Manage Alerts - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-10-31
Last date published
2024-03-18
Category
Administrator Guide
Abstract

You can manage alerts and view alert details from the Alerts page in Cortex XDR.

In the Incident ResponseIncidentsAlerts Table, you can manage the alerts you see and the information about each alert.

The options available can change depending on the Alert Source.

Copy Alerts
Abstract

Copy an alert into memory.

You can copy an alert into memory as follows:

  • Copy the URL of the alert record

  • Copy the value for an alert field

  • Copy the entire row of alert record

With either option, you can paste the contents of memory into an email to send. This is helpful if you need to share or discuss a specific alert with someone. If you copy a field value, you can also easily paste it into a search or begin a query.

  1. Create a URL for an alert record:

    1. From the Alerts page, right-click the alert you want to send.

    2. Select Copy alert URL.

      Cortex XDR saves the URL to memory.

    3. Paste the URL into an email or use it as needed to share the alert.

  2. Copy a field value in an alert record:

    1. From the Alerts page, right-click the field in the alert that you want to copy.

    2. Select Copy text to clipboard.

      Cortex XDR saves the field contents to memory.

    3. Paste the value into an email or use it as needed to share information from the alert.

  3. Copy the entire row of alert record

    1. From the Alerts page, right-click on one or more alerts you want to copy.

    2. Select Copy entire row(s).

    3. Paste the value into an email or use it as needed to share information from the alert.

Analyze an Alert
Abstract

Learn more about analyzing alerts in the Alert Panel View and the Causality View.

To help you understand the full context of an alert, Cortex XDR provides the Alert Panel view and the Causality view that enable you to quickly make a thorough analysis.

The Causality View is available for XDR agent alerts that are based on endpoint data and for alerts raised on network traffic logs that have been stitched with endpoint data. In addition, you can use the Cloud Causality View to analyze cloud Cortex XDR alerts and Cloud Audit Logs. While the SaaS Causality View enables you to analyze and investigate software-as-a-service (SaaS) related alerts for audit stories, such as Office 365 audit logs and normalized logs.

To view the analysis:

  1. From the Alerts page, locate the alert you want to analyze.

  2. Click the alert and review the information in the Alert Panel view.

  3. Right-click anywhere in the alert, and select Investigate Causality Chain.

  4. Choose whether to open the Causality View card for an alert in a new tab or the same tab.

    You can also view the causality chain over time using the Timeline view.

  5. Review the chain of execution and available data for the process and, if available, navigate through the process tree.

Run a Playbook on an Alert

You can run or rerun a playbook on one or more alerts. If there is currently a playbook running on one or more of the selected alerts, the Run Playbook option does not appear. If a playbook is running on the alert, but has been paused (for example, waiting for a user action), you can select to rerun the playbook or select a new playbook.

  1. Right-click one or more alerts in the Alerts Table or the Alerts & Insights table within an incident and select Run Playbook.

  2. If the alerts have a playbook already assigned, choose Rerun current Playbook or Choose another Playbook. If the playbooks do not have a playbook assigned, Choose a Playbook.

  3. If you are not rerunning the current assigned playbook, select a playbook to run for the selected alert(s).

  4. Run the playbook.

Pivot to Views
Abstract

Pivot to an alert-related view.

From any listed alert you can pivot to the following alert-related views:

  • Open Asset View—Open the Asset View panel and view information related to the alert there.

  • View full endpoint details—View the full details of the endpoint to which the alert relates.

  • View related incident—View information about an incident related to the alert.

  • View Observed Behaviors—View information about observed behaviors that are related to the alert.

To pivot to any of these views:

  1. Right-click a listed alert.

  2. From the pop-up menu, select the view to which you want to pivot.

Create Profile Exceptions
Abstract

For Agent alerts, you can create profile exceptions.

For XDR Agent alerts, you can create profile exceptions for Window processes, BTP, and JAVA deserialization alerts directly from the Alerts table.

  1. Right-click an XDR Agent alert which has a category of Exploit and Create alert exception.

  2. Select an Exception Scope:

    • Global—Apply the exception across your organization.

    • Profile—Apply the exception to an existing profile or click and enter a Profile Name to create a new profile.

  3. Add the scope.

  4. (Optional) View your profile exceptions.

