Investigate Cortex XDR – Analytics Alerts

Investigate Cortex XDR – Analytics alerts to understand the source and reason for the alert, so you can decide what to do about the alert.
Every alert in the Cortex XDR™ – Analytics system is important and should be reviewed by you and your team. However, some alerts are more important and deserve investigative priority. When prioritizing alerts, consider the following:
  • Most of the time, Cortex XDR – Analytics will automatically set the status to Low when raising the alert. If it sets the status to Medium or High, there is more certainty that the app detected malicious behavior.
    You can look in the Administrative Interface audit log to discover if it was Cortex XDR – Analytics that set an alert to Medium. Sort the audit log by host or user (click on the column header) to quickly drill down to the alert you are investigating.
  • The quantity of alerts associated with the host or user. Something or someone with a large number of alerts deserves your attention more than an entity with just one or two alerts.
  • Variation in the category of alerts. A host or user exhibiting a varying range of alerts should also receive priority in your investigative efforts.
  • The importance of the host or user receiving the alert. An asset that is of great importance to your enterprise arguably should receive priority attention from you even if the number and variation of alerts are low. (For example, a host that is performing database activities should probably receive your attention because the goal of many network attacks is to obtain data.) When prioritizing alerts, consider the risk to your organization if a given asset has been compromised, and set your priorities accordingly.
    You can frequently identify what actions a host is performing by examining the Behaves like description in the host or user network Profile.
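The four prioritization factors above (severity as set by the app, number of alerts per host or user, variation in alert category, and the importance of the asset) can be combined into a single ranking when you have exported the alert list. The following is an added example, not code from Cortex XDR – Analytics or Palo Alto Networks; the severity weights, the variation bonus, the asset criticality multipliers, the entity names and the alert categories are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed weights for this example: a Medium or High status set by the app
# carries more certainty than the default Low, so it counts for more.
SEVERITY_WEIGHT = {"Low": 1, "Medium": 3, "High": 5}


@dataclass(frozen=True)
class Alert:
    entity: str    # host name or user name the alert is attached to
    severity: str  # "Low", "Medium" or "High"
    category: str  # alert category (constructed names below)


def entity_priority(alerts, asset_criticality, default_criticality=1.0):
    """Rank hosts/users for investigation.

    Returns a list of (entity, score, details) sorted by descending score.
    score = (sum of severity weights + bonus per extra distinct category)
            * asset criticality multiplier
    """
    by_entity = defaultdict(list)
    for alert in alerts:
        by_entity[alert.entity].append(alert)

    ranked = []
    for entity, items in by_entity.items():
        # Factor 1 and 2: severity and quantity, combined as a weighted sum
        severity_sum = sum(SEVERITY_WEIGHT.get(a.severity, 0) for a in items)
        # Factor 3: variation across alert categories (assumed 2 points per extra category)
        categories = {a.category for a in items}
        variation_bonus = 2 * (len(categories) - 1)
        # Factor 4: importance of the asset; unknown assets get the default
        crit = asset_criticality.get(entity, default_criticality)
        score = (severity_sum + variation_bonus) * crit
        ranked.append((entity, score, {
            "alerts": len(items),
            "categories": sorted(categories),
            "criticality": crit,
        }))

    # Highest score first; ties broken by entity name for a stable listing
    ranked.sort(key=lambda r: (-r[1], r[0]))
    return ranked


# Constructed sample alerts (not real data)
SAMPLE_ALERTS = [
    Alert("ws-finance-12", "Low", "Command and Control"),
    Alert("ws-finance-12", "Low", "Lateral Movement"),
    Alert("ws-finance-12", "Medium", "Lateral Movement"),
    Alert("db-prod-01", "Low", "Exfiltration"),
    Alert("jdoe", "Low", "Credential Access"),
    Alert("jdoe", "Low", "Credential Access"),
    Alert("jdoe", "Low", "Credential Access"),
    Alert("jdoe", "Low", "Credential Access"),
]

# Constructed asset criticality: the database host is weighted highest, so its
# single Low alert ties with a user who has four Low alerts of one category.
SAMPLE_CRITICALITY = {"db-prod-01": 4.0, "ws-finance-12": 1.5}


def main():
    for entity, score, details in entity_priority(SAMPLE_ALERTS, SAMPLE_CRITICALITY):
        print(f"{entity:15} score={score:6.1f} {details}")


if __name__ == "__main__":
    main()
```

With these constructed inputs the finance workstation ranks first (a Medium alert plus two categories), and the database host with one Low alert scores the same as a user with four Low alerts of a single category, which is the effect of the asset-importance factor described above.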
In the Cortex XDR – Analytics Triage page, you can click on a table column header to sort the table by the information in that column. For example, you can sort by alert severity or number of alerts to help you better prioritize your investigative efforts.
When investigating alerts, do the following:
  1. Understand the source of the alert. The Cortex XDR – Analytics Analyst interface shows you the host and/or user that exhibited the suspicious behavior, and whether the alert was generated from endpoint activity or detected through network traffic. If the source of the behavior is a device, the Analyst interface also identifies the user of the device, if that information is available to Cortex XDR – Analytics.
  2. Understand the reason for the alert. The alert description briefly indicates what caused the alert to be raised. You can also review the detailed tables that are available through the host or user details page to gain more insight into the alert. These tables can help you understand the actions that Cortex XDR – Analytics found suspicious, and the network destinations that the host or user accessed. Investigate the source of the threat further in Cortex XDR™ – Investigation and Response by selecting Investigate to see the causality chain of activity. Finally, you can review the alert documentation for more information about what causes Cortex XDR – Analytics to raise any given alert.
  3. Decide if the flagged behavior is legitimate. It is possible for Cortex XDR – Analytics to raise an alert on sanctioned activity.
During the course of your investigation, you should change the alert status as you gain a better understanding of why the alert was raised. You change an alert status by using the Actions menu at the top of the alert details page.
If you believe that the alert:
  • Might be valid, then mark it as Medium.
  • Is absolutely valid, meaning that an intrusion is in progress on your network, then mark it as High.
Once you have investigated the alert so that you understand it, you can triage it.