New Features: May 2019
|Mobile Endpoint Coverage through GlobalProtect and GlobalProtect Cloud Service|
The Cortex XDR™ – Analytics app can now detect threats on mobile endpoints that roam outside of your firewall-protected environment by examining GlobalProtect™ and GlobalProtect cloud service VPN traffic. After you identify the IP address pools of your mobile users, the app analyzes the VPN traffic from those pools and creates a Mobile VPN device type keyed by the username associated with the traffic. The app raises the same alerts as in a firewall-only deployment and associates those alerts with the Mobile VPN device type.
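The attribution step above is the part worth getting right: a VPN pool address belongs to whoever holds the session at that moment, so per-entity baselines for roaming users have to be keyed by username rather than by source IP. The following is an added illustration, not Cortex XDR – Analytics code; the pool ranges, the record layout (source IP, User-ID username, destination IP) and the sample records are all constructed for the example.

```python
"""Attribute VPN-pool traffic to a user-keyed Mobile VPN entity.

Added example, not Cortex XDR code. Pool ranges, log fields and sample records
are assumptions. Addresses in a VPN pool are handed out per session, so a
roaming user is tracked by username, not by the source IP of the moment.
"""
import ipaddress
from collections import defaultdict

# Assumed GlobalProtect IP address pools (private ranges chosen for the example).
VPN_POOLS = [ipaddress.ip_network("10.200.0.0/22"),
             ipaddress.ip_network("172.16.100.0/24")]

# Constructed traffic records: (source IP, User-ID username or "", destination IP).
SAMPLE_TRAFFIC = [
    ("10.200.1.15", "alice", "203.0.113.9"),
    ("10.200.1.15", "alice", "198.51.100.3"),
    ("10.200.1.77", "alice", "203.0.113.9"),   # alice reconnected and got a new pool IP
    ("10.200.1.15", "bob", "192.0.2.8"),       # the first IP was reassigned to bob
    ("10.5.5.5", "", "198.51.100.3"),          # on-premises host, no VPN, no user
    ("10.5.5.5", "carol", "203.0.113.9"),
    ("10.200.2.3", "", "192.0.2.8"),           # pool IP with no user mapping: cannot attribute
]


def in_vpn_pool(ip):
    """True when the address falls inside one of the configured VPN pools."""
    addr = ipaddress.ip_address(ip)
    return any(addr in pool for pool in VPN_POOLS)


def entity_for(src_ip, user):
    """Return the entity key a detector should aggregate this flow under.

    Pool addresses are keyed by user ("mobile_vpn", user); everything else is
    keyed by host address. A pool address with no username cannot be attributed,
    so None is returned and the caller keeps the record aside for review.
    """
    if in_vpn_pool(src_ip):
        return ("mobile_vpn", user) if user else None
    return ("host", src_ip)


def attribute_traffic(records):
    """Group destinations per entity; return (attributed, unattributed)."""
    attributed = defaultdict(set)
    unattributed = []
    for src, user, dst in records:
        key = entity_for(src, user)
        if key is None:
            unattributed.append((src, user, dst))
        else:
            attributed[key].add(dst)
    return dict(attributed), unattributed


if __name__ == "__main__":
    done, leftover = attribute_traffic(SAMPLE_TRAFFIC)
    for key, dsts in sorted(done.items()):
        print(key, sorted(dsts))
    print("unattributed:", leftover)
```

Note that alice's two pool addresses collapse into one entity while bob, who later received alice's first address, stays separate; an IP-keyed baseline would have merged the two users and split alice across two hosts.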
|New DNS Tunneling Alert|
When the Cortex XDR – Analytics app detects unusual DNS queries or responses, the app can now raise the DNS Tunneling alert. DNS lookups are a routine part of internet traffic, but DNS can also carry communication between malware and a command-and-control server, or be used to exfiltrate data from your network by encoding it into query names.
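What makes tunneled DNS "unusual" is visible in the query names themselves: long, high-entropy labels and a stream of never-repeating subdomains under one parent domain, because each query has to carry a fresh chunk of data. The example below is added here to show that kind of heuristic over a constructed set of queries; it is not the Cortex XDR – Analytics detector. The thresholds are illustrative assumptions, and the parent domain is approximated as the last two labels rather than via the public suffix list.

```python
"""Heuristic DNS tunneling detector over constructed sample queries.

Added example, not Cortex XDR code. Scores each parent domain on three signals
tunnels tend to show: long leftmost labels, high label entropy, and many distinct
subdomains. Thresholds are illustrative assumptions, to be tuned per environment.
"""
import math
from collections import defaultdict

# Constructed sample DNS query names; not real telemetry.
SAMPLE_QUERIES = [
    "www.example.com", "mail.example.com", "cdn.example.com",
    "api.example.com", "login.example.com", "www.example.com",
    "docs.example.org",
    # Six queries to one parent, each carrying a 32-hex-character label,
    # the shape a tunnel produces when it encodes data into labels.
    "3f9a2c7e1b8d4f60a9c3e5b7d1f2a4c6.t.example.net",
    "7d1e4b2a9c0f6e83b5a2d7c1e9f04b6a.t.example.net",
    "a4c8e2f61b3d5079c2e4a6b8d0f1c3e5.t.example.net",
    "0b6d2f8a4c1e3957e8a0c2b4d6f1a3c5.t.example.net",
    "9e3c7a1f5b0d2684f6c8a2e4b0d1c3a7.t.example.net",
    "c5a1e9d3b7f20468" "10a3c5e7b9d1f2a4.t.example.net",
]

# Illustrative thresholds (assumptions).
MIN_UNIQUE_SUBDOMAINS = 5
MIN_AVG_LABEL_LEN = 20
MIN_AVG_ENTROPY = 3.0


def shannon_entropy(text):
    """Bits per character of a label; random hex tops out at 4.0."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_query(name):
    """Return (parent_domain, subdomain, leftmost_label).

    Parent is taken as the last two labels (assumption for a self-contained
    example); a production detector would use the public suffix list.
    """
    labels = name.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return name.lower(), "", ""
    return ".".join(labels[-2:]), ".".join(labels[:-2]), labels[0]


def profile_domains(queries):
    """Aggregate per-parent-domain statistics over the query stream."""
    buckets = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0})
    for q in queries:
        parent, sub, label = split_query(q)
        if not sub:
            continue  # bare apex lookups carry no encoded data
        b = buckets[parent]
        b["n"] += 1
        b["subs"].add(sub)
        b["len"] += len(label)
        b["ent"] += shannon_entropy(label)
    return {parent: {"queries": b["n"],
                     "unique_subdomains": len(b["subs"]),
                     "avg_label_len": b["len"] / b["n"],
                     "avg_entropy": b["ent"] / b["n"]}
            for parent, b in buckets.items()}


def tunnel_candidates(queries):
    """Parents whose subdomain labels look like encoded payload, not hostnames."""
    flagged = []
    for parent, p in profile_domains(queries).items():
        if (p["unique_subdomains"] >= MIN_UNIQUE_SUBDOMAINS
                and p["avg_label_len"] >= MIN_AVG_LABEL_LEN
                and p["avg_entropy"] >= MIN_AVG_ENTROPY):
            flagged.append(parent)
    return sorted(flagged)


if __name__ == "__main__":
    for parent, p in profile_domains(SAMPLE_QUERIES).items():
        print(f"{parent:14} n={p['queries']} uniq={p['unique_subdomains']} "
              f"len={p['avg_label_len']:.1f} H={p['avg_entropy']:.2f}")
    print("tunnel candidates:", tunnel_candidates(SAMPLE_QUERIES))
```

In the sample, example.com also has five distinct subdomains, but its labels are short and low-entropy, so only the three signals together separate it from the tunnel domain; any one of them alone produces false positives on CDNs and service-discovery names.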
|New Alert for Recurring Rare IP Access|
Cortex XDR – Analytics can now raise the Recurring Rare IP Access alert when it identifies connection patterns consistent with command-and-control activity. To identify this type of activity, the app analyzes recurring connections to external hosts and determines whether those connections are anomalous for endpoints within your network. The app can detect this behavior using either firewall or endpoint activity logs. For higher detection accuracy, you can also enable Enhanced Application logs on your firewalls.
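The two halves of that description map onto two measurable properties of a (source, destination) pair: rarity, meaning few hosts in the fleet ever contact the destination, and recurrence, meaning the one host that does contacts it again and again, typically at near-constant intervals, which is what a beaconing implant looks like. The following is an added example of that logic run over a constructed firewall-style log; it is not the Cortex XDR – Analytics implementation, and the log layout (time,src_ip,dst_ip,dst_port) and thresholds are assumptions.

```python
"""Recurring rare IP access: flag (source, destination) pairs where the
destination is contacted by few hosts fleet-wide (rare) and the host that
does talk to it does so repeatedly and at regular intervals (recurring).

Added example, not Cortex XDR code; log format and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed firewall-style traffic log: time,src_ip,dst_ip,dst_port (not real data).
SAMPLE_LOG = """\
2019-05-03T08:02:11Z,10.1.1.20,203.0.113.7,443
2019-05-03T08:05:00Z,10.1.1.20,198.51.100.10,443
2019-05-03T08:07:19Z,10.1.1.21,198.51.100.10,443
2019-05-03T08:09:45Z,10.1.1.22,198.51.100.10,443
2019-05-03T08:11:02Z,10.1.1.23,198.51.100.10,443
2019-05-03T09:01:40Z,10.1.1.20,203.0.113.7,443
2019-05-03T09:30:00Z,10.1.1.21,192.0.2.44,8443
2019-05-03T10:03:05Z,10.1.1.20,203.0.113.7,443
2019-05-03T11:00:58Z,10.1.1.20,203.0.113.7,443
2019-05-03T12:02:30Z,10.1.1.20,203.0.113.7,443
2019-05-03T12:45:10Z,10.1.1.22,198.51.100.10,443
2019-05-03T13:01:12Z,10.1.1.20,203.0.113.7,443
2019-05-03T14:03:44Z,10.1.1.20,203.0.113.7,443
2019-05-03T15:02:05Z,10.1.1.20,203.0.113.7,443
"""

RARE_MAX_SOURCES = 2   # destination seen from at most this many internal hosts
MIN_HOUR_BUCKETS = 4   # connections spread over at least this many distinct hours
MAX_INTERVAL_CV = 0.5  # stdev/mean of inter-connection gaps; low means beacon-like


def parse_log(text):
    """Parse the assumed CSV layout into (timestamp, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split(",")
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port)))
    return records


def destination_prevalence(records):
    """How many distinct internal sources contacted each destination."""
    sources = defaultdict(set)
    for _, src, dst, _ in records:
        sources[dst].add(src)
    return {dst: len(s) for dst, s in sources.items()}


def interval_cv(timestamps):
    """Coefficient of variation of gaps between consecutive connections."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def recurring_rare_access(records):
    """Return findings for pairs that are both rare fleet-wide and recurring."""
    prevalence = destination_prevalence(records)
    per_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        per_pair[(src, dst)].append(ts)
    findings = []
    for (src, dst), times in per_pair.items():
        if prevalence[dst] > RARE_MAX_SOURCES:
            continue  # common destination, not rare
        hours = {t.replace(minute=0, second=0, microsecond=0) for t in times}
        cv = interval_cv(times)
        if len(hours) < MIN_HOUR_BUCKETS or cv is None or cv > MAX_INTERVAL_CV:
            continue  # rare, but a one-off or irregular, so not recurring
        findings.append({"src": src, "dst": dst, "connections": len(times),
                         "hour_buckets": len(hours), "interval_cv": round(cv, 3)})
    return findings


if __name__ == "__main__":
    for f in recurring_rare_access(parse_log(SAMPLE_LOG)):
        print(f)
```

In the sample, 198.51.100.10 is contacted by four hosts and is therefore not rare, 192.0.2.44 is rare but seen once, and only the hourly 10.1.1.20 to 203.0.113.7 pattern survives both tests. Prevalence is the signal that needs the widest data set; endpoint-only deployments see it per host, which is why the page recommends Enhanced Application logs for better accuracy.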
|Alerts for Endpoint Behavior|
If you use Traps to monitor endpoint activity, Cortex XDR – Analytics can now raise the following alerts based on uncommon or rare endpoint behavior:
|Additional Endpoint-Generated Alert Support|
The app can now raise the following alerts, which previously required firewall logs, in Traps-only deployments without next-generation firewalls:
See Possible Cortex XDR – Analytics Alerts for all alerts by log source.
Cortex XDR – Analytics Alert Reference: includes the symptoms of each alert, how the symptoms are detected, and what should be done about the alert. ...
Possible Cortex XDR – Analytics Alerts: all possible Cortex XDR – Analytics alerts grouped by attack category. ...
Uncommon Local Scheduled Task Creation via schtasks.exe: indicates an uncommonly scheduled task ...
Uncommon Remote Scheduled Task Creation via schtasks.exe: indicates the uncommon scheduling of a task on a ...
Uncommon ARP Cache Listing via arp.exe: indicates the uncommon listing of the ARP cache through the arp.exe ...
Uncommon Net Group Execution: indicates the net group command was used on an endpoint. ...
Cortex XDR – Analytics Command and Control Alerts ...
Get Started with Cortex XDR – Analytics: Cortex XDR – Analytics is a network security tool designed to automatically detect and report on malicious network intrusions. ... Cortex XDR – Analytics detectors require data to operate. Usually this data is found in specific next-generation log files. ...