    1. Navigate to EndpointsPolicy ManagementProfiles.

    2. In the Profiles table, locate the OS in which you created your global or profile exception and right-click to view or edit the exception properties.

Add File Path to Malware Profile Allow List
Abstract

Add file path on existing Malware profile.

Add a file path to an existing Malware profile Allow List directly from the Alerts table.

  1. In the Alerts table, select the Initiator Path, CGO path, and/or File Path field values you want to add to your malware profile allow list.

  2. Right-click and select Add <path type> to malware profile allow list.

  3. In the Add <path type> to malware profile allow list dialog, select from your existing Profiles and Modules to which you want to add the file path to the allow list.

  4. (Optional) View your Malware profile allow list.

    1. Navigate to EndpointsPolicy ManagementPreventionProfiles and locate the malware profile you selected.

    2. Right-click, select Edit Profile and locate in the Files / Folders in Allow List section the path file you added.

Create a Featured Alert Field
Abstract

You can label specific alert attributes as Featured Alert Fields.

To better highlight alerts that are significant to you, Cortex XDR enables you to label specific alert attributes as Featured Alert Fields. Featured alert fields help you track in the Alerts Table alerts that involve specific host names, user names, and IP addresses.

  1. Navigate to Incident ResponseIncident ConfigurationFeatured Fields and select a type of featured field:

    • Hosts

    • Users

    • IP Addresses

    • Active Directory

  2. In the field type table, Add featured <field-type> to define a list of alert fields you want to be flagged in the Alerts Table. You can either Create New featured alert field from scratch or Upload from File.

    • To create a new alert field:

    1. Enter one or more field-type values and Add to the list.

    2. (Optional) Add a comment.

    3. Add the featured alert field.

    • To import fields:

    1. Browse or Drag and Drop your CSV file of field values. Download example file to ensure you use the correct format.

    2. Import your file.

  3. (Optional) Manage your featured alert field list.

    • Locate the alert field you want to edit or delete.

    • Right-click and Edit <field-type> to modify the field definition, or Delete Field Name to remove the featured flag.

  4. Investigate alerts that contain the featured alert fields.

    • Navigate to the Alerts Table.

    • In the Alerts table, sort according to the following fields:

      • Contains Featured Host

      • Contains Featured User

      • Contains Featured IP Address

    • In the Alert Name field, Cortex XDR displays alerts that contain a matching featured field value with a featured-alert-field-flag.png flag.

      Note

      Featured Active Directory values are displayed in the User and Host fields accordingly.

    • (Optional) Create an Incident Scoring Rule using the Alert table Contains Featured Field Name fields to further highlight and prioritize alerts containing the Host, User, and IP address attributes.

View Generating BIOC or IOC Rule
Abstract

You can view the BIOC or IOC rules that generated alerts directly from the Alerts table.

Easily view the BIOC or IOC rules that generated alerts directly from the Alerts table.

  1. From the Alerts page, locate alerts with Alert Sources: XDR BIOC and XDR IOC.

  2. Right-click the row, and select Manage AlertView generating rule.

    Cortex XDR opens the BIOC rule that generated the alert in the BIOC Rules page. If the rule has been deleted, an empty table is displayed.

  3. Review the rule, if necessary, right-click to perform available actions.

Retrieve Additional Alert Details
Abstract

You can access additional information relating to an alert.

To easily access additional information relating to an alert:

  1. From the Alerts page, locate the alert for which you want to retrieve information.

  2. Right-click anywhere in the alert, and select one of the following options:

    • Retrieve Additional DataCortex XDR can provide related files and additional analysis of the memory contents when an exploit protection module raises an Alert.

      Note

      This option exists only when the XTH add-on is enabled.

      For tenants without XTH, select Get Causlity Data to analyze additional data.

      • Select Retrieve alert data and analyze to retrieve alert data consisting of the memory contents at the time the alert was raised. You can also enable Cortex XDR to automatically retrieve alert data for every relevant Alert. After Cortex XDR receives the data and performs the analysis, it issues a verdict for the alert. You can monitor the retrieval and analysis progress from the Action Center (pivot to view Additional data). When the analysis is complete, it displays the verdict in the Advanced Analysis field.

      • Select Retrieve related files To further examine files that are involved in an alert, you can request the agent send them to the Cortex XDR tenant. If multiple files are involved, the tenant supports up to 20 files and 200MB in total size. The agent collects all requested files into one archive and includes a log in JSON format containing additional status information. When the files are successfully uploaded, you can download them from the Action Center for up to one week.

