Alert Panel View - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2024-07-16
Last date published
2024-12-04
Category
Administrator Guide
Retire_Doc
Retiring
Link_to_new_Doc
/r/Cortex-XDR/Cortex-XDR-Documentation
Abstract

The Alert Panel provides detailed information about alerts at a glance and in the context of the incident.

The Alert Panel provides detailed information about alerts at a glance and in the context of the incident. To open the Alerts panel, in the Alerts Table, click on any alert.

In this view, you can change the severity of an alert, star it, investigate it in the Causality view, and exclude it from the Analytics.

This panel displays the name and description of the alert, the source that triggered the alert, and the following details where applicable.

GENERAL

Displays the following information about the alert.

  • Timestamp

  • ID

  • Number of suppressed alerts (for IOC, BIOC, and Analytics alerts) —Number of alerts that were suppressed because they were detected as duplicates of the alert

  • Last suppressed alert timestamp (for IOC, BIOC, and Analytics alerts)—The last time Cortex XDR suppressed an alert because it was detected as a duplicate of the alert

  • Action taken as a result of the alert

  • Category—type of threat detected

  • File Macro SHA256

  • Tags applied by Cortex XDR

BEHAVIORAL ANALYTICS

Note

The Behavioral Analytics section is available only when the Identity Threat Module add-on is enabled. Cortex XDR displays Behavioral Analytics widgets for selected alerts and is continuously adding widgets to more alerts.

The BEHAVIORAL ANALYTICS section displays graphs that visualize the anomalies that were observed by the detector. This enables you to evaluate the deviation in the context of the baseline behavior. As you navigate between the different factors that triggered the alert, the event and the baseline information are displayed in tabular format or in timeline format, depending on the type of event.

  • The tabular view displays the baseline behavior in a table, with the anomaly highlighted and in a separate line.

  • The timeline view displays the highlighted atypical value, and if applicable, the minimum, maximum, and average values, for the selected period.

From the Behavioral Analytics section, you can navigate to the Causality chain.

MITRE ATTACK

Displays the Mitre Attack tactics and techniques.

HOST

Displays the Host platform, Host name, Host IP, Host MAC address, Host FQDN.

RULE

When the alert is triggered by a rule, the RULE section displays details about the rule, for example Type, Severity, Name, Description, Number of Hits, and Source.

NETWORK CONNECTIONS or LOGIN or PROCESS EXECUTION or RPC CALL, SYSTEM CALL, or REGISTRY EVENTS

Displays relevant information about the connection details.

CLOUD AUDIT LOG

Displays the Audit log details for alerts generated on Cloud hosts.