Alerts
Cortex XDR provides an Alerts table that you can use to view all the alerts reported to and surfaced from your Cortex XDR instance.

The Alerts page displays a table of all alerts in Cortex XDR. The Alerts page consolidates non-informational alerts from your detection sources to enable you to efficiently and effectively triage the events you see each day. By analyzing the alert, you can better understand the cause of what happened and the full story, with context, to validate whether an alert requires additional action. Cortex XDR supports saving 2M alerts per 4000 agents or 20 terabytes; half of the alerts are allocated for informational alerts, and half for severity alerts.

To view detailed information for an alert, you can also view details in the Causality View. From this view you can also view related informational alerts that are not presented on the Alerts page.

By default, the Alerts page displays the alerts that it received over the last seven days (to modify the time period, use the page filters). Every 12 hours, Cortex XDR enforces a cleanup policy to remove the oldest alerts that exceed the maximum alerts limit.

Cortex XDR processes and displays the names of users in the following standardized format, also termed "normalized user":

`<company domain>\<username>`

As a result, any alert triggered based on network, authentication, or login events displays the User Name in the standardized format in the Alerts and Incidents pages. This impacts every alert for Cortex XDR Analytics and Cortex XDR Analytics BIOC, including BIOC and IOC alerts triggered on one of these event types.

The following table describes both the default fields and the additional optional fields that you can add to the alerts table using the column manager, and lists the fields in alphabetical order.
Field | Description |
---|---|
Status Indicator | Identifies whether there is enough endpoint data to analyze an alert. |
(check box) | Check box to select one or more alerts on which to perform actions. Select multiple alerts to assign all selected alerts to an analyst, or to change the status or severity of all selected alerts. |
ACTION | Action taken by the alert sensor, either Detected or Prevented, with the action status displayed in parentheses. Options are: |
AGENT OS SUB TYPE | The operating system subtype of the agent from which the alert was triggered. |
ALERT ID | A unique identifier that Cortex XDR assigns to each alert. |
ALERT NAME | Module that triggered the alert. Alerts that match an alert starring policy also display a purple star. |
ALERT SOURCE | Source of the alert: XDR Agent. |
APP-ID | Related App-ID for an alert. App-ID is a traffic classification system that determines what an application is irrespective of port, protocol, encryption (SSH or SSL), or any other evasive tactic used by the application. When known, you can also pivot to the Palo Alto Networks Applipedia entry that describes the detected application. |
APP CATEGORY | App-ID category name associated with a firewall alert. |
APP SUBCATEGORY | App-ID subcategory name associated with a firewall alert. |
APP TECHNOLOGY | App-ID technology name associated with a firewall alert. |
CATEGORY | Alert category based on the alert source. An example of an XDR Agent alert category is Exploit Modules. |
CGO CMD | Command-line arguments of the Causality Group Owner (CGO). |
CGO MD5 | The MD5 value of the CGO that initiated the alert. |
CGO NAME | The name of the process that started the causality chain, based on Cortex XDR causality logic. |
CGO SHA256 | The SHA256 value of the CGO that initiated the alert. |
CGO SIGNATURE | Signing status of the CGO: |
CGO SIGNER | The name of the software publishing vendor that signed the file in the causality chain that led up to the alert. Cortex XDR can display both the O (Organization) value and the CN (Common Name). |
CLOUD IDENTITY TYPE | Classification used to map the identity type that initiated an operation which triggered an alert. For example, Service, Application, and Temporary Credentials. |
CLOUD IDENTITY SUB-TYPE | A more specific classification of the identity that initiated the operation. For example, for the Identity Type Temporary Credentials, the sub-type could be Assumed Role. |
CLOUD OPERATION TYPE | Represents what has happened because of the identity operation. For example, Create, Delete, and Modify. |
CLOUD PROJECT | Represents the cloud provider folders or projects. For example, AWS Accounts and Azure Subscriptions. |
CLOUD PROVIDER | The name of the cloud provider where the alert occurred: |
CLOUD REFERENCED RESOURCE | Represents the resources that are referenced in the alert log. In most cases, the referenced resource is the one on which the operation was initiated. |
CLOUD RESOURCE TYPE | Classifications used to map similar types of resources across different cloud providers. For example, EC2, Google Compute Engine, and Microsoft Compute are all mapped to Compute. |
CLOUD RESOURCE SUB-TYPE | A more specific classification used to map the types of resources. For example, DISK, VPC, and Subnet are all mapped to Compute. |
CID | Unique identifier of the causality instance generated by Cortex XDR. |
DESCRIPTION | Text summary of the event, including the alert source, alert name, severity, and file path. |
DESTINATION ZONE NAME | The destination zone of the connection for firewall alerts. |
DNS QUERY NAME | The domain name queried in the DNS request. |
DOMAIN | The domain on which an alert was triggered. |
EMAIL RECIPIENT | The email recipient value of a firewall alert triggered on the content of a malicious email. |
EMAIL SENDER | The email sender value of a firewall alert triggered on the content of a malicious email. |
EMAIL SUBJECT | The email subject value of a firewall alert triggered on the content of a malicious email. |
EVENT TYPE | The type of event on which the alert was triggered: |
EXCLUDED | Whether the alert is excluded by an exclusion configuration. |
EXTERNAL ID | The alert ID as recorded in the detector from which this alert was sent. |
FILE PATH | When the alert triggered on a file (the Event Type is File), this is the path to the file on the endpoint. If not, then N/A. |
FILE MACRO SHA256 | SHA256 hash value of a Microsoft Office file macro. |
FILE MD5 | MD5 hash value of the file. |
FILE SHA256 | SHA256 hash value of the file. |
FW NAME | Name of the firewall on which a firewall alert was raised. |
FW RULE ID | The firewall rule ID that triggered the firewall alert. |
FW RULE NAME | The firewall rule name that matches the network traffic that triggered the firewall alert. |
FW SERIAL NUMBER | The serial number of the firewall that raised the firewall alert. |
HOST | The hostname of the endpoint or server on which this alert triggered. The hostname is generally available for XDR agent alerts or alerts that are stitched with EDR data. When the hostname is unknown, this field is blank. |
HOST FQDN | The fully qualified domain name (FQDN) of the Windows endpoint or server on which this alert triggered. |
HOST IP | IP address of the endpoint or server on which this alert triggered. |
HOST MAC ADDRESS | MAC address of the endpoint or server on which this alert triggered. |
HOST OS | Operating system of the endpoint or server on which this alert triggered. |
INCIDENT ID | The ID of any incident that includes the alert. |
INITIATED BY | The name of the process that initiated an activity such as a network connection or registry change. |
INITIATOR MD5 | The MD5 value of the process that initiated the alert. |
INITIATOR SHA256 | The SHA256 hash value of the initiator. |
INITIATOR CMD | Command-line used to initiate the process, including any arguments. |
INITIATOR SIGNATURE | Signing status of the process that initiated the activity: |
INITIATOR PATH | Path of the initiating process. |
INITIATOR PID | Process ID (PID) of the initiating process. |
INITIATOR SIGNER | Signer of the process that triggered the alert. Cortex XDR can display both the O (Organization) value and the CN (Common Name). |
INITIATOR TID | Thread ID (TID) of the initiating process. |
IS PHISHING | Indicates whether a firewall alert is classified as phishing. |
LOCAL IP | If the alert triggered on network activity (the Event Type is Network Connection), this is the IP address of the host that triggered the alert. If not, then N/A. |
LOCAL PORT | If the alert triggered on network activity (the Event Type is Network Connection), this is the port on the endpoint that triggered the alert. If not, then N/A. |
MAC ADDRESS | The MAC address on which the alert was triggered. |
MISC | Miscellaneous information about the alert. |
MITRE ATT&CK TACTIC | Displays the type of MITRE ATT&CK tactic on which the alert was triggered. |
MITRE ATT&CK TECHNIQUE | Displays the type of MITRE ATT&CK technique and sub-technique on which the alert was triggered. |
MODULE | For XDR Agent alerts, this field identifies the protection module that triggered the alert. |
NGFW VSYS NAME | Name of the virtual system for the Palo Alto Networks firewall that triggered an alert. |
OS PARENT CREATED BY | Name of the parent operating system that created the alert. |
OS PARENT CMD | Command-line used by the parent operating system to initiate the process, including any arguments. |
OS PARENT SIGNATURE | Signing status of the operating system of the activity: |
OS PARENT SIGNER | Parent operating system signer. Cortex XDR can display both the O (Organization) value and the CN (Common Name). |
OS PARENT SHA256 | Parent operating system SHA256 hash value. |
OS PARENT ID | Parent operating system ID. |
OS PARENT PID | OS parent process ID. |
OS PARENT TID | OS parent thread ID. |
OS PARENT USER NAME | Name of the user associated with the parent operating system. |
PROCESS EXECUTION SIGNATURE | Signature status of the process that triggered the alert: |
PROCESS EXECUTION SIGNER | Signer of the process that triggered the alert. Cortex XDR can display both the O (Organization) value and the CN (Common Name). |
REGISTRY DATA | If the alert triggered on registry modifications (the Event Type is Registry), this is the registry data that triggered the alert. If not, then N/A. |
REGISTRY FULL KEY | If the alert triggered on registry modifications (the Event Type is Registry), this is the full registry key that triggered the alert. If not, then N/A. |
REMOTE HOST | If the alert triggered on network activity (the Event Type is Network Connection), this is the remote host name that triggered the alert. If not, then N/A. |
REMOTE IP | The remote IP address of a network operation that triggered the alert. |
REMOTE PORT | The remote port of a network operation that triggered the alert. |
RESOLUTION STATUS | The status that was assigned to this alert when it was triggered (or modified): New, Under Investigation, Resolved. Right-click an alert to Change Status. Any update made to an alert impacts the associated incident. An incident with all its associated alerts marked as resolved is automatically set to Auto-Resolved. Cortex XDR continues to group alerts to an Auto-Resolved incident for up to 6 hours. If an alert is triggered during this period, Cortex XDR re-opens the incident. |
RULE ID | The ID that matches the rule that triggered the alert. |
SEVERITY | The severity that was assigned to this alert when it was triggered (or modified): Informational, Low, Medium, High, Critical, or Unknown. Right-click an alert to Change Severity. |
STARRED | Whether the alert is starred by a starring configuration. |
SOURCE ZONE NAME | The source zone name of the connection for firewall alerts. |
TARGET FILE SHA256 | The SHA256 hash value of an external DLL file that triggered the alert. |
TARGET PROCESS CMD | The command-line of the process whose creation triggered the alert. |
TARGET PROCESS NAME | The name of the process whose creation triggered the alert. |
TARGET PROCESS SHA256 | The SHA256 value of the process whose creation triggered the alert. |
TIMESTAMP | The date and time when the alert was triggered. Right-click to Show rows 30 days prior or 30 days after the selected timestamp field value. |
URL | The URL destination address of the domain triggering the firewall alert. |
USER NAME | The name of the user that initiated the behavior that triggered the alert. If the user is a domain user account, this field also identifies the domain. Any alert triggered based on network, authentication, or login events displays the User Name in the following standardized format in the Alerts and Incidents pages: `<company domain>\<username>` |
XFF | X-Forwarded-For value from the HTTP header of the IP address connecting through a proxy. |
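The incident lifecycle described in the RESOLUTION STATUS row, as an added walkthrough that is not Cortex XDR's own code or API: resolving every alert auto-resolves the incident, an alert within the 6-hour window is still grouped into it and re-opens it, and a later alert opens a new incident. It assumes alerts group by host, that the window starts at the moment of auto-resolution, that a re-opened incident returns to an assumed "Open" status, and uses a constructed reference time `T0` with the helper `at()`.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Assumptions (not Cortex XDR's own code or API): alerts group by host, the 6-hour
# window starts at the moment of auto-resolution, and re-opening returns to "Open".
GROUPING_WINDOW = timedelta(hours=6)
ALERT_STATUSES = ("New", "Under Investigation", "Resolved")
T0 = datetime(2024, 1, 1, 8, 0)  # constructed reference time; at(h) is T0 plus h hours

def at(hours):
    return T0 + timedelta(hours=hours)

@dataclass
class Alert:
    alert_id: str
    host: str
    triggered_at: datetime
    status: str = "New"

@dataclass
class Incident:
    incident_id: str
    host: str
    alerts: list = field(default_factory=list)
    status: str = "Open"
    auto_resolved_at: datetime = None  # set only while Auto-Resolved

def change_alert_status(incident, alert_id, status, now):
    """Change Status on one alert; any update to an alert impacts its incident."""
    if status not in ALERT_STATUSES:
        raise ValueError(f"unknown alert status {status!r}")
    alert = next(a for a in incident.alerts if a.alert_id == alert_id)
    alert.status = status
    if all(a.status == "Resolved" for a in incident.alerts) and incident.status != "Auto-Resolved":
        incident.status, incident.auto_resolved_at = "Auto-Resolved", now
    return incident.status

def ingest_alert(incidents, alert):
    """Group into an Open incident, or re-open an Auto-Resolved one inside the window."""
    for inc in incidents:
        if inc.host != alert.host:
            continue
        still_grouping = (inc.status == "Auto-Resolved"
                          and alert.triggered_at - inc.auto_resolved_at <= GROUPING_WINDOW)
        if inc.status == "Open" or still_grouping:
            inc.alerts.append(alert)
            inc.status, inc.auto_resolved_at = "Open", None  # re-opens if it was Auto-Resolved
            return inc
    inc = Incident(f"INC-{len(incidents) + 1}", alert.host, [alert])
    incidents.append(inc)
    return inc
```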
From the Alerts page, you can also perform additional actions to manage alerts and pivot on specific alerts for a deeper understanding of the cause of the event.