    • Retrieve related files—To further examine files that are involved in an alert, you can request the agent send them to the Cortex XDR tenant. If multiple files are involved, the tenant supports up to 20 files and 200MB in total size. The agent collects all requested files into one archive and includes a log in JSON format containing additional status information. When the files are successfully uploaded, you can download them from the Action Center for up to one week.

    • For PAN NGFW source type alerts, Download triggering packet—Download the session PCAP containing the first 100 bytes of the triggering packet directly from Cortex XDR . To access the PCAP, you can download the file from the Alerts table, Incident, or Causality view.

  3. Navigate to ResponseAction Center to view the retrieval status.

  4. Download the retrieved files locally.

    In the Action Center, wait for the data retrieval action to complete successfully. Then, right-click the action row and select Additional Data. From the Detailed Results view, right-click the row and select Download Files. A ZIP folder with the retrieved data is downloaded locally.

    Tip

    If you require assistance from Palo Alto Networks Support to investigate the alert, ensure to provide the downloaded ZIP file.

Export Alert Details to a File
Abstract

You can review alert details offline by exporting alerts to a TSV file.

To archive, continue investigation offline, or parse alert details, you can export alerts to a tab-separated values (TSV) file.

  1. From the Alerts page, adjust the filters to identify the alerts you want to export.

  2. When you are satisfied with the results, click the download icon (download-to-file-icon.png).

    The icon is grayed out when there are no results.

    Cortex XDR exports the filtered result set to the TSV file.

Exclude Alert
Abstract

You can exclude alerts.

To exclude an alert.

  1. From the Alerts page, locate the alert you want to exclude.

  2. Right-click the row, and select Manage AlertExclude Alert.

    A notification displays indicating the exclusion is in progress.

Investigate Contributing Events
Abstract

You can go over events created by an alert.

When managing alerts generated by a Correlation Rule, you can Investigate Contributing Events, which opens a window with all the events created for this alert. You can have up to 1000 events per Correlation Rule. In addition, if the alert generated for this Correlation Rule includes a Drilldown Query, you can select Open drilldown query, which opens a new browser in XQL Search to run this query.

To investigate contributing events.

  1. From the Alerts page, locate the alert you want to investigate contributing events.

  2. Right-click the row, and select Manage AlertInvestigate Contributing Events.

  3. (Optional) Open drilldown query.

    If the Correlation Rule that generated this alert is configured with a Drilldown Query to provide additional information about the alert for further investigation, you can open a new browser in to run the query. This Cortex Query Language (XQL) query can accept parameters from the alert output for the Correlation Rule. If the Correlation Rule that generated this alert does not include a Drilldown QUERY, no link is displayed.XQL Search

    The time frame used to run the Drilldown Query provides more informative details about the alert generated by the Correlation Rule. The alert time frame is the minimum and maximum timestamps of the events for the alert. If there is only one event, the event timestamp is the time frame used for the query.

    1. Select the Open drilldown query link.

      A new browser in XQL Search is opened where you can run the query and any other operations related to XQL Search.

    2. Select Run.

Open Drilldown Query
Abstract

You can drilldown to examine additional information.

When the Correlation Rule that generated an alert is configured with a Drilldown Query to provide additional information about the alert for further investigation, you can open a new browser in to run the query. This Cortex Query Language (XQL) query can accept parameters from the alert output for the Correlation Rule. If the Correlation Rule that generated this alert does not include a Drilldown Query, the option is not available.XQL Search

The time frame used to run the Drilldown Query provides more informative details about the alert generated by the Correlation Rule. The alert time frame is the minimum and maximum timestamps of the events for the alert. If there is only one event, the event timestamp is the time frame used for the query.

To open the Drilldown Query.

  1. From the Alerts page, locate the alert you want to open the Drilldown Query.

  2. Open Drilldown Query.

    You can open the Drilldown Query in the following ways.

    • Select the quick action Open Drilldown Query icon (drilldown-icon.png).

    • Right-click the row, and select Manage AlertOpen Drilldown Query.

    • Right-click the row, and select Manage AlertInvestigate Contributing Events.

    A new browser in XQL Search is opened where you can run the query and any other operations related to XQL Search.

  3. Select Run.

Manage Automation Rules