Use the Palo Alto Networks Cortex integration to query your Palo Alto Networks Cortex environment.

There are several steps required to configure this integration. You will navigate between Demisto and Cortex Hub to retrieve tokens required later in the process. Be sure to follow each procedure in order.

  1. Activate Demisto on Palo Alto Networks Cortex Hub
  2. Configure the Palo Alto Networks Cortex Integration on Demisto

Activate Demisto on Palo Alto Networks Cortex Hub

  1. Navigate to Palo Alto Networks Cortex Hub.
  2. In the Apps from Palo Alto Networks section, locate Demisto and click Activate.
  3. In the upper-right corner, click the gear icon.
  4. Locate the Demisto app, and click Add Instance.
    • Instance Name (Required): A meaningful name for the instance.
    • Description (Optional): A meaningful description for the instance.
    • Region (Required): The region in which the instance is located.
    • Cortex Data Lake (Required): Your Cortex Data Lake instance.
    • Directory Sync (Required): Your Directory Sync instance.
  5. In the Your Cortex Apps section, click the Demisto icon.
  6. When prompted, enter the Demisto verification token: 25$nhXyu4.
  7. Click Send, and when prompted, click Authorize.
  8. In the Request for Approval window, click Allow.
  9. When prompted, copy the Authentication Token, Authentication ID, and Authentication Key. You will need to enter these when configuring the Palo Alto Networks Cortex integration on Demisto.

Configure the Palo Alto Networks Cortex Integration on Demisto

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for Palo Alto Networks Cortex.
  3. Click Add instance to create and configure a new integration instance.
  4. Click Test to validate the integration and Demisto App Token.

Commands

You can execute these commands from the Demisto CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Query logs: cortex-query-logs
  2. Get logs for critical threats: cortex-get-critical-threat-logs
  3. Get social applications: cortex-get-social-applications
  4. Query the Cortex logging service: cortex-search-by-file-hash
  5. Query traffic logs: cortex-query-traffic-logs
  6. Query threat logs: cortex-query-threat-logs
  7. Query Traps logs: cortex-query-traps-logs
  8. Query analytics logs: cortex-query-analytics-logs

1. Query logs


Use this command to query logs in your Palo Alto Networks Cortex environment.

Base Command

cortex-query-logs

Input
Argument Name Description Example
startTime Query start time startTime="2018-04-26 00:00:00"
endTime Query end time endTime="2018-04-26 00:00:00"
query Free text SQL query

For example, query="select * from panw.traffic limit 5".

There are multiple tables in the Logging Service, such as threat and traffic. Refer to the Cortex Logging Service schema reference for the full list.

timeRange Query time range, used with the rangeValue parameter This example runs the query for the previous week: timeRange="weeks" rangeValue="1".
rangeValue Query time value, used with the timeRange parameter This example runs the query for the previous week: timeRange="weeks" rangeValue="1".

Context Output
Path Description
Cortex.Logging.id Log ID
Cortex.Logging.score Log score
Cortex.Logging.action Log action
Cortex.Logging.app Log application
Cortex.Logging.proto Protocol used
Cortex.Logging.dst Destination IP
Cortex.Logging.rule Rule used for log
Cortex.Logging.src Source of action
Cortex.Logging.category-of-app Application's category
Cortex.Logging.srcloc Source location
Cortex.Logging.dstloc Destination location
Cortex.Logging.characteristic-of-app Application's characteristics
Cortex.Logging.device_name Device name
Cortex.Logging.nat Was NAT used?
Cortex.Logging.natdport NAT port
Cortex.Logging.natdst NAT destination
Cortex.Logging.natsrc NAT source

Command Example
!cortex-query-logs startTime="2018-04-26 00:00:00" endTime="2018-04-28 00:00:00" query="select * from panw.traffic limit 5"
Context Example
{  
   "Logging":[  
      {  
         "action":"allow",
         "action_source":"from-policy",
         "actionflags":-9223372036854776000,
         "app":"ssh",
         "assoc_id":0,
         "bytes":4245,
         "bytes_received":2925,
         "bytes_sent":1320,
         "category":"0",
         "category-of-app":"networking",
         "characteristic-of-app":[  
            "able-to-transfer-file",
            "has-known-vulnerability",
            "tunnel-other-application",
            "prone-to-misuse",
            "is-saas"
         ],
         "chunks":0,
         "chunks_received":0,
         "chunks_sent":0,
         "cloud_hostname":"PA-VM",
         "config_ver":2049,
         "customer-id":"140744002",
         "device_name":"PA-VM",
         "dg_hier_level_1":13,
         "dg_hier_level_2":0,
         "dg_hier_level_3":0,
         "dg_hier_level_4":0,
         "dport":22,
         "dst":"172.31.23.156",
         "dstloc":"172.16.0.0-172.31.255.255",
         "elapsed":2,
         "flags":4194381,
         "from":"Untrust",
         "fwd":1,
         "id":"140744002_lcaas:1:65862:1",
         "inbound_if":"ethernet1/1",
         "is-saas-of-app":0,
         "logset":"LCaaS",
         "nat":1,
         "natdport":22,
         "natdst":"172.31.39.63",
         "natsport":55949,
         "natsrc":"172.31.38.209",
         "non-standard-dport":0,
         "outbound_if":"ethernet1/2",
         "packets":24,
         "parent_session_id":0,
         "parent_start_time":0,
         "pkts_received":12,
         "pkts_sent":12,
         "proto":"tcp",
         "receive_time":1524528178,
         "recsize":1480,
         "repeatcnt":1,
         "risk-of-app":"4",
         "rule":"MonitorAll",
         "sanctioned-state-of-app":0,
         "score":2,
         "seqno":383249,
         "serial":"",
         "session_end_reason":"tcp-fin",
         "sessionid":160523,
         "sport":48512,
         "src":"52.221.242.53",
         "srcloc":"SG",
         "start":1524528156,
         "subcategory-of-app":"encrypted-tunnel",
         "subtype":"end",
         "technology-of-app":"client-server",
         "time_generated":1524528172,
         "time_received":1524528172,
         "to":"Trust",
         "tunnel":0,
         "tunneled-app":"untunneled",
         "tunnelid_imsi":0,
         "type":"traffic",
         "users":"52.221.242.53",
         "vsys":"vsys1",
         "vsys_id":1
      },
      {  
         "action":"allow",
         "action_source":"from-policy",
         "actionflags":-9223372036854776000,
         "app":"dns",
         "assoc_id":0,
         "bytes":227,
         "bytes_received":154,
         "bytes_sent":73,
         "category":"0",
         "category-of-app":"networking",
         "characteristic-of-app":[  
            "able-to-transfer-file",
            "tunnel-other-application",
            "is-saas"
         ],
         "chunks":0,
         "chunks_received":0,
         "chunks_sent":0,
         "cloud_hostname":"PA-VM",
         "config_ver":2049,
         "customer-id":"140744002",
         "device_name":"PA-VM",
         "dg_hier_level_1":13,
         "dg_hier_level_2":0,
         "dg_hier_level_3":0,
         "dg_hier_level_4":0,
         "dport":53,
         "dst":"8.8.8.8",
         "dstloc":"US",
         "elapsed":0,
         "flags":4194404,
         "from":"Trust",
         "fwd":1,
         "id":"140744002_lcaas:1:65862:2",
         "inbound_if":"ethernet1/2",
         "is-saas-of-app":0,
         "logset":"LCaaS",
         "nat":1,
         "natdport":53,
         "natdst":"8.8.8.8",
         "natsport":40841,
         "natsrc":"172.31.23.156",
         "non-standard-dport":0,
         "outbound_if":"ethernet1/1",
         "packets":2,
         "parent_session_id":0,
         "parent_start_time":0,
         "pkts_received":1,
         "pkts_sent":1,
         "proto":"udp",
         "receive_time":1524528178,
         "recsize":1470,
         "repeatcnt":1,
         "risk-of-app":"4",
         "rule":"MonitorAll",
         "sanctioned-state-of-app":0,
         "score":2,
         "seqno":383250,
         "serial":"",
         "session_end_reason":"aged-out",
         "sessionid":160507,
         "sport":56973,
         "src":"172.31.39.63",
         "srcloc":"172.16.0.0-172.31.255.255",
         "start":1524528145,
         "subcategory-of-app":"infrastructure",
         "subtype":"end",
         "technology-of-app":"network-protocol",
         "time_generated":1524528174,
         "time_received":1524528174,
         "to":"Untrust",
         "tunnel":0,
         "tunneled-app":"untunneled",
         "tunnelid_imsi":0,
         "type":"traffic",
         "users":"172.31.39.63",
         "vsys":"vsys1",
         "vsys_id":1
      }
   ]
}

2. Return logs for critical threats


Use this command to return logs for critical threats.

Base Command

cortex-get-critical-threat-logs

Input
Argument Name Description Example
startTime Query start time startTime="2018-04-26 00:00:00"
endTime Query end time endTime="2018-04-26 00:00:00"
logsAmount Number of logs.

Default is 10.

timeRange Query time range, used with the rangeValue parameter This example runs the query for the previous week: timeRange="weeks" rangeValue="1".
rangeValue Query time value, used with the timeRange parameter This example runs the query for the previous week: timeRange="weeks" rangeValue="1".

Context Output
Path Description
Cortex.Logging.id Log ID
Cortex.Logging.score Log score
Cortex.Logging.action Log action
Cortex.Logging.app Log application
Cortex.Logging.proto Protocol used
Cortex.Logging.dst Destination IP
Cortex.Logging.rule Rule used for log
Cortex.Logging.src Source of action
Cortex.Logging.category-of-app Application's category
Cortex.Logging.srcloc Source location
Cortex.Logging.dstloc Destination location
Cortex.Logging.characteristic-of-app Application's characteristics
Cortex.Logging.device_name Device name
Cortex.Logging.nat Was NAT used?
Cortex.Logging.natdport NAT port
Cortex.Logging.natdst NAT destination
Cortex.Logging.natsrc NAT source
Cortex.Logging.risk-of-app Application's risk
Cortex.Logging.type Threat type
Cortex.Logging.pcap_id Pcap ID
Cortex.Logging.reportid Report ID
Cortex.Logging.category-of-threatid Category of threat ID
Cortex.Logging.subtype Threat sub-type
Cortex.Logging.time_received Time the threat was received
Cortex.Logging.pcap PCAP
Cortex.Logging.name-of-threatid Name of threat ID
Cortex.Logging.severity Threat severity

Command Example
!cortex-get-critical-threat-logs timeRange="weeks" rangeValue=2 logsAmount=5

Context Example
{  
   "Logging":[  
      {  
         "action":"4",
         "actionflags":-6917529027641082000,
         "app":"web-browsing",
         "category":"0",
         "category-of-app":"general-internet",
         "category-of-threatid":34,
         "characteristic-of-app":[  
            "able-to-transfer-file",
            "has-known-vulnerability",
            "tunnel-other-application",
            "prone-to-misuse",
            "is-saas"
         ],
         "cloud_hostname":"PA-VM",
         "config_ver":2049,
         "contentver":524358163,
         "customer-id":"140744002",
         "device_name":"PA-VM",
         "dg_hier_level_1":13,
         "dg_hier_level_2":0,
         "dg_hier_level_3":0,
         "dg_hier_level_4":0,
         "direction":0,
         "dport":80,
         "dst":"172.31.23.156",
         "dstloc":"172.16.0.0-172.31.255.255",
         "flags":4202496,
         "from":"Untrust",
         "fwd":1,
         "http_method":"unknown",
         "id":"140744002_lcaas:0:90490:4",
         "inbound_if":"ethernet1/1",
         "is-saas-of-app":0,
         "log_feat_bit1":1,
         "logset":"LCaaS",
         "misc":"52.8.8.48/",
         "name-of-threatid":"Apache Struts Jakarta Multipart Parser Remote Code Execution Vulnerability",
         "nat":1,
         "natdport":80,
         "natdst":"172.31.39.63",
         "natsport":60896,
         "natsrc":"172.31.38.209",
         "non-standard-dport":0,
         "outbound_if":"ethernet1/2",
         "parent_session_id":0,
         "parent_start_time":0,
         "pcap":null,
         "pcap_id":0,
         "proto":"tcp",
         "receive_time":1524753146,
         "recsize":1573,
         "repeatcnt":3,
         "reportid":0,
         "risk-of-app":"4",
         "rule":"MonitorAll",
         "sanctioned-state-of-app":0,
         "score":2,
         "seqno":434509,
         "serial":"",
         "sessionid":187358,
         "severity":"critical",
         "sig_flags":0,
         "sport":53470,
         "src":"166.111.32.179",
         "srcloc":"CN",
         "subcategory-of-app":"internet-utility",
         "subtype":"spyware-dns",
         "technology-of-app":"browser-based",
         "threatid":34221,
         "time_generated":1524753149,
         "time_received":1524753149,
         "to":"Trust",
         "tunnel":0,
         "tunneled-app":"tunneled-app",
         "tunnelid_imsi":0,
         "type":"threat",
         "url_idx":1,
         "users":"166.111.32.179",
         "vsys":"vsys1",
         "vsys_id":1
      }
   ]
}

3. Get social applications

Use this command to return social applications.

Base Command

cortex-get-social-applications

Input
Argument Name Description Example
startTime Query start time startTime="2018-04-26 00:00:00"
endTime Query end time endTime="2018-04-26 00:00:00"
logsAmount Number of logs.

Default is 10.

timeRange Query time range, used with the rangeValue parameter This example runs the query for the previous week: timeRange="weeks" rangeValue="1".
rangeValue Query time value, used with the timeRange parameter This example runs the query for the previous week: timeRange="weeks" rangeValue="1".

Context Output
Path Description
Cortex.Logging.id Log ID
Cortex.Logging.score Log score
Cortex.Logging.action Log action
Cortex.Logging.app Log application
Cortex.Logging.proto Protocol used
Cortex.Logging.dst Destination IP
Cortex.Logging.rule Rule used for log
Cortex.Logging.src Source of action
Cortex.Logging.category-of-app Application's category
Cortex.Logging.srcloc Source location
Cortex.Logging.dstloc Destination location
Cortex.Logging.characteristic-of-app Application's characteristics
Cortex.Logging.device_name Device name
Cortex.Logging.nat Was NAT used?
Cortex.Logging.natdport NAT port
Cortex.Logging.natdst NAT destination
Cortex.Logging.natsrc NAT source
Cortex.Logging.risk-of-app Application's risk
Cortex.Logging.aggregations.size Aggregations size
Cortex.Logging.natsport NAT port
Cortex.Logging.start Traffic start
Cortex.Logging.subcategory-of-app Application's sub-category
Cortex.Logging.time_received Time received

Command Example
!cortex-get-social-applications startTime="2018-04-26 00:00:00" endTime="2018-04-28 00:00:00" logsAmount=5

Context Example

{  
   "Logging":[  
      {  
         "action":"allow",
         "action_source":"from-policy",
         "actionflags":-9223372036854776000,
         "app":"facebook-base",
         "assoc_id":0,
         "bytes":5536,
         "bytes_received":3806,
         "bytes_sent":1730,
         "category":"10014",
         "category-of-app":"collaboration",
         "characteristic-of-app":[  
            "able-to-transfer-file",
            "has-known-vulnerability",
            "tunnel-other-application",
            "prone-to-misuse",
            "is-saas"
         ],
         "chunks":0,
         "chunks_received":0,
         "chunks_sent":0,
         "cloud_hostname":"VM-Series",
         "config_ver":2049,
         "container-of-app":"facebook",
         "customer-id":"140744002",
         "device_name":"VM-Series",
         "dg_hier_level_1":13,
         "dg_hier_level_2":0,
         "dg_hier_level_3":0,
         "dg_hier_level_4":0,
         "dport":443,
         "dst":"157.240.1.18",
         "dstloc":"US",
         "elapsed":289,
         "flags":77,
         "from":"SCTC",
         "fwd":1,
         "id":"140744002_lcaas:1:92075:333",
         "inbound_if":"ethernet1/1",
         "is-saas-of-app":0,
         "logset":"LCaaS",
         "natdport":0,
         "natdst":"0.0.0.0",
         "natsport":0,
         "natsrc":"0.0.0.0",
         "non-standard-dport":0,
         "outbound_if":"ethernet1/1",
         "packets":25,
         "parent_session_id":0,
         "parent_start_time":0,
         "pkts_received":17,
         "pkts_sent":8,
         "proto":"tcp",
         "receive_time":1524761638,
         "recsize":1527,
         "repeatcnt":1,
         "risk-of-app":"4",
         "rule":"MonitorAll-SCTC",
         "sanctioned-state-of-app":0,
         "score":9.9996195,
         "seqno":123856604,
         "serial":"",
         "session_end_reason":"aged-out",
         "sessionid":30298,
         "sport":47385,
         "src":"192.168.200.5",
         "srcloc":"192.168.0.0-192.168.255.255",
         "start":1524761209,
         "subcategory-of-app":"social-networking",
         "subtype":"end",
         "technology-of-app":"browser-based",
         "time_generated":1524761621,
         "time_received":1524761621,
         "to":"SCTC",
         "tunnel":0,
         "tunneled-app":"tunneled-app",
         "tunnelid_imsi":0,
         "type":"traffic",
         "users":"192.168.200.5",
         "vsys":"vsys1",
         "vsys_id":1
      },
      {  
         "action":"allow",
         "action_source":"from-policy",
         "actionflags":-9223372036854776000,
         "app":"linkedin-base",
         "assoc_id":0,
         "bytes":9641,
         "bytes_received":6935,
         "bytes_sent":2706,
         "category":"10065",
         "category-of-app":"collaboration",
         "characteristic-of-app":[  
            "has-known-vulnerability",
            "tunnel-other-application",
            "is-saas"
         ],
         "chunks":0,
         "chunks_received":0,
         "chunks_sent":0,
         "cloud_hostname":"VM-Series",
         "config_ver":2049,
         "container-of-app":"linkedin",
         "customer-id":"140744002",
         "device_name":"VM-Series",
         "dg_hier_level_1":13,
         "dg_hier_level_2":0,
         "dg_hier_level_3":0,
         "dg_hier_level_4":0,
         "dport":443,
         "dst":"152.195.133.1",
         "dstloc":"US",
         "elapsed":204,
         "flags":77,
         "from":"SCTC",
         "fwd":1,
         "id":"140744002_lcaas:1:92075:640",
         "inbound_if":"ethernet1/1",
         "is-saas-of-app":0,
         "logset":"LCaaS",
         "natdport":0,
         "natdst":"0.0.0.0",
         "natsport":0,
         "natsrc":"0.0.0.0",
         "non-standard-dport":0,
         "outbound_if":"ethernet1/1",
         "packets":35,
         "parent_session_id":0,
         "parent_start_time":0,
         "pkts_received":17,
         "pkts_sent":18,
         "proto":"tcp",
         "receive_time":1524761638,
         "recsize":1517,
         "repeatcnt":1,
         "risk-of-app":"3",
         "rule":"MonitorAll-SCTC",
         "sanctioned-state-of-app":0,
         "score":9.9996195,
         "seqno":123856911,
         "serial":"",
         "session_end_reason":"tcp-rst-from-server",
         "sessionid":45992,
         "sport":53712,
         "src":"10.11.48.7",
         "srcloc":"10.0.0.0-10.255.255.255",
         "start":1524761403,
         "subcategory-of-app":"social-networking",
         "subtype":"end",
         "technology-of-app":"browser-based",
         "time_generated":1524761624,
         "time_received":1524761624,
         "to":"SCTC",
         "tunnel":0,
         "tunneled-app":"tunneled-app",
         "tunnelid_imsi":0,
         "type":"traffic",
         "users":"10.11.48.7",
         "vsys":"vsys1",
         "vsys_id":1
      }
   ]
}

4. Query the Cortex logging service


Executes a query on the Cortex logging service.

Base Command

cortex-search-by-file-hash

Input
Argument Name Description
startTime Query start time. For example, startTime="2018-04-26 00:00:00"
endTime Query end time. For example, endTime="2018-04-26 00:00:00"
logsAmount Amount of logs. Default is 10
timeRange Time range for the query, used with rangeValue. For example, timeRange="weeks" rangeValue="1" would run the query on the last week.
rangeValue Time value for the query, used with timeRange. For example, timeRange="weeks" rangeValue="1" would run the query on the last week.
SHA256 File hash for the query. For example, SHA256="503ca1a4fc0d48b18c0336f544ba0f0abf305ae3a3f49b3c2b86" will return all logs related to this file.

Context Output
Path Type Description
Cortex.Logging.id string Log ID
Cortex.Logging.score number Log score
Cortex.Logging.action unknown Log action
Cortex.Logging.app unknown Log app
Cortex.Logging.proto string The protocol used
Cortex.Logging.dst string Destination IP
Cortex.Logging.rule unknown Rule used
Cortex.Logging.src unknown The source of the action
Cortex.Logging.category-of-app string Application's category
Cortex.Logging.srcloc string Source location
Cortex.Logging.dstloc string Destination location
Cortex.Logging.characteristic-of-app unknown Application's characteristics
Cortex.Logging.device_name string Device name
Cortex.Logging.nat number Whether NAT was used
Cortex.Logging.natdport unknown NAT port
Cortex.Logging.natdst unknown NAT destination
Cortex.Logging.natsrc unknown NAT source
Cortex.Logging.risk-of-app unknown Risk of application
Cortex.Logging.type unknown Threat type
Cortex.Logging.pcap_id unknown Pcap ID
Cortex.Logging.reportid number Report ID
Cortex.Logging.category-of-threatid unknown Category of threat ID
Cortex.Logging.subtype unknown Threat sub-type
Cortex.Logging.time_received unknown Time received
Cortex.Logging.pcap unknown Pcap
Cortex.Logging.name-of-threatid string Name of threat ID
Cortex.Logging.severity unknown Threat Severity

Command Example
!cortex-search-by-file-hash SHA256=503ca1a4fc0d48b18c0336f544ba0f0abf305ae3a3f49b3c2b86b8645d6572dc

Context Example

{
  "Cortex": {
    "Logging": [
      {
        "SHA256": "503ca1a4fc0d48b18c0336f544ba0f0abf305ae3a3f49b3c2b86b8645d6572dc",
        "action": "allow",
        "actionflags": -6917529027641082000,
        "app": "google-app-engine",
        "category": "malicious",
        "category-of-app": "general-internet",
        "category-of-threatid": "unknown",
        "characteristic-of-app": [
          "has-known-vulnerability",
          "tunnel-other-application",
          "prone-to-misuse",
          "is-saas"
        ],
        "cloud": "wildfire.paloaltonetworks.com",
        "cloud_hostname": "PA-VM",
        "config_ver": 2049,
        "contentver": 0,
        "customer-id": "140744002",
        "device_name": "PA-VM",
        "dg_hier_level_1": 13,
        "dg_hier_level_2": 0,
        "dg_hier_level_3": 0,
        "dg_hier_level_4": 0,
        "direction": "server-to-client",
        "dport": 80,
        "dst": "216.58.195.78",
        "dstloc": "US",
        "filename": "echomalware",
        "filetype": "pe",
        "flags": 4202496,
        "from": "Trust",
        "fwd": 1,
        "http_method": "unknown",
        "id": "140744002_lcaas:1:381684:0",
        "inbound_if": "ethernet1/2",
        "is-saas-of-app": 0,
        "log_feat_bit1": 1,
        "logset": "LCaaS",
        "name-of-threatid": "Windows Executable (EXE)",
        "nat": 1,
        "natdport": 80,
        "natdst": "216.58.195.78",
        "natsport": 38085,
        "natsrc": "172.31.23.156",
        "non-standard-dport": 0,
        "outbound_if": "ethernet1/1",
        "parent_session_id": 0,
        "parent_start_time": 0,
        "pcap": null,
        "pcap_id": 0,
        "proto": "tcp",
        "receive_time": 1527033937,
        "recsize": 1704,
        "repeatcnt": 1,
        "reportid": 9794151710,
        "risk-of-app": "3",
        "rule": "MonitorAll",
        "sanctioned-state-of-app": 0,
        "score": 2.139842,
        "seqno": 829961,
        "serial": "",
        "sessionid": 99875,
        "severity": "high",
        "sig_flags": 0,
        "sport": 35072,
        "src": "172.31.39.63",
        "srcloc": "172.16.0.0-172.31.255.255",
        "srcuser": "test@email.com",
        "subcategory-of-app": "internet-utility",
        "subject": null,
        "subtype": "wildfire",
        "technology-of-app": "browser-based",
        "threatid": 52020,
        "time_generated": 1527033928,
        "time_received": 1527033928,
        "to": "Untrust",
        "tunnel": 0,
        "tunneled-app": "tunneled-app",
        "tunnelid_imsi": 0,
        "type": "threat",
        "url_idx": 1,
        "users": "test@email.com",
        "vsys": "vsys1",
        "vsys_id": 1
      }
    ]
  }
}

5. Query traffic logs


Searches the Cortex panw.traffic table, which is the traffic logs table for PAN-OS and Panorama.

Base Command

cortex-query-traffic-logs

Input
Argument Name Description Required
ip An IP address or an array of IP addresses for which to search, for example 1.1.1.1,2.2.2.2. Optional
rule A rule name or an array of rule names to search. Optional
from_zone A source zone name or an array of source zone names to search. Optional
to_zone A destination zone name or an array of zone names to search. Optional
port A destination port number or an array of destination port numbers to search. Optional
action An action name or an array of action names to search. Optional
query A free-text query for which to search. This forms the WHERE part of the query, for example, !cortex-query-traffic-logs query="src LIKE '192.168.1.*' AND dst='8.8.8.8'" Optional
fields The fields to select in the query. Either "all" (equivalent to *) or a list of specific fields in the table. To see the available field names, first run the query with fields="all" and inspect the output. Optional
startTime The query start time. For example, startTime="2018-04-26 00:00:00" Optional
endTime The query end time. For example, endTime="2018-04-26 00:00:00". Optional
timeRange The time range for the query, used with the rangeValue argument. The following example runs the query on the previous week: timeRange="weeks" rangeValue="1". Optional
rangeValue The time value for the query, used with the timeRange argument. The following example runs the query on the previous week: timeRange="weeks" rangeValue="1". Optional
limit The number of logs to return. Default is 5. Optional
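As an added illustration (not the integration's own code), the following Python shows one way to turn the arguments above into the SELECT statement that cortex-query-traffic-logs would run against panw.traffic; it also implements the startTime/endTime versus timeRange/rangeValue window semantics shared by the earlier commands on this page. The table name is from this page and the column names src, dst, rule, from, to, dport and action are taken from the log records shown above; the quoting of from/to as identifiers, the timeRange units other than weeks, and the time_generated filter are assumptions. Every structured argument is rendered as a quoted literal or a validated integer, so only the free-text query argument reaches the statement unchanged.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed names: panw.traffic is named on this page; the column names are those seen
# in the traffic log records above. The real integration may build its SQL differently.
TRAFFIC_TABLE = "panw.traffic"
ZONE_COLUMNS = {"from_zone": '"from"', "to_zone": '"to"'}  # assumed: quoted, from/to are SQL keywords
TIME_FMT = "%Y-%m-%d %H:%M:%S"
# Assumed timeRange units; the page only shows "weeks".
TIME_UNITS = {
    "minutes": timedelta(minutes=1),
    "hours": timedelta(hours=1),
    "days": timedelta(days=1),
    "weeks": timedelta(weeks=1),
}
# Only plain identifiers may be selected; hyphens are allowed because fields such as
# risk-of-app appear in the records. Anything else (";", spaces, quotes) is rejected.
FIELD_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_-]*$")


def parse_time(text):
    """Parse the page's 'YYYY-MM-DD HH:MM:SS' form as a UTC datetime."""
    return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc)


def resolve_time_window(start_time=None, end_time=None, time_range=None, range_value=None, now=None):
    """Return (start, end) as UTC datetimes from either the startTime/endTime pair or the
    timeRange/rangeValue pair. Both pairs, neither, or an inverted window is an error."""
    now = now or datetime.now(timezone.utc)
    has_absolute = bool(start_time or end_time)
    has_relative = bool(time_range or range_value)
    if has_absolute and has_relative:
        raise ValueError("use startTime/endTime or timeRange/rangeValue, not both")
    if has_absolute:
        if not (start_time and end_time):
            raise ValueError("startTime and endTime must be given together")
        start, end = parse_time(start_time), parse_time(end_time)
    elif has_relative:
        if time_range not in TIME_UNITS:
            raise ValueError(f"unknown timeRange unit: {time_range!r}")
        count = int(range_value)
        if count <= 0:
            raise ValueError("rangeValue must be a positive integer")
        end = now
        start = now - count * TIME_UNITS[time_range]
    else:
        raise ValueError("supply startTime and endTime, or timeRange and rangeValue")
    if start >= end:
        raise ValueError("start time must precede end time")
    return start, end


def _sql_string(value):
    """Render a string literal; doubling single quotes keeps a value such as
    x' OR '1'='1 inside the literal instead of letting it alter the WHERE clause."""
    return "'" + str(value).replace("'", "''") + "'"


def _in_clause(column, values, numeric=False):
    """Turn a comma-separated argument into 'column IN (...)'. Numeric columns (ports)
    accept integers only, so no text can reach the statement unquoted."""
    items = [v.strip() for v in str(values).split(",") if v.strip()]
    if not items:
        raise ValueError(f"empty value list for {column}")
    rendered = [str(int(v)) for v in items] if numeric else [_sql_string(v) for v in items]
    return f"{column} IN ({', '.join(rendered)})"


def build_traffic_query(args, now=None):
    """Compose the SELECT statement for the arguments of cortex-query-traffic-logs."""
    start, end = resolve_time_window(args.get("startTime"), args.get("endTime"),
                                     args.get("timeRange"), args.get("rangeValue"), now)
    conditions = [f"time_generated BETWEEN {int(start.timestamp())} AND {int(end.timestamp())}"]
    if args.get("ip"):
        # An ip filter matches either end of the session.
        conditions.append(f"({_in_clause('src', args['ip'])} OR {_in_clause('dst', args['ip'])})")
    for arg, column in (("rule", "rule"), ("action", "action")):
        if args.get(arg):
            conditions.append(_in_clause(column, args[arg]))
    for arg, column in ZONE_COLUMNS.items():
        if args.get(arg):
            conditions.append(_in_clause(column, args[arg]))
    if args.get("port"):
        conditions.append(_in_clause("dport", args["port"], numeric=True))
    if args.get("query"):
        # Free text is appended as written, so only trusted analysts should set it.
        conditions.append(f"({args['query']})")
    fields = args.get("fields", "all")
    if fields in ("all", "*"):
        select = "*"
    else:
        names = [f.strip() for f in fields.split(",") if f.strip()]
        bad = [f for f in names if not FIELD_RE.match(f)]
        if bad or not names:
            raise ValueError(f"invalid field names: {bad or fields}")
        select = ", ".join(names)
    limit = int(args.get("limit", 5))
    if limit <= 0:
        raise ValueError("limit must be a positive integer")
    return f"SELECT {select} FROM {TRAFFIC_TABLE} WHERE {' AND '.join(conditions)} LIMIT {limit}"


if __name__ == "__main__":
    # Mirrors the command example below this table: rule=To_Internet,To_VPN limit=2
    print(build_traffic_query({"rule": "To_Internet,To_VPN", "limit": "2",
                               "timeRange": "weeks", "rangeValue": "1"}))
```

The design point is the split between arguments that are rendered (quoted or cast) and the one argument that is passed through: a rule name containing a quote becomes a harmless literal, a port that is not an integer is rejected before any statement exists, and a fields value that is not a bare identifier list is refused, while query is deliberately left to the analyst.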

Context Output
Path Type Description
Cortex.Logging.Traffic.Action String Identifies the action that the firewall took for the network traffic.
Cortex.Logging.Traffic.RiskOfApp String Indicates the risk of the application, from a network security perspective. The risk range is 1-5, where 5 is the riskiest.
Cortex.Logging.Traffic.Natsport String Post-NAT source port.
Cortex.Logging.Traffic.SessionID String Identifies the firewall's internal identifier for a specific network session.
Cortex.Logging.Traffic.Packets String Number of total packets (transmit and receive) seen for the session.
Cortex.Logging.Traffic.CharacteristicOfApp String Identifies the behavioral characteristic of the application associated with the network traffic.
Cortex.Logging.Traffic.App String Application associated with the network traffic.
Cortex.Logging.Traffic.Vsys String Virtual system associated with the network traffic.
Cortex.Logging.Traffic.Nat String Indicates whether the firewall is performing network address translation (NAT) for the logged traffic. If it is, this value is 1.
Cortex.Logging.Traffic.ReceiveTime String Time the log was received at the management plane.
Cortex.Logging.Traffic.SubcategoryOfApp String Identifies the application's subcategory. The subcategory is related to the application's category.
Cortex.Logging.Traffic.Users String Srcuser or dstuser or srcip (one of).
Cortex.Logging.Traffic.Proto String IP protocol associated with the session.
Cortex.Logging.Traffic.TunneledApp String Whether the application is tunneled.
Cortex.Logging.Traffic.Natdport String Post-NAT destination port.
Cortex.Logging.Traffic.Dst String Original destination IP address. The IP address is an IPv4/IPv6 address in hex format.
Cortex.Logging.Traffic.Natdst String If destination NAT performed, the post-NAT destination IP address. The IP address is an IPv4/IPv6 address in hex format.
Cortex.Logging.Traffic.Rule String Name of the security policy rule that the network traffic matched.
Cortex.Logging.Traffic.Dport String Network traffic's destination port. If this value is 0, then the app is using its standard port.
Cortex.Logging.Traffic.Elapsed String Total time taken for the network session to complete.
Cortex.Logging.Traffic.DeviceName String The hostname of the firewall that logged the network traffic.
Cortex.Logging.Traffic.Subtype String Traffic log subtype. Values are: start, end, drop, deny.
Cortex.Logging.Traffic.TimeReceived String Time the log was received at the management plane.
Cortex.Logging.Traffic.SessionEndReason String The reason a session terminated. If the termination had multiple causes, this field displays only the highest priority reason.
Cortex.Logging.Traffic.Natsrc String If source NAT was performed, the post-NAT source IP address. The IP address is an IPv4/IPv6 address in hex format.
Cortex.Logging.Traffic.Src String Original source IP address. The IP address is an IPv4/IPv6 address in hex format.
Cortex.Logging.Traffic.Start String Time when the session was established.
Cortex.Logging.Traffic.TimeGenerated String Time the log was generated on the data plane.
Cortex.Logging.Traffic.CategoryOfApp String Identifies the high-level family of the application.
Cortex.Logging.Traffic.Srcloc String Source country or internal region for private addresses. The internal region is a user-defined name for a specific network in the user's enterprise.
Cortex.Logging.Traffic.Dstloc String Destination country or internal region for private addresses. The internal region is a user-defined name for a specific network in the user's enterprise.
Cortex.Logging.Traffic.Serial String Serial number of the firewall that generated the log.
Cortex.Logging.Traffic.Bytes String Number of total bytes (transmit and receive).
Cortex.Logging.Traffic.VsysID String A unique identifier for a virtual system on a Palo Alto Networks firewall.
Cortex.Logging.Traffic.To String Networking zone to which the traffic was sent.
Cortex.Logging.Traffic.Category String URL category associated with the session (if applicable).
Cortex.Logging.Traffic.Sport String Source port utilized by the session.
Cortex.Logging.Traffic.Tunnel String Type of tunnel.
Cortex.Logging.Traffic.IsPhishing String Detected enterprise credential submission by an end user.
IP.Address String IP address.

Command Example
!cortex-query-traffic-logs rule=To_Internet,To_VPN limit=2
Context Example
{
    "Cortex.Logging.Traffic": [
        {
            "Action": "allow",
            "App": "dns",
            "Bytes": 309,
            "Category": "any",
            "CategoryOfApp": "networking",
            "CharacteristicOfApp": [
                "able-to-transfer-file",
                "tunnel-other-application",
                "is-saas"
            ],
            "DeviceName": "DEVICE NAME",
            "Dport": 53,
            "Dst": "8.8.8.8",
            "Dstloc": "US",
            "Elapsed": 1,
            "Natdst": "0.0.0.0",
            "Natsrc": "0.0.0.0",
            "Packets": 2,
            "Proto": "udp",
            "ReceiveTime": 1571995273,
            "RiskOfApp": "3",
            "Rule": "To_Internet",
            "Serial": "007051000058440",
            "SessionEndReason": "aged-out",
            "SessionID": 107112,
            "Sport": 34105,
            "Src": "8.8.8.8",
            "Srcloc": "10.0.0.0-10.255.255.255",
            "Start": 1571995220,
            "SubcategoryOfApp": "infrastructure",
            "Subtype": "end",
            "TimeGenerated": 1571995250,
            "TimeReceived": 1571995250,
            "To": "internet",
            "Tunnel": "N/A",
            "TunneledApp": "untunneled",
            "Users": "8.8.8.8",
            "Vsys": "vsys1",
            "VsysID": 1,
            "id": "42635546_lcaas:4:2012540:1",
            "score": 1.9452807
        },
        {
            "Action": "allow",
            "App": "dns",
            "Bytes": 309,
            "Category": "any",
            "CategoryOfApp": "networking",
            "CharacteristicOfApp": [
                "able-to-transfer-file",
                "tunnel-other-application",
                "is-saas"
            ],
            "DeviceName": "DEVICE NAME",
            "Dport": 53,
            "Dst": "8.8.8.8",
            "Dstloc": "US",
            "Natdst": "0.0.0.0",
            "Natsrc": "0.0.0.0",
            "Packets": 2,
            "Proto": "udp",
            "ReceiveTime": 1571995273,
            "RiskOfApp": "3",
            "Rule": "To_Internet",
            "Serial": "007051000058440",
            "SessionEndReason": "aged-out",
            "SessionID": 225363,
            "Sport": 50230,
            "Src": "8.8.8.8",
            "Srcloc": "10.0.0.0-10.255.255.255",
            "Start": 1571995222,
            "SubcategoryOfApp": "infrastructure",
            "Subtype": "end",
            "TimeGenerated": 1571995251,
            "TimeReceived": 1571995251,
            "To": "internet",
            "Tunnel": "N/A",
            "TunneledApp": "untunneled",
            "Users": "8.8.8.8",
            "Vsys": "vsys1",
            "VsysID": 1,
            "id": "42635546_lcaas:4:2012540:8",
            "score": 1.9452807
        }
    ],
    "IP": [
        {
            "Address": "8.8.8.8"
        },
        {
            "Address": "0.0.0.0"
        }
    ]
}
Human Readable Output

Logs traffic table

Source Address Destination Address Application Action Rule Time Generated
8.8.8.8 8.8.8.8 dns allow To_Internet 2019-10-25T09:20:50
8.8.8.8 8.8.8.8 dns allow To_Internet 2019-10-25T09:20:51

Additional Information

When the command is run with fields="all", the human readable output contains the following columns: Source Address, Destination Address, Application, Action, Rule and Time Generated. When it is run with fields="field1,field2,field3", the human readable output contains field1, field2 and field3.

6. Query threat logs


Searches the Cortex panw.threat table, which is the threat logs table for PAN-OS/Panorama.

Base Command

cortex-query-threat-logs

Input
Argument Name Description Required
ip An IP address or an array of IP addresses for which to search, for example 1.1.1.1,2.2.2.2. Optional
rule Rule name or array of rule names to search. Optional
from_zone Source zone or array of zones to search. Optional
to_zone Destination zone or array of zones to search. Optional
port Port or array of ports to search. Optional
action Action or array of actions to search. Optional
query Free-text query to search. This forms the WHERE part of the query, for example: !cortex-query-threat-logs query="src LIKE '192.168.1.*' AND dst = '192.168.1.12'" Optional
fields The fields to select in the query. Either "all" (same as *) or a comma-separated list of specific fields in the table. To see the available field names, run the command once with fields="all". Optional
hash SHA256 hash or array of SHA256 hashes to search. Optional
url URL or array of URLs to search. Optional
startTime The query start time. For example, startTime="2018-04-26 00:00:00" Optional
endTime The query end time. For example, endTime="2018-04-26 00:00:00" Optional
timeRange The time range for the query, used with the rangeValue argument. For example, timeRange="weeks" rangeValue="1" would run the query on the previous week. Optional
rangeValue The time value for the query, used with the timeRange argument. For example, timeRange="weeks" rangeValue="1" would run the query on the previous week. Optional
limit The number of logs to return. Default is 5. Optional

Context Output

Path Type Description
Cortex.Logging.Threat.SessionID String Identifies the firewall's internal identifier for a specific network session.
Cortex.Logging.Threat.Action String Identifies the action that the firewall took for the network traffic.
Cortex.Logging.Threat.App String Application associated with the network traffic.
Cortex.Logging.Threat.Nat String Indicates whether the firewall is performing network address translation (NAT) for the logged traffic. If it is, this value is 1.
Cortex.Logging.Threat.SubcategoryOfApp String Identifies the application's subcategory. The subcategory is related to the application's category, which is identified in category_of_app.
Cortex.Logging.Threat.PcapID String Packet capture (pcap) ID. This is used to correlate threat pcap files with extended pcaps taken as a part of the session flow. All threat logs will contain either a pcap_id of 0 (no associated pcap) , or an ID referencing the extended pcap file.
Cortex.Logging.Threat.Natdst String If destination NAT performed, the post-NAT destination IP address. The IP address is an IPv4/IPv6 address in hex format.
Cortex.Logging.Threat.Flags String Bit field which provides details on the session, such as whether the session uses IPv6, whether the session was denied due to a URL filtering rule, and/or whether the log corresponds to a transaction within an HTTP proxy session.
Cortex.Logging.Threat.Dport String Network traffic's destination port. If this value is 0, then the app is using its standard port.
Cortex.Logging.Threat.ThreatID String Numerical identifier for the threat type. All threats encountered by Palo Alto Networks firewalls are assigned a unique identifier
Cortex.Logging.Threat.Natsrc String If source NAT was performed, the post-NAT source IP address. The IP address is an IPv4/IPv6 address in hex format.
Cortex.Logging.Threat.CategoryOfApp String Identifies the managing application, or parent, of the application associated with this network traffic, if any.
Cortex.Logging.Threat.Srcloc String Source country or internal region for private addresses. The internal region is a user-defined name for a specific network in the user's enterprise.
Cortex.Logging.Threat.Dstloc String Destination country or internal region for private addresses. The internal region is a user-defined name for a specific network in the user's enterprise.
Cortex.Logging.Threat.To String Networking zone to which the traffic was sent.
Cortex.Logging.Threat.RiskOfApp String Indicates how risky the application is from a network security perspective. Values range from 1-5, where 5 is the riskiest.
Cortex.Logging.Threat.Natsport String Post-NAT source port.
Cortex.Logging.Threat.URLDenied String Session was denied due to a URL filtering rule.
Cortex.Logging.Threat.CharacteristicOfApp String Identifies the behavioral characteristic of the application associated with the network traffic.
Cortex.Logging.Threat.HTTPMethod String Only in URL filtering logs. Describes the HTTP method used in the web request.
Cortex.Logging.Threat.From String The networking zone from which the traffic originated.
Cortex.Logging.Threat.Vsys String Virtual system associated with the network traffic.
Cortex.Logging.Threat.ReceiveTime String Time the log was received at the management plane.
Cortex.Logging.Threat.Users String Srcuser or dstuser or srcip (one of).
Cortex.Logging.Threat.Proto String IP protocol associated with the session.
Cortex.Logging.Threat.Natdport String Post-NAT destination port.
Cortex.Logging.Threat.Dst String Original destination IP address. The IP address is an IPv4/ IPv6 address in hex format.
Cortex.Logging.Threat.Rule String Name of the security policy rule that the network traffic matched.
Cortex.Logging.Threat.CategoryOfThreatID String Threat category of the detected threat.
Cortex.Logging.Threat.DeviceName String The hostname of the firewall that logged the network traffic.
Cortex.Logging.Threat.Subtype String Subtype of the threat log.
Cortex.Logging.Threat.TimeReceived String Time the log was received at the management plane.
Cortex.Logging.Threat.Direction String Indicates the direction of the attack: client-to-server or server-to-client.
Cortex.Logging.Threat.Misc String The meaning of this field differs according to the log's subtype: Subtype is URL, this field contains the requested URI. Subtype is File, this field contains the file name or file type. Subtype is Virus, this field contains the file name. Subtype is WildFire, this field contains the file name.
Cortex.Logging.Threat.Severity String Severity associated with the event.
Cortex.Logging.Threat.Src String Original source IP address. The IP address is an IPv4/IPv6 address in hex format.
Cortex.Logging.Threat.TimeGenerated String Time the log was generated on the data plane.
Cortex.Logging.Threat.Serial String Serial number of the firewall that generated the log.
Cortex.Logging.Threat.VsysID String A unique identifier for a virtual system on a Palo Alto Networks firewall.
Cortex.Logging.Threat.URLDomain String The name of the internet domain that was visited in this session.
Cortex.Logging.Threat.Category String For the URL subtype, this identifies the URL category. For the WildFire subtype, this identifies the verdict on the file: one of "malicious", "phishing", "grayware" or "benign".
Cortex.Logging.Threat.Sport String Source port utilized by the session.
Cortex.Logging.Threat.IsPhishing Boolean Detected enterprise credential submission by an end user.
IP.Address String IP address.
Domain.Name String The domain name, for example: "google.com".
File.SHA256 String The SHA256 hash of the file.
File.Name String The full file name (including file extension).
File.Type String The file type, as determined by libmagic (same as displayed in file entries).

Command Example
!cortex-query-threat-logs fields=src,dst ip=8.8.8.8 limit=1
Context Example
{
    "Cortex.Logging.Threat": [
        {
            "Dst": "7.7.7.7",
            "Src": "8.8.8.8",
            "id": "42635546_lcaas:4:2023012:4",
            "score": 4.7690573
        }
    ],
    "IP": [
        {
            "Address": "8.8.8.8"
        },
        {
            "Address": "7.7.7.7"
        }
    ]
}
Human Readable Output

Logs threat table

src dst
8.8.8.8 7.7.7.7

Additional Information

When the command is run with fields="all", the human readable output contains the following columns: Source Address, Destination Address, Application, Action, Rule and Time Generated. When it is run with fields="field1,field2,field3", the human readable output contains field1, field2 and field3.
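
The ip, rule, fields, query, startTime/endTime, timeRange/rangeValue and limit arguments of cortex-query-traffic-logs and cortex-query-threat-logs all end up in a single query against the table named for the command. The following is an added example, not the integration's own code, of how such arguments can be composed into that query while keeping values, identifiers and the free-text WHERE fragment apart. The request shape ({"query": <SQL>, "startTime": <epoch>, "endTime": <epoch>}), the SELECT ... FROM ... WHERE ... LIMIT statement form, the function names and the interpretation of timeRange/rangeValue as "the last N units ending now" are assumptions made for this example; the src, dst and rule column names are the ones used in the query examples on this page.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Added example (not the integration's own code): turn the arguments of a
# cortex-query-traffic-logs / cortex-query-threat-logs call into a query
# request. Request shape and statement form are assumptions of this example.

TABLES = {"traffic": "panw.traffic", "threat": "panw.threat"}

# Field names are SQL identifiers, not values; only dotted identifiers pass,
# so the `fields` argument cannot carry an expression or a subquery.
FIELD_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*")
TIME_UNITS = ("minutes", "hours", "days", "weeks")


def sql_string(value):
    """Quote a value as a SQL string literal, doubling any embedded quote."""
    return "'" + str(value).replace("'", "''") + "'"


def split_list(arg):
    """Demisto list arguments arrive as 'a,b,c'; return the non-empty items."""
    return [v.strip() for v in str(arg).split(",") if v.strip()]


def in_clause(column, values):
    return "%s IN (%s)" % (column, ", ".join(sql_string(v) for v in values))


def parse_time(value):
    """startTime/endTime use 'YYYY-MM-DD HH:MM:SS' (read as UTC); return epoch seconds."""
    dt = datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def build_request(table, fields="all", ip=None, rule=None, query=None,
                  startTime=None, endTime=None, timeRange=None,
                  rangeValue=None, limit=5, now=None):
    """Compose the request for one command invocation (argument names mirror the command)."""
    now = now or datetime.now(timezone.utc)
    if fields == "all":
        select = "*"
    else:
        cols = split_list(fields)
        bad = [c for c in cols if not FIELD_RE.fullmatch(c)]
        if bad:
            raise ValueError("invalid field name(s): %s" % bad)
        select = ", ".join(cols)

    where = []
    if ip:
        ips = split_list(ip)
        for v in ips:
            ipaddress.ip_address(v)          # ValueError if it is not an IP address
        where.append("(%s OR %s)" % (in_clause("src", ips), in_clause("dst", ips)))
    if rule:
        where.append(in_clause("rule", split_list(rule)))
    if query:
        # The free-text WHERE fragment is appended as written. It must only ever
        # come from an analyst or a playbook constant, never from incident fields
        # an attacker could influence (an email body, a ticket description).
        where.append("(%s)" % query)

    limit = int(limit)
    if limit < 1:
        raise ValueError("limit must be positive")
    sql = "SELECT %s FROM %s" % (select, TABLES[table])
    if where:
        sql += " WHERE " + " AND ".join(where)
    sql += " LIMIT %d" % limit

    # Explicit startTime/endTime win; otherwise timeRange + rangeValue means
    # "the last N units" ending now (assumed interpretation).
    if timeRange or rangeValue:
        if timeRange not in TIME_UNITS or not rangeValue:
            raise ValueError("timeRange must be one of %s and rangeValue set" % (TIME_UNITS,))
        start = now - timedelta(**{timeRange: int(rangeValue)})
        start_epoch, end_epoch = int(start.timestamp()), int(now.timestamp())
    else:
        start_epoch = parse_time(startTime) if startTime else 0
        end_epoch = parse_time(endTime) if endTime else int(now.timestamp())
    if start_epoch > end_epoch:
        raise ValueError("startTime is after endTime")

    return {"query": sql, "startTime": start_epoch, "endTime": end_epoch}


if __name__ == "__main__":
    print(build_request("threat", fields="src,dst", ip="8.8.8.8", limit=1,
                        timeRange="weeks", rangeValue="1")["query"])
    # A value carrying a quote is quoted, not interpreted:
    print(build_request("traffic", rule="x' OR '1'='1")["query"])
```

Values always go through sql_string, identifiers through FIELD_RE, and the only thing that reaches the statement verbatim is the query argument, which is why the example treats that one argument as trusted input.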

7. Query Traps logs


Searches the Cortex tms.threat table, which is the threat logs table for the Traps endpoint protection and response.

Base Command

cortex-query-traps-logs

Input
Argument Name Description Required
ip IP or array of IPs to search, for example 1.1.1.1,2.2.2.2. Optional
host Host or array of hosts to search. Optional
user User or an array of users to search. Optional
category Category or array of categories to search. Optional
hash Hash or array of hashes to search. Optional
query Free-text input query to search. This is the WHERE part of the query so an example will be src = '1.1.1.1' OR rule = 'test rule'. Optional
fields The fields to select in the query. Either "all" (same as *) or a comma-separated list of specific fields in the table. To see the available field names, run the command once with fields="all". Optional
startTime The query start time. For example, startTime="2018-04-26 00:00:00". Optional
endTime The query end time. For example, endTime="2018-04-26 00:00:00". Optional
timeRange The time range for the query, used with the rangeValue argument. For example, timeRange="weeks" rangeValue="1" would run the query on the previous week. Optional
rangeValue The time value for the query, used with the timeRange argument. For example, timeRange="weeks" rangeValue="1" would run the query on the previous week. Optional
limit The number of logs to return. Default is 5. Optional

Context Output
Path Type Description
Cortex.Logging.Traps.Severity String Severity level associated with the event.
Cortex.Logging.Traps.AgentID String Unique identifier for the Traps agent.
Cortex.Logging.Traps.EndPointHeader.OsType String Operating system of the endpoint.
Cortex.Logging.Traps.EndPointHeader.IsVdi String Indicates whether the endpoint is a virtual desktop infrastructure (VDI).
Cortex.Logging.Traps.EndPointHeader.OSVersion String Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135.
Cortex.Logging.Traps.EndPointHeader.Is64 String Indicates whether the endpoint is running a 64-bit version of Windows.
Cortex.Logging.Traps.EndPointHeader.AgentIP String IP address of the endpoint.
Cortex.Logging.Traps.EndPointHeader.DeviceName String Hostname of the endpoint on which the event was logged.
Cortex.Logging.Traps.EndPointHeader.DeviceDomain String Domain to which the endpoint belongs.
Cortex.Logging.Traps.EndPointHeader.Username String The username on which the event was logged.
Cortex.Logging.Traps.EndPointHeader.AgentTime String Universal Time Coordinated (UTC) equivalent of the time at which an agent logged an event. ISO-8601 string representation.
Cortex.Logging.Traps.EndPointHeader.AgentVersion String Version of the Traps agent.
Cortex.Logging.Traps.EndPointHeader.ProtectionStatus String The Traps agent status.
Cortex.Logging.Traps.RecordType String Record type associated with the event.
Cortex.Logging.Traps.TrapsID String Tenant external ID.
Cortex.Logging.Traps.EventType String Subtype of the event.
Cortex.Logging.Traps.UUID String Unique identifier for the event in Cortex.
Cortex.Logging.Traps.ServerHost String Hostname of the Traps management service.
Cortex.Logging.Traps.GeneratedTime String Universal Time Coordinated (UTC) equivalent of the time at which an event was logged.
Cortex.Logging.Traps.ServerComponentVersion String Software version of the Traps management service.
Cortex.Logging.Traps.RegionID String Region ID.
Cortex.Logging.Traps.CustomerID String Customer ID.
Cortex.Logging.Traps.ServerTime String Universal Time Coordinated (UTC) equivalent of the time at which the server generated the log. If the log was generated on an endpoint.
Cortex.Logging.Traps.OriginalAgentTime String Original time on the endpoint device.
Cortex.Logging.Traps.Facility String The Traps system component that initiated the event, for example TrapsAgent, TrapsServiceCore, TrapsServiceManagement or TrapsServiceBackend.
Cortex.Logging.Traps.MessageData.PreventionKey String Unique identifier for security events.
Cortex.Logging.Traps.MessageData.Processes.PID String Process identifier.
Cortex.Logging.Traps.MessageData.Processes.ParentID String Parent process identifier.
Cortex.Logging.Traps.MessageData.Processes.ExeFileIdx String Index of target files for specific security events such as: Scanning, Malicious DLL, Malicious Macro events.
Cortex.Logging.Traps.MessageData.Processes.UserIdx String Index of users.
Cortex.Logging.Traps.MessageData.Processes.CommandLine String Command line executed with the process.
Cortex.Logging.Traps.MessageData.Processes.Terminated String Termination action taken on the file.
Cortex.Logging.Traps.MessageData.Files.RawFullPath String Full path for the executed file.
Cortex.Logging.Traps.MessageData.Files.FileName String File name.
Cortex.Logging.Traps.MessageData.Files.SHA256 String SHA256 hash of the file.
Cortex.Logging.Traps.MessageData.Files.FileSize String File size.
Cortex.Logging.Traps.MessageData.Users.Username String Username of the active user on the endpoint.
Cortex.Logging.Traps.MessageData.Users.Domain String Domain to which the user account belongs.
Cortex.Logging.Traps.MessageData.PostDetected String Whether this was a post-detection, that is, the file was identified as malicious after it had already run.
Cortex.Logging.Traps.MessageData.Terminate String Termination action taken on the file.
Cortex.Logging.Traps.MessageData.Verdict String Traps verdict for the file.
Cortex.Logging.Traps.MessageData.Blocked String Block action taken on the file.
Cortex.Logging.Traps.MessageData.TargetProcessIdx String The prevention target process index in the processes array.
Cortex.Logging.Traps.MessageData.ModuleCategory String Security module name.
Cortex.Logging.Traps.MessageData.PreventionMode String The prevention mode used.
Cortex.Logging.Traps.MessageData.TrapsSeverity String Traps Severity level associated with the event defined for the Traps management service.
Cortex.Logging.Traps.MessageData.SourceProcess.User.Username String Source username initiating the process.
Cortex.Logging.Traps.MessageData.SourceProcess.PID String Source process ID (PID).
Cortex.Logging.Traps.MessageData.SourceProcess.ParentID String Parent ID for the source process.
Cortex.Logging.Traps.MessageData.SourceProcess.CommandLine String Source process command line.
Cortex.Logging.Traps.MessageData.SourceProcess.InstanceID String Traps instance ID.
Cortex.Logging.Traps.MessageData.SourceProcess.Terminated String Source process termination action taken on the file.
Cortex.Logging.Traps.MessageData.SourceProcess.RawFullPath String Source process raw full path.
Cortex.Logging.Traps.MessageData.SourceProcess.FileName String Source process file name.
Cortex.Logging.Traps.MessageData.SourceProcess.SHA256 String Source process SHA256 hash.
Cortex.Logging.Traps.MessageData.SourceProcess.FileSize String Source process file size.
Cortex.Logging.Traps.MessageData.SourceProcess.InnerObjectSHA256 String Source process inner object SHA256 hash
Endpoint.Hostname String The hostname that is mapped to this endpoint.
Endpoint.IPAddress String The IP address of the endpoint.
Endpoint.Domain String The domain of the endpoint.
Endpoint.OSVersion String OS version.
Endpoint.OS String Endpoint OS.
Endpoint.ID String The unique ID within the tool retrieving the endpoint.
Host.Hostname String The name of the host.
Host.IPAddress String The IP address of the host.
Host.Domain String The domain of the host.
Host.OSVersion String The OS version of the host.
Host.OS String Host OS.
Host.ID String The unique ID within the tool retrieving the host.
Process.PID Number The PID of the process.
Process.Parent String Parent process objects.
Process.CommandLine String The full command line (including arguments).
Process.SHA256 String The SHA256 hash of the process.
Process.Name String The name of the process.
Process.Path String The file system path to the binary file.
File.Name String The full file name (including file extension).
File.Type String The file type, as determined by libmagic (same as displayed in file entries).
File.Path String The path where the file is located.
File.Size Number The size of the file in bytes.
File.SHA256 String The SHA256 hash of the file.
File.DigitalSignature.Publisher String The publisher of the digital signature for the file.
File.Company String The name of the company that released a binary.
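
The MessageData fields above reference each other by position: Processes[i].ExeFileIdx and Processes[i].UserIdx point into the Files and Users arrays, and TargetProcessIdx points into Processes. The following added example (not the integration's own code) resolves those indices into the Endpoint, Process and File context entries listed above and rebuilds the parent chain from PID/ParentID, tolerating an index that points outside its array. The sample event, its hostname, user, command lines and placeholder hashes are constructed for the example, and the exact nesting of the raw event is assumed from the context table rather than taken from a real Cortex record.

```python
# Added example (not the integration's own code). Traps MessageData keeps
# processes, files and users in parallel arrays linked by index: each process
# points at its executable (ExeFileIdx) and user (UserIdx), and
# TargetProcessIdx names the process the prevention acted on. The event below
# is constructed (placeholder hashes, made-up host and user); its nesting is
# assumed from the context table.

SAMPLE_EVENT = {
    "AgentID": "example-agent-0001",
    "Severity": "High",
    "EventType": "ThreatEvent",
    "EndPointHeader": {
        "DeviceName": "WKS-0042", "AgentIP": "10.1.2.3", "DeviceDomain": "corp.example",
        "OsType": "Windows", "OSVersion": "10.0.17134", "Username": "jdoe",
    },
    "MessageData": {
        "PreventionKey": "example-prevention-0001",
        "Verdict": "Malware", "Blocked": "1", "TargetProcessIdx": 1,
        "Processes": [
            {"PID": 4120, "ParentID": 812, "ExeFileIdx": 0, "UserIdx": 0, "Terminated": "0",
             "CommandLine": "\"C:\\Program Files\\Microsoft Office\\WINWORD.EXE\" invoice.docx"},
            {"PID": 5316, "ParentID": 4120, "ExeFileIdx": 1, "UserIdx": 0, "Terminated": "1",
             "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
        ],
        "Files": [
            {"RawFullPath": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
             "FileName": "WINWORD.EXE", "SHA256": "a" * 64, "FileSize": 1951232},
            {"RawFullPath": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
             "FileName": "powershell.exe", "SHA256": "b" * 64, "FileSize": 452608},
        ],
        "Users": [{"Username": "jdoe", "Domain": "CORP"}],
    },
}


def lookup(seq, idx):
    """Index into a list defensively: a missing or out-of-range index yields {}."""
    try:
        idx = int(idx)
    except (TypeError, ValueError):
        return {}
    return seq[idx] if 0 <= idx < len(seq) else {}


def resolve_processes(event):
    """Attach each process's executable and user, resolved through the index fields."""
    md = event.get("MessageData", {})
    files, users = md.get("Files", []), md.get("Users", [])
    resolved = []
    for proc in md.get("Processes", []):
        exe = lookup(files, proc.get("ExeFileIdx"))
        user = lookup(users, proc.get("UserIdx"))
        resolved.append({
            "PID": proc.get("PID"), "ParentID": proc.get("ParentID"),
            "CommandLine": proc.get("CommandLine"),
            "Terminated": str(proc.get("Terminated")) == "1",
            "Name": exe.get("FileName"), "Path": exe.get("RawFullPath"),
            "SHA256": exe.get("SHA256"), "Size": exe.get("FileSize"),
            "User": "%s\\%s" % (user["Domain"], user["Username"]) if user else None,
        })
    return resolved


def ancestry(event):
    """Executable names from the root of the recorded chain down to the target process."""
    procs = resolve_processes(event)
    by_pid = {p["PID"]: p for p in procs}
    node = lookup(procs, event.get("MessageData", {}).get("TargetProcessIdx"))
    chain, seen = [], set()
    while node and node["PID"] not in seen:      # `seen` guards against PID cycles
        seen.add(node["PID"])
        chain.append(node["Name"])
        node = by_pid.get(node["ParentID"])
    return list(reversed(chain))


def to_context(event):
    """Build Endpoint, Process and File context entries plus a short summary."""
    hdr, md = event.get("EndPointHeader", {}), event.get("MessageData", {})
    procs = resolve_processes(event)
    by_pid = {p["PID"]: p for p in procs}
    return {
        "Endpoint": {"Hostname": hdr.get("DeviceName"), "IPAddress": hdr.get("AgentIP"),
                     "Domain": hdr.get("DeviceDomain"), "OS": hdr.get("OsType"),
                     "OSVersion": hdr.get("OSVersion"), "ID": event.get("AgentID")},
        "Process": [{"PID": p["PID"], "Name": p["Name"], "Path": p["Path"],
                     "CommandLine": p["CommandLine"], "SHA256": p["SHA256"],
                     "Parent": (by_pid.get(p["ParentID"]) or {}).get("Name")} for p in procs],
        "File": [{"Name": f.get("FileName"), "Path": f.get("RawFullPath"),
                  "SHA256": f.get("SHA256"), "Size": f.get("FileSize")}
                 for f in md.get("Files", [])],
        "Summary": {"Verdict": md.get("Verdict"), "Blocked": str(md.get("Blocked")) == "1",
                    "Chain": " -> ".join(n or "?" for n in ancestry(event))},
    }


if __name__ == "__main__":
    ctx = to_context(SAMPLE_EVENT)
    print(ctx["Summary"])
    for p in ctx["Process"]:
        print(p["Parent"], "->", p["Name"], "|", p["CommandLine"])
```

The parent chain is rebuilt only from the processes the event carries, so the root of the chain is the first recorded process, not necessarily the true ancestor on the endpoint; the ParentID of that root (812 in the sample) points at a process the event does not describe.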

Command Example
!cortex-query-traps-logs startTime=2011-10-25T00:00:31 endTime=2019-10-27T00:00:31 fields=endPointHeader.userName limit=4 user=administrator,tim,josh
Context Example
{
    "Cortex.Logging.Traps": [
        {
            "EndPointHeader": {
                "Username": "administrator"
            },
            "id": "9c8228bd-c26b-452c-855f-bbd83070809f",
            "score": 1.452933
        },
        {
            "EndPointHeader": {
                "Username": "administrator"
            },
            "id": "8d54c329-5ef7-4563-9018-a1b69cb90bbd",
            "score": 1.452933
        },
        {
            "EndPointHeader": {
                "Username": "administrator"
            },
            "id": "cbdf7fc6-5fa3-4090-aa3d-4f0aaf3b45d9",
            "score": 1.452933
        },
        {
            "EndPointHeader": {
                "Username": "administrator"
            },
            "id": "df2ef772-ce37-41a5-a4de-bacee0135d58",
            "score": 1.452933
        }
    ]
}
Human Readable Output

Logs traps table

endPointHeader.userName
administrator
administrator
administrator
administrator

Additional Information

When the command is run with fields="all", the human readable output contains the following columns: Severity, Event Type, User, Agent Address, Agent Name and Agent Time. When it is run with fields="field1,field2,field3", the human readable output contains field1, field2 and field3. Note that the fields and query arguments take the raw table field names (for example endPointHeader.userName, as in the command example above), while the context paths use the normalized names listed in the Context Output table (EndPointHeader.Username).

8. Query analytics logs


Searches the Cortex tms.analytics table, which is the endpoint logs table for Traps Analytics.

Base Command

cortex-query-analytics-logs

Input
Argument Name Description Required
ip Agent IP or array of agent IPs to search. Optional
host Agent host name or array of agent host names to search. Optional
user Username or array of usernames to search. Optional
category Event category or array of event categories to search. Optional
hash Hash or array of hashes to search. Optional
query Free-text input query to search. This forms the WHERE part of the query. For example, endPointHeader.agentIp = '1.1.1.1'. Optional
fields The fields to select in the query. Either "all" (same as *) or a comma-separated list of specific fields in the table. To see the available field names, run the command once with fields="all". Optional
startTime The query start time. For example, startTime="2018-04-26 00:00:00". Optional
endTime The query end time. For example, endTime="2018-04-26 00:00:00". Optional
timeRange The time range for the query, used with the rangeValue argument. For example, timeRange="weeks" rangeValue="1" would run the query on the previous week. Optional
rangeValue The time value for the query, used with the timeRange argument. For example, timeRange="weeks" rangeValue="1" would run the query on the previous week. Optional
limit The number of logs to return. Default is 5. Optional

Context Output
Path Type Description
Cortex.Logging.Analytics.AgentID String Unique identifier for the Traps agent.
Cortex.Logging.Analytics.EndPointHeader.OsType String Operating system of the endpoint.
Cortex.Logging.Analytics.EndPointHeader.IsVdi String Indicates whether the endpoint is a virtual desktop infrastructure (VDI).
Cortex.Logging.Analytics.EndPointHeader.OSVersion String Full version number of the operating system running on the endpoint. For example, 6.1.7601.19135.
Cortex.Logging.Analytics.EndPointHeader.Is64 String Indicates whether the endpoint is running a 64-bit version of Windows.
Cortex.Logging.Analytics.EndPointHeader.AgentIP String IP address of the endpoint.
Cortex.Logging.Analytics.EndPointHeader.DeviceName String Hostname of the endpoint on which the event was logged.
Cortex.Logging.Analytics.EndPointHeader.DeviceDomain String Domain to which the endpoint belongs.
Cortex.Logging.Analytics.EndPointHeader.Username String The username on which the event was logged.
Cortex.Logging.Analytics.EndPointHeader.UserDomain String Domain to which the user account belongs.
Cortex.Logging.Analytics.EndPointHeader.AgentTime String Universal Time Coordinated (UTC) equivalent of the time at which an agent logged an event. ISO-8601 string representation.
Cortex.Logging.Analytics.EndPointHeader.AgentVersion String Version of the Traps agent.
Cortex.Logging.Analytics.EndPointHeader.ProtectionStatus String Status of the Traps protection.
Cortex.Logging.Analytics.EndPointHeader.DataCollectionStatus String Status of the agent logging.
Cortex.Logging.Analytics.TrapsID String Tenant external ID.
Cortex.Logging.Analytics.EventType String Subtype of event.
Cortex.Logging.Analytics.UUID String Event unique ID.
Cortex.Logging.Analytics.GeneratedTime String Universal Time Coordinated (UTC) equivalent of the time at which an event was logged. For agent events, this represents the time on the endpoint. For policy, configuration, and system events, this represents the time on the Traps management service. ISO-8601 string representation (for example, 2017-01-24T09:08:59Z).
Cortex.Logging.Analytics.RegionID String ID of the Traps management service region.
Cortex.Logging.Analytics.OriginalAgentTime String Original timestamp for endpoint.
Cortex.Logging.Analytics.Facility String The Traps system component that initiated the event, for example TrapsAgent, TrapsServiceCore, TrapsServiceManagement, TrapsServiceBackend.
Cortex.Logging.Analytics.MessageData.Type String Type of file, for example pe.
Cortex.Logging.Analytics.MessageData.SHA256 String The SHA256 hash of the file.
Cortex.Logging.Analytics.MessageData.FileName String File name, without the path (for example backgroundTaskHost.exe).
Cortex.Logging.Analytics.MessageData.FilePath String Full path, aligned with OS format.
Cortex.Logging.Analytics.MessageData.FileSize String Size of the file in bytes.
Cortex.Logging.Analytics.MessageData.Reported String Whether the file was reported.
Cortex.Logging.Analytics.MessageData.Blocked String Whether the file was blocked.
Cortex.Logging.Analytics.MessageData.LocalAnalysisResult.Trusted String Trusted signer result.
Cortex.Logging.Analytics.MessageData.LocalAnalysisResult.Publishers String File publisher.
Cortex.Logging.Analytics.MessageData.LocalAnalysisResult.TrustedID String Trusted ID.
Cortex.Logging.Analytics.MessageData.ExecutionCount String File execution count.
Cortex.Logging.Analytics.MessageData.LastSeen String The date the file was last seen.
Cortex.Logging.Analytics.Severity String The threat severity.
Endpoint.Hostname String The hostname that is mapped to this endpoint.
Endpoint.IPAddress String The IP address of the endpoint.
Endpoint.Domain String The domain of the endpoint.
Endpoint.OSVersion String OS version.
Endpoint.OS String Endpoint OS.
Endpoint.ID String The unique ID within the tool retrieving the endpoint.
Host.Hostname String The name of the host.
Host.IPAddress String The IP address of the host.
Host.Domain String The domain of the host.
Host.OSVersion String The OS version of the host.
Host.OS String Host OS.
Host.ID String The unique ID within the tool retrieving the host.
File.Name String The full file name (including file extension).
File.Type String The file type, as determined by libmagic (same as displayed in file entries).
File.Path String The path where the file is located.
File.Size Number The size of the file in bytes.
File.SHA256 String The SHA256 hash of the file.
File.DigitalSignature.Publisher String The publisher of the digital signature for the file.
File.Company String The name of the company that released a binary.
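
The analytics table carries, per executed file, its SHA256, path, publisher list and execution count, together with the endpoint it ran on, which is what a prevalence hunt needs. The following added example (not the integration's own code) stacks Cortex.Logging.Analytics records of the HashEventObject shape shown in the example below by SHA256 across endpoints and flags hashes that have no publisher and ran from a user-writable location, giving extra weight to rarity and to a Windows system binary name outside \Windows\. The records, hostnames and hashes are constructed for the example; this page does not define what the Trusted values mean (the Microsoft-signed binaries in the example below carry "None"), so only the Publishers list is used as the signing signal, and that choice is an assumption of the example.

```python
import re
from collections import defaultdict

# Added example (not the integration's own code): a prevalence hunt over
# Cortex.Logging.Analytics records. All records, hosts and hashes below are
# constructed; only the Publishers list is treated as the signing signal.

USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp|temp)\\", re.IGNORECASE)
WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)
SYSTEM_NAMES = {"svchost.exe", "conhost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "rundll32.exe"}


def fake_hash(ch):
    """64-hex placeholder standing in for a real SHA256 in the constructed sample."""
    return ch * 64


def record(host, name, path, sha256, publishers, count):
    """One analytics record in the shape of the context example on this page."""
    return {"EndPointHeader": {"DeviceName": host},
            "MessageData": {"FileName": name, "FilePath": path, "SHA256": sha256,
                            "ExecutionCount": count, "Blocked": 0, "Reported": 0,
                            "LocalAnalysisResult": {"Publishers": publishers, "Trusted": "None"}}}


SAMPLE_RECORDS = [
    record("WKS-01", "conhost.exe", "C:\\Windows\\System32\\", fake_hash("a"), ["Microsoft Windows"], 83238),
    record("WKS-02", "conhost.exe", "C:\\Windows\\System32\\", fake_hash("a"), ["Microsoft Windows"], 51002),
    record("WKS-03", "conhost.exe", "C:\\Windows\\System32\\", fake_hash("a"), ["Microsoft Windows"], 12),
    record("WKS-01", "7z.exe", "C:\\Program Files\\7-Zip\\", fake_hash("b"), ["Igor Pavlov"], 40),
    record("WKS-02", "7z.exe", "C:\\Program Files\\7-Zip\\", fake_hash("b"), ["Igor Pavlov"], 3),
    record("WKS-02", "update.exe", "C:\\Users\\jdoe\\AppData\\Local\\Temp\\", fake_hash("c"), [], 1),
    record("WKS-03", "svchost.exe", "C:\\Users\\Public\\", fake_hash("d"), [], 2),
]


def stack_by_hash(records):
    """Aggregate records per SHA256: names, paths, hosts, publishers and total executions."""
    stacks = defaultdict(lambda: {"names": set(), "paths": set(), "hosts": set(),
                                  "publishers": set(), "executions": 0})
    for rec in records:
        md, hdr = rec.get("MessageData", {}), rec.get("EndPointHeader", {})
        sha = str(md.get("SHA256") or "").lower()
        if not re.fullmatch(r"[0-9a-f]{64}", sha):
            continue                     # no usable hash, nothing to stack on
        s = stacks[sha]
        s["names"].add(md.get("FileName"))
        s["paths"].add(md.get("FilePath"))
        s["hosts"].add(hdr.get("DeviceName"))
        s["publishers"].update(md.get("LocalAnalysisResult", {}).get("Publishers") or [])
        s["executions"] += int(md.get("ExecutionCount") or 0)
    return dict(stacks)


def is_user_writable(path):
    return bool(USER_WRITABLE.match(path or ""))


def hunt(records, max_hosts=1):
    """Return [(sha256, reasons)] for hashes worth triage, strongest signal first."""
    hits = []
    for sha, s in stack_by_hash(records).items():
        reasons = []
        if not s["publishers"]:
            reasons.append("no publisher")
        if any(is_user_writable(p) for p in s["paths"]):
            reasons.append("user-writable path")
        if len(s["hosts"]) <= max_hosts:
            reasons.append("seen on %d host(s)" % len(s["hosts"]))
        if any((n or "").lower() in SYSTEM_NAMES and not WINDOWS_DIR.match(p or "")
               for n in s["names"] for p in s["paths"]):
            reasons.append("system binary name outside \\Windows\\")
        # Unsigned alone is common (in-house tools); insist on both core signals.
        if "no publisher" in reasons and "user-writable path" in reasons:
            hits.append((sha, reasons))
    hits.sort(key=lambda h: (len(h[1]), h[0]), reverse=True)
    return hits


if __name__ == "__main__":
    for sha, reasons in hunt(SAMPLE_RECORDS):
        print(sha[:12], ", ".join(reasons))
```

Run against real output, the records would come from cortex-query-analytics-logs with fields="all" and a large enough limit; the stacking is what turns a per-event log into a per-binary view, and max_hosts sets how rare a binary has to be before rarity counts as a reason.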

Command Example
!cortex-query-analytics-logs fields=all host=DC1ENV9APC51 user=Administrator
Context Example
{
    "Cortex.Logging.Analytics": [
        {
            "AgentID": "30e55fb7590b0a907906b5620960931f",
            "EndPointHeader": {
                "AgentIP": "8.8.8.8",
                "AgentTime": "2019-10-26T14:20:08.124Z",
                "AgentVersion": "6.0.0.4961",
                "DeviceDomain": "DEVICE DOMAIN",
                "DeviceName": "DEVICE NAME",
                "Is64": "The endpoint is running x64 architecture",
                "IsVdi": "",
                "OSVersion": "10.0.17134",
                "OsType": "Windows",
                "ProtectionStatus": 0,
                "UserDomain": "USER DOMAIN",
                "Username": "Administrator"
            },
            "EventType": "AgentTimelineEvent",
            "Facility": "TrapsAgent",
            "GeneratedTime": "2019-10-26T14:20:08.124Z",
            "MessageData": {
                "@type": "type.googleapis.com/cloud_api.HashEventObject",
                "Blocked": 0,
                "ExecutionCount": 49616,
                "FileName": "backgroundTaskHost.exe",
                "FilePath": "C:\\Windows\\System32\\",
                "FileSize": 19352,
                "LastSeen": "2019-10-26T14:20:00.532694200Z",
                "LocalAnalysisResult": {
                    "Publishers": [
                        "Microsoft Windows"
                    ],
                    "Trusted": "None",
                    "TrustedID": ""
                },
                "Reported": 0,
                "SHA256": "48b9eb1e31b0c2418742ce07675d58c974dd9f03007988c90c1e38f217f5c65b",
                "Type": "pe"
            },
            "OriginalAgentTime": "2019-10-26T14:20:00.532694200Z",
            "RegionID": "Americas (N. Virginia)",
            "TrapsID": "8692543548339348938",
            "UUID": "8dc1aaa6-7d38-4c7d-89b3-d37fe1e9008d",
            "id": "8dc1aaa6-7d38-4c7d-89b3-d37fe1e9008d",
            "score": 5.3399997
        },
        {
            "AgentID": "30e55fb7590b0a907906b5620960931f",
            "EndPointHeader": {
                "AgentIP": "8.8.8.8",
                "AgentTime": "2019-10-26T14:19:51.853Z",
                "AgentVersion": "6.0.0.4961",
                "DeviceDomain": "DEVICE DOMAIN",
                "DeviceName": "DEVICE NAME",
                "Is64": "The endpoint is running x64 architecture",
                "IsVdi": "",
                "OSVersion": "10.0.17134",
                "OsType": "Windows",
                "ProtectionStatus": 0,
                "UserDomain": "USER DOMAIN",
                "Username": "Administrator"
            },
            "EventType": "AgentTimelineEvent",
            "Facility": "TrapsAgent",
            "GeneratedTime": "2019-10-26T14:19:51.853Z",
            "MessageData": {
                "@type": "type.googleapis.com/cloud_api.HashEventObject",
                "Blocked": 0,
                "ExecutionCount": 9612,
                "FileName": "SearchProtocolHost.exe",
                "FilePath": "C:\\Windows\\System32\\",
                "FileSize": 406528,
                "LastSeen": "2019-10-26T14:19:44.261083400Z",
                "LocalAnalysisResult": {
                    "Publishers": [
                        "Microsoft Windows"
                    ],
                    "Trusted": "None",
                    "TrustedID": ""
                },
                "Reported": 0,
                "SHA256": "aee8842a078b3cf5566b3c95e4b521c2639e878fa4749a58d69700452c051261",
                "Type": "pe"
            },
            "OriginalAgentTime": "2019-10-26T14:19:44.261083400Z",
            "RegionID": "Americas (N. Virginia)",
            "TrapsID": "8692543548339348938",
            "UUID": "ebb20522-07db-4f1f-9a04-439e661d079e",
            "id": "ebb20522-07db-4f1f-9a04-439e661d079e",
            "score": 5.3399997
        },
        {
            "AgentID": "30e55fb7590b0a907906b5620960931f",
            "EndPointHeader": {
                "AgentIP": "8.8.8.8",
                "AgentTime": "2019-10-26T14:19:51.884Z",
                "AgentVersion": "6.0.0.4961",
                "DeviceDomain": "DEVICE DOMAIN",
                "DeviceName": "DEVICE NAME",
                "Is64": "The endpoint is running x64 architecture",
                "IsVdi": "",
                "OSVersion": "10.0.17134",
                "OsType": "Windows",
                "ProtectionStatus": 0,
                "UserDomain": "USER DOMAIN",
                "Username": "Administrator"
            },
            "EventType": "AgentTimelineEvent",
            "Facility": "TrapsAgent",
            "GeneratedTime": "2019-10-26T14:19:51.884Z",
            "MessageData": {
                "@type": "type.googleapis.com/cloud_api.HashEventObject",
                "Blocked": 0,
                "ExecutionCount": 9613,
                "FileName": "SearchFilterHost.exe",
                "FilePath": "C:\\Windows\\System32\\",
                "FileSize": 227328,
                "LastSeen": "2019-10-26T14:19:44.292322500Z",
                "LocalAnalysisResult": {
                    "Publishers": [
                        "Microsoft Windows"
                    ],
                    "Trusted": "None",
                    "TrustedID": ""
                },
                "Reported": 0,
                "SHA256": "6c033c5c65e3d788c66aa9079ce69e882a74dd14bd3d7539ad76ec7f13a34b8a",
                "Type": "pe"
            },
            "OriginalAgentTime": "2019-10-26T14:19:44.292322500Z",
            "RegionID": "Americas (N. Virginia)",
            "TrapsID": "8692543548339348938",
            "UUID": "3cd17b17-a0de-492d-81d9-ac6584757305",
            "id": "3cd17b17-a0de-492d-81d9-ac6584757305",
            "score": 5.3399997
        },
        {
            "AgentID": "30e55fb7590b0a907906b5620960931f",
            "EndPointHeader": {
                "AgentIP": "8.8.8.8",
                "AgentTime": "2019-10-26T14:20:08.124Z",
                "AgentVersion": "6.0.0.4961",
                "DeviceDomain": "DEVICE DOMAIN",
                "DeviceName": "DEVICE NAME",
                "Is64": "The endpoint is running x64 architecture",
                "IsVdi": "",
                "OSVersion": "10.0.17134",
                "OsType": "Windows",
                "ProtectionStatus": 0,
                "UserDomain": "USER DOMAIN",
                "Username": "Administrator"
            },
            "EventType": "AgentTimelineEvent",
            "Facility": "TrapsAgent",
            "GeneratedTime": "2019-10-26T14:20:08.124Z",
            "MessageData": {
                "@type": "type.googleapis.com/cloud_api.HashEventObject",
                "Blocked": 0,
                "ExecutionCount": 83238,
                "FileName": "conhost.exe",
                "FilePath": "C:\\Windows\\System32\\",
                "FileSize": 625664,
                "LastSeen": "2019-10-26T14:20:00.532694200Z",
                "LocalAnalysisResult": {
                    "Publishers": [
                        "Microsoft Windows"
                    ],
                    "Trusted": "None",
                    "TrustedID": ""
                },
                "Reported": 0,
                "SHA256": "04b6a35bc504401989b9e674c57c9e84d0cbdbbd9d8ce0ce83d7ceca0b7175ed",
                "Type": "pe"
            },
            "OriginalAgentTime": "2019-10-26T14:20:00.532694200Z",
            "RegionID": "Americas (N. Virginia)",
            "TrapsID": "8692543548339348938",
            "UUID": "fb53ea16-c9c7-4e3c-b6bf-179f9e89a4bb",
            "id": "fb53ea16-c9c7-4e3c-b6bf-179f9e89a4bb",
            "score": 5.3399997
        },
        {
            "AgentID": "30e55fb7590b0a907906b5620960931f",
            "EndPointHeader": {
                "AgentIP": "8.8.8.8",
                "AgentTime": "2019-10-26T14:20:08.202Z",
                "AgentVersion": "6.0.0.4961",
                "DeviceDomain": "DEVICE DOMAIN",
                "DeviceName": "DEVICE NAME",
                "Is64": "The endpoint is running x64 architecture",
                "IsVdi": "",
                "OSVersion": "10.0.17134",
                "OsType": "Windows",
                "ProtectionStatus": 0,
                "UserDomain": "USER DOMAIN",
                "Username": "Administrator"
            },
            "EventType": "AgentTimelineEvent",
            "Facility": "TrapsAgent",
            "GeneratedTime": "2019-10-26T14:20:08.202Z",
            "MessageData": {
                "@type": "type.googleapis.com/cloud_api.HashEventObject",
                "Blocked": 0,
                "ExecutionCount": 73500,
                "FileName": "timeout.exe",
                "FilePath": "C:\\Windows\\System32\\",
                "FileSize": 30720,
                "LastSeen": "2019-10-26T14:20:00.610816500Z",
                "LocalAnalysisResult": {
                    "Publishers": [
                        "Microsoft Windows"
                    ],
                    "Trusted": "None",
                    "TrustedID": ""
                },
                "Reported": 0,
                "SHA256": "b7d686c4c92d1c0bbf1604b8c43684e227353293b3206a1220bab77562504b3c",
                "Type": "pe"
            },
            "OriginalAgentTime": "2019-10-26T14:20:00.610816500Z",
            "RegionID": "Americas (N. Virginia)",
            "TrapsID": "8692543548339348938",
            "UUID": "df8ff6a8-65b2-4932-b7da-c56ddc84f1c3",
            "id": "df8ff6a8-65b2-4932-b7da-c56ddc84f1c3",
            "score": 5.3399997
        }
    ],
    "Endpoint": [
        {
            "Domain": "DEVICE DOMAIN",
            "Hostname": "DEVICE NAME",
            "ID": "30e55fb7590b0a907906b5620960931f",
            "IP": "8.8.8.8",
            "OS": "Windows",
            "OSVersion": "10.0.17134"
        }
    ],
    "File": [
        {
            "DigitalSignature.Publisher": [
                "Microsoft Windows"
            ],
            "Name": "backgroundTaskHost.exe",
            "Path": "C:\\Windows\\System32\\",
            "SHA256": "48b9eb1e31b0c2418742ce07675d58c974dd9f03007988c90c1e38f217f5c65b",
            "Size": 19352,
            "Type": "pe"
        },
        {
            "DigitalSignature.Publisher": [
                "Microsoft Windows"
            ],
            "Name": "SearchProtocolHost.exe",
            "Path": "C:\\Windows\\System32\\",
            "SHA256": "aee8842a078b3cf5566b3c95e4b521c2639e878fa4749a58d69700452c051261",
            "Size": 406528,
            "Type": "pe"
        },
        {
            "DigitalSignature.Publisher": [
                "Microsoft Windows"
            ],
            "Name": "SearchFilterHost.exe",
            "Path": "C:\\Windows\\System32\\",
            "SHA256": "6c033c5c65e3d788c66aa9079ce69e882a74dd14bd3d7539ad76ec7f13a34b8a",
            "Size": 227328,
            "Type": "pe"
        },
        {
            "DigitalSignature.Publisher": [
                "Microsoft Windows"
            ],
            "Name": "conhost.exe",
            "Path": "C:\\Windows\\System32\\",
            "SHA256": "04b6a35bc504401989b9e674c57c9e84d0cbdbbd9d8ce0ce83d7ceca0b7175ed",
            "Size": 625664,
            "Type": "pe"
        },
        {
            "DigitalSignature.Publisher": [
                "Microsoft Windows"
            ],
            "Name": "timeout.exe",
            "Path": "C:\\Windows\\System32\\",
            "SHA256": "b7d686c4c92d1c0bbf1604b8c43684e227353293b3206a1220bab77562504b3c",
            "Size": 30720,
            "Type": "pe"
        }
    ],
    "Host": [
        {
            "Domain": "DEVICE DOMAIN",
            "Hostname": "DEVICE NAME",
            "ID": "30e55fb7590b0a907906b5620960931f",
            "IP": "8.8.8.8",
            "OS": "Windows",
            "OSVersion": "10.0.17134"
        }
    ]
}
Human Readable Output

Logs analytics table

| Event Type | User | Agent Address | Agent Name | Agent Time |
| --- | --- | --- | --- | --- |
| AgentTimelineEvent | Administrator | 8.8.8.8 | DEVICE NAME | 2019-10-26T14:20:08.124Z |
| AgentTimelineEvent | Administrator | 8.8.8.8 | DEVICE NAME | 2019-10-26T14:19:51.853Z |
| AgentTimelineEvent | Administrator | 8.8.8.8 | DEVICE NAME | 2019-10-26T14:19:51.884Z |
| AgentTimelineEvent | Administrator | 8.8.8.8 | DEVICE NAME | 2019-10-26T14:20:08.124Z |
| AgentTimelineEvent | Administrator | 8.8.8.8 | DEVICE NAME | 2019-10-26T14:20:08.202Z |

Additional Information

If the command is run with fields="all", the human readable output contains the following columns: Severity, Event Type, User, Agent Address, Agent Name & Agent Time. If the command is run with fields="field1,field2,field3", the human readable output contains only the columns field1, field2 & field3.
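The following is an added example, not code from the Cortex integration itself, showing how a `fields` argument of this shape can drive the columns of the human readable table. The mapping from display column names to nested keys of an AgentTimelineEvent (`EndPointHeader.Username` for User, `EndPointHeader.AgentIP` for Agent Address, and so on) is an assumption inferred from the sample output above; the two events are constructed to match that shape. It goes slightly beyond the text by also accepting dotted paths such as `EndPointHeader.AgentIP` in an explicit field list.

```python
"""Build the human readable table for a list of analytics-log events.

Added example; not the integration's own implementation.  The column mapping
in COLUMN_PATHS is an assumption derived from the sample output on this page.
"""
from typing import Dict, List, Tuple

# Constructed sample events, shaped like the AgentTimelineEvent entries above.
SAMPLE_EVENTS: List[Dict] = [
    {
        "EventType": "AgentTimelineEvent",
        "EndPointHeader": {
            "Username": "Administrator",
            "AgentIP": "8.8.8.8",
            "DeviceName": "DEVICE NAME",
            "AgentTime": "2019-10-26T14:20:08.124Z",
        },
        "MessageData": {"FileName": "conhost.exe"},
    },
    {
        "EventType": "AgentTimelineEvent",
        "EndPointHeader": {
            "Username": "Administrator",
            "AgentIP": "8.8.8.8",
            "DeviceName": "DEVICE NAME",
            "AgentTime": "2019-10-26T14:20:08.202Z",
        },
        "MessageData": {"FileName": "timeout.exe"},
    },
]

# Assumed mapping: human readable column name -> path of keys inside the event.
# "Severity" is read from a top-level "Severity" key and left empty if absent.
COLUMN_PATHS: Dict[str, Tuple[str, ...]] = {
    "Severity": ("Severity",),
    "Event Type": ("EventType",),
    "User": ("EndPointHeader", "Username"),
    "Agent Address": ("EndPointHeader", "AgentIP"),
    "Agent Name": ("EndPointHeader", "DeviceName"),
    "Agent Time": ("EndPointHeader", "AgentTime"),
}
DEFAULT_COLUMNS: List[str] = list(COLUMN_PATHS)  # what fields="all" expands to


def parse_fields(fields: str) -> List[str]:
    """Turn the `fields` argument into a list of column names."""
    if fields.strip().lower() == "all":
        return list(DEFAULT_COLUMNS)
    return [f.strip() for f in fields.split(",") if f.strip()]


def lookup(event: Dict, path: Tuple[str, ...]) -> str:
    """Walk nested dicts along `path`; return "" if any key is missing."""
    cur = event
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return ""
        cur = cur[key]
    return str(cur)


def build_table(events: List[Dict], fields: str = "all") -> Tuple[List[str], List[Dict[str, str]]]:
    """Return (columns, rows) for the human readable output.

    A column that is not a known display name is treated as a dotted key path
    into the event (e.g. "EndPointHeader.AgentIP"), which is an assumption.
    """
    columns = parse_fields(fields)
    rows = []
    for event in events:
        row = {}
        for col in columns:
            path = COLUMN_PATHS.get(col) or tuple(col.split("."))
            row[col] = lookup(event, path)
        rows.append(row)
    return columns, rows


def render_markdown(columns: List[str], rows: List[Dict[str, str]]) -> str:
    """Render the table the way the War Room shows it (pipe-delimited)."""
    header = "| " + " | ".join(columns) + " |"
    separator = "|" + "|".join(" --- " for _ in columns) + "|"
    body = ["| " + " | ".join(row[c] for c in columns) + " |" for row in rows]
    return "\n".join([header, separator] + body)


if __name__ == "__main__":
    cols, rows = build_table(SAMPLE_EVENTS, "all")
    print(render_markdown(cols, rows))
    cols, rows = build_table(SAMPLE_EVENTS, "EventType,EndPointHeader.AgentIP,MessageData.FileName")
    print(render_markdown(cols, rows))
```

Running the block prints the six default columns first (Severity empty because the sample events carry no such key), then a three-column table for the explicit field list, which is the difference the note above describes.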