cortex.xdr.events.event_type	Event type	keyword
panw_cortex.xdr.events.fw_app_category	Layer 7 application category related to the firewall event.	keyword
panw_cortex.xdr.events.fw_app_id	The layer 7 application ID from the firewall event.	keyword
panw_cortex.xdr.events.fw_app_subcategory	Layer 7 application subcategory related to the firewall event.	keyword
panw_cortex.xdr.events.fw_app_technology	Layer 7 application type related to the firewall event.	keyword
panw_cortex.xdr.events.fw_device_name	Related firewall device.	keyword
panw_cortex.xdr.events.fw_email_recipient		keyword
panw_cortex.xdr.events.fw_email_sender		keyword
panw_cortex.xdr.events.fw_email_subject		keyword
panw_cortex.xdr.events.fw_is_phishing	If event is related to a phishing campaign.	keyword
panw_cortex.xdr.events.fw_misc	Additional information related to the firewall event.	keyword
panw_cortex.xdr.events.fw_url_domain	Related domain to the firewall event.	keyword
panw_cortex.xdr.events.fw_vsys	The related VSYS name if applicable.	keyword
panw_cortex.xdr.events.fw_xff		keyword
panw_cortex.xdr.events.module_id	The ID of the module that caught the event.	keyword
panw_cortex.xdr.events.os_actor_causality_id	The ID of the OS actor process	keyword
panw_cortex.xdr.events.os_actor_effective_username	Username related to the OS actor.	keyword
panw_cortex.xdr.events.os_actor_process_causality_id	The ID of the parent process related to the OS actor.	keyword
panw_cortex.xdr.events.os_actor_process_command_line	OS actor full command line example.	keyword
panw_cortex.xdr.events.os_actor_process_image_name	OS actor binary name.	keyword
panw_cortex.xdr.events.os_actor_process_image_path	OS actor binary path.	keyword
panw_cortex.xdr.events.os_actor_process_image_sha256	SHA256 hash indentifier of the OS actor process.	keyword
panw_cortex.xdr.events.os_actor_process_instance_id	The process ID related to the OS actor.	keyword
panw_cortex.xdr.events.os_actor_process_os_pid	The OS PID related to the related process.	integer
panw_cortex.xdr.events.os_actor_process_signature_status	Signature of the OS actor process.	keyword
panw_cortex.xdr.events.os_actor_process_signature_vendor	Signature vendor of the OS actor process.	keyword
panw_cortex.xdr.events.os_actor_thread_thread_id	The thread ID related to the related OS actor process.	integer
panw_cortex.xdr.events.story_id		keyword
panw_cortex.xdr.external_id	External ID related to the Alert itself.	keyword
panw_cortex.xdr.filter_rule_id	ID of the filter rule.	keyword
panw_cortex.xdr.is_pcap	If alert contains pcap.	boolean
panw_cortex.xdr.is_whitelisted	If process is whitelisted.	boolean
panw_cortex.xdr.local_insert_ts		date
panw_cortex.xdr.mac	Main MAC address of the agent.	keyword
panw_cortex.xdr.mac_address	Array of all the MAC addresses related to the agent.	keyword
panw_cortex.xdr.matching_service_rule_id		keyword
panw_cortex.xdr.matching_status	Matching status of the endpoint group.	keyword
panw_cortex.xdr.original_tags	Original tags for the asset.	keyword
panw_cortex.xdr.resolution_comment		keyword
panw_cortex.xdr.resolution_status		keyword
panw_cortex.xdr.source		keyword
panw_cortex.xdr.starred	If alert type is prioritized (starred).	boolean

Incidents

The Cortex XDR Incidents API is used to retrieve incidents generated by Cortex XDR based on raw endpoint data. A single incident might include one or more local endpoint events, each event generating its own document on Elasticsearch.

The Palo Alto XDR integration requires both an API key and API key ID, both which can be retrieved from the Cortex XDR UI. See: Get Started with Cortex XDR API

When a Cortex XDR Incident is modified in the Cortex XDR UI (e.g. severity or status changed, additional alerts linked) it will be indexed as a new document with the new values.

