Triage Alerts - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Prevent Administrator Guide

Product
Cortex XDR
License
Prevent
Creation date
2024-07-16
Last date published
2024-12-04
Category
Administrator Guide
Retire_Doc
Retiring
Link_to_new_Doc
/r/Cortex-XDR/Cortex-XDR-Documentation
Abstract

Manage and investigate alerts in the Cortex XDR management console.

When the Cortex XDR management console displays a new alert on the Alerts page, use the following steps to investigate and triage the alert:

  1. Review the data shown in the alert such as the command-line arguments (CMD), process info, etc.

    For more information about the alert fields, see Alerts.

  2. Analyze the chain of execution in the Causality View.

    When the app correlates an alert with additional endpoint data, the Alerts table displays a green dot to the left of the alert row to indicate the alert is eligible for analysis in the Causality View. If the alert has a gray dot, the alert is not eligible for analysis in the Causality View. This can occur when there is no data collected for an event, or the app has not yet finished processing the EDR data. To view the reason analysis is not available, hover over the gray dot.

  3. If deemed malicious, consider responding by isolating the endpoint from the network.

  4. Remediate the endpoint and return the endpoint from isolation.