topic There is no alert severity in the SIEM logs. in Cortex XDR Discussions

There is no alert severity in the SIEM logs.

Aristooo — Thu, 26 Sep 2024 08:53:11 GMT

Hi. We send Cortex XDR syslog to SIEM. When I check Notification (Settings - Configurations - Notifications) settings, Severity field is available. But on SIEM logs, there is not severity of alert.

Re: There is no alert severity in the SIEM logs.

jmazzeo — Thu, 26 Sep 2024 15:46:43 GMT

Hi @Aristooo, thanks for reaching us using the Live Community.

The severity field is sent with the forwarding integration using syslog. You can check our documentation with the message format here, maybe your SIEM is not parsing that field with the correct format.

If this post answers your question, please mark it as the solution.

Re: There is no alert severity in the SIEM logs.

Aristooo — Tue, 15 Oct 2024 05:27:50 GMT

Hi @jmazzeo, thank you for your response. Sorry I forgot to reply your comment.

I checked the link you sent and saw that the alert severity in CEF is represented by numbers. It's the same in the logs we forwarded as well. Thank you very much.

HEADER/Vendor="Palo Alto Networks" (as a constant string)HEADER/Device Product="Cortex XDR" (as a constant string)HEADER/Product Version= Cortex XDR version (2.0/2.1....)HEADER/Severity=(integer/0 - Unknown, 6 - Low, 8 - Medium, 9 - High)HEADER/Device Event Class ID=alert sourceHEADER/name =alert name