Palo Alto Cortex XDR Integration
editPalo Alto Cortex XDR Integration
editVersion |
1.31.0 (View all) |
Compatible Kibana version(s) |
8.13.0 or higher |
Supported Serverless project types |
Security |
Subscription level |
Basic |
Level of support |
Elastic |
The PANW XDR integration collects alerts with multiple events from the Cortex XDR Alerts API and incidents from Cortex XDR Incidents API.
Logs
editAlerts
editThe Cortex XDR Alerts API is used to retrieve alerts generated by Cortex XDR based on raw endpoint data. A single alert might include one or more local endpoint events, each event generating its own document on Elasticsearch.
The Palo Alto XDR integration requires both an API key and API key ID, both which can be retrieved from the Cortex XDR UI. See: Get Started with Cortex XDR API
Example
An example event for alerts looks as following:
{
"@timestamp": "2020-10-21T11:31:28.980Z",
"agent": {
"ephemeral_id": "d1f9377a-0b86-44ab-8ba3-2be0e35e75fc",
"id": "6245802f-8bd9-4634-b1db-411601495ab1",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.9.0"
},
"data_stream": {
"dataset": "panw_cortex_xdr.alerts",
"namespace": "ep",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "6245802f-8bd9-4634-b1db-411601495ab1",
"snapshot": false,
"version": "8.9.0"
},
"event": {
"action": "BLOCKED",
"agent_id_status": "verified",
"category": [
"malware"
],
"created": "2020-10-21T11:31:28.980Z",
"dataset": "panw_cortex_xdr.alerts",
"id": "800800",
"ingested": "2023-08-17T06:15:07Z",
"kind": "alert",
"original": "{\"action\":\"BLOCKED\",\"action_pretty\":\"Prevented (Blocked)\",\"agent_data_collection_status\":true,\"agent_device_domain\":null,\"agent_fqdn\":\"test\",\"agent_is_vdi\":null,\"agent_os_sub_type\":\"XP\",\"agent_os_type\":\"Windows\",\"agent_version\":\"1.2.3.4\",\"alert_id\":\"1001\",\"attempt_counter\":55,\"bioc_category_enum_key\":null,\"bioc_indicator\":null,\"category\":\"Exploit\",\"deduplicate_tokens\":null,\"description\":\"Local privilege escalation prevented\",\"detection_timestamp\":1603279888980,\"end_match_attempt_ts\":1603552062824,\"endpoint_id\":\"12345678\",\"events\":{\"action_country\":\"UNKNOWN\",\"action_external_hostname\":null,\"action_file_macro_sha256\":null,\"action_file_md5\":null,\"action_file_name\":null,\"action_file_path\":null,\"action_file_sha256\":null,\"action_local_ip\":null,\"action_local_port\":null,\"action_process_causality_id\":null,\"action_process_image_command_line\":null,\"action_process_image_name\":null,\"action_process_image_sha256\":null,\"action_process_instance_id\":null,\"action_process_signature_status\":\"N/A\",\"action_process_signature_vendor\":null,\"action_registry_data\":null,\"action_registry_full_key\":null,\"action_registry_key_name\":null,\"action_registry_value_name\":null,\"action_remote_ip\":null,\"action_remote_port\":null,\"actor_causality_id\":null,\"actor_process_causality_id\":null,\"actor_process_command_line\":\"c:\\\\\tmp\\\\\virus.exe\",\"actor_process_image_md5\":null,\"actor_process_image_name\":\"virus.exe\",\"actor_process_image_path\":\"c:\\\\\tmp\\\\\virus.exe\",\"actor_process_image_sha256\":\"133ee989293f92736301280c6f14c89d521200c17dcdcecca30cd20705332d44\",\"actor_process_instance_id\":\"1234\",\"actor_process_os_pid\":1234,\"actor_process_signature_status\":\"N/A\",\"actor_process_signature_vendor\":null,\"actor_thread_thread_id\":null,\"agent_host_boot_time\":null,\"agent_install_type\":\"NA\",\"association_strength\":null,\"causality_actor_causality_id\":null,\"causality_actor_process_command_line\":null,\"causality_actor_process_execution_time\":null,\"causality_actor_process_image_md5\":null,\"causality_actor_process_image_name\":null,\"causality_actor_process_image_path\":null,\"causality_actor_process_image_sha256\":null,\"causality_actor_process_signature_status\":\"N/A\",\"causality_actor_process_signature_vendor\":null,\"dns_query_name\":null,\"dst_action_country\":null,\"dst_action_external_hostname\":null,\"dst_action_external_port\":null,\"dst_agent_id\":null,\"dst_association_strength\":null,\"dst_causality_actor_process_execution_time\":null,\"event_id\":null,\"event_sub_type\":null,\"event_timestamp\":1603279888980,\"event_type\":\"Process