Analytics engine - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-13
Category
Administrator Guide

Cortex XSIAM uses its Analytics Engine to examine logs and data retrieved from your sensors on the Cortex XSIAM tenant to build an activity baseline and to recognize abnormal activity when it occurs. The Analytics Engine accesses your logs as they are streamed to the Cortex XSIAM tenant, including any firewall data, and analyzes the information as soon as it arrives. Cortex XSIAM triggers an Analytics alert when the Analytics Engine detects an anomaly.

The Analytics Engine examines traffic and data from a variety of sources, such as network activity from firewall logs, VPN logs (from Prisma Access via the Panorama plugin), endpoint activity data (from Windows endpoints), Active Directory, or a combination of these sources, to identify the endpoints and users on your network. After identifying the endpoints and users, the Analytics Engine collects relevant details about each asset from the information in the logs to create profiles. The Analytics Engine can detect threats from network data alone or endpoint data alone, but for more context when investigating an alert, we recommend using a combination of data sources.

Cortex XSIAM also enables analytics to run on all mapped network and authentication data. For more information, see MODEL.

The Analytics Engine creates and maintains profiles to view the activity of the endpoint or user in context by comparing it to similar endpoints or users. The large number of profile types can generally be placed into one of three categories.

  • Peer Group profiles: A statistical analysis of an entity or an entity relation that compares activities from multiple entities in a peer group. For example, a domain can have a cross-organization popularity profile or a per-peer-group popularity profile.

  • Temporal profiles: A statistical analysis of an entity or an entity relation that compares the same entity to itself over time. For example, a host can have a profile based on the number of ports it accessed in the past.

  • Entity classification: A model detecting the role of an entity. For example, users can be classified as service accounts, and hosts as domain controllers.
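The following Python sketch is an added illustration of the three profile categories above; it is not Cortex XSIAM code, and the record layout, the constructed sample traffic, the baseline window, the anomaly threshold (mean plus three spreads, with an assumed spread floor) and the domain-controller heuristic are all assumptions made for this example. It builds a per-peer-group and cross-organization popularity profile for each destination, a temporal profile of how many distinct ports a host reaches per day compared with its own history, and a crude role classification of destinations.

```python
"""Added illustration of peer-group, temporal and classification profiles.

Not Cortex XSIAM code: the record layout, thresholds and the domain-controller
heuristic below are assumptions made for this example only.
"""
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

# One simplified connection record: which host (in which peer group) reached
# which destination name on which port, on which day.
Record = namedtuple("Record", "day host peer_group domain port")

# Constructed baseline traffic repeated every day (not real telemetry).
_DAILY = [
    ("ws-01", "finance", "intranet.example", 88),
    ("ws-01", "finance", "intranet.example", 389),
    ("ws-02", "finance", "intranet.example", 88),
    ("ws-02", "finance", "payroll.example", 443),
    ("ws-03", "engineering", "intranet.example", 88),
    ("ws-03", "engineering", "git.example", 22),
    ("ws-04", "engineering", "git.example", 22),
]


def build_sample_logs():
    """Five days of constructed records; day 5 adds a burst of new ports from ws-01."""
    logs = [Record(day, *r) for day in range(1, 6) for r in _DAILY]
    logs.append(Record(3, "ws-01", "finance", "git.example", 443))  # one-off variation
    for port in (21, 23, 445, 3389, 5900, 8080):
        logs.append(Record(5, "ws-01", "finance", "files.example", port))
    return logs


SAMPLE_LOGS = build_sample_logs()


def peer_group_popularity(logs):
    """Peer-group profile: fraction of hosts per peer group (and org-wide) that
    contacted each destination at least once in the given window."""
    hosts_in_group = defaultdict(set)
    contacted = defaultdict(set)      # (peer_group, domain) -> hosts
    contacted_org = defaultdict(set)  # domain -> hosts
    all_hosts = set()
    for rec in logs:
        hosts_in_group[rec.peer_group].add(rec.host)
        all_hosts.add(rec.host)
        contacted[(rec.peer_group, rec.domain)].add(rec.host)
        contacted_org[rec.domain].add(rec.host)
    per_group = {key: len(hosts) / len(hosts_in_group[key[0]])
                 for key, hosts in contacted.items()}
    cross_org = {domain: len(hosts) / len(all_hosts)
                 for domain, hosts in contacted_org.items()}
    return per_group, cross_org


def temporal_port_profile(logs, host, day, k=3.0, min_spread=1.0):
    """Temporal profile: compare the number of distinct ports `host` reached on
    `day` with its own earlier days. The spread floor (assumed) stops a flat
    baseline from flagging every small change."""
    ports_by_day = defaultdict(set)
    for rec in logs:
        if rec.host == host:
            ports_by_day[rec.day].add(rec.port)
    history = [len(ports) for d, ports in sorted(ports_by_day.items()) if d < day]
    today = len(ports_by_day.get(day, set()))
    if len(history) < 2:  # not enough history to form a baseline
        return {"host": host, "day": day, "count": today,
                "baseline": None, "threshold": None, "anomaly": False}
    baseline = mean(history)
    threshold = baseline + k * max(pstdev(history), min_spread)
    return {"host": host, "day": day, "count": today,
            "baseline": baseline, "threshold": threshold,
            "anomaly": today > threshold}


def classify_destinations(logs, min_clients=2):
    """Entity classification: a destination that serves Kerberos (88) or LDAP
    (389) to several distinct hosts is labelled a domain controller (assumed
    heuristic); everything else stays unclassified."""
    dc_clients = defaultdict(set)
    roles = {}
    for rec in logs:
        roles.setdefault(rec.domain, "unclassified")
        if rec.port in (88, 389):
            dc_clients[rec.domain].add(rec.host)
    for domain, clients in dc_clients.items():
        if len(clients) >= min_clients:
            roles[domain] = "domain controller"
    return roles


if __name__ == "__main__":
    baseline_window = [r for r in SAMPLE_LOGS if r.day <= 4]
    per_group, cross_org = peer_group_popularity(baseline_window)
    print("finance -> payroll.example popularity:", per_group[("finance", "payroll.example")])
    print("org-wide intranet.example popularity:", cross_org["intranet.example"])
    print(temporal_port_profile(SAMPLE_LOGS, "ws-01", 5))
    print(classify_destinations(baseline_window))
```

On the constructed data, `files.example` never appears in the finance peer group's baseline window, and ws-01 reaches eight distinct ports on day 5 against a history of two or three, so the temporal profile flags that day while ws-02, whose port count is unchanged, is not flagged. The same structure is what makes combining data sources valuable in practice: the peer-group view tells you whether a destination is new for that group, the temporal view tells you whether the entity's own behaviour changed, and the classification tells you what kind of asset is involved.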