Analytics Concepts - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-10-31
Last date published
2024-03-18
Category
Administrator Guide
Abstract

The Cortex XDR app uses an Analytics Engine to examine logs and data from your sensors.

Safeguarding a network requires a defense-in-depth strategy which utilizes current and patched software and hardware. Most strategies designed to keep unwanted users out of a network stop intrusion attempts at the network perimeter, defending only against known threats. For example, systems scanning for malicious software rely on previously identified MD5 signature databases. However, attackers constantly modify virus signatures to circumvent virus scanners.

Your network defense-in-depth strategy must include software and processes designed to detect and respond to an intruder who penetrates your systems. The Cortex XDR app efficiently and automatically identifies abnormal activity on your network, while providing you with the exact information you need to rapidly evaluate, isolate and remove potential threats.

Analytics Engine

The Cortex XDR app uses its Analytics Engine to examine logs and data retrieved from your sensors on the Cortex XDR tenants to build an activity baseline, and recognize abnormal activity when it occurs. The Analytics Engine accesses your logs as they are streamed to the Cortex XDR tenant, including any Firewall data, and analyzes the data as soon as it arrives. Cortex XDR raises an Analytics alert when the Analytics Engine determines an anomaly.

The Analytics Engine examines traffic and data from a variety of sources such as network activity from firewall logs, VPN logs (from Prisma Access from the Panorama plugin), endpoint activity data (on Windows endpoints), Active Directory or a combination of these sources, to identify the endpoints and users on your network. After identifying the endpoints and the users, the Analytics Engine collects relevant details about each asset based on the information it obtains from the logs to create profiles. The Analytics Engine can detect threats from only network data or only endpoint data, but for more context when investigating an alert, we recommend using a combination of data sources.

The Analytics Engine creates and maintains the profiles to view the activity of the endpoint or user in context by comparing it to similar endpoints or users. The large number of Profile types can generally be placed into one of three categories.

  • Peer Group Profiles—A statistical analysis of an entity or an entity relation that compares activities from multiple entities in a peer group. For example, a domain can have a cross-organization popularity profile or per peer group popularity profile.

  • Temporal Profiles—A statistical analysis of an entity or an entity relation that compares the same entity to itself over time. For example, a host can have a Profile depending on the number of ports it accessed in the past.

  • Entity classification—A model detecting the role of an entity. For example, users can be classified as service accounts, and hosts as domain controllers.

Analytics Sensors

To detect anomalous behavior, Cortex XDR can analyze logs and data from a variety of sensors.

Note

Cortex XDR Pro per Endpoint agents without the XTH add-on can enable Analytics and Identity Analytics, however, due to the limits and filters applied to the data collected results will differ from agents with the XTH add-on. See the Cortex XDR Analytics Alert Reference guide for a complete list of supported sensors.

Sensor

Description

Palo Alto Networks sensors

Firewall traffic logs

Palo Alto Networks Firewalls perform traditional and next-generation firewall activities. The Cortex XDR Analytics Engine can analyze Palo Alto Networks firewall logs to obtain intelligence about the traffic on your network. A Palo Alto Networks firewall can also enforce Security policies based on IP addresses and domains associated with Analytics alerts with external dynamic lists.

Enhanced application logs (EAL)

To provide greater coverage and accuracy, you can enable enhanced application logging on your Palo Alto Networks firewalls. Enhanced Application Logs (EAL) are collected by the firewall to increase visibility into network activity for Palo Alto Networks apps and services, like Cortex XDR.

Examples of the types of data that enhanced application logs gather include records of DNS queries, the HTTP header User Agent field that specifies the web browser or tool used to access a URL, and information about DHCP automatic IP address assignment. For example, with DHCP information, Cortex XDR can raise an alert when it detects unusual activity based on hostname instead of IP address. This enables the security analyst to meaningfully assess whether the user’s activity is within the scope of their role, and if not, to stop the activity.

GlobalProtect and Prisma Access logs

If you use GlobalProtect or Prisma Access to extend your firewall security coverage to your mobile users, Cortex XDR can analyze VPN traffic to detect anomalous behavior on mobile endpoints.

Firewall URL logs (part of firewall threat logs)

Palo Alto Networks firewalls can log Threat log entries when traffic matches one of the Security Profiles attached to a security rule on the firewall. Cortex XDR can analyze entries for Threat logs relating to URLs and raise alerts that indicate malicious behavior such as command and control and exfiltration.

