What Changed
Added a new ASIM AlertEvent parser for Palo Alto Cortex XDR alerts ingested via the Codeless Connector Framework (CCF), targeting the PaloAltoCortexXDR_Alerts_CL table.
Parser Impact
- Schema normalization: Transforms Palo Alto XDR alerts to ASIM AlertEvent schema v0.1
- Data source support: Ingests from PaloAltoCortexXDR_Alerts_CL table (CCF-based connector)
- Filtering logic: Filters to XDR Analytics sources only, excludes firewall detections and NO_HOST events
- Field mapping: Maps 30+ fields including threat metadata, MITRE ATT&CK techniques, process details, and device information
- Entity extraction: Normalizes usernames, device IDs, IP addresses (separates internal/external), and file hashes
Key Detection Benefits
- MITRE coverage: Extracts and formats MITRE ATT&CK tactics and techniques from native XDR data
- Threat categorization: Maps event types to standardized threat categories (Security Policy Violation, MaliciousUrl)
- Process context: Normalizes command lines, file paths, and signature details across multiple process fields
- Network visibility: Separates internal/external IP addresses, includes URL extraction from malicious connections
- User context: Handles Windows domain accounts and system/service account classification
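As an added illustration of the filtering and entity-extraction steps listed above (this is not the parser's own KQL and not code from the Sentinel repository), the following Python reproduces the same logic over constructed rows: the source column names, the "XDR Analytics" and "PAN NGFW" source values, the "ID - Name" MITRE field format, the set of built-in system accounts and the choice of which ASIM IP column receives the internal versus external address are all assumptions.

```python
import ipaddress
# Constructed sample rows; the column names are assumed, not taken from the real table.
SAMPLE_ALERTS = [
    {"alert_id": "a1", "source": "XDR Analytics", "host_name": "WS01",
     "host_ip": "10.1.2.3,8.8.8.8", "user_name": "CORP\\alice",
     "mitre_tactic_id_and_name": "TA0002 - Execution",
     "mitre_technique_id_and_name": "T1059.001 - PowerShell, T1047 - WMI"},
    {"alert_id": "a2", "source": "PAN NGFW", "host_name": "FW01", "host_ip": "10.0.0.1",
     "user_name": "", "mitre_tactic_id_and_name": "", "mitre_technique_id_and_name": ""},
    {"alert_id": "a3", "source": "XDR Analytics", "host_name": "NO_HOST", "host_ip": "",
     "user_name": "NT AUTHORITY\\SYSTEM", "mitre_tactic_id_and_name": "",
     "mitre_technique_id_and_name": ""},
]
SYSTEM_ACCOUNTS = {"NT AUTHORITY\\" + s for s in ("SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE")}

def split_ips(raw):
    # comma-separated host_ip -> (internal/private addresses, external addresses)
    internal, external = [], []
    for tok in (t.strip() for t in raw.split(",")):
        try:
            ip = ipaddress.ip_address(tok)
        except ValueError:
            continue  # blank or malformed token
        (internal if ip.is_private else external).append(tok)
    return internal, external

def mitre_ids(raw):
    # assumed "ID - Name" format: "TA0002 - Execution, TA0005 - Defense Evasion" -> "TA0002,TA0005"
    return ",".join(p.split(" - ", 1)[0].strip() for p in raw.split(",") if p.strip())

def user_fields(raw):
    # ASIM user columns; built-in SYSTEM/service accounts are typed System, all others Regular
    if raw.upper() in SYSTEM_ACCOUNTS:
        kind = ("Windows", "System")
    else:
        kind = ("Windows" if "\\" in raw else "Simple", "Regular") if raw else ("", "")
    return {"ActorUsername": raw, "ActorUsernameType": kind[0], "ActorUserType": kind[1]}

def normalize(alert):
    internal, external = split_ips(alert["host_ip"])
    return {"AlertId": alert["alert_id"], "DvcHostname": alert["host_name"],
            "DvcIpAddr": internal[0] if internal else "",   # assumed column choice
            "SrcIpAddr": external[0] if external else "",   # assumed column choice
            "AttackTactics": mitre_ids(alert["mitre_tactic_id_and_name"]),
            "AttackTechniques": mitre_ids(alert["mitre_technique_id_and_name"]),
            **user_fields(alert["user_name"])}

def parse(alerts):
    # XDR Analytics only; firewall sources (e.g. PAN NGFW) and NO_HOST rows are dropped
    return [normalize(a) for a in alerts
            if a["source"] == "XDR Analytics" and a["host_name"] != "NO_HOST"]
```

Running `parse(SAMPLE_ALERTS)` keeps only row a1: the firewall row and the NO_HOST row are filtered out before any field mapping happens.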
Affected Files
.script/tests/KqlvalidationsTests/CustomTables/PaloAltoCortexXDR_Alerts_CL.json
Parsers/ASimAlertEvent/ARM/ASimAlertEvent/ASimAlertEvent.json
Parsers/ASimAlertEvent/ARM/ASimAlertEventPaloAltoXDR/ASimAlertEventPaloAltoXDR.json
Parsers/ASimAlertEvent/ARM/ASimAlertEventPaloAltoXDR/README.md
Parsers/ASimAlertEvent/ARM/FullDeploymentAlertEvent.json
Parsers/ASimAlertEvent/ARM/imAlertEvent/imAlertEvent.json
Parsers/ASimAlertEvent/ARM/vimAlertEventPaloAltoXDR/README.md
Parsers/ASimAlertEvent/ARM/vimAlertEventPaloAltoXDR/vimAlertEventPaloAltoXDR.json
Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEvent.md
Parsers/ASimAlertEvent/CHANGELOG/ASimAlertEventPaloAltoXDR.md
Parsers/ASimAlertEvent/CHANGELOG/imAlertEvent.md
Parsers/ASimAlertEvent/CHANGELOG/vimAlertEventPaloAltoXDR.md
Parsers/ASimAlertEvent/Parsers/ASimAlertEvent.yaml
Parsers/ASimAlertEvent/Parsers/ASimAlertEventPaloAltoXDR.yaml
Parsers/ASimAlertEvent/Parsers/imAlertEvent.yaml
Parsers/ASimAlertEvent/Parsers/vimAlertEventPaloAltoXDR.yaml
Sample Data/ASIM/Palo Alto_Cortex XDR_AlertEvent_IngestedLogs.csv