Execution\",\"fw_app_category\":null,\"fw_app_id\":null,\"fw_app_subcategory\":null,\"fw_app_technology\":null,\"fw_device_name\":null,\"fw_email_recipient\":null,\"fw_email_sender\":null,\"fw_email_subject\":null,\"fw_interface_from\":null,\"fw_interface_to\":null,\"fw_is_phishing\":\"N/A\",\"fw_misc\":null,\"fw_rule\":null,\"fw_rule_id\":null,\"fw_serial_number\":null,\"fw_url_domain\":null,\"fw_vsys\":null,\"fw_xff\":null,\"module_id\":\"Privilege Escalation Protection\",\"os_actor_causality_id\":null,\"os_actor_effective_username\":null,\"os_actor_process_causality_id\":null,\"os_actor_process_command_line\":null,\"os_actor_process_image_name\":null,\"os_actor_process_image_path\":null,\"os_actor_process_image_sha256\":null,\"os_actor_process_instance_id\":null,\"os_actor_process_os_pid\":null,\"os_actor_process_signature_status\":\"N/A\",\"os_actor_process_signature_vendor\":null,\"os_actor_thread_thread_id\":null,\"story_id\":null,\"user_name\":null},\"external_id\":\"800800\",\"filter_rule_id\":null,\"host_ip\":[\"10.0.255.20\"],\"host_name\":\"Test\",\"is_whitelisted\":false,\"local_insert_ts\":1603279967500,\"mac\":null,\"mac_address\":[\"00:11:22:33:44:55\"],\"matching_service_rule_id\":null,\"matching_status\":\"FAILED\",\"mitre_tactic_id_and_name\":[\"\"],\"mitre_technique_id_and_name\":[\"\"],\"name\":\"Kernel Privilege Escalation\",\"severity\":\"high\",\"source\":\"XDR Agent\",\"starred\":false}",
"reason": "Local privilege escalation prevented",
"severity": 4,
"type": [
"info"
]
},
"host": {
"hostname": "test",
"id": "12345678",
"ip": [
"10.0.255.20"
],
"name": "test",
"os": {
"name": "Windows",
"version": "XP"
}
},
"input": {
"type": "httpjson"
},
"message": "Kernel Privilege Escalation",
"panw_cortex": {
"xdr": {
"action_pretty": "Prevented (Blocked)",
"agent_data_collection_status": true,
"agent_version": "1.2.3.4",
"alert_id": "1001",
"attempt_counter": 55,
"category": "Exploit",
"end_match_attempt_ts": "2020-10-24T15:07:42.824Z",
"events": {
"actor_process_signature_status": "N/A",
"agent_install_type": "NA",
"event_type": "Process Execution",
"fw_is_phishing": "N/A",
"module_id": "Privilege Escalation Protection",
"os_actor_process_signature_status": "N/A"
},
"is_whitelisted": false,
"local_insert_ts": "2020-10-21T11:32:47.500Z",
"mac_address": [
"00:11:22:33:44:55"
],
"matching_status": "FAILED",
"source": "XDR Agent",
"starred": false
}
},
"process": {
"code_signature": {
"status": "N/A"
},
"command_line": "c:\\tmp\\virus.exe",
"entity_id": "1234",
"executable": "c:\\tmp\\virus.exe",
"hash": {
"sha256": "133ee989293f92736301280c6f14c89d521200c17dcdcecca30cd20705332d44"
},
"name": "virus.exe",
"parent": {
"code_signature": {
"status": "N/A"
}
},
"pid": 1234
},
"related": {
"hash": [
"133ee989293f92736301280c6f14c89d521200c17dcdcecca30cd20705332d44"
]
},
"tags": [
"preserve_original_event",
"forwarded",
"panw_cortex_xdr"
]
}
Exported fields
| Field | Description | Type |
|---|---|---|
@timestamp |
Event timestamp. |
date |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
data_stream.dataset |
Data stream dataset name. |
constant_keyword |
data_stream.namespace |
Data stream namespace. |
constant_keyword |
data_stream.type |
Data stream type. |
constant_keyword |
event.dataset |
Event dataset |
