Alerts - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-10-31
Last date published
2024-03-18
Category
Administrator Guide
Abstract

Learn more about the Alerts page in Cortex XDR.

The Alerts page displays a table of all alerts in Cortex XDR.

The Alerts page consolidates non-informational alerts from your detection sources so that you can triage the events you see each day efficiently and effectively. By analyzing an alert, you can understand its cause and the full story with context, and validate whether it requires additional action. Cortex XDR retains up to 2M alerts per 4,000 agents or 20 terabytes; half of this allocation is reserved for informational alerts and half for alerts of other severities.

You can view detailed information for an alert in the Alert Panel, Causality View and Timeline View.

By default, the Alerts page displays the alerts received over the last seven days. Every 12 hours, Cortex XDR enforces a cleanup policy to remove the oldest alerts that exceed the maximum alerts limit.

Cortex XDR processes and displays the name of users in the following standardized format, also termed “normalized user”.

<company domain>\<username>

As a result, any alert triggered on network, authentication, or login events displays the User Name in this standardized format on the Alerts and Incidents pages. This applies to Cortex XDR Analytics and Analytics BIOC alerts, and to Correlation, BIOC, and IOC alerts triggered on one of these event types.

Note

You can query data related to the Alerts and Incidents tables by using the incidents and alerts datasets. The alerts dataset does not include informational alerts, and it exposes only a subset of the alert fields that are available in the API. For the full list, see Get Alerts Multi-Events v2 API.
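The following is an added example, not code from this guide or from Palo Alto Networks, of pulling alerts through the Get Alerts Multi-Events v2 API mentioned in the note, 100 alerts at a time. The endpoint path, the x-xdr-* header names, the advanced-API-key signature (SHA-256 of key + nonce + timestamp), the request-body filter and sort shape, and the 100-alert page limit are taken from the public API documentation as the author of this example understands it, not from this page; confirm them against the API reference for your tenant. The HTTPS call is injected as a `send` callable, and the sample sender and the alerts it serves are constructed so the paging logic runs offline.

```python
"""Pull alerts in pages with the Get Alerts Multi-Events v2 API.

Added example for this guide; it is not Cortex XDR's own code. The endpoint
path, header names, request shape and the 100-alert page limit follow Palo
Alto Networks' public API documentation for "advanced" API keys as the author
of this example understands them; verify against your tenant's API reference.
The HTTP call is injected as `send` so the paging logic runs offline.
"""
import hashlib
import secrets
import time
from typing import Callable, Dict, Iterator, List, Optional

ENDPOINT = "/public_api/v2/alerts/get_alerts_multi_events/"  # appended to https://api-<tenant fqdn>
MAX_PAGE = 100  # search_to - search_from may not exceed this (documented limit)


def auth_headers(api_key_id: int, api_key: str,
                 nonce: Optional[str] = None,
                 timestamp_ms: Optional[int] = None) -> Dict[str, str]:
    """Headers for an 'advanced' API key: Authorization is the hex SHA-256 of
    api_key + nonce + timestamp, and the nonce and timestamp travel alongside it."""
    nonce = nonce if nonce is not None else secrets.token_hex(32)
    if timestamp_ms is None:
        timestamp_ms = int(time.time() * 1000)
    digest = hashlib.sha256(f"{api_key}{nonce}{timestamp_ms}".encode()).hexdigest()
    return {
        "x-xdr-timestamp": str(timestamp_ms),
        "x-xdr-nonce": nonce,
        "x-xdr-auth-id": str(api_key_id),
        "Authorization": digest,
        "Content-Type": "application/json",
    }


def alerts_request(search_from: int, severities: List[str],
                   page_size: int = MAX_PAGE) -> dict:
    """Request body for one page of alerts matching the severity filter, newest first."""
    if not 0 < page_size <= MAX_PAGE:
        raise ValueError(f"page_size must be 1..{MAX_PAGE}")
    return {"request_data": {
        "filters": [{"field": "severity", "operator": "in", "value": severities}],
        "search_from": search_from,
        "search_to": search_from + page_size,
        "sort": {"field": "creation_time", "keyword": "desc"},
    }}


def iter_alerts(send: Callable[[dict], dict], severities: List[str],
                page_size: int = MAX_PAGE) -> Iterator[dict]:
    """Yield every matching alert, walking pages until the server's total_count
    is reached or a page comes back empty."""
    search_from = 0
    while True:
        reply = send(alerts_request(search_from, severities, page_size))["reply"]
        page = reply.get("alerts") or []
        yield from page
        search_from += len(page)
        if not page or search_from >= int(reply.get("total_count", 0)):
            return


def make_fake_sender(total: int) -> Callable[[dict], dict]:
    """Constructed stand-in for the HTTPS call: serves `total` synthetic alerts
    in the documented reply shape (total_count, result_count, alerts)."""
    alerts = [{"alert_id": str(i), "severity": "high", "name": f"constructed alert {i}"}
              for i in range(total)]

    def send(body: dict) -> dict:
        rd = body["request_data"]
        chunk = alerts[rd["search_from"]:rd["search_to"]]
        return {"reply": {"total_count": total, "result_count": len(chunk), "alerts": chunk}}
    return send


def collect_alert_ids(send: Callable[[dict], dict],
                      severities=("high", "critical"),
                      page_size: int = MAX_PAGE) -> List[str]:
    return [a["alert_id"] for a in iter_alerts(send, list(severities), page_size)]


if __name__ == "__main__":
    # Real use: requests.post(f"https://api-{fqdn}{ENDPOINT}", headers=auth_headers(key_id, key), json=body)
    ids = collect_alert_ids(make_fake_sender(250))
    print(len(ids), "alerts fetched across", -(-250 // MAX_PAGE), "pages")
```

Keep the nonce and timestamp per request (the server rejects replayed or stale signatures), and pass `page_size` no larger than 100; the request builder refuses anything beyond that rather than letting the server return an error mid-run.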

The following table describes both the default fields and additional optional fields that you can add to the alerts table using the column manager and lists the fields in alphabetical order.

Field

Description

Status Indicator (icon)

Identifies whether there is enough endpoint data to analyze an alert.

Check box (icon)

Check box to select one or more alerts on which to perform actions. Select multiple alerts to assign all selected alerts to an analyst, or to change the status or severity of all selected alerts.

ACTION

Action taken by the alert sensor, either Detected or Prevented, with the action status displayed in parentheses. Options are:

  • Detected

  • Detected (Allowed The Session)

  • Detected (Download)

  • Detected (Forward)

  • Detected (Post Detected)

  • Detected (Prompt Allow)

  • Detected (Raised An Alert)

  • Detected (Reported)

  • Detected (Scanned)

  • Detected (Sinkhole)

  • Detected (Syncookie Sent)

  • Detected (Wildfire Upload Failure)

  • Detected (Wildfire Upload Success)

  • Detected (Wildfire Upload Skip)

  • Detected (XDR Managed Threat Hunting)

  • Prevented (Block)

  • Prevented (Blocked)

  • Prevented (Block-Override)

  • Prevented (Blocked The URL)

  • Prevented (Blocked The IP)

  • Prevented (Continue)

  • Prevented (Denied The Session)

  • Prevented (Dropped All Packets)

  • Prevented (Dropped The Session)

  • Prevented (Dropped The Session And Sent a TCP Reset)

  • Prevented (Dropped The Packet)

  • Prevented (Override)

  • Prevented (Override-Lockout)

  • Prevented (Post Detected)

  • Prevented (Prompt Block)

  • Prevented (Random-Drop)

  • Prevented (Silently Dropped The Session With An ICMP Unreachable Message To The Host Or Application)

  • Prevented (Terminated The Session And Sent a TCP Reset To Both Sides Of The Connection)

  • Prevented (Terminated The Session And Sent a TCP Reset To The Client)

  • Prevented (Terminated The Session And Sent a TCP Reset To The Server)

  • N/A
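The following added example (not code from this guide) parses ACTION values of the form listed above into the verb and the parenthesized status, and uses that together with the SEVERITY and INITIATOR SIGNATURE columns to order a batch of alerts for triage, giving alerts the sensor only Detected, or whose outcome is N/A, priority over ones it Prevented at the same severity. The alert records and their key names are constructed for the example and are not API field names. Treating Prevented (Continue) and Prevented (Override) as activity the user went ahead with follows PAN-OS URL Filtering continue/override page semantics and is an assumption to tune for your environment.

```python
"""Parse the ACTION column and order alerts for triage.

Added example for this guide, not Cortex XDR code. The alert records are
constructed dicts that mirror the ACTION, SEVERITY and INITIATOR SIGNATURE
columns of the Alerts table; the dict keys are this example's own names, not
API field names. USER_PROCEEDED is an assumption based on PAN-OS URL Filtering
continue/override pages; adjust it for your deployment.
"""
import re
from typing import List, NamedTuple, Optional

_ACTION = re.compile(r"^(?P<verb>Detected|Prevented)(?:\s*\((?P<status>[^()]*)\))?$")

# Prevented outcomes where a block page was shown but the user could continue (assumption).
USER_PROCEEDED = {"Continue", "Override"}

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1,
                 "informational": 0, "unknown": 0}


class Action(NamedTuple):
    verb: Optional[str]    # "Detected", "Prevented", or None for N/A
    status: Optional[str]  # text inside the parentheses, if present


def parse_action(value: Optional[str]) -> Action:
    """Split 'Prevented (Blocked The URL)' into ('Prevented', 'Blocked The URL').
    'Detected' alone gives ('Detected', None); 'N/A' or empty gives (None, None)."""
    text = (value or "").strip()
    if not text or text.upper() == "N/A":
        return Action(None, None)
    m = _ACTION.match(text)
    if not m:
        raise ValueError(f"unrecognized ACTION value: {value!r}")
    status = m.group("status")
    return Action(m.group("verb"), status.strip() if status else None)


def threat_reached_target(action: Action) -> bool:
    """True when the sensor only observed the activity (Detected), the outcome is
    unknown (N/A), or a block page was overridden by the user."""
    if action.verb != "Prevented":
        return True
    return action.status in USER_PROCEEDED


def triage_score(alert: dict) -> int:
    """Higher scores go first: severity dominates, then whether the activity
    actually ran, then an unsigned or invalid-signature initiator."""
    sev = SEVERITY_RANK.get(str(alert.get("severity", "unknown")).lower(), 0)
    score = sev * 10
    if threat_reached_target(parse_action(alert.get("action"))):
        score += 5
    if alert.get("initiator_signature") in ("Unsigned", "Invalid Signature"):
        score += 3
    return score


def order_for_triage(alerts: List[dict]) -> List[dict]:
    return sorted(alerts, key=triage_score, reverse=True)


# Constructed sample rows (not real alerts).
SAMPLE_ALERTS = [
    {"alert_id": "1", "severity": "High", "action": "Prevented (Blocked The URL)", "initiator_signature": "Signed"},
    {"alert_id": "2", "severity": "High", "action": "Detected", "initiator_signature": "Unsigned"},
    {"alert_id": "3", "severity": "Medium", "action": "Prevented (Override)", "initiator_signature": "Signed"},
    {"alert_id": "4", "severity": "Critical", "action": "N/A", "initiator_signature": "Unknown"},
    {"alert_id": "5", "severity": "Low", "action": "Detected (Reported)", "initiator_signature": "Invalid Signature"},
]

if __name__ == "__main__":
    for a in order_for_triage(SAMPLE_ALERTS):
        print(triage_score(a), a["alert_id"], a["action"])
```

The parser raises on an ACTION string it does not recognize rather than silently scoring it as prevented; a new status value appearing in your tenant should surface as an error to be added to the list, not as an alert that quietly drops to the bottom of the queue.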

AGENT OS SUB TYPE

The operating system subtype of the agent from which the alert was triggered.

ALERT ID

A unique identifier that Cortex XDR assigns to each alert.

ALERT NAME

Name of the alert. If the alert was generated by Cortex XDR, the Alert Name is the name of the specific Cortex XDR rule that created it (BIOC, IOC, or Correlation Rule name). If it came from an external system, it carries the name assigned to it by Cortex XDR. Alerts that match an alert starring policy also display a purple star.

Note

For alerts coming from firewalls, if duplicate alerts with the same name and host are raised within 24 hours, they are aggregated and identified by a +n tag.

Alerts that contain a Featured Alert Field are displayed with a flag icon.

Alerts associated with Identity Analytics are displayed with an Identity Analytics tag.

ALERT SOURCE

Source of the alert: BIOC, Analytics BIOC, Correlation, IOC, XDR Agent, Firewall, or Analytics.

ALERT TRIGGERED AN AUTOMATION RULE

A lightning-bolt icon indicates that the alert triggered an automation rule.

APP-ID

Related App-ID for an alert. App-ID is a traffic classification system that determines what an application is irrespective of port, protocol, encryption (SSH or SSL) or any other evasive tactic used by the application. When known, you can also pivot to the Palo Alto Networks Applipedia entry that describes the detected application.

APP CATEGORY

APP-ID category name associated with a firewall alert.

APP SUBCATEGORY

APP-ID subcategory name associated with a firewall alert.

APP TECHNOLOGY

APP-ID technology name associated with a firewall alert.

CATEGORY

Alert category based on the alert source. An example of an XDR Agent alert category is Exploit Modules. An example of a BIOC alert category is Evasion. If a URL filtering category is known, this field also displays the name of the URL filtering category.

CGO CMD

Command-line arguments of the Causality Group Owner.

CGO MD5

The MD5 value of the CGO that initiated the alert.

CGO NAME

The name of the process that started the causality chain, as determined by Cortex XDR causality logic (the Causality Group Owner, CGO).

CGO SHA256

The SHA256 value of the CGO that initiated the alert.

CGO SIGNATURE

Signing status of the CGO:

  • Unsigned

  • Signed

  • Invalid Signature

  • Unknown

CGO SIGNER

The name of the software publishing vendor that signed the file in the causality chain that led up to the alert.

Note

Cortex XDR can display both the O (Organization) value and the CN (Common Name).

CLOUD IDENTITY TYPE

Classification of the identity type that initiated the operation that triggered the alert, for example Service, Application, or Temporary Credentials.

CLOUD IDENTITY SUB-TYPE

A more specific classification of the identity that initiated the operation. For example, for the identity type Temporary Credentials the sub-type could be Assumed Role.

CLOUD OPERATION TYPE

The effect of the identity's operation, for example Create, Delete, or Modify.

CLOUD PROJECT

The cloud provider's account-level container in which the alert occurred, for example an AWS account or an Azure subscription.

CLOUD PROVIDER

The name of the cloud provider where the alert occurred:

  • AWS

  • GCP

  • Azure

CLOUD REFERENCED RESOURCE

The resources referenced in the alert log. In most cases this is the resource on which the operation was performed.

CLOUD RESOURCE TYPE

A classification that maps similar kinds of resources across cloud providers to one type. For example, EC2, Google Compute Engine, and Microsoft Compute are all mapped to Compute.

CLOUD RESOURCE SUB-TYPE

A more specific classification within the resource type. For example, DISK, VPC, and Subnet are sub-types under Compute.

CONTAINS FEATURED HOST

Displays whether the alert includes a host name that has been flagged as a Featured Alert Field.

CONTAINS FEATURED USER

Displays whether the alert includes a user name that has been flagged as a Featured Alert Field.

CONTAINS FEATURED IP ADDRESS

Displays whether the alert includes an IP address that has been flagged as a Featured Alert Field.

CID

Unique identifier of the causality instance generated by Cortex XDR.

DESCRIPTION

Text summary of the event including the alert source, alert name, severity, and file path. For alerts triggered by BIOC, IOC, and Correlation Rules, Cortex XDR displays detailed information about the rule.

DESTINATION ZONE NAME

The destination zone of the connection for firewall alerts.

DNS Query Name

The domain name queried in the DNS request.

DOMAIN

The domain on which an alert was triggered.

EMAIL RECIPIENT

The email recipient value of a firewall alert triggered on the content of a malicious email.

EMAIL SENDER

The email sender value of a firewall alert triggered on the content of a malicious email.

EMAIL SUBJECT

The email subject value of a firewall alert triggered on the content of a malicious email.

EVENT TYPE

The type of event on which the alert was triggered:

  • File Event

  • Injection Event

  • Load Image Event

  • Network Event

  • Process Execution

  • Registry Event

EXCLUDED

Whether the alert is excluded by an exclusion configuration.

EXTERNAL ID

The alert ID as recorded in the detector from which this alert was sent.

FILE PATH

When the alert is triggered on a file (the Event Type is File Event), this is the path to the file on the endpoint. Otherwise, N/A.

FILE MACRO SHA256

SHA256 hash value of a Microsoft Office file macro.

FILE MD5

MD5 hash value of the file.

FILE SHA256

SHA256 hash value of the file.

FW NAME

Name of firewall on which a firewall alert was raised.

FW RULE ID

The firewall rule ID that triggered the firewall alert.

FW RULE NAME

The firewall rule name that matches the network traffic that triggered the firewall alert.

FW SERIAL NUMBER

The serial number of the firewall that raised the firewall alert.

HOST

The hostname of the endpoint or server on which this alert was triggered. The hostname is generally available for XDR agent alerts or alerts that are stitched with EDR data. When the hostname is unknown, this field is blank.

HOST FQDN

The fully qualified domain name (FQDN) of the Windows endpoint or server on which this alert was triggered.

HOST IP

IP address of the endpoint or server on which this alert was triggered.

HOST IPv6

IPv6 address of the endpoint or server on which this alert was triggered.

HOST MAC ADDRESS

MAC address of the endpoint or server on which this alert was triggered.

HOST OS

Operating system of the endpoint or server on which this alert was triggered.

INCIDENT ID

The ID of any incident that includes the alert.

INITIATED BY

The name of the process that initiated an activity such as a network connection or registry change.

INITIATOR MD5

The MD5 value of the process which initiated the alert.

INITIATOR SHA256

The SHA256 hash value of the initiator.

INITIATOR CMD

Command-line used to initiate the process including any arguments.

INITIATOR SIGNATURE

Signing status of the process that initiated the activity:

  • Unsigned

  • Signed

  • Invalid Signature

  • Unknown

INITIATOR PATH

Path of the initiating process.

INITIATOR PID

Process ID (PID) of the initiating process.

INITIATOR SIGNER

Signer of the process that triggered the alert.

Note

Cortex XDR can display both the O (Organization) value and the CN (Common Name).

INITIATOR TID

Thread ID (TID) of the initiating process.

IS PHISHING

Indicates whether a firewall alert is classified as phishing.

LOCAL IP

If the alert is triggered on network activity (the Event Type is Network Event), this is the IP address of the host that triggered the alert. Otherwise, N/A.

LOCAL PORT

If the alert is triggered on network activity (the Event Type is Network Event), this is the port on the endpoint that triggered the alert. Otherwise, N/A.

MAC ADDRESS

The MAC address on which the alert was triggered.

MISC

Miscellaneous information about the alert.

MITRE ATT&CK TACTIC

The MITRE ATT&CK tactic associated with the alert.

MITRE ATT&CK TECHNIQUE

The MITRE ATT&CK technique and sub-technique associated with the alert.

MODULE

For XDR Agent alerts, this field identifies the protection module that triggered the alert.

NGFW VSYS NAME

Name of the virtual system for the Palo Alto Networks firewall that triggered an alert.

OS PARENT CREATED BY

Name of the process that the operating system records as the parent of the initiating process. The OS PARENT fields describe this OS-level parent, which can differ from the causality-based parent (CGO) that Cortex XDR derives.

OS PARENT CMD

Command line of the OS parent process, including any arguments.

OS PARENT SIGNATURE

Signing status of the OS parent process:

  • Unsigned

  • Signed

  • Invalid Signature

  • Unknown

OS PARENT SIGNER

Signer of the OS parent process.

Note

Cortex XDR can display both the O (Organization) value and the CN (Common Name).

OS PARENT SHA256

SHA256 hash value of the OS parent process.

OS PARENT ID

Cortex XDR identifier of the OS parent process instance.

OS PARENT PID

Process ID (PID) of the OS parent process.

OS PARENT TID

Thread ID (TID) of the OS parent process.

OS PARENT USER NAME

Name of the user under which the OS parent process ran.

PHONE NUMBER

Shows the phone number that triggered the alert. This is the number that sent a malicious URL/spam or was blocked.

PROCESS EXECUTION SIGNATURE

Signature status of the process that triggered the alert:

  • Unsigned

  • Signed

  • Invalid Signature

  • Unknown

PROCESS EXECUTION SIGNER

Signer of the process that triggered the alert.

Note

Cortex XDR can display both the O (Organization) value and the CN (Common Name).

REGISTRY DATA

If the alert is triggered on registry modifications (the Event Type is Registry Event), this is the registry data that triggered the alert. Otherwise, N/A.

REGISTRY FULL KEY

If the alert is triggered on registry modifications (the Event Type is Registry Event), this is the full registry key that triggered the alert. Otherwise, N/A.

REMOTE HOST

If the alert is triggered on network activity (the Event Type is Network Event), this is the remote host name that triggered the alert. Otherwise, N/A.

REMOTE IP

The remote IP address of a network operation that triggered the alert.

REMOTE PORT

The remote port of a network operation that triggered the alert.

RESOLUTION STATUS

The status assigned to this alert when it was triggered (or later modified): New, Under Investigation, or Resolved. Right-click an alert to Change Status. If you set the status to Resolved, select a resolution reason; for more information, see Resolution Reasons for Incidents and Alerts.

Any update made to an alert affects the associated incident. An incident whose associated alerts are all marked as resolved is automatically set to Auto-Resolved. Cortex XDR continues to group alerts into an Auto-Resolved incident for up to 6 hours; if an alert is triggered during that period, Cortex XDR re-opens the incident.

RULE ID

The ID of the rule that triggered the alert.

SEVERITY

The severity that was assigned to this alert when it was triggered (or modified): Informational, Low, Medium, High, Critical, or Unknown. Right-click an alert to Change Severity.

For BIOC, IOC, and Correlation Rules, you define the severity when you create the rule. Insights are low and informational severity alerts that do not raise incidents but provide additional details when investigating an event.

STARRED

Whether the alert matches an alert starring policy.

SOURCE ZONE NAME

The source zone name of the connection for firewall alerts.

TAGS

Displays one or more of the following tag categories, which you can use to filter the results by the selected tag:

  • Asset Roles

  • Data Sources

  • Detector Tags

  • Endpoint Groups / Endpoint Tags

    Displays the tag family and the corresponding tags. If scope-based access control (SBAC) is enabled, users can view and manage the alerts table only according to their scope settings.

    Note

    When a scoped user views alerts on a tenant set to permissive mode, the user can view the alert but does not have access to entities outside their scope.

    When a scoped user views alerts on a tenant set to restrictive mode, the alert content is not visible. The user can send the alert ID to the administrator, who can add it to the user's scope so that the user can view the alert.

TARGET FILE SHA256

The SHA256 hash value of an external DLL file that triggered the alert.

TARGET PROCESS CMD

The command line of the process whose creation triggered the alert.

TARGET PROCESS NAME

The name of the process whose creation triggered the alert.

TARGET PROCESS SHA256

The SHA256 value of the process whose creation triggered the alert.

TIMESTAMP

The date and time when the alert was triggered.

Right-click the value to show rows from 30 days before or 30 days after the selected timestamp.

URL

The destination URL that triggered the firewall alert.

USER NAME

The name of the user that initiated the behavior that triggered the alert. If the user is a domain user account, this field also identifies the domain.

Any alert triggered on network, authentication, or login events displays the User Name in the following standardized format on the Alerts and Incidents pages.

<company domain>\<username>
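Because the User Name on the Alerts and Incidents pages always takes this normalized form (the same format described at the top of this page), user lists from other systems, such as UPNs from a directory export or bare account names from a ticket, must be normalized before they can be matched against it. The following added example (not code from this guide) does that. The mapping from DNS suffix to company domain, the fallback domain for bare names, and the lower-casing are this example's assumptions, since the guide does not state how Cortex XDR derives the domain part or handles case. The sample user names are constructed.

```python
"""Normalize user identifiers to the <company domain>\\<username> form so that
user lists from other systems can be matched against alert USER NAME values.

Added example for this guide, not Cortex XDR code. Assumptions (the guide does
not specify them): UPNs are mapped to a company domain through an explicit
DNS-suffix table, bare names get a caller-supplied default domain, and the
result is lower-cased for comparison.
"""
import re
from typing import Dict, Iterable, Optional, Set

# Down-level logon name: CORP\alice or corp/alice (domain may contain spaces, e.g. NT AUTHORITY).
_DOWNLEVEL = re.compile(r"^(?P<domain>[^@\\/]+)[\\/](?P<user>[^@\\/]+)$")
# User principal name: alice@corp.example.com
_UPN = re.compile(r"^(?P<user>[^@\\/\s]+)@(?P<domain>[^@\\/\s]+)$")
# Bare account name: alice
_BARE = re.compile(r"^[^@\\/\s]+$")


def normalize_user(raw: Optional[str],
                   dns_to_domain: Optional[Dict[str, str]] = None,
                   default_domain: Optional[str] = None) -> Optional[str]:
    """Return 'domain\\user' in lower case, or None if the value cannot be mapped."""
    text = (raw or "").strip()
    if not text:
        return None
    m = _DOWNLEVEL.match(text)
    if m:
        domain, user = m.group("domain"), m.group("user")
    else:
        m = _UPN.match(text)
        if m:
            suffix = m.group("domain").lower()
            # Assumption: fall back to the DNS suffix itself when no mapping is known.
            domain = (dns_to_domain or {}).get(suffix, suffix)
            user = m.group("user")
        elif _BARE.match(text) and default_domain:
            domain, user = default_domain, text
        else:
            return None
    return f"{domain.strip().lower()}\\{user.strip().lower()}"


def match_watchlist(alert_user_names: Iterable[str], watchlist: Iterable[str],
                    dns_to_domain: Optional[Dict[str, str]] = None,
                    default_domain: Optional[str] = None) -> Set[str]:
    """Normalized alert user names that appear in a watchlist written in any
    of the three spellings (down-level, UPN, bare)."""
    wanted: Set[str] = set()
    for entry in watchlist:
        normalized = normalize_user(entry, dns_to_domain, default_domain)
        if normalized:
            wanted.add(normalized)
    hits: Set[str] = set()
    for name in alert_user_names:
        normalized = normalize_user(name, dns_to_domain, default_domain)
        if normalized in wanted:
            hits.add(normalized)
    return hits


# Constructed sample data (not real accounts or alerts).
DNS_TO_DOMAIN = {"corp.example.com": "corp"}
ALERT_USERS = ["CORP\\alice", "corp\\svc-backup", "NT AUTHORITY\\SYSTEM", "bob", ""]
WATCHLIST = ["Alice@corp.example.com", "bob", "carol@corp.example.com"]

if __name__ == "__main__":
    print(sorted(match_watchlist(ALERT_USERS, WATCHLIST, DNS_TO_DOMAIN, default_domain="corp")))
```

A bare name with no default domain deliberately returns None rather than guessing; an unqualified "bob" from a ticket could belong to any domain in a multi-domain forest, and a silent guess would produce false matches against the normalized alert values.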

XFF

The X-Forwarded-For HTTP header value, which carries the IP address of the client connecting through a proxy.