An example event for incidents looks as following:

{
    "@timestamp": "2023-08-14T01:20:00.230Z",
    "agent": {
        "ephemeral_id": "02205f80-afa5-4cf8-a320-018c29c153fe",
        "id": "6245802f-8bd9-4634-b1db-411601495ab1",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.9.0"
    },
    "data_stream": {
        "dataset": "panw_cortex_xdr.incidents",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.11.0"
    },
    "elastic_agent": {
        "id": "6245802f-8bd9-4634-b1db-411601495ab1",
        "snapshot": false,
        "version": "8.9.0"
    },
    "event": {
        "agent_id_status": "verified",
        "category": [
            "malware"
        ],
        "created": "2023-08-17T06:15:40.867Z",
        "dataset": "panw_cortex_xdr.incidents",
        "id": "893",
        "ingested": "2023-08-17T06:15:43Z",
        "kind": "alert",
        "original": "{\"aggregated_score\":5,\"alert_categories\":[\"Exfiltration\"],\"alert_count\":1,\"alerts_grouping_status\":\"Enabled\",\"assigned_user_mail\":null,\"assigned_user_pretty_name\":null,\"creation_time\":1691976000230,\"critical_severity_alert_count\":0,\"description\":\"'Large Upload (Generic)' generated by XDR Analytics detected on host test1234 involving user nt authority\\\\system\",\"detection_time\":null,\"high_severity_alert_count\":0,\"host_count\":1,\"hosts\":[\"test1234:b567c1a651e66999158aef5d864dad25\"],\"incident_id\":\"893\",\"incident_name\":null,\"incident_sources\":[\"XDR Analytics\"],\"low_severity_alert_count\":1,\"manual_description\":null,\"manual_score\":null,\"manual_severity\":null,\"med_severity_alert_count\":0,\"mitre_tactics_ids_and_names\":[\"TA0010 - Exfiltration\"],\"mitre_techniques_ids_and_names\":[\"T1048 - Exfiltration Over Alternative Protocol\"],\"modification_time\":1691976000230,\"notes\":null,\"original_tags\":[\"DS:PANW/XDR Agent\",\"EG:win-server-ex-ransomeware_report\",\"EG:win-server-default\"],\"predicted_score\":5,\"resolve_comment\":null,\"resolved_timestamp\":null,\"rule_based_score\":null,\"severity\":\"low\",\"starred\":false,\"status\":\"new\",\"tags\":[\"DS:PANW/XDR Agent\",\"EG:win-server-default\",\"EG:win-server-ex-ransomeware_report\"],\"user_count\":1,\"users\":[\"nt authority\\\\system\"],\"wildfire_hits\":0,\"xdr_url\":\"https://test.xdr.eu.paloaltonetworks.com/incident-view?caseId=893\"}",
        "reason": "'Large Upload (Generic)' generated by XDR Analytics detected on host test1234 involving user nt authority\\system",
        "severity": 2,
        "type": [
            "info"
        ]
    },
    "input": {
        "type": "httpjson"
    },
    "panw_cortex": {
        "xdr": {
            "aggregated_score": 5,
            "alert_categories": [
                "Exfiltration"
            ],
            "alert_count": 1,
            "alerts_grouping_status": "Enabled",
            "creation_time": "2023-08-14T01:20:00.230Z",
            "critical_severity_alert_count": 0,
            "high_severity_alert_count": 0,
            "host_count": 1,
            "hosts": [
                "test1234:b567c1a651e66999158aef5d864dad25"
            ],
            "incident_sources": [
                "XDR Analytics"
            ],
            "low_severity_alert_count": 1,
            "med_severity_alert_count": 0,
            "mitre_tactics_ids_and_names": [
                "TA0010 - Exfiltration"
            ],
            "mitre_techniques_ids_and_names": [
                "T1048 - Exfiltration Over Alternative Protocol"
            ],
            "modification_time": "2023-08-14T01:20:00.230Z",
            "original_tags": [
                "DS:PANW/XDR Agent",
                "EG:win-server-ex-ransomeware_report",
                "EG:win-server-default"
            ],
            "predicted_score": 5,
            "starred": false,
            "status": "new",
            "user_count": 1,
            "users": [
                "nt authority\\system"
            ],
            "wildfire_hits": 0,
            "xdr_url": "https://test.xdr.eu.paloaltonetworks.com/incident-view?caseId=893"
        }
    },
    "related": {
        "hosts": [
            "test1234"
        ],
        "user": [
            "system"
        ]
    },
    "tags": [
        "preserve_original_event",
        "forwarded",
        "panw_cortex_xdr",
        "DS:PANW/XDR Agent",
        "EG:win-server-default",
        "EG:win-server-ex-ransomeware_report"
    ],
    "threat": {
        "framework": "MITRE ATT&CK",
        "tactic": {
            "id": [
                "TA0010"
            ],
            "name": [
                "Exfiltration"
            ]
        },
        "technique": {
            "id": [
                "T1048"
            ],
            "name": [
                "Exfiltration Over Alternative Protocol"
            ]
        }
    }
}