Cortex XDR agent endpoint data

With a Cortex XDR Pro per Endpoint license, you can deploy Cortex XDR agents on your endpoints to protect them from malware and software exploits. The Analytics Engine can also analyze the EDR data collected by the agent to raise alerts. To collect EDR data, you must install Cortex XDR agent 6.0 or a later release on your Windows endpoints (Windows 7 SP1 or later).

The Cortex XDR Analytics Engine can analyze activity and traffic based solely on endpoint activity data sent from Cortex XDR agents. For increased coverage and greater insight during investigations, use a combination of Cortex XDR agent data and firewalls to supply activity logs for analysis.

Pathfinder data collector

In a firewall-only deployment where the Cortex XDR agent is not installed on your endpoints, you can use Pathfinder to monitor endpoints. Pathfinder scans unmanaged hosts, servers, and workstations for malicious activity. The Analytics Engine can also analyze the Pathfinder data collector in combination with other data sources to increase coverage of your network and endpoints, and to provide more context when investigating alerts.

Directory Sync logs

If you use the Cloud Identity Engine to provide Cortex XDR with Active Directory data, the Analytics Engine can also raise alerts on your Active Directory logs.

External sensors

Third-party firewall logs

If you use non-Palo Alto Networks firewalls - Check Point, Fortinet, Cisco ASA - in addition to or instead of Palo Alto Networks firewalls, you can set up a syslog collector to facilitate log and alert ingestion. By sending your firewall logs to Cortex XDR , you can increase detection coverage and take advantage of Cortex XDR analysis capabilities. When Cortex XDR analyzes your firewall logs and detects anomalous behavior, it raises an alert.

Third-party authentication service logs

If you use an authentication service—Microsoft Azure AD, Okta, or PingOne—you can set up log collection to ingest authentication logs and data into authentication stories.

Windows Event Collector logs

The Windows Event Collector (WEC) runs on the Broker VM collecting event logs from Domain Controllers (DCs). The Analytics Engine can analyze these event logs to raise alerts such as for credential access and defense evasion.

Coverage of MITRE Attack Tactics

Network attacks follow predictable patterns. If you interfere with any portion of this pattern, the attack is neutralized.

attack-tactics.png

The Analytics Engine can raise an alert for any of the following attack tactics as defined by the MITRE ATT&CK™ knowledge base of tactics.

Tactic

Description

Execution

After attackers gain a foothold in your network, they can use various techniques to execute malicious code on a local or remote endpoint.

The Cortex XDR app detects malware and grayware on your network using a combination of network activity, Pathfinder data collector of your unmanaged endpoints, endpoint data from your Cortex XDR agents, and evaluation of suspicious files using the WildFire cloud service.

Persistence

To carry out a malicious action, an attacker can try techniques that maintain access in a network or on an endpoint. An attacker can initiate configuration changes—such as a system restart or failure—that require the endpoint to restart a remote access tool or open a back door that allows the attacker to regain access on the endpoint.

Discovery

When an attacker has access to a part of your network, they use discovery techniques to explore and identify subnets, servers and services that are hosted on those endpoints. They aim to identify vulnerabilities within your network.

The app detects these tactics by looking for indicators in your internal network traffic such as changes in connectivity patterns, including increased rates of connections, failed connections, and port scans.

Lateral Movement

To expand the footprint inside your network, an attacker uses lateral movement techniques to obtain credentials for additional access to more data in the network.

The Analytics Engine detects attacks during this phase by examining administrative operations (such as SSH, RDP, and HTTP), file share access, and user credential usage that is beyond the norm for your network. The app looks for indicators like increased administrative activity, SMB usage, and remote code execution.

Command and Control

The command and control tactic allows an attacker to remotely issue commands to an endpoint and receive information from it. The Analytics Engine identifies intruders using this tactic by looking for anomalies in outbound connections, DNS lookups, and endpoint processes with bound ports. The app detects unexplained changes in the periodicity of connections and failed DNS lookups, changes in random DNS lookups, and other indicators that suggest an attacker has gained initial control of a system.

Exfiltration

Exfiltration tactics are techniques used to retrieve data from a network, such as valuable enterprise data. The app identifies this type of attack by examining outbound connections with a focus on the volume of data being transferred. Increases in this volume are an important symptom of data exfiltration.

Analytics Detection Time Intervals

The Cortex XDR Analytics Engine retrieves logs from the Cortex XDR tenant to create a baseline so that it can raise alerts when abnormal activity occurs. This analysis is highly sophisticated and performed on more than a thousand dimensions of data. Internally, Cortex XDR organizes its analytics activity into algorithms called detectors. Each detector is responsible for raising an alert when suspicious behavior is detected.

