The Cortex XSIAM Analytics Engine retrieves logs from the Cortex XSIAM tenant to create a baseline so that it can trigger alerts when abnormal activity occurs. This analysis is highly sophisticated and performed on more than a thousand dimensions of data. Internally, Cortex XSIAM organizes its analytics activity into algorithms called detectors. Each detector is responsible for triggering an alert when suspicious behavior is detected.
To trigger alerts, each detector compares the recent past behavior to the expected baseline by examining the data found in your logs. A certain amount of log file time is required to establish a baseline and then a certain amount of recent log file time is required to identify what is currently happening in your environment.
There are several meaningful time intervals for Cortex XSIAM Analytics detectors:
| Time interval | Description |
|---|---|
| Activation period | The shortest amount of log file time before the app can trigger an alert. This is typically the period between the time a detector first starts running and the time you see an alert. However, in some cases, detectors pause after an upgrade as they enter a new activation period. Most but not all detectors start running after the activation period ends. The activation period provides the detector enough data to establish a baseline, which in turn helps to avoid false positives. The activation period is also called the profiling or waiting period and is informally referred to as soak time. |
| Test period | The amount of logging time that a detector uses to determine if unusual activity is occurring on your network. The detector compares test period data to the baseline created during the training period, and uses that comparison to identify abnormal behavior. |
| Training period | The amount of logging time that the detector requires to establish a baseline, and to identify the behavioral limits beyond which an alert is triggered. Because your network is not static in terms of its topology or usage, detectors are constantly updating the baselines that they require for their analytics. For this update process, the training period is how far back in time the detector goes to update and tune the baseline. This period is also referred to as the baseline period. Note: When establishing a baseline, detectors compute limits beyond which network activity will require an alert. In some cases, detectors do not compute baseline limits; instead they are predetermined by Cortex XSIAM engineers. The engineers determine the values used for predetermined limits using statistical analysis of malicious activity recorded worldwide. The engineers routinely perform this statistical analysis and update the predetermined limits as needed with each release of Cortex XSIAM. |
| Deduplication period | The amount of time in which additional alerts for the same activity or behavior are suppressed before Cortex XSIAM triggers another Analytics alert. |
These time periods are different for every Cortex XSIAM Analytics detector. The actual amount of logging data (measured in time) required to trigger any given Cortex XSIAM Analytics alert is specified in the Cortex XDR Analytics Alert Reference Guide.
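The way the four periods interact is easiest to see in a small simulation. The following is an added toy model, not Cortex XSIAM code: the period lengths, the "hourly count" metric, the mean-plus-three-standard-deviations limit, the class and function names and the sample data are all constructed assumptions. It walks a detector through activation, a normal test window, a first alert, a suppressed repeat inside the deduplication period, and a second alert once that period has elapsed.

```python
"""Toy model of an analytics detector's time windows (constructed example, not Cortex XSIAM code)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import List, Optional, Tuple


@dataclass
class DetectorConfig:
    activation: timedelta  # minimum log time before the detector may alert at all
    training: timedelta    # how far back the baseline reaches, ending where the test window starts
    test: timedelta        # most recent span that is compared against the baseline
    dedup: timedelta       # suppression window after an alert for the same behaviour
    sigma: float = 3.0     # assumed limit: baseline mean + sigma * baseline std dev


@dataclass
class ToyDetector:
    cfg: DetectorConfig
    samples: List[Tuple[datetime, int]] = field(default_factory=list)  # (timestamp, hourly count)
    first_seen: Optional[datetime] = None
    last_alert: Optional[datetime] = None

    def ingest(self, ts: datetime, count: int) -> None:
        if self.first_seen is None or ts < self.first_seen:
            self.first_seen = ts
        self.samples.append((ts, count))

    def evaluate(self, now: datetime) -> Tuple[str, dict]:
        """Return (decision, details) for the log time available at `now`."""
        # Activation period: no alert is possible until enough log time has accumulated.
        if self.first_seen is None or now - self.first_seen < self.cfg.activation:
            return "activating", {}
        test_start = now - self.cfg.test
        train_start = test_start - self.cfg.training
        # Training window supplies the baseline; test window is what is judged against it.
        baseline = [c for ts, c in self.samples if train_start <= ts < test_start]
        recent = [c for ts, c in self.samples if test_start <= ts <= now]
        if len(baseline) < 2 or not recent:
            return "insufficient-data", {}
        # Floor the spread at 1.0 so a perfectly flat baseline does not produce a zero-width limit.
        limit = mean(baseline) + self.cfg.sigma * max(pstdev(baseline), 1.0)
        observed = mean(recent)
        details = {"limit": round(limit, 2), "observed": round(observed, 2)}
        if observed <= limit:
            return "normal", details
        # Deduplication period: the same behaviour does not re-alert until the window expires.
        if self.last_alert is not None and now - self.last_alert < self.cfg.dedup:
            return "suppressed", details
        self.last_alert = now
        return "alert", details


def build_demo_detector() -> Tuple[ToyDetector, datetime]:
    """Constructed data: 8 days of quiet hourly counts (4..6), then 40 per hour on day 9."""
    cfg = DetectorConfig(activation=timedelta(days=7), training=timedelta(days=7),
                         test=timedelta(hours=24), dedup=timedelta(hours=6))
    det = ToyDetector(cfg)
    t0 = datetime(2024, 1, 1)
    quiet = [4, 5, 6, 5]
    for h in range(8 * 24):
        det.ingest(t0 + timedelta(hours=h), quiet[h % 4])
    for h in range(8 * 24, 9 * 24):
        det.ingest(t0 + timedelta(hours=h), 40)
    return det, t0


def run_demo() -> List[Tuple[str, str]]:
    det, t0 = build_demo_detector()
    checkpoints = [
        ("day 3", t0 + timedelta(days=3)),                 # still inside the activation period
        ("day 8", t0 + timedelta(days=8)),                 # baseline ready, test window still quiet
        ("day 9", t0 + timedelta(days=9)),                 # test window is all spike: alert
        ("day 9 + 2h", t0 + timedelta(days=9, hours=2)),   # inside deduplication period
        ("day 9 + 8h", t0 + timedelta(days=9, hours=8)),   # deduplication period elapsed
    ]
    return [(label, det.evaluate(when)[0]) for label, when in checkpoints]


if __name__ == "__main__":
    for label, decision in run_demo():
        print(f"{label:>11}: {decision}")
```

Two things the run makes visible that the table only states: the detector stays silent for the whole activation period regardless of what the logs contain, and between the two alerts the computed limit rises as the anomalous hours slide into the training window, which is the "constantly updating the baseline" behaviour described for the training period.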