The domain name queried in the DNS request.
Core Alert Fields
- Details
- Content
- Dependencies
- Version History
This Content Pack will provide you with the core alert fields.
| Name | Description |
|---|---|
DNS Query Name | |
Host Mac Address | MAC address of the endpoint or server on which this alert triggered. |
Image Name | |
Actor Process Instance ID | Unique identifier of the Actor Process instance generated by Cortex XDR |
File Macro SHA256 | SHA256 hash value of an Microsoft Office file macro |
File MD5 | MD5 hash value of the file. |
Process execution signer | Signer of the process that triggered the alert. |
Host Risk Reasons | The descriptions of the reasons that contributed to the host's risk level. |
Hostname | The hostname of the endpoint or server on which this alert triggered. The hostname is generally available for XDR agent alerts or alerts that are stitched with EDR data. When the hostname is unknown, this field is blank. |
Cloud Referenced Resource | Represents the resources that are referenced in the alert log. In most cases, the referred resource will be where the operation was initiated on |
Agent OS Sub Type | The operating system subtype of the agent from which the alert was triggered. |
CGO path | |
Host FQDN | The fully qualified domain name (FQDN) of the Windows endpoint or server on which this alert triggered. |
Cluster Name | |
Remote IP | The remote IP address of a network operation that triggered the alert. |
Email Subject | The email subject value of a firewall alerts triggered on a the content of a malicious email. |
Alert Search Results | |
File SHA256 | SHA256 hash value of the file. |
Initiated By | The name of the process that initiated an activity such as a network connection or registry change. |
User Risk Reasons | The descriptions of the reasons that contributed to the user's risk level. |
Cloud Resource Sub-type | A more specific classification used to map the types of resources. For example, DISK,VPC, Subnet are all mapped to Compute |
Excluded | Whether the alert is excluded by an exclusion configuration |
Misc | Miscellaneous information about the alert. |
Initiator MD5 | The MD5 value of the process which initiated the alert. |
Initiator SHA256 | The SHA256 hash value of the initiator. |
Email Sender | The email sender value of a firewall alerts triggered on a the content of a malicious email. |
Initiator TID | Thread ID (TID) of the initiating process. |
Initiator signature | Signing status of the process that initiated the activity: Unsigned, Signed, Invalid Signature, Unknown. |
User Risk Level | The risk level associated with the risky user. Can be LOW, MED or HIGH. |
Initiator PID | Process ID (PID) of the initiating process. |
CGO CMD | Command-line arguments of the Causality Group Owner. |
App-id | Related App-ID for an alert. App-ID is a traffic classification system that determines what an application is irrespective of port, protocol, encryption (SSH or SSL) or any other evasive tactic used by the application. When known, you can also pivot to the Palo Alto Networks Applipedia entry that describes the detected application. |
Container ID | |
Domain | The domain on which an alert was triggered. |
Target process name | The name of the process whose creation triggered the alert. |
Target process SHA256 | The SHA256 hash vale of an external DLL file that triggered the alert. |
Host IP | IP address of the endpoint or server on which this alert triggered. |
Cloud Operation Type | |
CGO signature | Signing status of the CGO: Unsigned, Signed, Invalid Signature, Unknown. |
Is Phishing | Indicates whether a firewall alert is classified as phishing |
NGFW Vsys Name | Name of the virtual system for the Palo Alto Networks firewall that triggered an alert |
Initiator signer | Signer of the process that triggered the alert. |
Contains Featured User | |
Cloud Identity Type | Classification used to map identity type that initiated an operation which triggered an alert. For example, Service, Application and Temporary Credentials |
Registry Full Key | If the alert triggered on registry modifications (the Event Type is Registry) this is the full registry key that triggered the alert. If not, then N/A. |
Rule ID | The ID that matches the rule that triggered the alert |
appsubcategory | APP-ID Sub category name associated with a firewall alert |
OS Parent SHA256 | Parent operating system SHA256 hash value |
CID | Unique identifier of the causality instance generated by Cortex XDR |
Country | |
Event Type | The type of event on which the alert was triggered: File Event, Injection Event, Load Image Event, Network Event, Process Execution, Registry Event |
Source Zone Name | The source zone name of the connection for firewall alerts. |
Process execution signature | Signature status of the process that triggered the alert: Unsigned, Signed, Invalid Signature, Unknown. |
File path | When the alert triggered on a file (the Event Type is File) this is the path to the file on the endpoint. If not, then N/A. |
OS Parent CMD | Command-line used to by the parent operating system to initiate the process including any arguments |
OS Parent Signature | Signing status of the operating system of the activity |
