View and manage all Analytics rules
The Analytics Rules page offers a consolidated view of all Analytics BIOC and XDR Analytics rules which are crucial to your organization's security posture. Designed to provide complete transparency, this centralized hub enables EDR experts and SOC analysts to gain a comprehensive understanding of every Analytics rule that could generate an alert and take action accordingly. For more information, see Analytics alerts and Analytics BIOCs.
Within the unified Analytics rules table, you can manage and investigate Analytics rules as follows:
- See, in one place, every rule that has generated an alert.
- Filter rules by name or description to quickly locate the rule behind an alert you are investigating.
- Filter rules by any column, including Variant Severities, to quickly locate rule variants with a specific severity.
- Sort by any column to prioritize and evaluate rules by severity, name, modification time, and other criteria.
- Fine-tune your XDR Analytics rules by disabling or enabling specific ones.
- View more information for a selected Analytics rule, including all its variants, and pivot to the Cortex Analytics Reference for that rule.
The Analytics Rules page is under → .
Some of the displayed properties are listed below:
| Column name | Description |
|---|---|
| Modification Time | When the rule was last changed |
| Name | Name of the rule |
| Severity | Severity of the basic variant |
| Severity Variations | Number of different variants for the rule, including their respective severities |
| Severity Modification time | Last time the severity of any of the rule's variants was changed |
| Severity Modification user | Last user who changed the severity of any rule variant |
| Severity Modified | Yes/No indicating whether the severity of any rule variant was changed from its default |
| Status | Enabled or Disabled |
| Type | XDR Analytics or XDR Analytics BIOC |
| Tags | Detector tag |
| Description | Cortex XDR defined description of the rule |
| Mitre Att&ck Tactic | The adversary goal (MITRE ATT&CK tactic) the detected behavior serves |
| Mitre Att&ck Technique | The specific adversary method (MITRE ATT&CK technique) the rule detects |
| # of Alerts | Number of alerts generated by the rule across all its variants |
Use the right click menu for the following actions:
Disable or enable a rule to customize alert generation based on the Analytics rule.
View Rule or Edit Rule depending on your permissions.
View Rule
View the rule with all its variants, including their respective descriptions, tags, and severities in the View Analytics Rule screen.
For more information about the MITRE ATT&CK techniques and tactics, click the tag to display its explanation in the MITRE ATT&CK database.
For more information about the rule, click View Rule, and click More information to display the Analytics Alert Reference.
Edit Rule
Edit Rule is available only if you have the necessary Edit permissions.
View the rule details as described in the View Rule section.
Customize the severity of the alerts triggered by the analytics rule, or any of its variants, to align with your organizational needs in the Edit Analytics Rule screen.
Some of the reasons you may want to change a severity level are listed below, although the list is not exhaustive.
Lowering the severity of specific rules that are suspected of producing false positives, to reduce the number of alerts raised by Cortex XDR.
Raising the severity of specific rules, so that Cortex XDR generates alerts for a specific behavior.
Pinning a custom severity on a specific detection logic so that it is unaffected by content updates, keeping your custom severity regardless of the severity Cortex XDR suggests.
Edit the severity of a rule or one or more of its variants:
Right click the rule and select Edit Rule.
In the variant you want to change, select the severity you want.
Warning
Changing the default severity may result in alerts not being triggered or too many alerts being triggered. Please consider this carefully before you change the severity recommended by Cortex XDR. Any responsibility for not getting alerts triggered as a result of changing the severity will be yours.
If you changed the severity determined by Cortex XDR, click Reset to default next to the severity to revert to the default.
Note
The default severity is updated by content updates. If a content update sets a new default severity for the rule that is the same as the value you previously set, the option to reset to default is not shown. For example, if the default was Informational, you changed the severity to Medium, and after a content update Cortex XDR now determines the default to be Medium, the Reset to default option is not displayed.
Click Save.
Show or hide rows that contain a specific rule value.
Copy the entire row.
Note
When you select multiple rows, you can only enable or disable the selected rules.