Exported fields

Field	Description	Type
@timestamp	Event timestamp.	date
cloud.image.id	Image ID for the cloud instance.	keyword
data_stream.dataset	Data stream dataset name.	constant_keyword
data_stream.namespace	Data stream namespace.	constant_keyword
data_stream.type	Data stream type.	constant_keyword
event.dataset	Event dataset	constant_keyword
event.module	Event module	constant_keyword
host.containerized	If the host is a container.	boolean
host.os.build	OS build information.	keyword
host.os.codename	OS codename, if any.	keyword
input.type	Type of Filebeat input.	keyword
log.flags	Flags for the log file.	keyword
log.offset	Offset of the entry in the log file.	long
panw_cortex.xdr.aggregated_score	Aggregated incident score.	long
panw_cortex.xdr.alert_categories	Categories for alerts contained in the incident.	keyword
panw_cortex.xdr.alert_count	Count of alerts.	long
panw_cortex.xdr.alerts_grouping_status	Is alert grouping enabled for this incident.	keyword
panw_cortex.xdr.assigned_user_mail	Email for the assigned user.	keyword
panw_cortex.xdr.assigned_user_pretty_name	Pretty name for the assigned user.	keyword
panw_cortex.xdr.creation_time	Incident creation time.	date
panw_cortex.xdr.critical_severity_alert_count	Count of critical severity alerts for this incident.	long
panw_cortex.xdr.detection_time	Detection time.	flattened
panw_cortex.xdr.high_severity_alert_count	Count of high severity alerts for this incident.	long
panw_cortex.xdr.host_count	Count of hosts related to this incident.	long
panw_cortex.xdr.hosts	Host names and host ID's related to this incident.	keyword
panw_cortex.xdr.incident_id	Incident ID	keyword
panw_cortex.xdr.incident_name	Incident name	keyword
panw_cortex.xdr.incident_sources	Detection sources for this incident.	keyword
panw_cortex.xdr.low_severity_alert_count	Count of low severity alerts for this incident.	long
panw_cortex.xdr.manual_description	Manual incident description.	keyword
panw_cortex.xdr.manual_score	Manual incident score.	flattened
panw_cortex.xdr.manual_severity	Manual incident severity.	keyword
panw_cortex.xdr.med_severity_alert_count	Count of medium severity alerts for this incident.	long
panw_cortex.xdr.mitre_tactics_ids_and_names	MITRE tactic ID's and names	keyword
panw_cortex.xdr.mitre_techniques_ids_and_names	MITRE technique ID's and names	keyword
panw_cortex.xdr.modification_time	Incident modification time.	date
panw_cortex.xdr.notes	Incident notes.	keyword
panw_cortex.xdr.original_tags	Original tags for the asset.	keyword
panw_cortex.xdr.predicted_score	Predicted incident score.	long
panw_cortex.xdr.resolve_comment	Incident resolution comment.	keyword
panw_cortex.xdr.resolved_timestamp	Incident resolution timestamp.	date
panw_cortex.xdr.rule_based_score	Rule based incident score.	long
panw_cortex.xdr.starred	Starred incident.	boolean
panw_cortex.xdr.status	Incident status.	keyword
panw_cortex.xdr.user_count	Count of users related to the incident.	long
panw_cortex.xdr.users	Usernames related to the incident.	keyword
panw_cortex.xdr.wildfire_hits	Count of Wildfire hits.	long
panw_cortex.xdr.xdr_url	URL to Cortex XDR incident.	keyword

