Alerts - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2024-02-26
Last date published
2024-06-09
Category
Administrator Guide
Abstract

Learn more about the Alerts page in Cortex XDR.

The Alerts page displays a table of all alerts in Cortex XDR.

The Alerts page consolidates non-informational alerts from your detection sources to enable you to efficiently and effectively triage the events you see each day. By analyzing the alert, you can better understand the cause of what happened and the full story with context to validate whether an alert requires additional action. Cortex XDR supports saving 2M alerts per 4000 agents or 20 terabytes, half of the alerts are allocated for informational alerts and half for severity alerts.

You can view detailed information for an alert in the Alert Panel, Causality View and Timeline View.

By default, the Alerts page displays the alerts received over the last seven days. Every 12 hours, Cortex XDR enforces a cleanup policy to remove the oldest alerts that exceed the maximum alerts limit.

Cortex XDR processes and displays the name of users in the following standardized format, also termed “normalized user”.

<company domain>\<username>

As a result, any alert triggered based on network, authentication, or login events displays the User Name in the standardized format in the Alerts and Incidents pages. This impacts every alert for Cortex XDR Analytics and Cortex XDR Analytics BIOC, including Correlation, BIOC, and IOC alerts triggered on one of these event types.

Note

You can query data related to the Alerts and Incidents tables by using the incidents and alerts datasets. For the alerts dataset, INFO alerts are not included in this dataset. In addition, the alert fields included in this dataset are limited to certain fields available in the API. For the full list, see Get Alerts Multi-Events v2 API.

The following table describes both the default fields and additional optional fields that you can add to the alerts table using the column manager and lists the fields in alphabetical order.