Analytics engine - Administrator Guide - Cortex XDR - Cortex - Security Operations

Product
Cortex XDR
Creation date
2024-03-06
Last date published
2024-10-01
Category
Administrator Guide

Cortex XDR uses its Analytics Engine to examine the logs and data retrieved from your sensors on the Cortex XDR tenant, build an activity baseline, and recognize abnormal activity when it occurs. The Analytics Engine accesses your logs as they are streamed to the Cortex XDR tenant, including any firewall data, and analyzes the information as soon as it arrives. Cortex XDR triggers an Analytics alert when the Analytics Engine detects an anomaly.

The Analytics Engine examines traffic and data from a variety of sources, such as network activity from firewall logs, VPN logs (from Prisma Access via the Panorama plugin), endpoint activity data (on Windows endpoints), Active Directory, or a combination of these sources, to identify the endpoints and users on your network. After identifying the endpoints and users, the Analytics Engine collects relevant details about each asset from the information in the logs to create profiles. The Analytics Engine can detect threats from network data alone or endpoint data alone, but for more context when investigating an alert, we recommend using a combination of data sources.

The Analytics Engine creates and maintains profiles to view the activity of the endpoint or user in context by comparing it to similar endpoints or users. The large number of profile types can generally be placed into one of three categories.

  • Peer Group profiles: A statistical analysis of an entity or an entity relation that compares activities from multiple entities in a peer group. For example, a domain can have a cross-organization popularity profile or a per-peer-group popularity profile.

  • Temporal profiles: A statistical analysis of an entity or an entity relation that compares the same entity to itself over time. For example, a host can have a profile based on the number of ports it accessed in the past.

  • Entity classification: A model detecting the role of an entity. For example, users can be classified as service accounts, and hosts as domain controllers.
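The following is an added illustration of the first two profile categories on constructed data; it is not Cortex XDR code and does not reproduce the product's actual models. It assumes hypothetical host names, peer groups, domains, and a simple mean-plus-k-standard-deviations threshold, and shows why the same domain access can be unremarkable cross-organization yet rare within a peer group.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (illustrative only, not Cortex XDR telemetry).
BASELINE_DAYS = ["d1", "d2", "d3", "d4", "d5", "d6"]
CONNECTIONS = [(d, "ws-01", p) for d, ps in {  # (day, host, destination port)
    "d1": (443, 80, 53), "d2": (443, 80), "d3": (443, 80, 53), "d4": (443, 80, 53),
    "d5": (443, 80), "d6": (443, 80),
    "d7": (22, 23, 80, 135, 139, 443, 445, 3389, 5985, 8080),  # sudden spread of ports
}.items() for p in ps]
PEER_GROUPS = {  # hypothetical peer groups (e.g. derived from AD OU or role)
    "finance": {"fin-01", "fin-02", "fin-03", "fin-04"},
    "engineering": {"eng-01", "eng-02", "eng-03", "eng-04"},
}
ACCESS = [(h, "mail.corp.example") for g in PEER_GROUPS.values() for h in g]
ACCESS += [(h, "build.corp.example") for h in PEER_GROUPS["engineering"]]
ACCESS += [("fin-04", "build.corp.example")]  # common org-wide, rare among finance peers


def temporal_port_anomalies(records, baseline_days, k=3.0):
    """Temporal profile: compare a host's distinct-port count on each day
    with that host's own baseline (mean + k * stdev over baseline_days)."""
    ports = defaultdict(set)  # (host, day) -> distinct destination ports
    for day, host, port in records:
        ports[(host, day)].add(port)
    flagged = []
    for host in {h for h, _ in ports}:
        history = [len(ports.get((host, d), ())) for d in baseline_days]
        # floor the deviation so a perfectly flat baseline does not flag every change
        threshold = mean(history) + k * max(pstdev(history), 1.0)
        for (h, day), seen in ports.items():
            if h == host and day not in baseline_days and len(seen) > threshold:
                flagged.append((host, day, len(seen)))
    return sorted(flagged)


def peer_group_rare_domains(access, peer_groups, max_peer_share=0.25):
    """Peer Group profile: flag (host, domain) pairs where few of the host's peers
    contact the domain; report per-peer-group and cross-organization popularity."""
    group_of = {h: g for g, hosts in peer_groups.items() for h in hosts}
    hosts_by_domain = defaultdict(set)
    for host, domain in access:
        hosts_by_domain[domain].add(host)
    flagged = []
    for host, domain in sorted(set(access)):
        peers = peer_groups[group_of[host]]
        peer_share = len(hosts_by_domain[domain] & peers) / len(peers)
        org_share = len(hosts_by_domain[domain]) / len(group_of)
        if peer_share <= max_peer_share:
            flagged.append((host, domain, peer_share, org_share))
    return flagged
```

In this data the temporal check flags ws-01 on d7 only, and the peer-group check flags fin-04 for build.corp.example (25% of finance peers) even though 62.5% of all hosts contact it.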