constant_keyword |
event.module |
Event module |
constant_keyword |
host.containerized |
If the host is a container. |
boolean |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
panw_cortex.xdr.action_pretty |
Pretty description of the action type. |
keyword |
panw_cortex.xdr.agent_data_collection_status |
Collection status of the agent. |
boolean |
panw_cortex.xdr.agent_ip_addresses_v6 |
Agent ipv6 address |
ip |
panw_cortex.xdr.agent_is_vdi |
If agent is running inside a Virtual Desktop. |
keyword |
panw_cortex.xdr.agent_version |
Version of the XDR Endpoint agent. |
keyword |
panw_cortex.xdr.alert_id |
The ID of the alert. |
keyword |
panw_cortex.xdr.alert_type |
The type of the alert. |
keyword |
panw_cortex.xdr.attempt_counter |
Attempts to block or stop the malicious process. |
long |
panw_cortex.xdr.bioc_category_enum_key |
Behavior Indicator type key. |
keyword |
panw_cortex.xdr.bioc_description |
A description of the related bioc event. |
flattened |
panw_cortex.xdr.bioc_indicator |
The Behavioral Indicator type matching to the event. |
keyword |
panw_cortex.xdr.category |
The Alert category. |
keyword |
panw_cortex.xdr.deduplicate_tokens |
keyword |
|
panw_cortex.xdr.description |
A description of the related event. |
keyword |
panw_cortex.xdr.end_match_attempt_ts |
date |
|
panw_cortex.xdr.endpoint_id |
The unique ID of the endpoint. |
keyword |
panw_cortex.xdr.events.action_country |
keyword |
|
panw_cortex.xdr.events.action_external_hostname |
Any external hostname related to the specific event action. |
keyword |
panw_cortex.xdr.events.action_file_macro_sha256 |
keyword |
|
panw_cortex.xdr.events.action_process_causality_id |
The parent processor ID related to the action. |
keyword |
panw_cortex.xdr.events.actor_causality_id |
The parent process ID of the actor process. |
keyword |
panw_cortex.xdr.events.actor_process_causality_id |
The parent processor ID related to the actor. |
keyword |
panw_cortex.xdr.events.actor_process_command_line |
Actor full command line. |
keyword |
panw_cortex.xdr.events.actor_process_image_name |
Actor binary name. |
keyword |
panw_cortex.xdr.events.actor_process_image_sha256 |
SHA256 hash indentifier of the actor. |
keyword |
panw_cortex.xdr.events.actor_process_instance_id |
The process ID related to the actor. |
keyword |
panw_cortex.xdr.events.actor_process_signature_status |
The signature of the actor process. |
keyword |
panw_cortex.xdr.events.actor_process_signature_vendor |
The signature vendor of the actor process. |
keyword |
panw_cortex.xdr.events.agent_host_boot_time |
Uptime of the host. |
date |
panw_cortex.xdr.events.agent_install_type |
Display name of the actor. |
keyword |
panw_cortex.xdr.events.association_strength |
long |
|
panw_cortex.xdr.events.contains_featured_host |
keyword |
|
panw_cortex.xdr.events.contains_featured_ip |
keyword |
|
panw_cortex.xdr.events.contains_featured_user |
keyword |
|
panw_cortex.xdr.events.dns_query_name |
The related DNS query for the event. |
keyword |
panw_cortex.xdr.events.dst_action_country |
The country related to the destination. |
keyword |
panw_cortex.xdr.events.dst_action_external_hostname |
The external hostname of the destination. |
keyword |
panw_cortex.xdr.events.dst_action_external_port |
The external (NAT) port of the destination. |
keyword |
panw_cortex.xdr.events.dst_agent_id |
The endpoint ID of a destination agent. |
keyword |
panw_cortex.xdr.events.dst_association_strength |
long |
|
panw_cortex.xdr.events.dst_causality_actor_process_execution_time |
The process execution time of the destination process. |
keyword |
panw_cortex.xdr.events.event_id |
The ID unique to the underlying event related to the alert. |
keyword |
panw_cortex.xdr.events.event_sub_type |
