Learn more about the Alerts page in Cortex XDR.
The Alerts page consolidates all non-informational alerts from your detection sources. This helps you efficiently triage the events you see each day. By analyzing an alert, you can better understand its cause and take action where required. The default alert retention period in Cortex XDR is 186 days.
To access the Alerts page, go to Incident Response → Incidents → Alerts Table.
By default, the Alerts page displays the security alerts received over the last seven days. Every 12 hours, the system enforces a cleanup policy to remove the oldest alerts once the maximum limit is exceeded.
To see detailed information about an alert, click an alert to open the alert panel. To investigate further, from the alert panel click Investigate or Investigate Causality Chain.
Cortex XDR processes and displays the names of users in the following standardized format, also termed "normalized user": `<company domain>\<username>`
As a result, any alert triggered based on network, authentication, or login events displays the User Name in the standardized format in the Alerts and Incidents pages. This impacts every alert for Cortex XDR Analytics and Cortex XDR Analytics BIOC, including Correlation, BIOC, and IOC alerts triggered on one of these event types.
The following table describes both the default fields and additional optional fields that you can add to the alerts table using the column manager.
Field | Description
---|---
Status Indicator | Identifies whether there is enough endpoint data to analyze an alert.
Check box | Select one or more alerts on which to perform actions. Select multiple alerts to assign all selected alerts to an analyst, or to change the status or severity of all selected alerts.
ACTION | Action taken by the alert sensor, either
AGENT OS SUB TYPE | Operating system subtype of the agent from which the alert was triggered.
ALERT ID | Unique identifier that Cortex XDR assigns to each alert.
ALERT NAME | Module that triggered the alert. If the alert was generated by Cortex XDR, the Alert Name is the specific Cortex XDR rule that created the alert (BIOC, IOC, or Correlation Rule name). If the alert came from an external system, it carries the name assigned to it by Cortex XDR. Alerts that match an alert starring policy also display a purple star. Note: For alerts coming from firewalls, if duplicate alerts with the same name and host are raised within 24 hours, they are aggregated and identified by a +n tag. Alerts that contain a Featured Alert Field are displayed with a flag. Alerts associated with Identity Analytics are displayed with an Identity Analytics tag.
ALERT SOURCE | Source of the alert.
ALERT TRIGGERED AN AUTOMATION RULE | Indicates that the alert triggered an automation rule.
APP-ID | Related App-ID for an alert. App-ID is a traffic classification system that determines what an application is irrespective of port, protocol, encryption (SSH or SSL), or any other evasive tactic used by the application. When known, you can also pivot to the Palo Alto Networks Applipedia entry that describes the detected application.
APP CATEGORY | APP-ID category name associated with a firewall alert.
APP SUBCATEGORY | APP-ID subcategory name associated with a firewall alert.
APP TECHNOLOGY | APP-ID technology name associated with a firewall alert.
CATEGORY | Alert category based on the alert source. An example of a Cortex XDR agent alert category is Exploit Modules. An example of a BIOC alert category is Evasion. If a URL filtering category is known, this field also displays the name of the URL filtering category.
CGO CMD | Command-line arguments of the Causality Group Owner.
CGO MD5 | MD5 value of the CGO that initiated the alert.
CGO NAME | Name of the process that started the causality chain, as determined by Cortex XDR causality logic.
CGO SHA256 | SHA256 value of the CGO that initiated the alert.
CGO SIGNATURE | Signing status of the CGO.
CGO SIGNER | Name of the software publishing vendor that signed the file in the causality chain that led up to the alert. Note: Cortex XDR can display both the O (Organization) value and the CN (Common Name).
CLOUD IDENTITY TYPE | Classification used to map the identity type that initiated the operation that triggered the alert. For example,
CLOUD IDENTITY SUB-TYPE | Specific classification of the identity that initiated the operation. For example, for Identity Type:
CLOUD OPERATION TYPE | Represents what happened as a result of the identity operation. For example,
CLOUD PROJECT | Represents the cloud provider folders or projects, for example AWS Accounts and Azure Subscriptions.
CLOUD PROVIDER | Name of the cloud provider where the alert occurred.
CLOUD REFERENCED RESOURCE | Represents the resources that are referenced in the alert log. In most cases, the referenced resource is the one on which the operation was initiated.
CLOUD RESOURCE TYPE | Classification used to map similar types of resources across different cloud providers. For example,
CLOUD RESOURCE SUB-TYPE | Specific classification used to map the types of resources. For example,
CONTAINS FEATURED HOST | Whether the alert includes a host name that has been flagged as a Featured Alert Field.
CONTAINS FEATURED USER | Whether the alert includes a user name that has been flagged as a Featured Alert Field.
CONTAINS FEATURED IP ADDRESS | Whether the alert includes an IP address that has been flagged as a Featured Alert Field.
CID | Unique identifier of the causality instance generated by Cortex XDR.
DESCRIPTION | Text summary of the event, including the alert source, alert name, severity, and file path. For alerts triggered by BIOC, IOC, and Correlation Rules, Cortex XDR displays detailed information about the rule.
DESTINATION ZONE NAME | Destination zone of the connection for firewall alerts.
DNS QUERY NAME | Domain name queried in the DNS request.
EMAIL RECIPIENT | Email recipient value of a firewall alert triggered on the content of a malicious email.
EMAIL SENDER | Email sender value of a firewall alert triggered on the content of a malicious email.
EMAIL SUBJECT | Email subject value of a firewall alert triggered on the content of a malicious email.
EVENT TYPE | Type of event on which the alert was triggered.
EXCLUDED | Whether the alert is excluded by an exclusion configuration.
EXTERNAL ID | Alert ID as recorded in the detector from which this alert was sent.
FILE PATH | Path to the file on the endpoint, for alerts that are triggered on a file (the Event Type is File).
FILE MACRO SHA256 | SHA256 hash value of a Microsoft Office file macro.
FILE MD5 | MD5 hash value of the file.
FILE SHA256 | SHA256 hash value of the file.
FW NAME | Name of the firewall on which a firewall alert was raised.
FW RULE ID | Firewall rule ID that triggered the firewall alert.
FW RULE NAME | Firewall rule name that matches the network traffic that triggered the firewall alert.
FW SERIAL NUMBER | Serial number of the firewall that raised the firewall alert.
HOST | Hostname of the endpoint or server on which this alert was triggered. The hostname is generally available for XDR agent alerts or alerts that are stitched with EDR data. When the hostname is unknown, this field is blank.
HOST FQDN | Fully qualified domain name (FQDN) of the Windows endpoint or server on which this alert was triggered.
HOST IP | IP address of the endpoint or server on which this alert was triggered.
HOST IPv6 | IPv6 address of the endpoint or server on which this alert was triggered.
HOST MAC ADDRESS | MAC address of the endpoint or server on which this alert was triggered.
HOST OS | Operating system of the endpoint or server on which this alert was triggered.
INCIDENT ID | ID of any incident that includes the alert.
INITIATED BY | Name of the process that initiated an activity such as a network connection or registry change.
INITIATOR MD5 | MD5 value of the process that initiated the alert.
INITIATOR SHA256 | SHA256 hash value of the initiator.
INITIATOR CMD | Command line used to initiate the process, including any arguments.
INITIATOR SIGNATURE | Signing status of the process that initiated the activity.
INITIATOR PATH | Path of the initiating process.
INITIATOR PID | Process ID (PID) of the initiating process.
INITIATOR SIGNER | Signer of the process that triggered the alert. Note: Cortex XDR can display both the O (Organization) value and the CN (Common Name).
INITIATOR TID | Thread ID (TID) of the initiating process.
IS PHISHING | Whether a firewall alert is classified as phishing.
LOCAL IP | IP address of the host that triggered the alert, for alerts that are triggered on network activity (the Event Type is Network Connection).
LOCAL PORT | Port on the endpoint that triggered the alert, for alerts that are triggered on network activity (the Event Type is Network Connection).
MAC ADDRESS | MAC address on which the alert was triggered.
MISC | Miscellaneous information about the alert.
MITRE ATT&CK TACTIC | Type of MITRE ATT&CK tactic on which the alert was triggered.
MITRE ATT&CK TECHNIQUE | Type of MITRE ATT&CK technique and sub-technique on which the alert was triggered.
MODULE | For Cortex XDR agent alerts, this field identifies the protection module that triggered the alert.
NGFW VSYS NAME | Name of the virtual system for the Palo Alto Networks firewall that triggered the alert.
OS PARENT CREATED BY | Name of the parent operating system that created the alert.
OS PARENT CMD | Command line used by the parent operating system to initiate the process, including any arguments.
OS PARENT SIGNATURE | Signing status of the operating system of the activity.
OS PARENT SIGNER | Parent operating system signer. Note: Cortex XDR can display both the O (Organization) value and the CN (Common Name).
OS PARENT SHA256 | Parent operating system SHA256 hash value.
OS PARENT ID | Parent operating system ID.
OS PARENT PID | OS parent process ID.
OS PARENT TID | OS parent thread ID.
OS PARENT USER NAME | Name of the user associated with the parent operating system.
PHONE NUMBER | Phone number that triggered the alert. This is the number that sent a malicious URL or spam, or that was blocked.
PROCESS EXECUTION SIGNATURE | Signature status of the process that triggered the alert.
PROCESS EXECUTION SIGNER | Signer of the process that triggered the alert. Note: Cortex XDR can display both the O (Organization) value and the CN (Common Name).
REGISTRY DATA | Registry data that triggered the alert, for alerts that are triggered on registry modifications (the Event Type is Registry).
REGISTRY FULL KEY | Full registry key that triggered the alert, for alerts that are triggered on registry modifications (the Event Type is Registry).
REMOTE HOST | Remote host name that triggered the alert, for alerts that are triggered on network activity (the Event Type is Network Connection).
REMOTE IP | Remote IP address of the network operation that triggered the alert.
REMOTE PORT | Remote port of the network operation that triggered the alert.
RESOLUTION STATUS | Status that was assigned to this alert when it was triggered (or modified). Right-click an alert to change the status. If you set the status to Resolved, select a resolution reason; for more information, see Resolution Reasons for Incidents and Alerts. Any update made to an alert impacts the associated incident. An incident with all of its associated alerts marked as resolved is automatically set to Auto-Resolved. Cortex XDR continues to group alerts into an Auto-Resolved incident for up to six hours; if an alert is triggered during this period, Cortex XDR re-opens the incident.
RULE ID | ID of the rule that triggered the alert.
SEVERITY | Severity that was assigned to this alert when it was triggered (or modified). For BIOC, IOC, and Correlation Rules, you define the severity when you create the rule. Insights are low and informational severity alerts that do not raise incidents but provide additional details when investigating an event.
STARRED | Whether the alert is starred by a starring configuration.
SOURCE ZONE NAME | Source zone name of the connection for firewall alerts.
TAGS | Displays one or more of the following tag categories, which are used to filter the results according to the selected tag:
TARGET FILE SHA256 | SHA256 hash value of an external DLL file that triggered the alert.
TARGET PROCESS CMD | Command line of the process whose creation triggered the alert.
TARGET PROCESS NAME | Name of the process whose creation triggered the alert.
TARGET PROCESS SHA256 | SHA256 value of the process whose creation triggered the alert.
TIMESTAMP | Date and time when the alert was triggered. Right-click to show rows from 30 days before or 30 days after the selected timestamp value.
URL | URL destination address of the domain triggering the firewall alert.
USER NAME | Name of the user that initiated the behavior that triggered the alert. If the user is a domain user account, this field also identifies the domain. Any alert triggered based on network, authentication, or login events displays the User Name in the standardized `<company domain>\<username>` format in the Alerts and Incidents pages.
XFF | X-Forwarded-For value from the HTTP header of the IP address connecting through a proxy.
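Two rules on this page affect how exported alerts line up when you triage them outside the console: the normalized user format (`<company domain>\<username>`) and the firewall rule that folds duplicate alerts with the same name and host raised within 24 hours into one row with a +n tag. The following is an added example, not Cortex XDR code; the alert rows, the `ALERT SOURCE` value `PAN NGFW`, the default-domain handling for bare user names, and windowing from the first alert of each group are assumptions made here.

```python
from datetime import datetime, timedelta

# Constructed sample rows using the Alerts table field names from the page
# (not a real Cortex XDR export). TIMESTAMP is ISO 8601 in UTC.
ALERTS = [
    {"ALERT ID": 101, "ALERT SOURCE": "PAN NGFW", "ALERT NAME": "Malware URL",
     "HOST": "ws-001", "USER NAME": "alice@corp.example", "TIMESTAMP": "2024-05-01T08:00:00Z"},
    {"ALERT ID": 102, "ALERT SOURCE": "PAN NGFW", "ALERT NAME": "Malware URL",
     "HOST": "ws-001", "USER NAME": "corp.example\\alice", "TIMESTAMP": "2024-05-01T15:30:00Z"},
    {"ALERT ID": 103, "ALERT SOURCE": "PAN NGFW", "ALERT NAME": "Malware URL",
     "HOST": "ws-001", "USER NAME": "alice", "TIMESTAMP": "2024-05-02T09:00:00Z"},
    {"ALERT ID": 104, "ALERT SOURCE": "XDR Agent", "ALERT NAME": "Malware URL",
     "HOST": "ws-001", "USER NAME": "alice", "TIMESTAMP": "2024-05-01T09:00:00Z"},
]

def normalize_user(raw, default_domain):
    """Render a user as '<company domain>\\<username>', the page's normalized form.
    Accepts 'DOMAIN\\user', 'user@domain' or a bare 'user'. Bare users receive
    default_domain (assumption: the page does not say how domain-less users are handled)."""
    if "\\" in raw:
        domain, user = raw.split("\\", 1)
    elif "@" in raw:
        user, domain = raw.rsplit("@", 1)
    else:
        domain, user = default_domain, raw
    return f"{domain}\\{user}"

def aggregate_firewall_alerts(alerts, window=timedelta(hours=24)):
    """Fold duplicate firewall alerts (same ALERT NAME and HOST, raised within
    `window` of the first one) into a single row tagged '+n', where n is the number
    of duplicates folded in. Non-firewall alerts pass through unchanged.
    Measuring the window from the group's first alert is an assumption."""
    out, open_groups = [], {}
    for a in sorted(alerts, key=lambda r: r["TIMESTAMP"]):  # ISO UTC strings sort chronologically
        if a["ALERT SOURCE"] != "PAN NGFW":  # constructed source value, see lead-in
            out.append(dict(a))
            continue
        ts = datetime.strptime(a["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")
        key = (a["ALERT NAME"], a["HOST"])
        grp = open_groups.get(key)
        if grp and ts - grp["_first"] <= window:
            grp["_n"] += 1
            grp["TAGS"] = f"+{grp['_n']}"
            continue
        grp = dict(a, _first=ts, _n=0)  # start a new aggregate for this name/host
        open_groups[key] = grp
        out.append(grp)
    # drop the bookkeeping keys before returning the rows
    return [{k: v for k, v in r.items() if not k.startswith("_")} for r in out]
```

With the sample rows, alerts 101 and 102 collapse into one row tagged +1, 103 starts a new row because it falls outside the 24-hour window, and the agent alert 104 is left alone.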