Use the Palo Alto Networks Cortex integration to query your Palo Alto Networks Cortex environment.
There are several steps required to configure this integration. You will navigate between Cortex XSOAR and Cortex Hub to retrieve tokens required later in the process. Be sure to follow each procedure in order.
- Activate XSOAR on Palo Alto Networks Cortex Hub
- Configure the Palo Alto Networks Cortex Integration on XSOAR
Activate XSOAR on Palo Alto Networks Cortex Hub
- Navigate to Palo Alto Networks Cortex Hub.
- In the Apps from Palo Alto Networks section, locate Cortex XSOAR and click Activate.
- In the upper-right corner, click the gear icon.
- Locate the XSOAR app, and click Add Instance.
- Instance Name (Required): A meaningful name for the instance.
- Description (Optional): A meaningful description for the instance.
- Region (Required): The region in which the instance is located.
- Cortex Data Lake (Required): Your Cortex Data Lake instance.
- Directory Sync (Required): Your Directory Sync instance.
- In the Your Cortex Apps section, click the XSOAR icon.
- When prompted, enter the XSOAR verification token: 25$nhXyu4.
- Click Send, and when prompted, click Authorize.
- In the Request for Approval window, click Allow.
- When prompted, copy the Authentication Token, Authentication ID, and Authentication Key. You will need to enter these when configuring the Palo Alto Networks Cortex integration on XSOAR.
Configure the Palo Alto Networks Cortex Integration on XSOAR
- Navigate to Settings > Integrations > Servers & Services.
- Search for Palo Alto Networks Cortex.
- Click Add instance to create and configure a new integration instance.
- Name: A textual name for the integration instance.
- Authentication Token : received from the Activate XSOAR on Palo Alto Networks Cortex Hub procedure.
- Authentication ID : received from the Activate XSOAR on Palo Alto Networks Cortex Hub procedure.
- Authentication Key : received from the Activate XSOAR on Palo Alto Networks Cortex Hub procedure.
- Click Test to validate the integration and Demisto App Token.
Commands
You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
- Query logs: cortex-query-logs
- Get logs for critical threats: cortex-get-critical-threat-logs
- Get social applications: cortex-get-social-applications
- Query the Cortex logging service: cortex-search-by-file-hash
- Query traffic logs: cortex-query-traffic-logs
- Query threat logs: cortex-query-threat-logs
- Query Traps logs: cortex-query-traps-logs
- Query analytics logs: cortex-query-analytics-logs
1. Query logs
Use this command to query logs in your Palo Alto Networks Cortex environment.
Base Command
cortex-query-logs
Input
Argument Name | Description | Example |
---|---|---|
startTime | Query start time | startTime="2018-04-26 00:00:00" |
endTime | Query end time | endTime="2018-04-26 00:00:00" |
query | Free text SQL query | For example, query="select * from panw.traffic limit 5". There are multiple tables in Logging, such as threat and traffic. Refer to the Cortex Logging Service schema reference for the full list. |
timeRange | Query time range, used with the rangeValue parameter | This example runs the query for the previous week: timeRange="weeks" rangeValue="1". |
rangeValue | Query time value, used with the timeRange parameter | This example runs the query for the previous week: timeRange="weeks" rangeValue="1". |
Context Output
Path | Description |
---|---|
Cortex.Logging.id | Log ID |
Cortex.Logging.score | Log score |
Cortex.Logging.action | Log action |
Cortex.Logging.app | Log application |
Cortex.Logging.proto | Protocol used |
Cortex.Logging.dst | Destination IP |
Cortex.Logging.rule | Rule used for log |
Cortex.Logging.src | Source of action |
Cortex.Logging.category-of-app | Application's category |
Cortex.Logging.srcloc | Source location |
Cortex.Logging.dstloc | Destination location |
Cortex.Logging.characteristic-of-app | Application's characteristics |
Cortex.Logging.device_name | Device name |
Cortex.Logging.nat | Was NAT used? |
Cortex.Logging.natdport | NAT port |
Cortex.Logging.natdst | NAT destination |
Cortex.Logging.natsrc | NAT source |
Command Example
!cortex-query-logs startTime="2018-04-26 00:00:00" endTime="2018-04-28 00:00:00" query="select * from panw.traffic limit 5"
Context Example
{
"Logging":[
{
"action":"allow",
"action_source":"from-policy",
"actionflags":-9223372036854776000,
"app":"ssh",
"assoc_id":0,
"bytes":4245,
"bytes_received":2925,
"bytes_sent":1320,
"category":"0",
"category-of-app":"networking",
"characteristic-of-app":[
"able-to-transfer-file",
"has-known-vulnerability",
"tunnel-other-application",
"prone-to-misuse",
"is-saas"
],
"chunks":0,
"chunks_received":0,
"chunks_sent":0,
"cloud_hostname":"PA-VM",
"config_ver":2049,
"customer-id":"140744002",
"device_name":"PA-VM",
"dg_hier_level_1":13,
"dg_hier_level_2":0,
"dg_hier_level_3":0,
"dg_hier_level_4":0,
"dport":22,
"dst":"172.31.23.156",
"dstloc":"172.16.0.0-172.31.255.255",
"elapsed":2,
"flags":4194381,
"from":"Untrust",
"fwd":1,
"id":"140744002_lcaas:1:65862:1",
"inbound_if":"ethernet1/1",
"is-saas-of-app":0,
"logset":"LCaaS",
"nat":1,
"natdport":22,
"natdst":"172.31.39.63",
"natsport":55949,
"natsrc":"172.31.38.209",
"non-standard-dport":0,
"outbound_if":"ethernet1/2",
"packets":24,
"parent_session_id":0,
"parent_start_time":0,
"pkts_received":12,
"pkts_sent":12,
"proto":"tcp",
"receive_time":1524528178,
"recsize":1480,
"repeatcnt":1,
"risk-of-app":"4",
"rule":"MonitorAll",
"sanctioned-state-of-app":0,
"score":2,
"seqno":383249,
"serial":"",
"session_end_reason":"tcp-fin",
"sessionid":160523,
"sport":48512,
"src":"52.221.242.53",
"srcloc":"SG",
"start":1524528156,
"subcategory-of-app":"encrypted-tunnel",
"subtype":"end",
"technology-of-app":"client-server",
"time_generated":1524528172,
"time_received":1524528172,
"to":"Trust",
"tunnel":0,
"tunneled-app":"untunneled",
"tunnelid_imsi":0,
"type":"traffic",
"users":"52.221.242.53",
"vsys":"vsys1",
"vsys_id":1
},
{
"action":"allow",
"action_source":"from-policy",
"actionflags":-9223372036854776000,
"app":"dns",
"assoc_id":0,
"bytes":227,
"bytes_received":154,
"bytes_sent":73,
"category":"0",
"category-of-app":"networking",
"characteristic-of-app":[
"able-to-transfer-file",
"tunnel-other-application",
"is-saas"
],
"chunks":0,
"chunks_received":0,
"chunks_sent":0,
"cloud_hostname":"PA-VM",
"config_ver":2049,
"customer-id":"140744002",
"device_name":"PA-VM",
"dg_hier_level_1":13,
"dg_hier_level_2":0,
"dg_hier_level_3":0,
"dg_hier_level_4":0,
"dport":53,
"dst":"8.8.8.8",
"dstloc":"US",
"elapsed":0,
"flags":4194404,
"from":"Trust",
"fwd":1,
"id":"140744002_lcaas:1:65862:2",
"inbound_if":"ethernet1/2",
"is-saas-of-app":0,
"logset":"LCaaS",
"nat":1,
"natdport":53,
"natdst":"8.8.8.8",
"natsport":40841,
"natsrc":"172.31.23.156",
"non-standard-dport":0,
"outbound_if":"ethernet1/1",
"packets":2,
"parent_session_id":0,
"parent_start_time":0,
"pkts_received":1,
"pkts_sent":1,
"proto":"udp",
"receive_time":1524528178,
"recsize":1470,
"repeatcnt":1,
"risk-of-app":"4",
"rule":"MonitorAll",
"sanctioned-state-of-app":0,
"score":2,
"seqno":383250,
"serial":"",
"session_end_reason":"aged-out",
"sessionid":160507,
"sport":56973,
"src":"172.31.39.63",
"srcloc":"172.16.0.0-172.31.255.255",
"start":1524528145,
"subcategory-of-app":"infrastructure",
"subtype":"end",
"technology-of-app":"network-protocol",
"time_generated":1524528174,
"time_received":1524528174,
"to":"Untrust",
"tunnel":0,
"tunneled-app":"untunneled",
"tunnelid_imsi":0,
"type":"traffic",
"users":"172.31.39.63",
"vsys":"vsys1",
"vsys_id":1
}
]
}
2. Return logs for critical threats
Use this command to return logs for critical threats.
Base Command
cortex-get-critical-threat-logs
Input
Argument Name | Description | Example |
---|---|---|
startTime | Query start time | startTime="2018-04-26 00:00:00" |
endTime | Query end time | endTime="2018-04-26 00:00:00" |
logsAmount | Number of logs. Default is 10. | logsAmount=5 |
timeRange | Query time range, used with the rangeValue parameter | This example runs the query for the previous week: timeRange="weeks" rangeValue="1". |
rangeValue | Query time value, used with the timeRange parameter | This example runs the query for the previous week: timeRange="weeks" rangeValue="1". |
Context Output
Path | Description |
---|---|
Cortex.Logging.id | Log ID |
Cortex.Logging.score | Log score |
Cortex.Logging.action | Log action |
Cortex.Logging.app | Log application |
Cortex.Logging.proto | Protocol used |
Cortex.Logging.dst | Destination IP |
Cortex.Logging.rule | Rule used for log |
Cortex.Logging.src | Source of action |
Cortex.Logging.category-of-app | Application's category |
Cortex.Logging.srcloc | Source location |
Cortex.Logging.dstloc | Destination location |
Cortex.Logging.characteristic-of-app | Application's characteristics |
Cortex.Logging.device_name | Device name |
Cortex.Logging.nat | Was NAT used? |
Cortex.Logging.natdport | NAT port |
Cortex.Logging.natdst | NAT destination |
Cortex.Logging.natsrc | NAT source |
Cortex.Logging.risk-of-app | Application's risk |
Cortex.Logging.type | Threat type |
Cortex.Logging.pcap_id | Pcap ID |
Cortex.Logging.reportid | Report ID |
Cortex.Logging.category-of-threatid | Category of threat ID |
Cortex.Logging.subtype | Threat sub-type |
Cortex.Logging.time_received | Time the threat was received |
Cortex.Logging.pcap | PCAP |
Cortex.Logging.name-of-threatid | Name of threat ID |
Cortex.Logging.severity | Threat severity |
Command Example
!cortex-get-critical-threat-logs timeRange="weeks" rangeValue=2 logsAmount=5
Context Example
{
"Logging":[
{
"action":"4",
"actionflags":-6917529027641082000,
"app":"web-browsing",
"category":"0",
"category-of-app":"general-internet",
"category-of-threatid":34,
"characteristic-of-app":[
"able-to-transfer-file",
"has-known-vulnerability",
"tunnel-other-application",
"prone-to-misuse",
"is-saas"
],
"cloud_hostname":"PA-VM",
"config_ver":2049,
"contentver":524358163,
"customer-id":"140744002",
"device_name":"PA-VM",
"dg_hier_level_1":13,
"dg_hier_level_2":0,
"dg_hier_level_3":0,
"dg_hier_level_4":0,
"direction":0,
"dport":80,
"dst":"172.31.23.156",
"dstloc":"172.16.0.0-172.31.255.255",
"flags":4202496,
"from":"Untrust",
"fwd":1,
"http_method":"unknown",
"id":"140744002_lcaas:0:90490:4",
"inbound_if":"ethernet1/1",
"is-saas-of-app":0,
"log_feat_bit1":1,
"logset":"LCaaS",
"misc":"52.8.8.48/",
"name-of-threatid":"Apache Struts Jakarta Multipart Parser Remote Code Execution Vulnerability",
"nat":1,
"natdport":80,
"natdst":"172.31.39.63",
"natsport":60896,
"natsrc":"172.31.38.209",
"non-standard-dport":0,
"outbound_if":"ethernet1/2",
"parent_session_id":0,
"parent_start_time":0,
"pcap":null,
"pcap_id":0,
"proto":"tcp",
"receive_time":1524753146,
"recsize":1573,
"repeatcnt":3,
"reportid":0,
"risk-of-app":"4",
"rule":"MonitorAll",
"sanctioned-state-of-app":0,
"score":2,
"seqno":434509,
"serial":"",
"sessionid":187358,
"severity":"critical",
"sig_flags":0,
"sport":53470,
"src":"166.111.32.179",
"srcloc":"CN",
"subcategory-of-app":"internet-utility",
"subtype":"spyware-dns",
"technology-of-app":"browser-based",
"threatid":34221,
"time_generated":1524753149,
"time_received":1524753149,
"to":"Trust",
"tunnel":0,
"tunneled-app":"tunneled-app",
"tunnelid_imsi":0,
"type":"threat",
"url_idx":1,
"users":"166.111.32.179",
"vsys":"vsys1",
"vsys_id":1
}
]
}
3. Get social applications
Use this command to return social applications.
Base Command
cortex-get-social-applications
Input
Argument Name | Description | Example |
---|---|---|
startTime | Query start time | startTime="2018-04-26 00:00:00" |
endTime | Query end time | endTime="2018-04-26 00:00:00" |
logsAmount | Number of logs. Default is 10. | logsAmount=5 |
timeRange | Query time range, used with the rangeValue parameter | This example runs the query for the previous week: timeRange="weeks" rangeValue="1". |
rangeValue | Query time value, used with the timeRange parameter | This example runs the query for the previous week: timeRange="weeks" rangeValue="1". |
Context Output
Path | Description |
---|---|
Cortex.Logging.id | Log ID |
Cortex.Logging.score | Log score |
Cortex.Logging.action | Log action |
Cortex.Logging.app | Log application |
Cortex.Logging.proto | Protocol used |
Cortex.Logging.dst | Destination IP |
Cortex.Logging.rule | Rule used for log |
Cortex.Logging.src | Source of action |
Cortex.Logging.category-of-app | Application's category |
Cortex.Logging.srcloc | Source location |
Cortex.Logging.dstloc | Destination location |
Cortex.Logging.characteristic-of-app | Application's characteristics |
Cortex.Logging.device_name | Device name |
Cortex.Logging.nat | Was NAT used? |
Cortex.Logging.natdport | NAT port |
Cortex.Logging.natdst | NAT destination |
Cortex.Logging.natsrc | NAT source |
Cortex.Logging.risk-of-app | Application's risk |
Cortex.Logging.aggregations.size | Aggregations size |
Cortex.Logging.natsport | NAT port |
Cortex.Logging.start | Traffic start |
Cortex.Logging.subcategory-of-app | Sub-category of application |
Cortex.Logging.time_received | Time received |
Command Example
!cortex-get-social-applications startTime="2018-04-26 00:00:00" endTime="2018-04-28 00:00:00" logsAmount=5
Context Example
{
"Logging":[
{
"action":"allow",
"action_source":"from-policy",
"actionflags":-9223372036854776000,
"app":"facebook-base",
"assoc_id":0,
"bytes":5536,
"bytes_received":3806,
"bytes_sent":1730,
"category":"10014",
"category-of-app":"collaboration",
"characteristic-of-app":[
"able-to-transfer-file",
"has-known-vulnerability",
"tunnel-other-application",
"prone-to-misuse",
"is-saas"
],
"chunks":0,
"chunks_received":0,
"chunks_sent":0,
"cloud_hostname":"VM-Series",
"config_ver":2049,
"container-of-app":"facebook",
"customer-id":"140744002",
"device_name":"VM-Series",
"dg_hier_level_1":13,
"dg_hier_level_2":0,
"dg_hier_level_3":0,
"dg_hier_level_4":0,
"dport":443,
"dst":"157.240.1.18",
"dstloc":"US",
"elapsed":289,
"flags":77,
"from":"SCTC",
"fwd":1,
"id":"140744002_lcaas:1:92075:333",
"inbound_if":"ethernet1/1",
"is-saas-of-app":0,
"logset":"LCaaS",
"natdport":0,
"natdst":"0.0.0.0",
"natsport":0,
"natsrc":"0.0.0.0",
"non-standard-dport":0,
"outbound_if":"ethernet1/1",
"packets":25,
"parent_session_id":0,
"parent_start_time":0,
"pkts_received":17,
"pkts_sent":8,
"proto":"tcp",
"receive_time":1524761638,
"recsize":1527,
"repeatcnt":1,
"risk-of-app":"4",
"rule":"MonitorAll-SCTC",
"sanctioned-state-of-app":0,
"score":9.9996195,
"seqno":123856604,
"serial":"",
"session_end_reason":"aged-out",
"sessionid":30298,
"sport":47385,
"src":"192.168.200.5",
"srcloc":"192.168.0.0-192.168.255.255",
"start":1524761209,
"subcategory-of-app":"social-networking",
"subtype":"end",
"technology-of-app":"browser-based",
"time_generated":1524761621,
"time_received":1524761621,
"to":"SCTC",
"tunnel":0,
"tunneled-app":"tunneled-app",
"tunnelid_imsi":0,
"type":"traffic",
"users":"192.168.200.5",
"vsys":"vsys1",
"vsys_id":1
},
{
"action":"allow",
"action_source":"from-policy",
"actionflags":-9223372036854776000,
"app":"linkedin-base",
"assoc_id":0,
"bytes":9641,
"bytes_received":6935,
"bytes_sent":2706,
"category":"10065",
"category-of-app":"collaboration",
"characteristic-of-app":[
"has-known-vulnerability",
"tunnel-other-application",
"is-saas"
],
"chunks":0,
"chunks_received":0,
"chunks_sent":0,
"cloud_hostname":"VM-Series",
"config_ver":2049,
"container-of-app":"linkedin",
"customer-id":"140744002",
"device_name":"VM-Series",
"dg_hier_level_1":13,
"dg_hier_level_2":0,
"dg_hier_level_3":0,
"dg_hier_level_4":0,
"dport":443,
"dst":"152.195.133.1",
"dstloc":"US",
"elapsed":204,
"flags":77,
"from":"SCTC",
"fwd":1,
"id":"140744002_lcaas:1:92075:640",
"inbound_if":"ethernet1/1",
"is-saas-of-app":0,
"logset":"LCaaS",
"natdport":0,
"natdst":"0.0.0.0",
"natsport":0,
"natsrc":"0.0.0.0",
"non-standard-dport":0,
"outbound_if":"ethernet1/1",
"packets":35,
"parent_session_id":0,
"parent_start_time":0,
"pkts_received":17,
"pkts_sent":18,
"proto":"tcp",
"receive_time":1524761638,
"recsize":1517,
"repeatcnt":1,
"risk-of-app":"3",
"rule":"MonitorAll-SCTC",
"sanctioned-state-of-app":0,
"score":9.9996195,
"seqno":123856911,
"serial":"",
"session_end_reason":"tcp-rst-from-server",
"sessionid":45992,
"sport":53712,
"src":"10.11.48.7",
"srcloc":"10.0.0.0-10.255.255.255",
"start":1524761403,
"subcategory-of-app":"social-networking",
"subtype":"end",
"technology-of-app":"browser-based",
"time_generated":1524761624,
"time_received":1524761624,
"to":"SCTC",
"tunnel":0,
"tunneled-app":"tunneled-app",
"tunnelid_imsi":0,
"type":"traffic",
"users":"10.11.48.7",
"vsys":"vsys1",
"vsys_id":1
}
]
}
4. Query the Cortex logging service
Executes a query on the Cortex logging service.
Base Command
cortex-search-by-file-hash
Input
Argument Name | Description |
---|---|
startTime | Query start time. For example, startTime="2018-04-26 00:00:00" |
endTime | Query end time. For example, endTime="2018-04-26 00:00:00" |
logsAmount | Amount of logs. Default is 10 |
timeRange | Time range for the query, used with rangeValue. For example, timeRange="weeks" rangeValue="1" would run the query on the last week. |
rangeValue | Time value for the query, used with timeRange. For example, timeRange="weeks" rangeValue="1" would run the query on the last week. |
SHA256 | File hash for the query. For example, SHA256="503ca1a4fc0d48b18c0336f544ba0f0abf305ae3a3f49b3c2b86" will return all logs related to this file. |
Context Output
Path | Type | Description |
---|---|---|
Cortex.Logging.id | string | Log ID |
Cortex.Logging.score | number | Log score |
Cortex.Logging.action | unknown | Log action |
Cortex.Logging.app | unknown | Log app |
Cortex.Logging.proto | string | The protocol used |
Cortex.Logging.dst | string | Destination IP |
Cortex.Logging.rule | unknown | Rule used |
Cortex.Logging.src | unknown | The source of the action |
Cortex.Logging.category-of-app | string | Application's category |
Cortex.Logging.srcloc | string | Source location |
Cortex.Logging.dstloc | string | Destination location |
Cortex.Logging.characteristic-of-app | unknown | Application's characteristics |
Cortex.Logging.device_name | string | Device name |
Cortex.Logging.nat | number | Whether NAT was used |
Cortex.Logging.natdport | unknown | NAT port |
Cortex.Logging.natdst | unknown | NAT destination |
Cortex.Logging.natsrc | unknown | NAT source |
Cortex.Logging.risk-of-app | unknown | Risk of application |
Cortex.Logging.type | unknown | Threat type |
Cortex.Logging.pcap_id | unknown | Pcap ID |
Cortex.Logging.reportid | number | Report ID |
Cortex.Logging.category-of-threatid | unknown | Category of threat ID |
Cortex.Logging.subtype | unknown | Threat sub-type |
Cortex.Logging.time_received | unknown | Time received |
Cortex.Logging.pcap | unknown | Pcap |
Cortex.Logging.name-of-threatid | string | Name of threat ID |
Cortex.Logging.severity | unknown | Threat Severity |
Command Example
!cortex-search-by-file-hash SHA256=503ca1a4fc0d48b18c0336f544ba0f0abf305ae3a3f49b3c2b86b8645d6572dc
Context Example
{ "Cortex": { "Logging": [ { "SHA256": "503ca1a4fc0d48b18c0336f544ba0f0abf305ae3a3f49b3c2b86b8645d6572dc", "action": "allow", "actionflags": -6917529027641082000, "app": "google-app-engine", "category": "malicious", "category-of-app": "general-internet", "category-of-threatid": "unknown", "characteristic-of-app": [ "has-known-vulnerability", "tunnel-other-application", "prone-to-misuse", "is-saas" ], "cloud": "wildfire.paloaltonetworks.com", "cloud_hostname": "PA-VM", "config_ver": 2049, "contentver": 0, "customer-id": "140744002", "device_name": "PA-VM", "dg_hier_level_1": 13, "dg_hier_level_2": 0, "dg_hier_level_3": 0, "dg_hier_level_4": 0, "direction": "server-to-client", "dport": 80, "dst": "216.58.195.78", "dstloc": "US", "filename": "echomalware", "filetype": "pe", "flags": 4202496, "from": "Trust", "fwd": 1, "http_method": "unknown", "id": "140744002_lcaas:1:381684:0", "inbound_if": "ethernet1/2", "is-saas-of-app": 0, "log_feat_bit1": 1, "logset": "LCaaS", "name-of-threatid": "Windows Executable (EXE)", "nat": 1, "natdport": 80, "natdst": "216.58.195.78", "natsport": 38085, "natsrc": "172.31.23.156", "non-standard-dport": 0, "outbound_if": "ethernet1/1", "parent_session_id": 0, "parent_start_time": 0, "pcap": null, "pcap_id": 0, "proto": "tcp", "receive_time": 1527033937, "recsize": 1704, "repeatcnt": 1, "reportid": 9794151710, "risk-of-app": "3", "rule": "MonitorAll", "sanctioned-state-of-app": 0, "score": 2.139842, "seqno": 829961, "serial": "", "sessionid": 99875, "severity": "high", "sig_flags": 0, "sport": 35072, "src": "172.31.39.63", "srcloc": "172.16.0.0-172.31.255.255", "srcuser": "test@email.com", "subcategory-of-app": "internet-utility", "subject": null, "subtype": "wildfire", "technology-of-app": "browser-based", "threatid": 52020, "time_generated": 1527033928, "time_received": 1527033928, "to": "Untrust", "tunnel": 0, "tunneled-app": "tunneled-app", "tunnelid_imsi": 0, "type": "threat", "url_idx": 1, "users": "test@email.com", "vsys": "vsys1", "vsys_id": 1 } ] } }
5. Query traffic logs
Searches the Cortex panw.traffic table, which is the traffic logs table for PAN-OS and Panorama.
Base Command
cortex-query-traffic-logs
Input
Argument Name | Description | Required |
---|---|---|
ip | An IP address or an array of IP addresses for which to search, for example 1.1.1.1,2.2.2.2. | Optional |
rule | A rule name or an array of rule names to search. | Optional |
from_zone | A source zone name or an array of source zone names to search. | Optional |
to_zone | A destination zone name or an array of zone names to search. | Optional |
port | A destination port number or an array of destination port numbers to search. | Optional |
action | An action name or an array of action names to search. | Optional |
query | A free-text query for which to search. This forms the WHERE part of the query, for example, !cortex-query-traffic-logs query="src LIKE '192.168.1.*' AND dst='8.8.8.8'" | Optional |
fields | The fields selected by the query. Either "all" (same as *) or a comma-separated list of specific fields in the table. To discover the available field names, run the command once with fields="all" and inspect the output. | Optional |
startTime | The query start time. For example, startTime="2018-04-26 00:00:00" | Optional |
endTime | The query end time. For example, endTime="2018-04-26 00:00:00". | Optional |
timeRange | The time range for the query, used with the rangeValue argument. For example, timeRange="weeks" rangeValue="1" runs the query on the previous week. | Optional |
rangeValue | The time value for the query, used with the timeRange argument. For example, timeRange="weeks" rangeValue="1" runs the query on the previous week. | Optional |
limit | The number of logs to return. Default is 5. | Optional |
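As an added example (not the integration's own code), the following Python shows how the ip, rule, from_zone, to_zone, port, action, query, fields, timeRange/rangeValue and limit arguments above can be composed into a single query against panw.traffic. It assumes SQL-style syntax with a time_generated column for the time window and a one-week default range; the point is that list arguments are validated and quoted before they reach the query string, while the free-text query argument is inserted verbatim and therefore carries the operator's trust.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

TABLE = "panw.traffic"
TIME_FMT = "%Y-%m-%d %H:%M:%S"
ALLOWED_UNITS = {"minutes", "hours", "days", "weeks"}   # assumed timeRange units
FIELD_RE = re.compile(r"^[A-Za-z0-9_-]+$")              # column names such as category-of-app

# Argument name -> table column (column names taken from the context examples on this page).
LIST_ARGS = (("rule", "rule"), ("from_zone", "from"), ("to_zone", "to"), ("action", "action"))


def _as_list(value):
    """Accept a list or a comma-separated string such as '1.1.1.1,2.2.2.2'."""
    if value is None or value == "":
        return []
    if isinstance(value, list):
        return [str(v).strip() for v in value]
    return [v.strip() for v in str(value).split(",") if v.strip()]


def _quote(value):
    """Single-quote a string literal, doubling embedded quotes so that a value
    like  x' OR 1=1 --  stays inside the literal instead of terminating it."""
    return "'" + str(value).replace("'", "''") + "'"


def _in_clause(column, values):
    return f"{column} IN ({', '.join(_quote(v) for v in values)})"


def _select_list(fields):
    """'all' (or nothing) selects *, otherwise every field name must look like a column."""
    if not fields or fields == "all":
        return "*"
    names = _as_list(fields)
    for name in names:
        if not FIELD_RE.match(name):
            raise ValueError(f"invalid field name: {name!r}")
    return ", ".join(names)


def resolve_time_window(args, now=None):
    """Return (start, end) as 'YYYY-MM-DD HH:MM:SS' strings.
    Explicit startTime/endTime win; otherwise timeRange/rangeValue are counted back
    from `now` (a datetime or a TIME_FMT string; defaults to the current UTC time)."""
    if args.get("startTime") and args.get("endTime"):
        for value in (args["startTime"], args["endTime"]):
            datetime.strptime(value, TIME_FMT)   # reject anything that is not a timestamp
        return args["startTime"], args["endTime"]
    unit = args.get("timeRange", "weeks")       # default unit is an assumption
    if unit not in ALLOWED_UNITS:
        raise ValueError(f"unsupported timeRange: {unit!r}")
    amount = int(args.get("rangeValue", 1))
    if amount <= 0:
        raise ValueError("rangeValue must be positive")
    end = now or datetime.now(timezone.utc)
    if isinstance(end, str):
        end = datetime.strptime(end, TIME_FMT)
    start = end - timedelta(**{unit: amount})
    return start.strftime(TIME_FMT), end.strftime(TIME_FMT)


def build_traffic_query(args, now=None):
    """Compose the SELECT statement for cortex-query-traffic-logs style arguments."""
    where = []
    ips = _as_list(args.get("ip"))
    if ips:
        for ip in ips:
            ipaddress.ip_address(ip)            # ValueError for anything that is not an address
        where.append(f"({_in_clause('src', ips)} OR {_in_clause('dst', ips)})")
    for arg, column in LIST_ARGS:
        values = _as_list(args.get(arg))
        if values:
            where.append(_in_clause(column, values))
    ports = _as_list(args.get("port"))
    if ports:
        where.append(f"dport IN ({', '.join(str(int(p)) for p in ports)})")
    if args.get("query"):
        # Free-text WHERE fragment supplied by the operator; it is inserted as-is, so
        # restrict the command to analysts who may run arbitrary queries.
        where.append(f"({args['query']})")
    start, end = resolve_time_window(args, now)
    where.append(f"time_generated BETWEEN {_quote(start)} AND {_quote(end)}")  # column assumed
    limit = int(args.get("limit", 5))          # page default is 5
    if limit <= 0:
        raise ValueError("limit must be positive")
    fields = _select_list(args.get("fields"))
    return f"SELECT {fields} FROM {TABLE} WHERE {' AND '.join(where)} LIMIT {limit}"


def is_rejected(args):
    """True when validation refuses the arguments (used to show the checks in effect)."""
    try:
        build_traffic_query(args, now="2019-10-25 09:20:50")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(build_traffic_query({"rule": "To_Internet,To_VPN", "limit": "2"}, now="2019-10-25 09:20:50"))
```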
Context Output
Path | Type | Description |
---|---|---|
Cortex.Logging.Traffic.Action | String | Identifies the action that the firewall took for the network traffic. |
Cortex.Logging.Traffic.RiskOfApp | String | Indicates the risk of the application, from a network security perspective. The risk range is 1-5, where 5 is the riskiest. |
Cortex.Logging.Traffic.Natsport | String | Post-NAT source port. |
Cortex.Logging.Traffic.SessionID | String | Identifies the firewall's internal identifier for a specific network session. |
Cortex.Logging.Traffic.Packets | String | Number of total packets (transmit and receive) seen for the session. |
Cortex.Logging.Traffic.CharacteristicOfApp | String | Identifies the behavioral characteristics of the application associated with the network traffic. |
Cortex.Logging.Traffic.App | String | Application associated with the network traffic. |
Cortex.Logging.Traffic.Vsys | String | Virtual system associated with the network traffic. |
Cortex.Logging.Traffic.Nat | String | Indicates whether the firewall is performing network address translation (NAT) for the logged traffic. If it is, this value is 1. |
Cortex.Logging.Traffic.ReceiveTime | String | Time the log was received at the management plane. |
Cortex.Logging.Traffic.SubcategoryOfApp | String | Identifies the application's subcategory. The subcategory is related to the application's category, which is identified in category_of_app. |
Cortex.Logging.Traffic.Users | String | Srcuser or dstuser or srcip (one of). |
Cortex.Logging.Traffic.Proto | String | IP protocol associated with the session. |
Cortex.Logging.Traffic.TunneledApp | String | Whether the application is tunneled. |
Cortex.Logging.Traffic.Natdport | String | Post-NAT destination port. |
Cortex.Logging.Traffic.Dst | String | Original destination IP address. The IP address is an IPv4/IPv6 address in hex format. |
Cortex.Logging.Traffic.Natdst | String | If destination NAT performed, the post-NAT destination IP address. The IP address is an IPv4/IPv6 address in hex format. |
Cortex.Logging.Traffic.Rule | String | Name of the security policy rule that the network traffic matched. |
Cortex.Logging.Traffic.Dport | String | Network traffic's destination port. If this value is 0, then the app is using its standard port. |
Cortex.Logging.Traffic.Elapsed | String | Total time taken for the network session to complete. |
Cortex.Logging.Traffic.DeviceName | String | The hostname of the firewall that logged the network traffic. |
Cortex.Logging.Traffic.Subtype | String | Traffic log subtype. Values are: start, end, drop, deny. |
Cortex.Logging.Traffic.TimeReceived | String | Time the log was received at the management plane. |
Cortex.Logging.Traffic.SessionEndReason | String | The reason a session terminated. If the termination had multiple causes, this field displays only the highest priority reason. |
Cortex.Logging.Traffic.Natsrc | String | If source NAT was performed, the post-NAT source IP address. The IP address is an IPv4/IPv6 address in hex format. |
Cortex.Logging.Traffic.Src | String | Original source IP address. The IP address is an IPv4/IPv6 address in hex format. |
Cortex.Logging.Traffic.Start | String | Time when the session was established. |
Cortex.Logging.Traffic.TimeGenerated | String | Time the log was generated on the data plane. |
Cortex.Logging.Traffic.CategoryOfApp | String | Identifies the high-level family of the application. |
Cortex.Logging.Traffic.Srcloc | String | Source country or internal region for private addresses. The internal region is a user-defined name for a specific network in the user's enterprise. |
Cortex.Logging.Traffic.Dstloc | String | Destination country or internal region for private addresses. The internal region is a user-defined name for a specific network in the user's enterprise. |
Cortex.Logging.Traffic.Serial | String | Serial number of the firewall that generated the log. |
Cortex.Logging.Traffic.Bytes | String | Number of total bytes (transmit and receive). |
Cortex.Logging.Traffic.VsysID | String | A unique identifier for a virtual system on a Palo Alto Networks firewall. |
Cortex.Logging.Traffic.To | String | Networking zone to which the traffic was sent. |
Cortex.Logging.Traffic.Category | String | URL category associated with the session (if applicable). |
Cortex.Logging.Traffic.Sport | String | Source port utilized by the session. |
Cortex.Logging.Traffic.Tunnel | String | Type of tunnel. |
Cortex.Logging.Traffic.IsPhishing | String | Detected enterprise credential submission by an end user. |
IP.Address | String | IP address. |
Command Example
!cortex-query-traffic-logs rule=To_Internet,To_VPN limit=2
Context Example
{ "Cortex.Logging.Traffic": [ { "Action": "allow", "App": "dns", "Bytes": 309, "Category": "any", "CategoryOfApp": "networking", "CharacteristicOfApp": [ "able-to-transfer-file", "tunnel-other-application", "is-saas" ], "DeviceName": "DEVICE NAME", "Dport": 53, "Dst": "8.8.8.8", "Dstloc": "US", "Elapsed": 1, "Natdst": "0.0.0.0", "Natsrc": "0.0.0.0", "Packets": 2, "Proto": "udp", "ReceiveTime": 1571995273, "RiskOfApp": "3", "Rule": "To_Internet", "Serial": "007051000058440", "SessionEndReason": "aged-out", "SessionID": 107112, "Sport": 34105, "Src": "8.8.8.8", "Srcloc": "10.0.0.0-10.255.255.255", "Start": 1571995220, "SubcategoryOfApp": "infrastructure", "Subtype": "end", "TimeGenerated": 1571995250, "TimeReceived": 1571995250, "To": "internet", "Tunnel": "N/A", "TunneledApp": "untunneled", "Users": "8.8.8.8", "Vsys": "vsys1", "VsysID": 1, "id": "42635546_lcaas:4:2012540:1", "score": 1.9452807 }, { "Action": "allow", "App": "dns", "Bytes": 309, "Category": "any", "CategoryOfApp": "networking", "CharacteristicOfApp": [ "able-to-transfer-file", "tunnel-other-application", "is-saas" ], "DeviceName": "DEVICE NAME", "Dport": 53, "Dst": "8.8.8.8", "Dstloc": "US", "Natdst": "0.0.0.0", "Natsrc": "0.0.0.0", "Packets": 2, "Proto": "udp", "ReceiveTime": 1571995273, "RiskOfApp": "3", "Rule": "To_Internet", "Serial": "007051000058440", "SessionEndReason": "aged-out", "SessionID": 225363, "Sport": 50230, "Src": "8.8.8.8", "Srcloc": "10.0.0.0-10.255.255.255", "Start": 1571995222, "SubcategoryOfApp": "infrastructure", "Subtype": "end", "TimeGenerated": 1571995251, "TimeReceived": 1571995251, "To": "internet", "Tunnel": "N/A", "TunneledApp": "untunneled", "Users": "8.8.8.8", "Vsys": "vsys1", "VsysID": 1, "id": "42635546_lcaas:4:2012540:8", "score": 1.9452807 } ], "IP": [ { "Address": "8.8.8.8" }, { "Address": "0.0.0.0" } ] }
Human Readable Output
Logs traffic table
Source Address | Destination Address | Application | Action | Rule | Time Generated |
---|---|---|---|---|---|
8.8.8.8 | 8.8.8.8 | dns | allow | To_Internet | 2019-10-25T09:20:50 |
8.8.8.8 | 8.8.8.8 | dns | allow | To_Internet | 2019-10-25T09:20:51 |
Additional Information
If the command is run with fields="all", the human readable output contains the following fields: Source Address, Destination Address, Application, Action, Rule and Time Generated. If the command is run with fields="field1,field2,field3", the human readable output contains field1, field2 and field3.
6. Query threat logs
Searches the Cortex panw.threat table, which is the threat logs table for PAN-OS/Panorama.
Base Command
cortex-query-threat-logs
Input
Argument Name | Description | Required |
---|---|---|
ip | An IP address or an array of IP addresses for which to search, for example 1.1.1.1,2.2.2.2. | Optional |
rule | Rule name or array of rule names to search. | Optional |
from_zone | Source zone or array of zones to search. | Optional |
to_zone | Destination zone or array of zones to search. | Optional |
port | Port or array of ports to search. | Optional |
action | Action or array of actions to search. | Optional |
query | Free-text query to search. This forms the WHERE part of the query, for example: !cortex-query-traffic-logs query="src LIKE '192.168.1.*' AND dst = '192.168.1.12'" | Optional |
fields | The fields selected by the query. Either "all" (same as *) or a comma-separated list of specific fields in the table. To discover the available field names, run the command once with fields="all" and inspect the output. | Optional |
hash | SHA256 hash or array of SHA256 hashes to search. | Optional |
url | URL or array of URLs to search. | Optional |
startTime | The query start time. For example, startTime="2018-04-26 00:00:00" | Optional |
endTime | The query end time. For example, endTime="2018-04-26 00:00:00" | Optional |
timeRange | The time range for the query, used with the rangeValue argument. For example, timeRange="weeks" rangeValue="1" would run the query on the previous week. | Optional |
rangeValue | The time value for the query, used with the timeRange argument. For example, timeRange="weeks" rangeValue="1" would run the query on the previous week. | Optional |
limit | The number of logs to return. Default is 5. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Cortex.Logging.Threat.SessionID | String | Identifies the firewall's internal identifier for a specific network session. |
Cortex.Logging.Threat.Action | String | Identifies the action that the firewall took for the network traffic. |
Cortex.Logging.Threat.App | String | Application associated with the network traffic. |
Cortex.Logging.Threat.Nat | String | Indicates whether the firewall is performing network address translation (NAT) for the logged traffic. If it is, this value is 1. |
Cortex.Logging.Threat.SubcategoryOfApp | String | Identifies the application's subcategory. The subcategory is related to the application's category, which is identified in category_of_app. |
Cortex.Logging.Threat.PcapID | String | Packet capture (pcap) ID. This is used to correlate threat pcap files with extended pcaps taken as a part of the session flow. All threat logs will contain either a pcap_id of 0 (no associated pcap), or an ID referencing the extended pcap file. |
Cortex.Logging.Threat.Natdst | String | If destination NAT was performed, the post-NAT destination IP address. The IP address is an IPv4/IPv6 address in hex format. |
Cortex.Logging.Threat.Flags | String | Bit field which provides details on the session, such as whether the session uses IPv6, whether the session was denied due to a URL filtering rule, and/or whether the log corresponds to a transaction within an HTTP proxy session. |
Cortex.Logging.Threat.Dport | String | Network traffic's destination port. If this value is 0, then the app is using its standard port. |
Cortex.Logging.Threat.ThreatID | String | Numerical identifier for the threat type. All threats encountered by Palo Alto Networks firewalls are assigned a unique identifier. |
Cortex.Logging.Threat.Natsrc | String | If source NAT was performed, the post-NAT source IP address. The IP address is an IPv4/IPv6 address in hex format. |
Cortex.Logging.Threat.CategoryOfApp | String | Identifies the managing application, or parent, of the application associated with this network traffic, if any. |
Cortex.Logging.Threat.Srcloc | String | Source country or internal region for private addresses. The internal region is a user-defined name for a specific network in the user's enterprise. |
Cortex.Logging.Threat.Dstloc | String | Destination country or internal region for private addresses. The internal region is a user-defined name for a specific network in the user's enterprise. |
Cortex.Logging.Threat.To | String | Networking zone to which the traffic was sent. |
Cortex.Logging.Threat.RiskOfApp | String | Indicates how risky the application is from a network security perspective. Values range from 1-5, where 5 is the riskiest. |
Cortex.Logging.Threat.Natsport | String | Post-NAT source port. |
Cortex.Logging.Threat.URLDenied | String | Session was denied due to a URL filtering rule. |
Cortex.Logging.Threat.CharacteristicOfApp | String | Identifies the behavioral characteristic of the application associated with the network traffic. |
Cortex.Logging.Threat.HTTPMethod | String | Only in URL filtering logs. Describes the HTTP method used in the web request. |
Cortex.Logging.Threat.From | String | The networking zone from which the traffic originated. |
Cortex.Logging.Threat.Vsys | String | Virtual system associated with the network traffic. |
Cortex.Logging.Threat.ReceiveTime | String | Time the log was received at the management plane. |
Cortex.Logging.Threat.Users | String | Srcuser or dstuser or srcip (one of). |
Cortex.Logging.Threat.Proto | String | IP protocol associated with the session. |
Cortex.Logging.Threat.Natdport | String | Post-NAT destination port. |
Cortex.Logging.Threat.Dst | String | Original destination IP address. The IP address is an IPv4/ IPv6 address in hex format. |
Cortex.Logging.Threat.Rule | String | Name of the security policy rule that the network traffic matched. |
Cortex.Logging.Threat.CategoryOfThreatID | String | Threat category of the detected threat. |
Cortex.Logging.Threat.DeviceName | String | The hostname of the firewall that logged the network traffic. |
Cortex.Logging.Threat.Subtype | String | Subtype of the threat log. |
Cortex.Logging.Threat.TimeReceived | String | Time the log was received at the management plane. |
Cortex.Logging.Threat.Direction | String | Indicates the direction of the attack, client-to-server or server-to-client. |
Cortex.Logging.Threat.Misc | String | The meaning of this field differs according to the log's subtype: Subtype is URL, this field contains the requested URI. Subtype is File, this field contains the file name or file type. Subtype is Virus, this field contains the file name. Subtype is WildFire, this field contains the file name. |
Cortex.Logging.Threat.Severity | String | Severity associated with the event. |
Cortex.Logging.Threat.Src | String | Original source IP address. The IP address is an IPv4/IPv6 address in hex format. |
Cortex.Logging.Threat.TimeGenerated | String | Time the log was generated on the data plane. |
Cortex.Logging.Threat.Serial | String | Serial number of the firewall that generated the log. |
Cortex.Logging.Threat.VsysID | String | A unique identifier for a virtual system on a Palo Alto Networks firewall. |
Cortex.Logging.Threat.URLDomain | String | The name of the internet domain that was visited in this session. |
Cortex.Logging.Threat.Category | String | For the URL subtype, this identifies the URL category. For the WildFire subtype, this identifies the verdict on the file. It is one of 'malicious', 'phishing', 'grayware', or 'benign'. |
Cortex.Logging.Threat.Sport | String | Source port utilized by the session. |
Cortex.Logging.Threat.IsPhishing | Boolean | Detected enterprise credential submission by an end user. |
IP.Address | String | IP address. |
Domain.Name | String | The domain name, for example: "google.com". |
File.SHA256 | String | The SHA256 hash of the file. |
File.Name | String | The full file name (including file extension). |
File.Type | String | The file type, as determined by libmagic (same as displayed in file entries). |
Command Example
!cortex-query-threat-logs fields=src,dst ip=8.8.8.8 limit=1
Context Example
```json
{
    "Cortex.Logging.Threat": [
        {
            "Dst": "7.7.7.7",
            "Src": "8.8.8.8",
            "id": "42635546_lcaas:4:2023012:4",
            "score": 4.7690573
        }
    ],
    "IP": [
        { "Address": "8.8.8.8" },
        { "Address": "7.7.7.7" }
    ]
}
```
Human Readable Output
Logs threat table
src | dst |
---|---|
8.8.8.8 | 7.7.7.7 |
Additional Information
When the command is run with fields="all", the human readable output contains the following fields: Source Address, Destination Address, Application, Action, Rule and Time Generated. When it is run with fields="field1,field2,field3", the human readable output contains field1, field2 and field3.
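The Context Output table above says the address columns (Src, Dst, Natsrc, Natdst) arrive as IPv4/IPv6 addresses in hex format, while the Context Example shows them in dotted notation. As an added example that is not part of the integration, the Python below decodes such a value into readable form and turns one raw threat row into the `Cortex.Logging.Threat` entry plus the IP, Domain and File indicators the table lists. The raw column names (session_id, src, filedigest, url_domain and so on), the exact hex encoding (a zero-padded hex string, 8 digits for IPv4 and 32 for IPv6, with an optional 0x prefix) and the sample rows are all assumptions or constructed data.

```python
"""Decode hex-format addresses and map one panw.threat row to context.

Added example, not the integration's own code. Raw column names and the
hex encoding are assumptions; the sample rows are constructed."""
import ipaddress
from typing import Any, Dict

# Raw column (assumed) -> context key from the Context Output table.
FIELD_MAP = {
    "session_id": "SessionID", "action": "Action", "app": "App",
    "src": "Src", "dst": "Dst", "natsrc": "Natsrc", "natdst": "Natdst",
    "sport": "Sport", "dport": "Dport", "rule": "Rule", "subtype": "Subtype",
    "severity": "Severity", "misc": "Misc", "url_domain": "URLDomain",
    "time_generated": "TimeGenerated",
}
HEX_IP_COLUMNS = {"src", "dst", "natsrc", "natdst"}

# Constructed sample rows, not data from the page.
SAMPLE_URL_ROW = {
    "session_id": 42635546, "action": "alert", "app": "dns",
    "src": "0x08080808", "dst": "07070707", "sport": 53211, "dport": 53,
    "rule": "outbound-dns", "subtype": "url", "severity": "informational",
    "misc": "example.test/", "url_domain": "example.test",
    "time_generated": "2019-10-26T14:20:08Z",
}
SAMPLE_WILDFIRE_ROW = {
    "session_id": 42635547, "action": "block", "app": "web-browsing",
    "src": "0a000005", "dst": "0xc0a8010c", "natsrc": "00000000",
    "rule": "inbound-web", "subtype": "wildfire", "severity": "high",
    "misc": "invoice.pdf", "filedigest": "0123456789abcdef" * 4,  # placeholder hash
}


def decode_ip(value: str) -> str:
    """Return dotted/colon notation for a literal IP or for the hex form.

    8 hex digits are read as IPv4, 32 as IPv6; anything else is returned
    untouched so that an unexpected value is visible rather than dropped."""
    try:
        return str(ipaddress.ip_address(value))  # already a literal address
    except ValueError:
        pass
    digits = value[2:] if value.lower().startswith("0x") else value
    try:
        number = int(digits, 16)
    except ValueError:
        return value
    if len(digits) == 8:
        return str(ipaddress.IPv4Address(number))
    if len(digits) == 32:
        return str(ipaddress.IPv6Address(number))
    return value


def to_context(row: Dict[str, Any]) -> Dict[str, Any]:
    """Build the context entry and indicators for a single threat row."""
    threat: Dict[str, Any] = {}
    for column, key in FIELD_MAP.items():
        value = row.get(column)
        if value in (None, ""):
            continue
        if column in HEX_IP_COLUMNS:
            value = decode_ip(str(value))
        threat[key] = value

    context: Dict[str, Any] = {"Cortex.Logging.Threat": [threat]}
    # Every distinct address becomes an IP indicator; an unset NAT column
    # decodes to 0.0.0.0 (assumed) and is not an indicator.
    ips = {threat[k] for k in ("Src", "Dst", "Natsrc", "Natdst") if k in threat}
    ips.discard("0.0.0.0")
    if ips:
        context["IP"] = [{"Address": ip} for ip in sorted(ips)]
    if threat.get("URLDomain"):
        context["Domain"] = [{"Name": threat["URLDomain"]}]
    digest = row.get("filedigest")
    if digest:
        file_entry = {"SHA256": digest}
        # Per the Misc description: for File, Virus and WildFire subtypes
        # the Misc column carries the file name.
        if threat.get("Subtype") in ("file", "virus", "wildfire") and threat.get("Misc"):
            file_entry["Name"] = threat["Misc"]
        context["File"] = [file_entry]
    return context


if __name__ == "__main__":
    print(to_context(SAMPLE_URL_ROW))
    print(to_context(SAMPLE_WILDFIRE_ROW))
```

Decoding by digit count rather than by numeric range matters for the IPv4 case: the integer value of a 32-digit IPv6 string that happens to be small would otherwise be misread as an IPv4 address.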
7. Query Traps logs
Searches the Cortex tms.threat table, which is the threat logs table for the Traps endpoint protection and response.
Base Command
cortex-query-traps-logs
Input
Argument Name | Description | Required |
---|---|---|
ip | IP or array of IPs to search, for example 1.1.1.1,2.2.2.2. | Optional |
host | Host or array of hosts to search. | Optional |
user | User or array of users to search. | Optional |
category | Category or array of categories to search. | Optional |
hash | Hash or array of hashes to search. | Optional |
query | Free-text input query to search. This is the WHERE part of the query, for example src = '1.1.1.1' OR rule = 'test rule'. | Optional |
fields | The fields that are selected in the query. Selection can be "all" (same as *) or a list of specific fields in the table. The list of available fields can be found by viewing all the output fields with "all". | Optional |
startTime | The query start time. For example, startTime="2018-04-26 00:00:00". | Optional |
endTime | The query end time. For example, endTime="2018-04-26 00:00:00". | Optional |
timeRange | The time range for the query, used with the rangeValue argument. For example, timeRange="weeks" rangeValue="1" would run the query on the previous week. | Optional |
rangeValue | The time value for the query, used with the timeRange argument. For example, timeRange="weeks" rangeValue="1" would run the query on the previous week. | Optional |
limit | The number of logs to return. Default is 5. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Cortex.Logging.Traps.Severity | String | Severity level associated with the event. |
Cortex.Logging.Traps.AgentID | String | Unique identifier for the Traps agent. |
Cortex.Logging.Traps.EndPointHeader.OsType | String | Operating system of the endpoint. |
Cortex.Logging.Traps.EndPointHeader.IsVdi | String | Indicates whether the endpoint is a virtual desktop infrastructure (VDI). |
Cortex.Logging.Traps.EndPointHeader.OSVersion | String | Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135. |
Cortex.Logging.Traps.EndPointHeader.Is64 | String | Indicates whether the endpoint is running a 64-bit version of Windows. |
Cortex.Logging.Traps.EndPointHeader.AgentIP | String | IP address of the endpoint. |
Cortex.Logging.Traps.EndPointHeader.DeviceName | String | Hostname of the endpoint on which the event was logged. |
Cortex.Logging.Traps.EndPointHeader.DeviceDomain | String | Domain to which the endpoint belongs. |
Cortex.Logging.Traps.EndPointHeader.Username | String | The username on which the event was logged. |
Cortex.Logging.Traps.EndPointHeader.AgentTime | String | Universal Time Coordinated (UTC) equivalent of the time at which an agent logged an event. ISO-8601 string representation. |
Cortex.Logging.Traps.EndPointHeader.AgentVersion | String | Version of the Traps agent. |
Cortex.Logging.Traps.EndPointHeader.ProtectionStatus | String | The Traps agent status. |
Cortex.Logging.Traps.RecordType | String | Record type associated with the event. |
Cortex.Logging.Traps.TrapsID | String | Tenant external ID. |
Cortex.Logging.Traps.EventType | String | Subtype of the event. |
Cortex.Logging.Traps.UUID | String | Unique identifier for the event in Cortex. |
Cortex.Logging.Traps.ServerHost | String | Hostname of the Traps management service. |
Cortex.Logging.Traps.GeneratedTime | String | Universal Time Coordinated (UTC) equivalent of the time at which an event was logged. |
Cortex.Logging.Traps.ServerComponentVersion | String | Software version of the Traps management service. |
Cortex.Logging.Traps.RegionID | String | Region ID. |
Cortex.Logging.Traps.CustomerID | String | Customer ID. |
Cortex.Logging.Traps.ServerTime | String | Universal Time Coordinated (UTC) equivalent of the time at which the server generated the log. If the log was generated on an endpoint. |
Cortex.Logging.Traps.OriginalAgentTime | String | Original time on the endpoint device. |
Cortex.Logging.Traps.Facility | String | The Traps system component that initiated the event, for example TrapsAgent, TrapsServiceCore, TrapsServiceManagement, TrapsServiceBackend. |
Cortex.Logging.Traps.MessageData.PreventionKey | String | Unique identifier for security events. |
Cortex.Logging.Traps.MessageData.Processes.PID | String | Process identifier. |
Cortex.Logging.Traps.MessageData.Processes.ParentID | String | Parent process identifier. |
Cortex.Logging.Traps.MessageData.Processes.ExeFileIdx | String | Index of target files for specific security events such as: Scanning, Malicious DLL, Malicious Macro events. |
Cortex.Logging.Traps.MessageData.Processes.UserIdx | String | Index of users. |
Cortex.Logging.Traps.MessageData.Processes.CommandLine | String | Command line executed with the process. |
Cortex.Logging.Traps.MessageData.Processes.Terminated | String | Termination action taken on the file. |
Cortex.Logging.Traps.MessageData.Files.RawFullPath | String | Full path for the executed file. |
Cortex.Logging.Traps.MessageData.Files.FileName | String | File name. |
Cortex.Logging.Traps.MessageData.Files.SHA256 | String | SHA256 hash of the file. |
Cortex.Logging.Traps.MessageData.Files.FileSize | String | File size. |
Cortex.Logging.Traps.MessageData.Users.Username | String | Username of the active user on the endpoint. |
Cortex.Logging.Traps.MessageData.Users.Domain | String | Domain to which the user account belongs. |
Cortex.Logging.Traps.MessageData.PostDetected | String | Was post detected. |
Cortex.Logging.Traps.MessageData.Terminate | String | Termination action taken on the file. |
Cortex.Logging.Traps.MessageData.Verdict | String | Traps verdict for the file. |
Cortex.Logging.Traps.MessageData.Blocked | String | Block action taken on the file. |
Cortex.Logging.Traps.MessageData.TargetProcessIdx | String | The prevention target process index in the processes array. |
Cortex.Logging.Traps.MessageData.ModuleCategory | String | Security module name. |
Cortex.Logging.Traps.MessageData.PreventionMode | String | The prevention mode used. |
Cortex.Logging.Traps.MessageData.TrapsSeverity | String | Traps Severity level associated with the event defined for the Traps management service. |
Cortex.Logging.Traps.MessageData.SourceProcess.User.Username | String | Source username initiating the process. |
Cortex.Logging.Traps.MessageData.SourceProcess.PID | String | Source process ID (PID). |
Cortex.Logging.Traps.MessageData.SourceProcess.ParentID | String | Parent ID for the source process. |
Cortex.Logging.Traps.MessageData.SourceProcess.CommandLine | String | Source process command line. |
Cortex.Logging.Traps.MessageData.SourceProcess.InstanceID | String | Traps instance ID. |
Cortex.Logging.Traps.MessageData.SourceProcess.Terminated | String | Source process termination action taken on the file. |
Cortex.Logging.Traps.MessageData.SourceProcess.RawFullPath | String | Source process raw full path. |
Cortex.Logging.Traps.MessageData.SourceProcess.FileName | String | Source process file name. |
Cortex.Logging.Traps.MessageData.SourceProcess.SHA256 | String | Source process SHA256 hash. |
Cortex.Logging.Traps.MessageData.SourceProcess.FileSize | String | Source process file size. |
Cortex.Logging.Traps.MessageData.SourceProcess.InnerObjectSHA256 | String | Source process inner object SHA256 hash. |
Endpoint.Hostname | String | The hostname that is mapped to this endpoint. |
Endpoint.IPAddress | String | The IP address of the endpoint. |
Endpoint.Domain | String | The domain of the endpoint. |
Endpoint.OSVersion | String | OS version. |
Endpoint.OS | String | Endpoint OS. |
Endpoint.ID | String | The unique ID within the tool retrieving the endpoint. |
Host.Hostname | String | The name of the host. |
Host.IPAddress | String | The IP address of the host. |
Host.Domain | String | The domain of the host. |
Host.OSVersion | String | The OS version of the host. |
Host.OS | String | Host OS. |
Host.ID | String | The unique ID within the tool retrieving the host. |
Process.PID | Number | The PID of the process. |
Process.Parent | String | Parent process objects. |
Process.CommandLine | String | The full command line (including arguments). |
Process.SHA256 | String | The SHA256 hash of the process. |
Process.Name | String | The name of the process. |
Process.Path | String | The file system path to the binary file. |
File.Name | String | The full file name (including file extension). |
File.Type | String | The file type, as determined by libmagic (same as displayed in file entries). |
File.Path | String | The path where the file is located. |
File.Size | Number | The size of the file in bytes. |
File.SHA256 | String | The SHA256 hash of the file. |
File.DigitalSignature.Publisher | String | The publisher of the digital signature for the file. |
File.Company | String | The name of the company that released a binary. |
Command Example
!cortex-query-traps-logs startTime=2011-10-25T00:00:31 endTime=2019-10-27T00:00:31 fields=endPointHeader.userName limit=4 user=administrator,tim,josh
Context Example
```json
{
    "Cortex.Logging.Traps": [
        {
            "EndPointHeader": { "Username": "administrator" },
            "id": "9c8228bd-c26b-452c-855f-bbd83070809f",
            "score": 1.452933
        },
        {
            "EndPointHeader": { "Username": "administrator" },
            "id": "8d54c329-5ef7-4563-9018-a1b69cb90bbd",
            "score": 1.452933
        },
        {
            "EndPointHeader": { "Username": "administrator" },
            "id": "cbdf7fc6-5fa3-4090-aa3d-4f0aaf3b45d9",
            "score": 1.452933
        },
        {
            "EndPointHeader": { "Username": "administrator" },
            "id": "df2ef772-ce37-41a5-a4de-bacee0135d58",
            "score": 1.452933
        }
    ]
}
```
Human Readable Output
Logs traps table
endPointHeader.userName |
---|
administrator |
administrator |
administrator |
administrator |
Additional Information
When the command is run with fields="all", the human readable output contains the following fields: Severity, Event Type, User, Agent Address, Agent Name and Agent Time. When it is run with fields="field1,field2,field3", the human readable output contains field1, field2 and field3.
8. Query analytics logs
Searches the Cortex tms.analytics table, which is the endpoint logs table for Traps Analytics.
Base Command
cortex-query-analytics-logs
Input
Argument Name | Description | Required |
---|---|---|
ip | Agent IP or array of agent IPs to search. | Optional |
host | Agent host name or array of agent host names to search. | Optional |
user | Username or array of usernames to search. | Optional |
category | Event category or array of event categories to search. | Optional |
hash | Hash or array of hashes to search. | Optional |
query | Free-text input query to search. This forms the WHERE part of the query. For example, endPointHeader.agentIp = '1.1.1.1'. | Optional |
fields | The fields that are selected in the query. Selection can be "all" (same as *) or a list of specific fields in the table. You can find the list of fields by viewing all the output fields with "all". | Optional |
startTime | The query start time. For example, startTime="2018-04-26 00:00:00". | Optional |
endTime | The query end time. For example, endTime="2018-04-26 00:00:00". | Optional |
timeRange | The time range for the query, used with the rangeValue argument. For example, timeRange="weeks" rangeValue="1" would run the query on the previous week. | Optional |
rangeValue | The time value for the query, used with the timeRange argument. For example, timeRange="weeks" rangeValue="1" would run the query on the previous week. | Optional |
limit | The number of logs to return. Default is 5. | Optional |
Context Output
Path | Type | Description |
---|---|---|
Cortex.Logging.Analytics.AgentID | String | Unique identifier for the Traps agent. |
Cortex.Logging.Analytics.EndPointHeader.OsType | String | Operating system of the endpoint. |
Cortex.Logging.Analytics.EndPointHeader.IsVdi | String | Indicates whether the endpoint is a virtual desktop infrastructure (VDI). |
Cortex.Logging.Analytics.EndPointHeader.OSVersion | String | Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135. |
Cortex.Logging.Analytics.EndPointHeader.Is64 | String | Indicates whether the endpoint is running a 64-bit version of Windows. |
Cortex.Logging.Analytics.EndPointHeader.AgentIP | String | IP address of the endpoint. |
Cortex.Logging.Analytics.EndPointHeader.DeviceName | String | Hostname of the endpoint on which the event was logged. |
Cortex.Logging.Analytics.EndPointHeader.DeviceDomain | String | Domain to which the endpoint belongs. |
Cortex.Logging.Analytics.EndPointHeader.Username | String | The username on which the event was logged. |
Cortex.Logging.Analytics.EndPointHeader.UserDomain | String | Username of the active user on the endpoint. |
Cortex.Logging.Analytics.EndPointHeader.AgentTime | String | Universal Time Coordinated (UTC) equivalent of the time at which an agent logged an event. ISO-8601 string representation. |
Cortex.Logging.Analytics.EndPointHeader.AgentVersion | String | Version of the Traps agent. |
Cortex.Logging.Analytics.EndPointHeader.ProtectionStatus | String | Status of the Traps protection. |
Cortex.Logging.Analytics.EndPointHeader.DataCollectionStatus | String | Status of the agent logging. |
Cortex.Logging.Analytics.TrapsID | String | Tenant external ID. |
Cortex.Logging.Analytics.EventType | String | Subtype of event. |
Cortex.Logging.Analytics.UUID | String | Event unique ID. |
Cortex.Logging.Analytics.GeneratedTime | String | Universal Time Coordinated (UTC) equivalent of the time at which an event was logged. For agent events, this represents the time on the endpoint. For policy, configuration, and system events, this represents the time on the Traps management service. ISO-8601 string representation (for example, 2017-01-24T09:08:59Z). |
Cortex.Logging.Analytics.RegionID | String | ID of the Traps management service region. |
Cortex.Logging.Analytics.OriginalAgentTime | String | Original timestamp for endpoint. |
Cortex.Logging.Analytics.Facility | String | The Traps system component that initiated the event, for example TrapsAgent, TrapsServiceCore, TrapsServiceManagement, TrapsServiceBackend. |
Cortex.Logging.Analytics.MessageData.type | String | Type of file. |
Cortex.Logging.Analytics.MessageData.SHA256 | String | The SHA256 hash of the file. |
Cortex.Logging.Analytics.MessageData.FileName | String | File name, without the path or the file type extension. |
Cortex.Logging.Analytics.MessageData.FilePath | String | Full path, aligned with OS format. |
Cortex.Logging.Analytics.MessageData.FileSize | String | Size of the file in bytes. |
Cortex.Logging.Analytics.MessageData.Reported | String | Whether the file was reported. |
Cortex.Logging.Analytics.MessageData.Blocked | String | Whether the file was blocked. |
Cortex.Logging.Analytics.MessageData.LocalAnalysisResult.Trusted | String | Trusted signer result. |
Cortex.Logging.Analytics.MessageData.LocalAnalysisResult.Publishers | String | File publisher. |
Cortex.Logging.Analytics.MessageData.LocalAnalysisResult.TrustedID | String | Trusted ID. |
Cortex.Logging.Analytics.MessageData.ExecutionCount | String | File execution count. |
Cortex.Logging.Analytics.MessageData.LastSeen | String | The date the file was last seen. |
Cortex.Logging.Analytics.Severity | String | The threat severity. |
Endpoint.Hostname | String | The hostname that is mapped to this endpoint. |
Endpoint.IPAddress | String | The IP address of the endpoint. |
Endpoint.Domain | String | The domain of the endpoint. |
Endpoint.OSVersion | String | OS version. |
Endpoint.OS | String | Endpoint OS. |
Endpoint.ID | String | The unique ID within the tool retrieving the endpoint. |
Host.Hostname | String | The name of the host. |
Host.IPAddress | String | The IP address of the host. |
Host.Domain | String | The domain of the host. |
Host.OSVersion | String | The OS version of the host. |
Host.OS | String | Host OS. |
Host.ID | String | The unique ID within the tool retrieving the host. |
File.Name | String | The full file name (including file extension). |
File.Type | String | The file type, as determined by libmagic (same as displayed in file entries). |
File.Path | String | The path where the file is located. |
File.Size | Number | The size of the file in bytes. |
File.SHA256 | String | The SHA256 hash of the file. |
File.DigitalSignature.Publisher | String | The publisher of the digital signature for the file. |
File.Company | String | The name of the company that released a binary. |
Command Example
!cortex-query-analytics-logs fields=all host=DC1ENV9APC51 user=Administrator
Context Example
```json
{
  "Cortex.Logging.Analytics": [
    {
      "AgentID": "30e55fb7590b0a907906b5620960931f",
      "EndPointHeader": {
        "AgentIP": "8.8.8.8",
        "AgentTime": "2019-10-26T14:20:08.124Z",
        "AgentVersion": "6.0.0.4961",
        "DeviceDomain": "DEVICE DOMAIN",
        "DeviceName": "DEVICE NAME",
        "Is64": "The endpoint is running x64 architecture",
        "IsVdi": "",
        "OSVersion": "10.0.17134",
        "OsType": "Windows",
        "ProtectionStatus": 0,
        "UserDomain": "USER DOMAIN",
        "Username": "Administrator"
      },
      "EventType": "AgentTimelineEvent",
      "Facility": "TrapsAgent",
      "GeneratedTime": "2019-10-26T14:20:08.124Z",
      "MessageData": {
        "@type": "type.googleapis.com/cloud_api.HashEventObject",
        "Blocked": 0,
        "ExecutionCount": 49616,
        "FileName": "backgroundTaskHost.exe",
        "FilePath": "C:\\Windows\\System32\\",
        "FileSize": 19352,
        "LastSeen": "2019-10-26T14:20:00.532694200Z",
        "LocalAnalysisResult": {
          "Publishers": ["Microsoft Windows"],
          "Trusted": "None",
          "TrustedID": ""
        },
        "Reported": 0,
        "SHA256": "48b9eb1e31b0c2418742ce07675d58c974dd9f03007988c90c1e38f217f5c65b",
        "Type": "pe"
      },
      "OriginalAgentTime": "2019-10-26T14:20:00.532694200Z",
      "RegionID": "Americas (N. Virginia)",
      "TrapsID": "8692543548339348938",
      "UUID": "8dc1aaa6-7d38-4c7d-89b3-d37fe1e9008d",
      "id": "8dc1aaa6-7d38-4c7d-89b3-d37fe1e9008d",
      "score": 5.3399997
    },
    {
      "AgentID": "30e55fb7590b0a907906b5620960931f",
      "EndPointHeader": {
        "AgentIP": "8.8.8.8",
        "AgentTime": "2019-10-26T14:19:51.853Z",
        "AgentVersion": "6.0.0.4961",
        "DeviceDomain": "DEVICE DOMAIN",
        "DeviceName": "DEVICE NAME",
        "Is64": "The endpoint is running x64 architecture",
        "IsVdi": "",
        "OSVersion": "10.0.17134",
        "OsType": "Windows",
        "ProtectionStatus": 0,
        "UserDomain": "USER DOMAIN",
        "Username": "Administrator"
      },
      "EventType": "AgentTimelineEvent",
      "Facility": "TrapsAgent",
      "GeneratedTime": "2019-10-26T14:19:51.853Z",
      "MessageData": {
        "@type": "type.googleapis.com/cloud_api.HashEventObject",
        "Blocked": 0,
        "ExecutionCount": 9612,
        "FileName": "SearchProtocolHost.exe",
        "FilePath": "C:\\Windows\\System32\\",
        "FileSize": 406528,
        "LastSeen": "2019-10-26T14:19:44.261083400Z",
        "LocalAnalysisResult": {
          "Publishers": ["Microsoft Windows"],
          "Trusted": "None",
          "TrustedID": ""
        },
        "Reported": 0,
        "SHA256": "aee8842a078b3cf5566b3c95e4b521c2639e878fa4749a58d69700452c051261",
        "Type": "pe"
      },
      "OriginalAgentTime": "2019-10-26T14:19:44.261083400Z",
      "RegionID": "Americas (N. Virginia)",
      "TrapsID": "8692543548339348938",
      "UUID": "ebb20522-07db-4f1f-9a04-439e661d079e",
      "id": "ebb20522-07db-4f1f-9a04-439e661d079e",
      "score": 5.3399997
    },
    {
      "AgentID": "30e55fb7590b0a907906b5620960931f",
      "EndPointHeader": {
        "AgentIP": "8.8.8.8",
        "AgentTime": "2019-10-26T14:19:51.884Z",
        "AgentVersion": "6.0.0.4961",
        "DeviceDomain": "DEVICE DOMAIN",
        "DeviceName": "DEVICE NAME",
        "Is64": "The endpoint is running x64 architecture",
        "IsVdi": "",
        "OSVersion": "10.0.17134",
        "OsType": "Windows",
        "ProtectionStatus": 0,
        "UserDomain": "USER DOMAIN",
        "Username": "Administrator"
      },
      "EventType": "AgentTimelineEvent",
      "Facility": "TrapsAgent",
      "GeneratedTime": "2019-10-26T14:19:51.884Z",
      "MessageData": {
        "@type": "type.googleapis.com/cloud_api.HashEventObject",
        "Blocked": 0,
        "ExecutionCount": 9613,
        "FileName": "SearchFilterHost.exe",
        "FilePath": "C:\\Windows\\System32\\",
        "FileSize": 227328,
        "LastSeen": "2019-10-26T14:19:44.292322500Z",
        "LocalAnalysisResult": {
          "Publishers": ["Microsoft Windows"],
          "Trusted": "None",
          "TrustedID": ""
        },
        "Reported": 0,
        "SHA256": "6c033c5c65e3d788c66aa9079ce69e882a74dd14bd3d7539ad76ec7f13a34b8a",
        "Type": "pe"
      },
      "OriginalAgentTime": "2019-10-26T14:19:44.292322500Z",
      "RegionID": "Americas (N. Virginia)",
      "TrapsID": "8692543548339348938",
      "UUID": "3cd17b17-a0de-492d-81d9-ac6584757305",
      "id": "3cd17b17-a0de-492d-81d9-ac6584757305",
      "score": 5.3399997
    },
    {
      "AgentID": "30e55fb7590b0a907906b5620960931f",
      "EndPointHeader": {
        "AgentIP": "8.8.8.8",
        "AgentTime": "2019-10-26T14:20:08.124Z",
        "AgentVersion": "6.0.0.4961",
        "DeviceDomain": "DEVICE DOMAIN",
        "DeviceName": "DEVICE NAME",
        "Is64": "The endpoint is running x64 architecture",
        "IsVdi": "",
        "OSVersion": "10.0.17134",
        "OsType": "Windows",
        "ProtectionStatus": 0,
        "UserDomain": "USER DOMAIN",
        "Username": "Administrator"
      },
      "EventType": "AgentTimelineEvent",
      "Facility": "TrapsAgent",
      "GeneratedTime": "2019-10-26T14:20:08.124Z",
      "MessageData": {
        "@type": "type.googleapis.com/cloud_api.HashEventObject",
        "Blocked": 0,
        "ExecutionCount": 83238,
        "FileName": "conhost.exe",
        "FilePath": "C:\\Windows\\System32\\",
        "FileSize": 625664,
        "LastSeen": "2019-10-26T14:20:00.532694200Z",
        "LocalAnalysisResult": {
          "Publishers": ["Microsoft Windows"],
          "Trusted": "None",
          "TrustedID": ""
        },
        "Reported": 0,
        "SHA256": "04b6a35bc504401989b9e674c57c9e84d0cbdbbd9d8ce0ce83d7ceca0b7175ed",
        "Type": "pe"
      },
      "OriginalAgentTime": "2019-10-26T14:20:00.532694200Z",
      "RegionID": "Americas (N. Virginia)",
      "TrapsID": "8692543548339348938",
      "UUID": "fb53ea16-c9c7-4e3c-b6bf-179f9e89a4bb",
      "id": "fb53ea16-c9c7-4e3c-b6bf-179f9e89a4bb",
      "score": 5.3399997
    },
    {
      "AgentID": "30e55fb7590b0a907906b5620960931f",
      "EndPointHeader": {
        "AgentIP": "8.8.8.8",
        "AgentTime": "2019-10-26T14:20:08.202Z",
        "AgentVersion": "6.0.0.4961",
        "DeviceDomain": "DEVICE DOMAIN",
        "DeviceName": "DEVICE NAME",
        "Is64": "The endpoint is running x64 architecture",
        "IsVdi": "",
        "OSVersion": "10.0.17134",
        "OsType": "Windows",
        "ProtectionStatus": 0,
        "UserDomain": "USER DOMAIN",
        "Username": "Administrator"
      },
      "EventType": "AgentTimelineEvent",
      "Facility": "TrapsAgent",
      "GeneratedTime": "2019-10-26T14:20:08.202Z",
      "MessageData": {
        "@type": "type.googleapis.com/cloud_api.HashEventObject",
        "Blocked": 0,
        "ExecutionCount": 73500,
        "FileName": "timeout.exe",
        "FilePath": "C:\\Windows\\System32\\",
        "FileSize": 30720,
        "LastSeen": "2019-10-26T14:20:00.610816500Z",
        "LocalAnalysisResult": {
          "Publishers": ["Microsoft Windows"],
          "Trusted": "None",
          "TrustedID": ""
        },
        "Reported": 0,
        "SHA256": "b7d686c4c92d1c0bbf1604b8c43684e227353293b3206a1220bab77562504b3c",
        "Type": "pe"
      },
      "OriginalAgentTime": "2019-10-26T14:20:00.610816500Z",
      "RegionID": "Americas (N. Virginia)",
      "TrapsID": "8692543548339348938",
      "UUID": "df8ff6a8-65b2-4932-b7da-c56ddc84f1c3",
      "id": "df8ff6a8-65b2-4932-b7da-c56ddc84f1c3",
      "score": 5.3399997
    }
  ],
  "Endpoint": [
    {
      "Domain": "DEVICE DOMAIN",
      "Hostname": "DEVICE NAME",
      "ID": "30e55fb7590b0a907906b5620960931f",
      "IP": "8.8.8.8",
      "OS": "Windows",
      "OSVersion": "10.0.17134"
    }
  ],
  "File": [
    {
      "DigitalSignature.Publisher": ["Microsoft Windows"],
      "Name": "backgroundTaskHost.exe",
      "Path": "C:\\Windows\\System32\\",
      "SHA256": "48b9eb1e31b0c2418742ce07675d58c974dd9f03007988c90c1e38f217f5c65b",
      "Size": 19352,
      "Type": "pe"
    },
    {
      "DigitalSignature.Publisher": ["Microsoft Windows"],
      "Name": "SearchProtocolHost.exe",
      "Path": "C:\\Windows\\System32\\",
      "SHA256": "aee8842a078b3cf5566b3c95e4b521c2639e878fa4749a58d69700452c051261",
      "Size": 406528,
      "Type": "pe"
    },
    {
      "DigitalSignature.Publisher": ["Microsoft Windows"],
      "Name": "SearchFilterHost.exe",
      "Path": "C:\\Windows\\System32\\",
      "SHA256": "6c033c5c65e3d788c66aa9079ce69e882a74dd14bd3d7539ad76ec7f13a34b8a",
      "Size": 227328,
      "Type": "pe"
    },
    {
      "DigitalSignature.Publisher": ["Microsoft Windows"],
      "Name": "conhost.exe",
      "Path": "C:\\Windows\\System32\\",
      "SHA256": "04b6a35bc504401989b9e674c57c9e84d0cbdbbd9d8ce0ce83d7ceca0b7175ed",
      "Size": 625664,
      "Type": "pe"
    },
    {
      "DigitalSignature.Publisher": ["Microsoft Windows"],
      "Name": "timeout.exe",
      "Path": "C:\\Windows\\System32\\",
      "SHA256": "b7d686c4c92d1c0bbf1604b8c43684e227353293b3206a1220bab77562504b3c",
      "Size": 30720,
      "Type": "pe"
    }
  ],
  "Host": [
    {
      "Domain": "DEVICE DOMAIN",
      "Hostname": "DEVICE NAME",
      "ID": "30e55fb7590b0a907906b5620960931f",
      "IP": "8.8.8.8",
      "OS": "Windows",
      "OSVersion": "10.0.17134"
    }
  ]
}
```
Human Readable Output
Logs analytics table
Event Type | User | Agent Address | Agent Name | Agent Time |
---|---|---|---|---|
AgentTimelineEvent | Administrator | 8.8.8.8 | DEVICE NAME | 2019-10-26T14:20:08.124Z |
AgentTimelineEvent | Administrator | 8.8.8.8 | DEVICE NAME | 2019-10-26T14:19:51.853Z |
AgentTimelineEvent | Administrator | 8.8.8.8 | DEVICE NAME | 2019-10-26T14:19:51.884Z |
AgentTimelineEvent | Administrator | 8.8.8.8 | DEVICE NAME | 2019-10-26T14:20:08.124Z |
AgentTimelineEvent | Administrator | 8.8.8.8 | DEVICE NAME | 2019-10-26T14:20:08.202Z |
Additional Information
When the command is run with fields="all", the human readable output contains the following fields: Severity, Event Type, User, Agent Address, Agent Name and Agent Time. When it is run with fields="field1,field2,field3", the human readable output contains field1, field2 and field3.
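The Additional Information notes for the threat, Traps and analytics commands all state the same column-selection rule: fields="all" yields a fixed summary set per table, an explicit list yields exactly those fields. As an added example, not code from the integration, the Python below applies that rule for the three tables and renders the pipe-delimited table shown in the Human Readable Output sections, resolving nested names such as endPointHeader.userName as dot paths into the record. The raw column names behind each summary header, and the sample records, are assumptions of this example; it also drops a default column that is empty in every record, which reproduces the analytics output above, where the Severity column listed in the note does not appear.

```python
"""Column selection and table rendering for the query commands' output.

Added example, not the integration's own code. Raw column names are
assumed; the sample records are constructed."""
from typing import Any, Dict, List

# fields="all" summary columns per table, from the page's notes, as
# header -> raw column path (the raw paths are an assumption).
DEFAULT_COLUMNS: Dict[str, Dict[str, str]] = {
    "panw.threat": {
        "Source Address": "src", "Destination Address": "dst",
        "Application": "app", "Action": "action", "Rule": "rule",
        "Time Generated": "time_generated",
    },
    "tms.threat": {
        "Severity": "severity", "Event Type": "eventType",
        "User": "endPointHeader.userName",
        "Agent Address": "endPointHeader.agentIp",
        "Agent Name": "endPointHeader.deviceName",
        "Agent Time": "endPointHeader.agentTime",
    },
}
DEFAULT_COLUMNS["tms.analytics"] = DEFAULT_COLUMNS["tms.threat"]

# Constructed records shaped like the analytics example above.
SAMPLE_ANALYTICS: List[Dict[str, Any]] = [
    {"eventType": "AgentTimelineEvent",
     "endPointHeader": {"userName": "Administrator", "agentIp": "8.8.8.8",
                        "deviceName": "DEVICE NAME",
                        "agentTime": "2019-10-26T14:20:08.124Z"}},
    {"eventType": "AgentTimelineEvent",
     "endPointHeader": {"userName": "Administrator", "agentIp": "8.8.8.8",
                        "deviceName": "DEVICE NAME",
                        "agentTime": "2019-10-26T14:19:51.853Z"}},
]


def lookup(record: Dict[str, Any], path: str) -> str:
    """Resolve a dotted path against nested dicts; a missing part yields ''."""
    current: Any = record
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return ""
        current = current[part]
    return "" if current is None else str(current)


def is_all(fields: str) -> bool:
    """The page treats "all" as equivalent to *; an empty value is read the same way."""
    return fields.strip() in ("all", "*", "")


def select_columns(table: str, fields: str,
                   records: List[Dict[str, Any]]) -> Dict[str, str]:
    """Return header -> path for the columns the table should show."""
    if not is_all(fields):
        # Explicit fields are shown verbatim, even when empty for every record.
        return {f.strip(): f.strip() for f in fields.split(",") if f.strip()}
    defaults = DEFAULT_COLUMNS[table]
    # Summary columns with no value in any record are dropped.
    return {h: p for h, p in defaults.items() if any(lookup(r, p) for r in records)}


def render_table(table: str, fields: str, records: List[Dict[str, Any]]) -> str:
    """Render the pipe-delimited table in the page's Human Readable style."""
    columns = select_columns(table, fields, records)
    headers = list(columns)
    lines = [" | ".join(headers) + " |", "|".join("---" for _ in headers) + "|"]
    for rec in records:
        lines.append(" | ".join(lookup(rec, columns[h]) for h in headers) + " |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table("tms.analytics", "all", SAMPLE_ANALYTICS))
    print(render_table("tms.analytics", "endPointHeader.userName", SAMPLE_ANALYTICS))
```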