Investigate Cortex XDR – Analytics Alerts
Investigate Cortex XDR – Analytics alerts to understand the source and reason for the alert, so you can decide what to do about the alert.
Every alert in the Cortex XDR™ – Analytics system is important and should be reviewed by you and your team. However, some alerts are more important and deserve investigative priority. When prioritizing alerts, consider the following:
- Most of the time, Cortex XDR – Analytics will automatically set the status to Low when raising the alert. If it sets the status to Medium or High, there is more certainty that the app detected malicious behavior. You can look in the Administrative Interface audit log to discover whether it was Cortex XDR – Analytics that set an alert to Medium. Sort the audit log by host or user (click on the column header) to quickly drill down to the alert you are investigating.
- The quantity of alerts associated with the host or user. Something or someone with a large number of alerts deserves your attention more than an entity with just one or two alerts.
- Variation in the category of alerts. A host or user exhibiting a varying range of alerts should also receive priority in your investigative efforts.
- The importance of the host or user receiving the alert. An asset that is of great importance to your enterprise arguably should receive priority attention from you even if the number and variation of alerts is low. (For example, a host that is performing database activities should probably receive your attention because the goal of many network attacks is to obtain data.) When prioritizing alerts, consider the risk to your organization if a given asset has been compromised, and set your priorities accordingly. You can frequently identify what actions a host is performing by examining the Behaves like description in the host or user network Profile.
In the Cortex XDR – Analytics Triage page, you can click on the headers for the table columns to sort the table by the information in that table. For example, you can sort by alert severity or number of alerts to help you better prioritize your investigative efforts.
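The four prioritization criteria above can be turned into a repeatable ranking of hosts and users. The following is an added example (not Cortex XDR – Analytics code); the alert records, the asset-importance table and the numeric weights are constructed assumptions, chosen only to show how variation and asset importance can outrank a raw alert count.

```python
from collections import defaultdict

# Constructed sample alerts (not real Cortex XDR - Analytics output).
# Each record carries the attributes the triage guidance asks you to weigh:
# the entity (host or user), the severity the app set, and the alert category.
SAMPLE_ALERTS = [
    {"entity": "db-srv-01", "severity": "Low", "category": "Lateral Movement"},
    {"entity": "db-srv-01", "severity": "Medium", "category": "Exfiltration"},
    {"entity": "db-srv-01", "severity": "Low", "category": "Recon"},
    {"entity": "ws-042", "severity": "Low", "category": "Recon"},
    {"entity": "ws-042", "severity": "Low", "category": "Recon"},
    {"entity": "ws-042", "severity": "Low", "category": "Recon"},
    {"entity": "ws-042", "severity": "Low", "category": "Recon"},
    {"entity": "jsmith", "severity": "High", "category": "Credential Access"},
]

# Assumed asset criticality supplied by the analyst (e.g. from a CMDB),
# on a 1-3 scale; unknown entities default to 1.
ASSET_IMPORTANCE = {"db-srv-01": 3, "jsmith": 2}

# Assumed weights: Medium/High set by the app carry more certainty than Low.
SEVERITY_WEIGHT = {"Low": 1, "Medium": 3, "High": 6}


def score_entities(alerts, importance):
    """Return per-entity scores built from the four triage criteria."""
    by_entity = defaultdict(list)
    for alert in alerts:
        by_entity[alert["entity"]].append(alert)
    scores = {}
    for entity, items in by_entity.items():
        # 1. Severity: the highest severity the app assigned to this entity.
        sev = max(SEVERITY_WEIGHT[a["severity"]] for a in items)
        # 2. Quantity: the number of alerts on this entity.
        count = len(items)
        # 3. Variation: distinct alert categories seen on this entity.
        variety = len({a["category"] for a in items})
        # 4. Importance: criticality multiplies the behavioural evidence.
        imp = importance.get(entity, 1)
        score = (sev + count + 2 * variety) * imp
        scores[entity] = {"score": score, "max_severity": sev,
                          "count": count, "variety": variety, "importance": imp}
    return scores


def prioritize(alerts, importance):
    """Entities ordered from most to least deserving of investigation."""
    scores = score_entities(alerts, importance)
    return sorted(scores, key=lambda e: scores[e]["score"], reverse=True)
```

With the constructed input, the database host (three distinct categories, one Medium, high importance) ranks first, the user with a single High alert second, and the workstation with four identical Low alerts last.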
When investigating alerts, do the following:
- Understand the source of the alert. The Cortex XDR – Analytics Analyst interface shows you the host and/or user that exhibited the suspicious behavior, and whether the alert was generated from endpoint activity, or detected through network traffic. If the source of the behavior is a device, the Analyst interface also identifies the user of the device, if that information is available to Cortex XDR – Analytics.
- Understand the reason for the alert. The alert description will briefly indicate what caused the alert to be raised. You can also review the detailed tables that are available through the host or user details page to gain more insight into the alert. These tables can help you understand the actions that Cortex XDR – Analytics found suspicious, and the network destinations that the host or user accessed. Investigate the source of the threat further in Cortex XDR™ – Investigation and Response by selecting Investigate and viewing the causality chain of activity. Finally, you can review the alert documentation for more information about what causes Cortex XDR – Analytics to raise any given alert.
- Decide if the flagged behavior is legitimate. It is possible for Cortex XDR – Analytics to raise an alert on sanctioned activity.
During the course of your investigation, you should change the alert status as you gain a better understanding of why the alert was raised. You change an alert status by using the Actions menu at the top of the alert details page.
If you believe that the alert:
- Might be valid, then mark it as Medium.
- Is absolutely valid, meaning that an intrusion is in progress on your network, then mark it as High.
Once you have investigated the alert so that you understand it, you can triage it.