To raise alerts, each detector compares the recent past behavior to the expected baseline by examining the data found in your logs. A certain amount of log file time is required to establish a baseline and then a certain amount of recent log file time is required to identify what is currently happening in your environment.

There are several meaningful time intervals for Cortex XDR Analytics detectors:

Time Interval

Description

Activation Period

The shortest amount of log file time before the app can raise an alert. This is typically the period between the time a detector first starts running and the time you see an alert. However, in some cases, detectors pause after an upgrade as they enter a new activation period.

Most but not all detectors start running after the activation period ends. The activation period provides the detector enough data to establish a baseline, which in turn helps to avoid false positives.

The activation period is also called the profiling or waiting period and, is informally referred to as soak time.

Test Period

The amount of logging time that a detector uses to determine if unusual activity is occurring on your network. The detector compares test period data to the baseline created during the training period, and uses that comparison to identify abnormal behavior.

Training Period

The amount of logging time that the detector requires to establish a baseline, and to identify the behavioral limits beyond which an alert is raised. Because your network is not static in terms of its topology or usage, detectors are constantly updating the baselines that they require for their analytics. For this update process, the training period is how far back in time the detector goes to update and tune the baseline.

This period is also referred to as the baseline period.

Note

When establishing a baseline, detectors compute limits beyond which network activity will require an alert. In some cases, detectors do not compute baseline limits; instead they are predetermined by Cortex XDR engineers. The engineers determine the values used for predetermined limits using statistical analysis of malicious activity recorded worldwide. The engineers routinely perform this statistical analysis and update the predetermined limits as needed with each release of Cortex XDR.

Deduplication Period

The amount of time in which additional alerts for the same activity or behavior are suppressed before Cortex XDR raises another Analytics alert.

These time periods are different for every Cortex XDR Analytics detector. The actual amount of logging data (measured in time) required to raise any given Cortex XDR Analytics alert is identified in the Cortex XDR Analytics Alert Reference Guide.

Analytics Alerts and Analytics BIOCs

The XDR Analytics Engine raises an alert when it detects suspicious activity, composed up of multiple events, that deviates from the behavior baseline it establishes over time. To ensure the Analytics detectors raise alerts efficiently and do not overcrowd your Alerts table, Cortex XDR automatically disables alerts from detectors that reach 5000 or more hits over a 24 hour period.

In addition to standard Analytics alerts, there is another category of alerts for Analytics behavioral indicators of compromise (BIOC)s. In contrast to standard Analytics alerts, Analytics BIOCs (ABIOCs)—indicate a single event of suspicious behavior with an identified chain of causality. To identify the context and chain of causality, ABIOCs leverage user, endpoint, and network profiles. The profile is generated by the Analytics Engine and can be based on a simple statistical profile or a more complex machine-learning profile. Cortex XDR tailors each ABIOC to your specific environment after analyzing your logs and data sources and continually tunes and delivers new ABIOCs with content updates.

Identity Analytics

Cortex XDR enables you investigate suspicious user activity information using Identity Analytics. When enabled, Identity Analytics aggregates and displays user profile information, activity, and alerts associated with a user-based Analytics type alert and Analytics BIOC rule.

To easily track the alerts and Analytics BIOC rules, Cortex XDR displays an Identity Analytics tag in the Alerts table > Alert Name field and Analytics BIOC Rules table > Name field. In the Analytics Alert View, when selecting the User node, Cortex XDR details the active directory group, organizational unit, role, logins, hosts, alerts, and process executions associated with the user.

To enable Identity Analytics, you must first:

After configuring your Cloud Identity Engine instance and Cortex XDR Analytics, select Settings (403822_spr.png)ConfigurationsCortex XDR - Analytics ,and in the Featured in Analytics section, Enable Identity Analytics.

Identity Threat Module

The Identity Threat module provides superior coverage for stealthy identity threat vectors, including compromised accounts and insider threats. The module is available as an add-on and includes the following UI features.

  • Automated and customizable Asset Role classification based on constant analysis of the users and host in your network. You can edit and manage the User Asset Roles and Host Asset Roles to meet the needs of your organization.

  • The Behavioral Analytics tab in the Alert Panel view that displays background information for quicker triaging and investigation. This enables you to analyze the deviation that triggered the alert against the backdrop of baseline behavior.

  • Risk Management Dashboard for reviewing the risk posture of the organization and enabling faster decision making. The dashboard contains a number of Metrics widgets that present statistical risk information for your organization.

  • User Risk View and Host Risk View which provide additional information about the asset, including score trend timeline, notable events, peer comparison, and additional asset-associated alerts and insights for easy uncovering of hidden threats.Investigate a User