Sub type of the event related to the alert. |
integer |
panw_cortex.xdr.events.event_type |
Event type |
keyword |
panw_cortex.xdr.events.fw_app_category |
Layer 7 application category related to the firewall event. |
keyword |
panw_cortex.xdr.events.fw_app_id |
The layer 7 application ID from the firewall event. |
keyword |
panw_cortex.xdr.events.fw_app_subcategory |
Layer 7 application subcategory related to the firewall event. |
keyword |
panw_cortex.xdr.events.fw_app_technology |
Layer 7 application type related to the firewall event. |
keyword |
panw_cortex.xdr.events.fw_device_name |
Related firewall device. |
keyword |
panw_cortex.xdr.events.fw_email_recipient |
keyword |
|
panw_cortex.xdr.events.fw_email_sender |
keyword |
|
panw_cortex.xdr.events.fw_email_subject |
keyword |
|
panw_cortex.xdr.events.fw_is_phishing |
If event is related to a phishing campaign. |
keyword |
panw_cortex.xdr.events.fw_misc |
Additional information related to the firewall event. |
keyword |
panw_cortex.xdr.events.fw_url_domain |
Related domain to the firewall event. |
keyword |
panw_cortex.xdr.events.fw_vsys |
The related VSYS name if applicable. |
keyword |
panw_cortex.xdr.events.fw_xff |
keyword |
|
panw_cortex.xdr.events.module_id |
The ID of the module that caught the event. |
keyword |
panw_cortex.xdr.events.os_actor_causality_id |
The ID of the OS actor process |
keyword |
panw_cortex.xdr.events.os_actor_effective_username |
Username related to the OS actor. |
keyword |
panw_cortex.xdr.events.os_actor_process_causality_id |
The ID of the parent process related to the OS actor. |
keyword |
panw_cortex.xdr.events.os_actor_process_command_line |
OS actor full command line example. |
keyword |
panw_cortex.xdr.events.os_actor_process_image_name |
OS actor binary name. |
keyword |
panw_cortex.xdr.events.os_actor_process_image_path |
OS actor binary path. |
keyword |
panw_cortex.xdr.events.os_actor_process_image_sha256 |
SHA256 hash indentifier of the OS actor process. |
keyword |
panw_cortex.xdr.events.os_actor_process_instance_id |
The process ID related to the OS actor. |
keyword |
panw_cortex.xdr.events.os_actor_process_os_pid |
The OS PID related to the related process. |
integer |
panw_cortex.xdr.events.os_actor_process_signature_status |
Signature of the OS actor process. |
keyword |
panw_cortex.xdr.events.os_actor_process_signature_vendor |
Signature vendor of the OS actor process. |
keyword |
panw_cortex.xdr.events.os_actor_thread_thread_id |
The thread ID related to the related OS actor process. |
integer |
panw_cortex.xdr.events.story_id |
keyword |
|
panw_cortex.xdr.external_id |
External ID related to the Alert itself. |
keyword |
panw_cortex.xdr.filter_rule_id |
ID of the filter rule. |
keyword |
panw_cortex.xdr.is_pcap |
If alert contains pcap. |
boolean |
panw_cortex.xdr.is_whitelisted |
If process is whitelisted. |
boolean |
panw_cortex.xdr.local_insert_ts |
date |
|
panw_cortex.xdr.mac |
Main MAC address of the agent. |
keyword |
panw_cortex.xdr.mac_address |
Array of all the MAC addresses related to the agent. |
keyword |
panw_cortex.xdr.matching_service_rule_id |
keyword |
|
panw_cortex.xdr.matching_status |
Matching status of the endpoint group. |
keyword |
panw_cortex.xdr.original_tags |
Original tags for the asset. |
keyword |
panw_cortex.xdr.resolution_comment |
keyword |
|
panw_cortex.xdr.resolution_status |
keyword |
|
panw_cortex.xdr.source |
keyword |
|
panw_cortex.xdr.starred |
If alert type is prioritized (starred). |
boolean |
Incidents
editThe Cortex XDR Incidents API is used to retrieve incidents generated by Cortex XDR based on raw endpoint data. A single incident might include one or more local endpoint events, each event generating its own document on Elasticsearch.