Host OS | Action taken by the alert sensor, either Detected or Prevented with action status displayed in parenthesis. |
Contains Featured IP Address | |
Cloud Project | Represents the cloud provider folders or projects. For example, AWS Accounts and Azure Subscriptions |
User name | The name of the user that initiated the behavior that triggered the alert. If the user is a domain user account, this field also identifies the domain. Any alert triggered based on network, authentication, or login events, displays the User Name in the follow standardized format in the Alerts and Incidents pages.<company domain>\<username> |
Local Port | If the alert triggered on network activity (the Event Type is Network Connection) this is the port on the endpoint that triggered the alert. If not, then N/A. |
Starred | Whether the alert is starred by starring configuration |
Email Recipient | The email recipient value of a firewall alerts triggered on a the content of a malicious email. |
CGO MD5 | The MD5 value of the CGO that initiated the alert. |
Contains Featured Host | |
App Technology | APP-ID technology name associated with a firewall alert |
Host Risk Level | The risk level associated with the risky host. Can be LOW, MED, or HIGH |
CGO SHA256 | The SHA256 value of the CGO that initiated the alert. |
Timestamp | The date and time when the alert was triggered. Right-click to Show rows 30 days prior or 30 days after the selected timestamp field value |
FW Rule ID | The firewall rule ID that triggered the firewall alert |
OS Parent Signer | Parent operating system signer |
Action | Action taken by the alert sensor, either Detected or Prevented with action status displayed in parenthesis. |
Local IP | If the alert triggered on network activity (the Event Type is Network Connection) this is the IP address of the host that triggered the alert. If not, then N/A. |
Cloud Provider | The name of the cloud provider where the alert occurred: AWS/GCP/Azure/etc |
OS Parent PID | OS parent process ID |
Initiator CMD | Command-line used to initiate the process including any arguments. |
Target process CMD | The command-line of the process whose creation triggered the alert. |
Action Process Instance ID | Unique identifier of the Action Process instance generated by Cortex XDR |
Mitre ATT&CK Technique | Displays the type of MITRE ATT&CK technique and sub-technique on which the alert was triggered. |
Destination Zone Name | The destination zone of the connection for firewall alerts. |
Mitre ATT&CK Tactic | Displays the type of MITRE ATT&CK tactic on which the alert was triggered. |
App Category | APP-ID category name associated with a firewall alert |
CGO signer | The name of the software publishing vendor that signed the file in the causality chain that led up to the alert. |
Cloud Resource Type | Classifications used to map similar types of resources across different cloud providers. For example, EC2, Google Compute Engine, and Microsoft Compute are all mapped to Compute |
FW Name | Name of firewall on which a firewall alert was raised. |
Category Name | Alert category based on the alert source. An example of an XDR Agent alert category is Exploit Modules. |
FW Rule Name | The firewall rule name that matches the network traffic that triggered the firewall alert. |
User Agent | |
XFF | The firewall rule ID that triggered the firewall alert |
Initiator path | Path of the initiating process. |
Module | For XDR Agent alerts, this field identifies the protection module that triggered the alert. |
Registry Data | If the alert triggered on registry modifications (the Event Type is Registry) this is the registry data that triggered the alert. If not, then N/A |
OS Parent ID | OS parent thread ID. |
Agent Id | A unique identifier per agent. |
Remote Agent Hostname | |
Cloud Identity Sub Type | A more specific classification of the identity initiated operation. For example, for Identity Type: Temporary Credentials the sub type could be Assumed Role |
OS Parent User Name | Name of the user associated with the parent operating system |
Remote Host | If the alert triggered on network activity (the Event Type is Network Connection) this is the the remote host name that triggered the alert. If not, then N/A. |
CGO name | The name of the process that started the causality chain based on Cortex XDR causality logic. |
File Name | |
Remote Port | The remote port of a network operation that triggered the alert. |
OS Parent Name | |
FW Serial Number | The serial number of the firewall that raised the firewall alert. |
URL | The URL destination address of the domain triggering the firewall alert. |
Core Alert Fields
- Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.
- 44960
Core Alert Fields
- Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.
- 43976
Core Alert Fields
- Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.
- 43146
Core Alert Fields
- Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.
- 42564
Core Alert Fields
- Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.
- 41916
Core Alert Fields
- Locked dependencies of the pack to ensure stability for versioned core packs. No changes in this release.
- 41627
PUBLISHER
PLATFORMS
INFO
| Certification | Certified | Read more |
| Supported By | Cortex | |
| Created | February 2, 2022 | |
| Last Release | July 5, 2026 |
