Analytics alert view - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product
Cortex XDR
Creation date
2024-03-06
Last date published
2024-10-10
Category
Administrator Guide
Abstract

From the Cortex XDR management console, you can view a detailed summary of the behavior that triggered analytics alerts.

Notice

Requires a Cortex XDR Pro license.

The analytics alert view provides a detailed summary of the behavior that triggered an Analytics or Analytics BIOC alert. This view also provides a visual depiction of the behavior and additional information you can use to assess the alert. This includes the endpoint on which the activity was initiated, the user that performed the action, the technique the analytics engine observed, and activity and interactions with other hosts inside or outside of your network.

When enabling Identity Analytics, alerts associated with suspicious user activity such as stolen or misused credentials, lateral movement, credential harvesting, or brute-force data are displayed with a User node.

For Analytics alerts, the analytics view indicates the endpoint for which the alert was raised.

For Analytics BIOC alerts, the Analytics view summarizes information about the alert, including the source host name, IP address, the process name on which the alert was raised, and the corresponding process ID.

(Analytics alerts only) Describes the behavior that triggered the alert and activity impact.

Similar to the Causality View, the analytics view provides a graphic representation of the activity that triggered the alert and an interactive way to view the chain of behavior for an Analytics alert. You can move the graphic, extend it, and modify it. To adjust the appearance, you can enlarge/shrink the chain for easy viewing using the size controls on the right. You can also move the chain around by selecting and dragging it. To return the chain to its original position and size, click causality-view-reset-icon.png in the lower-right of the graph.

Right-click on a node to view additional information.

The activity depicted in the graphic varies depending on the type of alert:

  • Analytics alerts: You can view a summary of the aggregated activity including the source host, the anomalous activity, connection count, and the destination host. You can also select the host to view any relevant profile information.

  • Analytics BIOC alerts: You can view the specific event behavior including the causality group owner that initiated the activity and related process nodes. To view the summary of the specific event, you can select the analytics-bioc.png above the process node.

The following nodes display information unique to the analytics alert view:

  • identity-analytics-user-node.png User node: Hover over to display the User Information and user Analytics Profile data.

  • multi-event-node.png Multi-Event: Displays all the event types associated with the alert in the in the All Events table.

The alert description provides details and statistics related to the activity. Beneath the description, you can also view the alert name, severity assigned to the alert, time of the activity, alert tactic (category) and type, and links to the MITRE summary of the attack tactic.

When selecting a User node, Identity User Details, such as Active Directory Group, Organizational Unit, and Role associated with the user are displayed. If available, Login Details also appear.

Displays events related to the alert.

User node: Displays the logins, hosts, alerts, and process executions associated with the user aggregated by the Identity Analytics 7 days prior to and after the analytics alert timestamp. Right-click to Investigate Causality Chain and View in XQL the associated events.

Multi-Event: Displays the events associated with the alert according to the type of event type. Right-click to View in XQL and further Investigate with XQL the event details.

Actions you can take in response to an Analytics alert. These actions can include isolating a host from the network, initiating a live terminal session, and adding an IP address or domain name to an external dynamic list (EDL) that is enforceable in your Palo Alto Networks firewall security policy.