Changelog

Version	Details	Kibana version(s)
1.28.0	Enhancement View pull request Modify incident handling to match Defender for Endpoint. Change fingerprint, timestamp, and search cursor to modification_time. Add severity:critical.	8.13.0 or higher
1.27.0	Enhancement View pull request Update the kibana constraint to ^8.13.0. Modified the field definitions to remove ECS fields made redundant by the ecs@mappings component template.	8.13.0 or higher
1.26.0	Enhancement View pull request Improve handling of empty responses.	8.12.0 or higher
1.25.0	Enhancement View pull request Set sensitive values as secret.	8.12.0 or higher
1.24.2	Bug fix View pull request Clean up null handling	8.7.1 or higher
1.24.1	Enhancement View pull request Changed owners	8.7.1 or higher
1.24.0	Enhancement View pull request Limit request tracer log count to five.	8.7.1 or higher
1.23.0	Enhancement View pull request ECS version updated to 8.11.0.	8.7.1 or higher
1.22.0	Enhancement View pull request Improve 'event.original' check to avoid errors if set.	8.7.1 or higher
1.21.1	Bug fix View pull request Fix mapping of group fields	8.7.1 or higher
1.21.0	Enhancement View pull request ECS version updated to 8.10.0.	8.7.1 or higher
1.20.0	Enhancement View pull request The format_version in the package manifest changed from 2.11.0 to 3.0.0. Removed dotted YAML keys from package manifest. Added 'owner.type: elastic' to package manifest.	8.7.1 or higher
1.19.0	Enhancement View pull request Add tags.yml file so that integration's dashboards and saved searches are tagged with "Security Solution" and displayed in the Security Solution UI.	8.7.1 or higher
1.18.0	Enhancement View pull request Add incident type events	8.7.1 or higher
1.17.0	Enhancement View pull request Update package-spec to 2.9.0.	8.7.1 or higher
1.16.0	Enhancement View pull request Update package to ECS 8.9.0.	8.7.1 or higher
1.15.0	Enhancement View pull request Document SSL options	8.7.1 or higher
1.14.0	Enhancement View pull request Document duration units.	8.7.1 or higher
1.13.0	Enhancement View pull request Document valid duration units.	8.7.1 or higher
1.12.0	Enhancement View pull request Ensure event.kind is correctly set for pipeline errors.	8.7.1 or higher
1.11.0	Enhancement View pull request Update package to ECS 8.8.0.	8.7.1 or higher
1.10.0	Enhancement View pull request Lowercase host.name field	8.7.1 or higher
1.9.0	Enhancement View pull request Add a new flag to enable request tracing	8.7.1 or higher
1.8.2	Enhancement View pull request Drop empty events	7.15.0 or higher 8.0.0 or higher
1.8.1	Enhancement View pull request Map Threat ECS fields to Mitre	7.15.0 or higher 8.0.0 or higher
1.8.0	Enhancement View pull request Update package to ECS 8.7.0.	7.15.0 or higher 8.0.0 or higher
1.7.1	Enhancement View pull request Added categories and/or subcategories.	7.15.0 or higher 8.0.0 or higher
1.7.0	Enhancement View pull request Add support for Advanced security level	7.15.0 or higher 8.0.0 or higher
1.6.0	Enhancement View pull request Update package to ECS 8.6.0.	7.15.0 or higher 8.0.0 or higher
1.5.2	Bug fix View pull request Conform user fields to ECS standards.	7.15.0 or higher 8.0.0 or higher
1.5.1	Bug fix View pull request Remove duplicate fields. Bug fix View pull request Make mac addresses conform with ECS syntax.	7.15.0 or higher 8.0.0 or higher
1.5.0	Enhancement View pull request Update package to ECS 8.5.0.	7.15.0 or higher 8.0.0 or higher
1.4.2	Enhancement View pull request Use ECS geo.location definition.	7.15.0 or higher 8.0.0 or higher
1.4.1	Enhancement View pull request Bugfix on rename processors with conditionals.	7.15.0 or higher 8.0.0 or higher
1.4.0	Enhancement View pull request Update package to ECS 8.4.0	7.15.0 or higher 8.0.0 or higher
1.3.3	Bug fix View pull request Fix possible endless pagination.	7.15.0 or higher 8.0.0 or higher
1.3.2	Enhancement View pull request Update package name and description to align with standard wording	7.15.0 or higher 8.0.0 or higher
1.3.1	Bug fix View pull request Fix rate limit.	7.15.0 or higher 8.0.0 or higher
1.3.0	Enhancement View pull request Update package to ECS 8.3.0.	7.15.0 or higher 8.0.0 or higher
1.2.1	Enhancement View pull request Updated the links in the file to Palo Alto Cortex XDR documentation	7.15.0 or higher 8.0.0 or higher
1.2.0	Enhancement View pull request Update to ECS 8.2 to use new email field set.	7.15.0 or higher 8.0.0 or higher
1.1.1	Enhancement View pull request Add documentation for multi-fields	7.15.0 or higher 8.0.0 or higher
1.1.0	Enhancement View pull request Update to ECS 8.0	7.15.0 or higher 8.0.0 or higher
1.0.0	Enhancement View pull request GA integration	7.15.0 or higher 8.0.0 or higher
0.3.0	Enhancement View pull request Add 8.0.0 version constraint	—
0.2.6	Bug fix View pull request Regenerate test files using the new GeoIP database	—
0.2.5	Bug fix View pull request Change test public IPs to the supported subset	—
0.2.4	Enhancement View pull request Uniform with guidelines	—
0.2.3	Enhancement View pull request Update Title and Description.	—
0.2.2	Bug fix View pull request Fix duplicate events	—
0.2.1	Bug fix View pull request Fix logic that checks for the 'forwarded' tag	—
0.2.0	Enhancement View pull request Update to ECS 1.12.0	—
0.1.0	Enhancement View pull request initial release	—

On this page

Article navigation

Logs

Alerts

Incidents

Changelog