Cortex XDR Alerts
Security alerts generated by Cortex XDR analytics engines, BIOC rules, and behavioral threat detection including malware, exploits, and suspicious activities
Quick Facts
Default Path (Linux): Cortex XDR Console > Alerts
Docker: N/A - Cloud-based
Default Format: JSON (via API) / CEF (via SIEM forwarding)
JSON Native: Yes
Rotation: Cloud-based retention (configurable)
Log Example
Default format: JSON Format (API)
Example Log Entry:
{
"alert_id": "12345",
"external_id": "ALERT-2026-001",
"severity": "HIGH",
"name": "Behavioral Threat - Credential Dumping",
"category": "Credential Access",
"description": "Process attempted to access LSASS memory",
"host_name": "WORKSTATION-01",
"host_ip": "192.168.1.100",
"user_name": "jsmith",
"action_status": "BLOCKED",
"detection_timestamp": 1704200000000,
"mitre_tactic_id": "TA0006",
"mitre_technique_id": "T1003.001",
"causality_actor_process_image_name": "mimikatz.exe",
"causality_actor_process_command_line": "mimikatz.exe sekurlsa::logonpasswords",
"starred": false,
"resolution_status": "NEW"
}
Structure:
Nested JSON with alert details, evidence, and related events
Paths by Platform
Available Formats
JSON Format (API) - Default
Example (the same alert record shown in the Log Example section above):
Structure:
Nested JSON with alert details, evidence, and related events
Fields Reference
| Field | Type | Description | Example |
|---|---|---|---|
| alert_id | string | Unique identifier for the alert | 12345 |
| external_id | string | Human-readable alert reference | ALERT-2026-001 |
| severity | string | Alert severity level | HIGH |
| name | string | Alert name/title | Behavioral Threat - Credential Dumping |
| category | string | MITRE ATT&CK tactic category | Credential Access |
| description | string | Detailed description of the alert | Process attempted to access LSASS memory |
| host_name | string | Affected endpoint hostname | WORKSTATION-01 |
| host_ip | ip | IP address of affected endpoint | 192.168.1.100 |
| user_name | string | User associated with the alert | jsmith |
| action_status | string | Action taken by the XDR agent | BLOCKED |
| detection_timestamp | integer (milliseconds since Unix epoch) | Time the alert was generated | 1704200000000 |
| mitre_tactic_id | string | MITRE ATT&CK tactic identifier | TA0006 |
| mitre_technique_id | string | MITRE ATT&CK technique identifier | T1003.001 |
| resolution_status | string | Current investigation status | NEW |
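An added Python example for consuming records with the fields above (not code from this page or from Palo Alto Networks): it converts the millisecond detection_timestamp to a UTC string, reproduces the severity/category/action_status count from the Splunk search later on this page, and lists HIGH alerts the agent only detected rather than blocked. The sample records are constructed; only alert 12345 comes from the page, and the helper names are this example's own.

```python
import json
from collections import Counter
from datetime import datetime, timezone

def _alert(aid, sev, cat, status, ts, tech):
    # Minimal record in the shape of the page's example (constructed sample data)
    return {"alert_id": aid, "severity": sev, "category": cat,
            "action_status": status, "detection_timestamp": ts, "mitre_technique_id": tech}

# Constructed sample: the page's example alert (12345) plus three invented records
SAMPLE_ALERTS = [
    _alert("12345", "HIGH", "Credential Access", "BLOCKED", 1704200000000, "T1003.001"),
    _alert("12346", "HIGH", "Credential Access", "BLOCKED", 1704203600000, "T1003.001"),
    _alert("12347", "high", "Credential Access", "DETECTED", "1704207200000", "T1003.001"),
    _alert("12348", "MEDIUM", "Execution", "DETECTED", 1704210800000, "T1059.001"),
]

def normalize_alert(alert):
    """Copy with detection_timestamp (ms epoch, int or numeric string) rendered as an
    ISO-8601 UTC string in 'detected_at' (None if unparseable) and severity upper-cased."""
    out = dict(alert)
    try:
        secs = int(alert.get("detection_timestamp")) / 1000
        out["detected_at"] = datetime.fromtimestamp(secs, tz=timezone.utc).isoformat()
    except (TypeError, ValueError):
        out["detected_at"] = None
    out["severity"] = str(alert.get("severity") or "UNKNOWN").upper()
    return out

def parse_alerts(text):
    """Parse an API response body holding one alert object or a list of them."""
    data = json.loads(text)
    return [normalize_alert(a) for a in (data if isinstance(data, list) else [data])]

def summarize(alerts):
    """Python equivalent of the page's Splunk 'stats count by severity, category,
    action_status | sort -count': list of ((severity, category, action_status), count)."""
    norm = map(normalize_alert, alerts)
    return Counter((a["severity"], a["category"], a["action_status"]) for a in norm).most_common()

def needs_response(alerts):
    """IDs of HIGH-severity alerts the agent only detected (not BLOCKED): the ones
    where the threat may still be live and an analyst has to act."""
    return [a["alert_id"] for a in map(normalize_alert, alerts)
            if a["severity"] == "HIGH" and a.get("action_status") != "BLOCKED"]
```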
Parsing Patterns
Collector Configurations
Splunk search (SPL):
# Cortex XDR Alerts in Splunk
index=cortex_xdr sourcetype="cortex:xdr:alerts"
| stats count by severity, category, action_status
| sort -count
Configuration
Enable Logging
Alerts are generated automatically by the detection rules; nothing has to be enabled on the endpoint, only forwarding to a SIEM is configured:
# Configure alert forwarding
# Settings > Integrations > External Applications > Syslog
# Forward alerts to SIEM:
1. Create new Syslog integration
2. Select "Alerts" as data type
3. Configure SIEM destination
Use Cases
Alert volume monitoring: track daily alert counts and trends
Fields used: severity, detection_timestamp, category
Query: stats count by severity, category | timechart
Troubleshooting
Tested On
v8.2 on Cortex XDR (admin, 2026-01-03)
Last updated: 2026-01-03 by admin