The Palo Alto XDR integration requires both an API key and API key ID, both which can be retrieved from the Cortex XDR UI. See: Get Started with Cortex XDR API
When a Cortex XDR Incident is modified in the Cortex XDR UI (e.g. severity or status changed, additional alerts linked) it will be indexed as a new document with the new values.
Example
An example event for incidents looks as following:
{
"@timestamp": "2023-08-14T01:20:00.230Z",
"agent": {
"ephemeral_id": "02205f80-afa5-4cf8-a320-018c29c153fe",
"id": "6245802f-8bd9-4634-b1db-411601495ab1",
"name": "docker-fleet-agent",
"type": "filebeat",
"version": "8.9.0"
},
"data_stream": {
"dataset": "panw_cortex_xdr.incidents",
"namespace": "ep",
"type": "logs"
},
"ecs": {
"version": "8.11.0"
},
"elastic_agent": {
"id": "6245802f-8bd9-4634-b1db-411601495ab1",
"snapshot": false,
"version": "8.9.0"
},
"event": {
"agent_id_status": "verified",
"category": [
"malware"
],
"created": "2023-08-17T06:15:40.867Z",
"dataset": "panw_cortex_xdr.incidents",
"id": "893",
"ingested": "2023-08-17T06:15:43Z",
"kind": "alert",
"original": "{\"aggregated_score\":5,\"alert_categories\":[\"Exfiltration\"],\"alert_count\":1,\"alerts_grouping_status\":\"Enabled\",\"assigned_user_mail\":null,\"assigned_user_pretty_name\":null,\"creation_time\":1691976000230,\"critical_severity_alert_count\":0,\"description\":\"'Large Upload (Generic)' generated by XDR Analytics detected on host test1234 involving user nt authority\\\\\system\",\"detection_time\":null,\"high_severity_alert_count\":0,\"host_count\":1,\"hosts\":[\"test1234:b567c1a651e66999158aef5d864dad25\"],\"incident_id\":\"893\",\"incident_name\":null,\"incident_sources\":[\"XDR Analytics\"],\"low_severity_alert_count\":1,\"manual_description\":null,\"manual_score\":null,\"manual_severity\":null,\"med_severity_alert_count\":0,\"mitre_tactics_ids_and_names\":[\"TA0010 - Exfiltration\"],\"mitre_techniques_ids_and_names\":[\"T1048 - Exfiltration Over Alternative Protocol\"],\"modification_time\":1691976000230,\"notes\":null,\"original_tags\":[\"DS:PANW/XDR Agent\",\"EG:win-server-ex-ransomeware_report\",\"EG:win-server-default\"],\"predicted_score\":5,\"resolve_comment\":null,\"resolved_timestamp\":null,\"rule_based_score\":null,\"severity\":\"low\",\"starred\":false,\"status\":\"new\",\"tags\":[\"DS:PANW/XDR Agent\",\"EG:win-server-default\",\"EG:win-server-ex-ransomeware_report\"],\"user_count\":1,\"users\":[\"nt authority\\\\\system\"],\"wildfire_hits\":0,\"xdr_url\":\"https://test.xdr.eu.paloaltonetworks.com/incident-view?caseId=893\"}",
"reason": "'Large Upload (Generic)' generated by XDR Analytics detected on host test1234 involving user nt authority\\system",
"severity": 2,
"type": [
"info"
]
},
"input": {
"type": "httpjson"
},
"panw_cortex": {
"xdr": {
"aggregated_score": 5,
"alert_categories": [
"Exfiltration"
],
"alert_count": 1,
"alerts_grouping_status": "Enabled",
"creation_time": "2023-08-14T01:20:00.230Z",
"critical_severity_alert_count": 0,
"high_severity_alert_count": 0,
"host_count": 1,
"hosts": [
"test1234:b567c1a651e66999158aef5d864dad25"
],
"incident_sources": [
"XDR Analytics"
],
"low_severity_alert_count": 1,
"med_severity_alert_count": 0,
"mitre_tactics_ids_and_names": [
"TA0010 - Exfiltration"
],
"mitre_techniques_ids_and_names": [
"T1048 - Exfiltration Over Alternative Protocol"
],
"modification_time": "2023-08-14T01:20:00.230Z",
"original_tags": [
"DS:PANW/XDR Agent",
"EG:win-server-ex-ransomeware_report",
"EG:win-server-default"
],
"predicted_score": 5,
"starred": false,
"status": "new",
"user_count": 1,
"users": [
"nt authority\\system"
],
"wildfire_hits": 0,
