
Cortex Cloud Runtime Security Documentation

Product: Cortex Cloud Application Security > Cortex CLOUD
License: Cloud Runtime Security
Creation date: 2024-12-24
Last date published: 2026-06-04
Category: Administrator Guide

View and manage all Analytics rules

The Analytics Rules page offers a consolidated view of all Analytics BIOC and XDR Analytics rules, which are crucial to your organization's security posture. Designed to provide complete transparency, this centralized hub enables EDR experts and SOC analysts to gain a comprehensive understanding of every Analytics rule that could generate an issue, and to take action accordingly. For more information, see Analytics issues and Analytics BIOCs.

Within the unified Analytics rules table, you can use the following capabilities to manage and investigate Analytics rules effectively:

  • Get an understanding of all the rules that generated an issue in one place.

  • Filter rules by name or description for seamless integration with issue investigations.

  • Filter rules by any column, including "Variant Severities", to quickly locate rule variants that match specific severity criteria.

  • Order by any column, enabling you to prioritize and evaluate issues based on severity, name, modification time, and other critical factors.

  • Fine-tune your XDR Analytics rules by disabling or enabling specific ones, and changing the severity of the rules or the rule variants.

  • View more information for a selected analytics rule, including all its variants, and pivot to the Cortex Analytics Reference for the specific rule.

The Analytics Rules page is under Threat Management > Detection Rules.

Some of the displayed properties are listed below:

Column name                  Description
-----------                  -----------
Modification Time            When the rule was last changed
Name                         Name of the rule
Severity                     Severity of the basic variant
Severity Variations          Number of different variants for the rule, including their respective severities
Severity Modification time   Last time the severity of any of the rule's variants was changed
Severity Modification user   Latest user who changed the severity of any rule variant
Severity Modified            Yes/No, indicating whether the severity of any rule variant was changed
Status                       Enabled or Disabled
Type                         XDR Analytics or XDR Analytics BIOC
Tags                         Detector tag
Description                  Cortex Cloud defined description of the rule
Mitre Att&ck Tactic          Goals an adversary is trying to achieve during a cyberattack
Mitre Att&ck Technique       Techniques an adversary uses to achieve those goals
# of Issues                  Number of issues generated by the rule in all its variants

Use the right-click menu for the following actions:

  • Disable or enable a rule to control whether that Analytics rule generates issues.

  • View Rule or Edit Rule depending on your permissions.

    View Rule

    View the rule with all its variants, including their respective descriptions, tags, and severities in the View Analytics Rule screen.

    • For more information about the Mitre Att&ck techniques and tactics, click the tag to display its explanation in the MITRE ATT&CK database.

    • For more information about the rule, click View Rule, and then click More information to display the Analytics Alert Reference.

    Edit Rule

    Edit Rule is available only if you have the necessary Edit permissions.

    View the rule details as described in the View Rule section.

    Customize the severity of the issues triggered by the analytics rule, or any of its variants, to align with your organizational needs in the Edit Analytics Rule screen.

    Some of the reasons you may want to change a severity level are listed below, although the list is not exhaustive.

    • Lowering the severity of specific rules suspected to be false positives, to reduce the number of issues raised by Cortex Cloud.

    • Raising the severity of specific rules, to trigger issue generation for a specific behavior in Cortex Cloud.

    • Customizing the severity of a specific logic so that it is immune to content updates, thus keeping the same custom severity regardless of the Cortex Cloud suggestion.

    Edit the severity of a rule or one or more of its variants:

    1. Right-click the rule and select Edit Rule.

    2. In the variant you want to change, select the severity you want.

      Warning

      Changing the default severity may result in issues not being triggered, or in too many issues being triggered. Consider this carefully before you change the severity recommended by Cortex Cloud. Responsibility for issues that are not triggered as a result of changing the severity is yours.

      If you changed the severity determined by Cortex Cloud, click Reset to default next to the severity to revert to it.

      Note

      The default severity is updated by content updates. If a content update determines a new default severity for the rule that is the same as the value you had previously set, you won't have the option to reset to default. For example, if the default was Informational, you changed the severity to Medium, and after a content update Cortex Cloud now determines the default to be Medium, the Reset to default option won't be displayed.

    3. Click Save.

  • Show or hide rows with a specific rule.

  • Copy entire row.

Note

When you select multiple rows, you can only enable or disable the selected rules.
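The following added example is an illustrative model, written for this page and not Cortex Cloud code, of the severity behavior described under Edit Rule: a custom severity overrides the default, content updates change only the default, and Reset to default is offered only while the custom value differs from the current default (the Note above). The class and method names are assumptions; the page does not describe any API. It also assumes that when a content update makes the default equal to your custom value, the custom value is retained rather than cleared, since the page only says the reset option is hidden.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Severity levels as used in the page's example; the ordering is an assumption.
SEVERITIES = ("Informational", "Low", "Medium", "High", "Critical")


@dataclass
class RuleVariant:
    """Hypothetical model of one Analytics rule variant's severity state."""
    name: str
    default_severity: str                  # value determined by Cortex Cloud content updates
    custom_severity: Optional[str] = None  # value set via Edit Rule, or None when unchanged

    @property
    def effective_severity(self) -> str:
        """Severity applied to issues: a custom value wins over the default."""
        return self.custom_severity or self.default_severity

    @property
    def reset_available(self) -> bool:
        """Reset to default is shown only when a custom value exists and differs
        from the current default (the Note's Informational -> Medium example)."""
        return (self.custom_severity is not None
                and self.custom_severity != self.default_severity)

    def set_severity(self, severity: str) -> None:
        """Edit Rule: select a severity for this variant."""
        if severity not in SEVERITIES:
            raise ValueError(f"unknown severity: {severity}")
        self.custom_severity = severity

    def reset_to_default(self) -> None:
        """Reset to default: drop the custom value so the default applies again."""
        if not self.reset_available:
            raise RuntimeError("Reset to default is not offered for this variant")
        self.custom_severity = None

    def apply_content_update(self, new_default: str) -> None:
        """A content update changes only the default; a custom severity is kept
        (the 'immune to content updates' reason for customizing a severity)."""
        if new_default not in SEVERITIES:
            raise ValueError(f"unknown severity: {new_default}")
        self.default_severity = new_default


def walkthrough() -> Tuple[Tuple[str, bool], Tuple[str, bool], Tuple[str, bool], str]:
    """Replays the Note's example and one further content update (constructed data).

    Returns (effective severity, reset offered) after each step, then the
    effective severity after the final Reset to default."""
    v = RuleVariant("basic", default_severity="Informational")
    v.set_severity("Medium")
    after_edit = (v.effective_severity, v.reset_available)    # custom Medium, reset offered
    v.apply_content_update("Medium")
    after_update = (v.effective_severity, v.reset_available)  # default now equals custom: no reset
    v.apply_content_update("High")
    after_second = (v.effective_severity, v.reset_available)  # custom Medium still wins: reset offered
    v.reset_to_default()
    return after_edit, after_update, after_second, v.effective_severity


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

The model makes the documented consequence of the third customization reason visible: once a variant carries a custom severity, later content updates never change what issues are raised with, so a lowered severity stays lowered until someone resets it.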