Enable the Analytics Engine and Identity Analytics - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product: Cortex XDR
Creation date: 2024-03-06
Last date published: 2024-10-10
Category: Administrator Guide
Abstract

Learn how to enable the Analytics Engine and Identity Analytics.

Cortex XDR - Analytics includes the following:

  • Cortex XDR Analytics Engine: Analyzes your endpoint data to develop a baseline and raise Analytics and Analytics BIOC alerts when anomalies and malicious behaviors are detected.

  • Identity Analytics: Allows the Cortex XDR - Analytics engine to aggregate and display user profile details, activities, and alerts related to a user-based Analytics type alert and Analytics BIOC rule during an investigation.

Prerequisites

Analytics Engine

To create a baseline for enabling analytics, Cortex XDR requires a minimum of one of the following data sets:

  • EDR or Network logs from at least 30 endpoints over a minimum of 2 weeks

  • Cloud audit logs over a minimum of 5 days

Identity Analytics

  • Cortex XDR - Analytics must be activated.

  • Cloud Identity Engine must be set up. For more information, see Cloud Identity Engine.

How to enable analytics
  1. Select Settings > Configurations > Cortex XDR - Analytics.

  2. Click Enable. Creating a baseline can take up to three hours.

    Adding Windows DHCP logs can enhance the Analytics Engine. For more information, see Ingest Windows DHCP Logs with an XDR Collector Profile.

  3. Activate Identity Analytics by turning on the toggle.