"xdr_url": "https://test.xdr.eu.paloaltonetworks.com/incident-view?caseId=893"
}
},
"related": {
"hosts": [
"test1234"
],
"user": [
"system"
]
},
"tags": [
"preserve_original_event",
"forwarded",
"panw_cortex_xdr",
"DS:PANW/XDR Agent",
"EG:win-server-default",
"EG:win-server-ex-ransomeware_report"
],
"threat": {
"framework": "MITRE ATT&CK",
"tactic": {
"id": [
"TA0010"
],
"name": [
"Exfiltration"
]
},
"technique": {
"id": [
"T1048"
],
"name": [
"Exfiltration Over Alternative Protocol"
]
}
}
}
Exported fields
| Field | Description | Type |
|---|---|---|
@timestamp |
Event timestamp. |
date |
cloud.image.id |
Image ID for the cloud instance. |
keyword |
data_stream.dataset |
Data stream dataset name. |
constant_keyword |
data_stream.namespace |
Data stream namespace. |
constant_keyword |
data_stream.type |
Data stream type. |
constant_keyword |
event.dataset |
Event dataset |
constant_keyword |
event.module |
Event module |
constant_keyword |
host.containerized |
If the host is a container. |
boolean |
host.os.build |
OS build information. |
keyword |
host.os.codename |
OS codename, if any. |
keyword |
input.type |
Type of Filebeat input. |
keyword |
log.flags |
Flags for the log file. |
keyword |
log.offset |
Offset of the entry in the log file. |
long |
panw_cortex.xdr.aggregated_score |
Aggregated incident score. |
long |
panw_cortex.xdr.alert_categories |
Categories for alerts contained in the incident. |
keyword |
panw_cortex.xdr.alert_count |
Count of alerts. |
long |
panw_cortex.xdr.alerts_grouping_status |
Is alert grouping enabled for this incident. |
keyword |
panw_cortex.xdr.assigned_user_mail |
Email for the assigned user. |
keyword |
panw_cortex.xdr.assigned_user_pretty_name |
Pretty name for the assigned user. |
keyword |
panw_cortex.xdr.creation_time |
Incident creation time. |
date |
panw_cortex.xdr.critical_severity_alert_count |
Count of critical severity alerts for this incident. |
long |
panw_cortex.xdr.detection_time |
Detection time. |
flattened |
panw_cortex.xdr.high_severity_alert_count |
Count of high severity alerts for this incident. |
long |
panw_cortex.xdr.host_count |
Count of hosts related to this incident. |
long |
panw_cortex.xdr.hosts |
Host names and host ID’s related to this incident. |
keyword |
panw_cortex.xdr.incident_id |
Incident ID |
keyword |
panw_cortex.xdr.incident_name |
Incident name |
keyword |
panw_cortex.xdr.incident_sources |
Detection sources for this incident. |
keyword |
panw_cortex.xdr.low_severity_alert_count |
Count of low severity alerts for this incident. |
long |
panw_cortex.xdr.manual_description |
Manual incident description. |
keyword |
panw_cortex.xdr.manual_score |
Manual incident score. |
flattened |
panw_cortex.xdr.manual_severity |
Manual incident severity. |
keyword |
panw_cortex.xdr.med_severity_alert_count |
Count of medium severity alerts for this incident. |
long |
panw_cortex.xdr.mitre_tactics_ids_and_names |
MITRE tactic ID’s and names |
keyword |
panw_cortex.xdr.mitre_techniques_ids_and_names |
MITRE technique ID’s and names |
keyword |
panw_cortex.xdr.modification_time |
Incident modification time. |
date |
panw_cortex.xdr.notes |
Incident notes. |
keyword |
panw_cortex.xdr.original_tags |
Original tags for the asset. |
keyword |
panw_cortex.xdr.predicted_score |
Predicted incident score. |
long |
panw_cortex.xdr.resolve_comment |
Incident resolution comment. |
keyword |
panw_cortex.xdr.resolved_timestamp |
Incident resolution timestamp. |
date |
panw_cortex.xdr.rule_based_score |
Rule based incident score. |
long |
panw_cortex.xdr.starred |
Starred incident. |
boolean |
