
Cortex XDR Endpoint Events

Rich endpoint telemetry collected by Cortex XDR agents including process executions, file operations, network connections, registry modifications, and behavioral data for threat detection and forensic investigation

Quick Facts

Default Path (Linux): Cortex XDR Console > Investigation > Query Center
Docker: N/A - Agent-based collection
Default Format: JSON (via API) / CEF (via SIEM forwarding)
JSON Native: Yes
Rotation: Cloud-based retention (configurable 30-180 days)

Log Example

Default format: JSON Format (API/XQL)

Example Log Entry
{
  "event_id": "abc123def456",
  "event_type": "PROCESS",
  "event_sub_type": "PROCESS_START",
  "event_timestamp": 1704200000000,
  "endpoint_id": "e1f2a3b4c5d6",
  "endpoint_name": "WORKSTATION-01",
  "endpoint_domain": "corp.local",
  "endpoint_os": "Windows 10",
  "agent_version": "8.2.0.12345",
  "action_process_image_name": "powershell.exe",
  "action_process_image_path": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
  "action_process_image_sha256": "a1b2c3d4e5f6...",
  "action_process_command_line": "powershell.exe -ExecutionPolicy Bypass -File script.ps1",
  "action_process_signature_vendor": "Microsoft Corporation",
  "action_process_signature_status": "SIGNED",
  "actor_process_image_name": "cmd.exe",
  "actor_process_image_path": "C:\\Windows\\System32\\cmd.exe",
  "actor_process_pid": 4532,
  "actor_primary_user_sid": "S-1-5-21-...",
  "actor_primary_username": "jsmith",
  "causality_actor_process_image_name": "explorer.exe",
  "causality_actor_causality_id": "xyz789"
}

Structure:

Nested JSON with event-specific fields based on event type

Paths by Platform

Agent Logs
/var/log/traps/

Available Formats

JSON Format (API/XQL)

Default

Example: the same JSON entry shown under Log Example above.

Structure:

Nested JSON with event-specific fields based on event type

CEF Format (SIEM Forwarding)

Example:

CEF:0|Palo Alto Networks|Cortex XDR|8.2|PROCESS|Process Execution|5|rt=1704200000000 dhost=WORKSTATION-01 duser=jsmith fname=powershell.exe fpath=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cs1=powershell.exe -ExecutionPolicy Bypass -File script.ps1 cs1Label=CommandLine fileHash=a1b2c3d4e5f6...

Structure:

Common Event Format for SIEM integration via Broker VM

LEEF Format (IBM QRadar)

Example:

LEEF:2.0|Palo Alto Networks|Cortex XDR|8.2|PROCESS|devTime=1704200000000	devTimeFormat=epoch	dst=WORKSTATION-01	usrName=jsmith	fileName=powershell.exe	filePath=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Structure:

Log Event Extended Format for QRadar integration

Fields Reference

Field | Type | Description | Example
event_id | string | Unique identifier for the event | abc123def456
event_type | string | Primary event type category | PROCESS
event_sub_type | string | Specific event subtype | PROCESS_START
event_timestamp | integer (milliseconds) | Event timestamp in epoch milliseconds | 1704200000000
endpoint_id | string | Unique identifier for the endpoint | e1f2a3b4c5d6
endpoint_name | string | Hostname of the endpoint | WORKSTATION-01
endpoint_domain | string | Domain the endpoint belongs to | corp.local
endpoint_os | string | Operating system of the endpoint | Windows 10
endpoint_os_version | string | Full OS version string | 10.0.19045
agent_version | string | Version of the Cortex XDR agent | 8.2.0.12345
action_process_image_name | string | Name of the process being executed (target process) | powershell.exe
action_process_image_path | string | Full path to the process executable | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
action_process_image_sha256 | string | SHA256 hash of the process executable | a1b2c3d4e5f67890abcdef1234567890abcdef1234567890abcdef1234567890
action_process_command_line | string | Full command line of the executed process | powershell.exe -ExecutionPolicy Bypass -File script.ps1
action_process_pid | integer | Process ID of the action process | 1234
action_process_signature_vendor | string | Vendor name from the digital signature | Microsoft Corporation
action_process_signature_status | string | Digital signature verification status | SIGNED
actor_process_image_name | string | Name of the parent process that initiated the action | cmd.exe
actor_process_image_path | string | Full path to the parent process | C:\Windows\System32\cmd.exe
actor_process_pid | integer | Process ID of the parent/actor process | 4532
actor_process_command_line | string | Command line of the parent process | cmd.exe /c start.bat
actor_primary_user_sid | string | Windows SID of the user running the process | S-1-5-21-1234567890-1234567890-1234567890-1001
actor_primary_username | string | Username running the process | jsmith
causality_actor_process_image_name | string | Root process that initiated the causality chain | explorer.exe
causality_actor_causality_id | string | Unique identifier linking related events in a causality chain | xyz789abc123
action_file_name | string | Name of the file involved in file events | malware.exe
action_file_path | string | Full path of the file involved in file events | C:\Users\jsmith\Downloads\malware.exe
action_file_sha256 | string | SHA256 hash of the file | b2c3d4e5f67890abcdef1234567890abcdef1234567890abcdef1234567890ab
action_file_size | integer (bytes) | Size of the file in bytes | 524288
action_remote_ip | ip | Remote IP address for network events | 203.0.113.50
action_remote_port | integer | Remote port for network events | 443
action_local_ip | ip | Local IP address for network events | 192.168.1.100
action_local_port | integer | Local port for network events | 54321
action_network_protocol | string | Network protocol used | TCP
dns_query_name | string | DNS query hostname | malicious-domain.com
action_registry_key_name | string | Registry key path for registry events | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
action_registry_value_name | string | Registry value name | MalwareStartup
action_registry_data | string | Data written to the registry value | C:\ProgramData\malware.exe
module_sha256 | string | SHA256 hash of loaded module/DLL | c3d4e5f67890abcdef1234567890abcdef1234567890abcdef1234567890abcd
module_path | string | Path to the loaded module/DLL | C:\Windows\System32\kernel32.dll
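Reconstructing a process chain from the actor, action and causality fields in the table above, as an added example that is not part of this page or of any Palo Alto Networks code. It assumes PROCESS_START events carry exactly the field names listed; the sample events, their PIDs and causality ids are constructed.

```python
import json
from collections import defaultdict

# Constructed sample events using this page's field names (values invented):
# explorer.exe -> cmd.exe -> powershell.exe in one chain, plus an unrelated services.exe -> svchost.exe.
SAMPLE_EVENTS = json.loads("""[
 {"event_type": "PROCESS", "event_sub_type": "PROCESS_START", "event_timestamp": 1704199990000,
  "action_process_image_name": "cmd.exe", "action_process_pid": 4532,
  "actor_process_image_name": "explorer.exe", "actor_process_pid": 1200,
  "causality_actor_causality_id": "xyz789"},
 {"event_type": "PROCESS", "event_sub_type": "PROCESS_START", "event_timestamp": 1704200000000,
  "action_process_image_name": "powershell.exe", "action_process_pid": 1234,
  "actor_process_image_name": "cmd.exe", "actor_process_pid": 4532,
  "causality_actor_causality_id": "xyz789"},
 {"event_type": "PROCESS", "event_sub_type": "PROCESS_START", "event_timestamp": 1704200005000,
  "action_process_image_name": "svchost.exe", "action_process_pid": 900,
  "actor_process_image_name": "services.exe", "actor_process_pid": 700,
  "causality_actor_causality_id": "cg001"}
]""")

def process_chains(events):
    """Group PROCESS_START events by causality_actor_causality_id; each chain is a
    time-ordered list of (actor_name, actor_pid, action_name, action_pid) edges."""
    chains = defaultdict(list)
    for ev in events:
        if ev.get("event_type") == "PROCESS" and ev.get("event_sub_type") == "PROCESS_START":
            chains[ev["causality_actor_causality_id"]].append(ev)
    return {cid: [(e["actor_process_image_name"], e["actor_process_pid"],
                   e["action_process_image_name"], e["action_process_pid"])
                  for e in sorted(evs, key=lambda e: e["event_timestamp"])]
            for cid, evs in chains.items()}

def lineage(events, causality_id, pid):
    """Walk actor_process_pid links from pid back to the causality root and return the
    image names root-first, e.g. ['explorer.exe', 'cmd.exe', 'powershell.exe']."""
    by_child = {act_pid: (actor_name, actor_pid, act_name)
                for actor_name, actor_pid, act_name, act_pid
                in process_chains(events).get(causality_id, [])}
    names, root, seen = [], None, set()
    while pid in by_child and pid not in seen:   # seen guards against PID-reuse loops
        seen.add(pid)
        root, pid, name = by_child[pid]
        names.append(name)
    if root is not None:
        names.append(root)
    return names[::-1]
```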

Parsing Patterns

Grok Patterns

json:

# XQL queries return JSON - use JSON parser
# Example XQL (enum values take the ENUM. prefix): dataset = xdr_data | filter event_type = ENUM.PROCESS

Regular Expressions

cef:

CEF:\d+\|Palo Alto Networks\|Cortex XDR\|(?P<version>[^|]+)\|(?P<event_type>[^|]+)\|(?P<event_name>[^|]+)\|(?P<severity>\d+)\|(?P<extensions>.*)

Collector Configurations

Splunk (props.conf stanza and example searches)

# Cortex XDR to Splunk via SIEM Integration
[cortex:xdr:endpoint]
TIME_FORMAT = %s%3N
TIME_PREFIX = rt=
SHOULD_LINEMERGE = false
KV_MODE = none
TRUNCATE = 65535

# The searches below use the Cortex XDR field names from the Fields Reference; with
# KV_MODE = none on CEF input those fields must be extracted first (or replace them
# with the CEF keys such as fname and cs1).

# Search for process events
index=cortex_xdr sourcetype="cortex:xdr:endpoint" event_type=PROCESS
| stats count by action_process_image_name, actor_primary_username, endpoint_name

# Hunt for PowerShell with suspicious flags
index=cortex_xdr sourcetype="cortex:xdr:endpoint" action_process_image_name="powershell.exe"
| search action_process_command_line IN ("*-enc*", "*-ExecutionPolicy Bypass*", "*-nop*", "*IEX*", "*DownloadString*")
| table _time, endpoint_name, actor_primary_username, action_process_command_line
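The CEF regex from Parsing Patterns and the PowerShell hunt from the Splunk search above, combined into an offline parser and check. This is an added example, not code from the page or from Palo Alto Networks; the mapping from CEF keys to the JSON field names is an assumption inferred from the page's two examples, and CEF backslash escaping inside values is not handled.

```python
import re
# Header regex from the Parsing Patterns section of this page.
CEF_RE = re.compile(
    r"CEF:\d+\|Palo Alto Networks\|Cortex XDR\|(?P<version>[^|]+)\|(?P<event_type>[^|]+)\|"
    r"(?P<event_name>[^|]+)\|(?P<severity>\d+)\|(?P<extensions>.*)"
)
# Split extensions only on a space directly followed by "key=", because command-line
# values contain spaces (CEF backslash escapes inside values are not handled here).
EXT_SPLIT_RE = re.compile(r" (?=[A-Za-z0-9_]+=)")
# Assumed CEF-key -> JSON/XQL field-name mapping, inferred from this page's two examples.
CEF_TO_XDR = {
    "rt": "event_timestamp", "dhost": "endpoint_name", "duser": "actor_primary_username",
    "fname": "action_process_image_name", "fpath": "action_process_image_path",
    "CommandLine": "action_process_command_line", "fileHash": "action_process_image_sha256",
}
# Indicators from the "Hunt for PowerShell with suspicious flags" Splunk search above.
SUSPICIOUS_FLAGS = ("-enc", "-ExecutionPolicy Bypass", "-nop", "IEX", "DownloadString")
# Constructed sample: the CEF line from this page, so the parser can be run offline.
SAMPLE_LINE = (
    r"CEF:0|Palo Alto Networks|Cortex XDR|8.2|PROCESS|Process Execution|5|rt=1704200000000 "
    r"dhost=WORKSTATION-01 duser=jsmith fname=powershell.exe fpath=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "
    r"cs1=powershell.exe -ExecutionPolicy Bypass -File script.ps1 cs1Label=CommandLine "
    r"fileHash=a1b2c3d4e5f6..."
)

def parse_cef(line: str) -> dict:
    """Parse one Cortex XDR CEF line into a dict keyed by the JSON/XQL field names."""
    m = CEF_RE.match(line)
    if m is None:
        raise ValueError("not a Cortex XDR CEF line")
    raw = {k: v for k, v in m.groupdict().items() if k != "extensions"}
    for pair in EXT_SPLIT_RE.split(m.group("extensions")):
        key, _, value = pair.partition("=")
        raw[key] = value
    # Resolve csN/csNLabel pairs: cs1=... cs1Label=CommandLine becomes CommandLine=...
    for label_key in [k for k in raw if k.endswith("Label")]:
        base = label_key[: -len("Label")]
        if base in raw:
            raw[raw.pop(label_key)] = raw.pop(base)
    event = {CEF_TO_XDR.get(k, k): v for k, v in raw.items()}
    event["event_timestamp"] = int(event.get("event_timestamp", 0))  # epoch milliseconds
    return event

def suspicious_powershell(event: dict) -> list:
    """Return the hunt indicators found in a PROCESS event's command line (case-insensitive)."""
    if (event.get("event_type") != "PROCESS"
            or event.get("action_process_image_name", "").lower() != "powershell.exe"):
        return []
    cmd = event.get("action_process_command_line", "").lower()
    return [flag for flag in SUSPICIOUS_FLAGS if flag.lower() in cmd]
```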

Configuration

Enable Logging

Configure Cortex XDR data collection profiles

# Via Cortex XDR Console
# Navigate to: Settings > Endpoint Security > Profiles > Agent Settings

# Enable comprehensive data collection:
1. Process Execution Data: Enable
2. Network Data Collection: Enable
3. File Access Monitoring: Enable
4. Registry Monitoring: Enable (Windows)
5. Script Execution Analysis: Enable

# Data Collection Levels:
- Standard: Basic process/file/network events
- Enhanced: Adds command line, registry, module loads
- Maximum: Full behavioral telemetry (higher storage)

Higher collection levels increase storage consumption in Cortex Data Lake

Log To Syslog

Configure SIEM forwarding via Broker VM

# Deploy Cortex XDR Broker VM
# Navigate to: Settings > Configurations > Broker VMs

# 1. Download and deploy Broker VM OVA
# 2. Configure Broker VM network settings
# 3. Register Broker VM with Cortex XDR tenant

# Configure Syslog Forwarding:
# Settings > Integrations > External Applications > Add Application

Syslog Target:
  - Server: <siem-ip>
  - Port: 514
  - Protocol: TCP/TLS
  - Format: CEF or LEEF

# Select data to forward:
  - Endpoint Events: Yes
  - Alerts: Yes
  - Incidents: Yes

Use Cases

Endpoint inventory

Track all endpoints with XDR agents installed

Fields: endpoint_name, endpoint_domain, endpoint_os, agent_version

dataset = xdr_data | dedup endpoint_id | comp count(endpoint_id) as endpoints by endpoint_os

Agent health monitoring

Monitor XDR agent connectivity and version status

Fields: endpoint_id, endpoint_name, agent_version, event_timestamp

dataset = endpoints | filter agent_status != CONNECTED

Data collection verification

Verify events are being collected from all endpoints

Fields: endpoint_id, event_type, event_timestamp

dataset = xdr_data | comp count(event_id) as events by endpoint_id, event_type | filter events < threshold

Replace threshold with the minimum event count expected per endpoint and event type in the query window.

Troubleshooting

Tested On

v8.2 on Cortex XDR Agent
admin - 2026-01-03
v8.1 on Cortex XDR Agent
admin - 2026-01-03
Last updated: 2026-01-03 by admin