From the Cortex XDR management console, you can view a detailed summary of the behavior that triggered analytics alerts.
The >analytics alert view provides a detailed summary of the behavior that triggered an Analytics or Analytics BIOC alert. This view also provides a visual depiction of the behavior and additional information you can use to assess the alert. This includes the endpoint on which the activity was initiated, the user that performed the action, the technique the analytics engine observed, and activity and interactions with other hosts inside or outside of your network.
When enabling Identity Analytics , alerts associated with suspicious user activity such as stolen or misused credentials, lateral movement, credential harvesting, or brute-force data are displayed with a User node.
For Analytics alerts, the analytics view indicates the endpoint for which the alert was raised.
For Analytics BIOC alerts, the Analytics view summarizes information about the alert, including the source host name, IP address, the process name on which the alert was raised, and the corresponding process ID.
2. Alert summary
(Analytics alerts only) Describes the behavior that triggered the alert and activity impact.
3. Graphic summary
Similar to the Causality View, the analytics view provides a graphic representation of the activity that triggered the alert and an interactive way to view the chain of behavior for an Analytics alert. You can move the graphic, extend it, and modify it. To adjust the appearance, you can enlarge/shrink the chain for easy viewing using the size controls on the right. You can also move the chain around by selecting and dragging it. To return the chain to its original position and size, click in the lower-right of the graph.
The activity depicted in the graphic varies depending on the type of alert:
The following nodes display information unique to the Analytics Alert View:
User node— Hover over to display the User Information and user Analytics Profile data.
Multi-Event—Display in the Event Table all the event types associated with the alert.
Right-click on the following nodes to view additional information:
4. Alert description
The alert description provides details and statistics related to the activity. Beneath the description, you can also view the alert name, severity assigned to the alert, time of the activity, alert tactic (category) and type, and links to the MITRE summary of the attack tactic.
When selecting a User node, Identity User Details, such as Active Directory Group, Organizational Unit, and Role associated with the user are displayed. If available, Login Details also appear.
5. Events table
Displays events related to the alert.
User node—Displays the logins, hosts, alerts, and process executions associated with the user aggregated by the Identity Analytics 7 days prior to and after the analytics alert timestamp. Right-click to Investigate Causality Chain and View in XQL the associated events.
Multi-Event—Displays the events associated with the alert according to the type of event type. Right-click to View in XQL and further Investigate with XQL the event details.
6. Response actions
Actions you can take in response to an Analytics alert. These actions can include isolating a host from the network, initiating a live terminal session, and adding an IP address or domain name to an external dynamic list (EDL) that is enforceable in your Palo Alto Networks firewall security policy.