panw_cortex.xdr.status |
Incident status. |
keyword |
panw_cortex.xdr.user_count |
Count of users related to the incident. |
long |
panw_cortex.xdr.users |
Usernames related to the incident. |
keyword |
panw_cortex.xdr.wildfire_hits |
Count of Wildfire hits. |
long |
panw_cortex.xdr.xdr_url |
URL to Cortex XDR incident. |
keyword |
Changelog
editChangelog
| Version | Details | Kibana version(s) |
|---|---|---|
1.31.0 |
Enhancement (View pull request) |
8.13.0 or higher |
1.30.0 |
Enhancement (View pull request) |
8.13.0 or higher |
1.29.0 |
Enhancement (View pull request) |
8.13.0 or higher |
1.28.0 |
Enhancement (View pull request) |
8.13.0 or higher |
1.27.0 |
Enhancement (View pull request) |
8.13.0 or higher |
1.26.0 |
Enhancement (View pull request) |
8.12.0 or higher |
1.25.0 |
Enhancement (View pull request) |
8.12.0 or higher |
1.24.2 |
Bug fix (View pull request) |
8.7.1 or higher |
1.24.1 |
Enhancement (View pull request) |
8.7.1 or higher |
1.24.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.23.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.22.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.21.1 |
Bug fix (View pull request) |
8.7.1 or higher |
1.21.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.20.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.19.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.18.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.17.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.16.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.15.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.14.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.13.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.12.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.11.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.10.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.9.0 |
Enhancement (View pull request) |
8.7.1 or higher |
1.8.2 |
Enhancement (View pull request) |
7.15.0 or higher |
1.8.1 |
Enhancement (View pull request) |
7.15.0 or higher |
1.8.0 |
Enhancement (View pull request) |
7.15.0 or higher |
1.7.1 |
Enhancement (View pull request) |
7.15.0 or higher |
1.7.0 |
Enhancement (View pull request) |
7.15.0 or higher |
1.6.0 |
Enhancement (View pull request) |
7.15.0 or higher |
1.5.2 |
Bug fix (View pull request) |
7.15.0 or higher |
1.5.1 |
Bug fix (View pull request) Bug fix (View pull request) |
7.15.0 or higher |
1.5.0 |
Enhancement (View pull request) |
7.15.0 or higher |
1.4.2 |
Enhancement (View pull request) |
7.15.0 or higher |
1.4.1 |
Enhancement (View pull request) |
7.15.0 or higher |
1.4.0 |
Enhancement (View pull request) |
7.15.0 or higher |
1.3.3 |
Bug fix (View pull request) |
7.15.0 or higher |
1.3.2 |
Enhancement (View pull request) |
7.15.0 or higher |
1.3.1 |
Bug fix (View pull request) |
7.15.0 or higher |
1.3.0 |
Enhancement (View pull request) |
7.15.0 or higher |
1.2.1 |
Enhancement (View pull request) |
7.15.0 or higher |
1.2.0 |
Enhancement (View pull request) |
7.15.0 or higher |
1.1.1 |
Enhancement (View pull request) |
7.15.0 or higher |
1.1.0 |
Enhancement (View pull request) |
7.15.0 or higher |
1.0.0 |
Enhancement (View pull request) |
7.15.0 or higher |
0.3.0 |
Enhancement (View pull request) |
— |
0.2.6 |
Bug fix (View pull request) |
— |
0.2.5 |
Bug fix (View pull request) |
— |
0.2.4 |
Enhancement (View pull request) |
— |
0.2.3 |
Enhancement (View pull request) |
— |
0.2.2 |
Bug fix (View pull request) |
— |
0.2.1 |
Bug fix (View pull request) |
— |
0.2.0 |
Enhancement (View pull request) |
— |
0.1.0 |
Enhancement (View pull request) |
— |