The Cortex XSIAM Analytics engine triggers an alert when it detects suspicious activity, composed of multiple events, that deviates from the behavior baseline it establishes over time. To ensure that the Analytics detectors trigger alerts efficiently and do not overcrowd your Issues table, Cortex XSIAM automatically disables alerts from any detector that reaches 5000 or more matches within a 24-hour period.
In addition to standard Analytics alerts, there is another category of alerts triggered by Analytics behavioral indicators of compromise (ABIOCs). In contrast to standard Analytics alerts, an ABIOC indicates a single event of suspicious behavior with an identified chain of causality. To establish the context and chain of causality, ABIOCs leverage user, endpoint, and network profiles. Each profile is generated by the Analytics engine and can be based on a simple statistical profile or a more complex machine-learning profile. Cortex XSIAM tailors each ABIOC to your specific environment after analyzing your logs and data sources, and it continually tunes existing ABIOCs and delivers new ones through content updates.
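As an added illustration (not Cortex XSIAM code, and not a description of how its detectors are implemented), the following Python sketches both mechanisms described above: a simple statistical profile built per user that flags an event deviating from that user's own baseline, and the rate rule that mutes a detector once it reaches 5000 matches within a sliding 24-hour window. The choice of daily outbound volume as the profiled feature, the z-score threshold of 3, and all sample data are assumptions constructed for the example.

```python
"""
Toy behavioral-baseline detector (added example, not Cortex XSIAM code).
The profiled feature, the z-score threshold and the sample data below are
assumptions made for illustration only.
"""
from collections import deque
from datetime import datetime, timedelta
from statistics import mean, pstdev

DISABLE_THRESHOLD = 5000            # matches inside one window mute the detector
DISABLE_WINDOW = timedelta(hours=24)

# Constructed sample: daily outbound byte totals per user over a 7-day learning period.
BASELINE_HISTORY = {
    "alice": [210_000, 198_000, 225_000, 205_000, 190_000, 215_000, 202_000],
    "bob":   [1_200_000, 1_150_000, 1_300_000, 1_250_000, 1_100_000, 1_280_000, 1_220_000],
}


def build_profile(history):
    """Simple statistical profile: mean and population std-dev of each entity's history."""
    return {entity: (mean(vals), pstdev(vals)) for entity, vals in history.items()}


def deviation(profile, entity, value, min_stdev=1.0):
    """Z-score of a new observation against that entity's own baseline (None if unprofiled).
    min_stdev keeps a perfectly flat history from turning any change into infinity."""
    if entity not in profile:
        return None
    mu, sigma = profile[entity]
    return (value - mu) / max(sigma, min_stdev)


def is_anomalous(profile, entity, value, threshold=3.0):
    """Flag only upward deviations beyond `threshold` standard deviations."""
    z = deviation(profile, entity, value)
    return z is not None and z > threshold


class DetectorGuard:
    """Mutes a detector once it has produced `threshold` matches inside a sliding `window`."""

    def __init__(self, threshold=DISABLE_THRESHOLD, window=DISABLE_WINDOW):
        self.threshold = threshold
        self.window = window
        self.matches = deque()      # timestamps of recent matches, oldest first
        self.enabled = True

    def record(self, ts):
        """Register a match at time `ts`; return True if the detector is still enabled."""
        if not self.enabled:
            return False
        self.matches.append(ts)
        while self.matches and ts - self.matches[0] >= self.window:
            self.matches.popleft()   # drop matches that have aged out of the window
        if len(self.matches) >= self.threshold:
            self.enabled = False
        return self.enabled


def run_guard(match_offsets_hours, threshold=DISABLE_THRESHOLD):
    """Feed matches at the given hour offsets through a fresh guard.
    Returns (still_enabled, number_of_matches_accepted_before_muting)."""
    guard = DetectorGuard(threshold=threshold)
    start = datetime(2024, 1, 1)   # arbitrary constructed epoch for the example
    accepted = 0
    for h in match_offsets_hours:
        if guard.record(start + timedelta(hours=h)):
            accepted += 1
    return guard.enabled, accepted


if __name__ == "__main__":
    profile = build_profile(BASELINE_HISTORY)
    for user, today in [("alice", 250_000), ("bob", 250_000), ("bob", 1_300_000), ("carol", 50_000)]:
        verdict = "alert" if is_anomalous(profile, user, today) else "ok"
        print(f"{user:6} {today:>9} z={deviation(profile, user, today)} {verdict}")
    # 5000 matches inside five hours mutes the detector; the same 5000 matches
    # spread over ten days never exceed the window threshold.
    print(run_guard([i / 1000 for i in range(5000)]))
    print(run_guard([i * 0.05 for i in range(5000)]))
```

The same absolute value (250,000 bytes) is flagged for alice but is normal for bob, which is the point of a per-entity baseline: the profile, not a fixed number, decides what is suspicious. The guard measures burstiness rather than lifetime volume, so a detector that legitimately fires a few hundred times a day keeps running while one that floods the Issues table in a few hours is muted.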