The Alert Panel provides detailed information about alerts at a glance and in the context of the incident. To open the Alert Panel, click any alert in the Alerts Table.
In this view, you can change the severity of an alert, star it, investigate it in the Causality view, and exclude it from the Analytics.
This panel displays the name and description of the alert, the source that triggered the alert, and the following details where applicable.
GENERAL
Displays the following information about the alert.
Timestamp
ID
Number of suppressed alerts (for IOC, BIOC, and Analytics alerts)—Number of alerts that were suppressed because they were detected as duplicates of this alert
Last suppressed alert timestamp (for IOC, BIOC, and Analytics alerts)—The last time Cortex XDR suppressed an alert because it was detected as a duplicate of this alert
Action taken as a result of the alert
Category—Type of threat detected
File Macro SHA256
Tags applied by Cortex XDR
BEHAVIORAL ANALYTICS
Note
The Behavioral Analytics section is available only when the Identity Threat Module add-on is enabled. Cortex XDR displays Behavioral Analytics widgets for selected alerts and is continuously adding widgets to more alerts.
The BEHAVIORAL ANALYTICS section displays graphs that visualize the anomalies that were observed by the detector. This enables you to evaluate the deviation in the context of the baseline behavior. As you navigate between the different factors that triggered the alert, the event and the baseline information are displayed in tabular format or in timeline format, depending on the type of event.
The tabular view displays the baseline behavior in a table, with the anomaly highlighted on a separate line.
The timeline view displays the highlighted atypical value, and if applicable, the minimum, maximum, and average values, for the selected period.
From the Behavioral Analytics section, you can navigate to the Causality chain.
MITRE ATT&CK
Displays the MITRE ATT&CK tactics and techniques associated with the alert.
HOST
Displays the Host platform, Host name, Host IP, Host MAC address, and Host FQDN.
RULE
When the alert is triggered by a rule, the RULE section displays details about the rule, for example its Type, Severity, Name, Description, Number of Hits, and Source.
NETWORK CONNECTIONS, LOGIN, PROCESS EXECUTION, RPC CALL, SYSTEM CALL, or REGISTRY EVENTS
Displays the details of the event that triggered the alert (the network connection, login, process execution, RPC call, system call, or registry event), as applicable.
CLOUD AUDIT LOG
Displays the audit log details for alerts generated on cloud hosts.