Manage Alerts

You can manage Cortex XDR alerts and view alert details from the Alerts page.

Copy Alerts

You can copy an alert into memory as follows:
  • Copy the URL of the alert record
  • Copy the value for an alert field
  • Copy the entire row of alert record
With either option, you can paste the contents of memory into an email to send. This is helpful if you need to share or discuss a specific alert with someone. If you copy a field value, you can also easily paste it into a search or begin a query.
  • Create a URL for an alert record:
    1. From the
      Alerts
      page, right-click the alert you want to send.
    2. Select
      Copy alert URL
      .
      Cortex XDR saves the URL to memory.
    3. Paste the URL into an email or use as needed to share the alert.
  • Copy a field value in an alert record:
    1. From the
      Alerts
      page, right-click the field in the alert that you want to copy.
    2. Select
      Copy text to clipboard
      .
      Cortex XDR saves the field contents to memory.
    3. Paste the value into an email or use as needed to share information from the alert.
  • Copy the entire row of alert record
    1. From the
      Alerts
      page, right-click on one or more alerts you want to copy.
    2. Select
      Copy entire row(s)
      .
    3. Paste the value into an email or use as needed to share information from the alert.

Analyze an Alert

To help you understand the full context of an alert, Cortex XDR provides a powerful analysis view that empowers you to make a thorough analysis very quickly.
The Causality View is available for XDR agent alerts that are based on endpoint data and for alerts raised on network traffic logs that have been stitched with endpoint data.
To view the analysis:
  1. From the
    Alerts
    page, locate the alert you want to analyze.
  2. Right-click anywhere in the alert, and select
    Investigate Causality Chain
    .
  3. Choose whether to open the Causality View card for an alert in a new tab or the same tab.
  4. Review the chain of execution and available data for the process and, if available, navigate through the processes tree.

Pivot to Views

From any listed alert you can pivot to the following alert-related views:
  • Open Asset View
    —Open the Asset View panel and view information related to the alert there.
  • View full endpoint details
    —View the full details of the endpoint to which the alert relates.
  • View related incident
    —View information about an incident related to the alert.
  • View Observed Behaviors
    —View information about observed behaviors that are related to the alert.
To pivot to any of these views:
  1. Right-click a listed alert.
  2. From the pop-up menu, select the view to which you want to pivot.

Create Profile Exceptions

For XDR Agent alerts, you can create profile exceptions for Window processes, BTP, and JAVA deserialization alerts directly from the
Alerts
table.
  1. Right-click an
    XDR Agent
    alert which has a category of
    Exploit
    and
    Create alert exception
    .
  2. Select an
    Exception Scope
    :
    • Global
      —Apply the exception across your organization.
    • Profile
      —Apply the exception to an existing profile or click and enter a
      Profile Name
      to create a new profile.
  3. Add
    the scope.
  4. (
    Optional
    ) View your profile exceptions.
    1. Navigate to
      Endpoints
      Policy Management
      Profiles
      .
    2. In the
      Profiles
      table, locate the OS in which you created your global or profile exception and right-click to view or edit the exception properties.

Add File Path to Malware Profile Allow List

Add a file path to an existing Malware profile allow list directly from the
Alerts
table.
  1. In the
    Alerts
    table, select the
    Initiator Path
    ,
    CGO path
    , and/or
    File Path
    field values you want to add to your malware profile allow list.
  2. Right-click and select
    Add
    <path type>
    to malware profile allow list
    .
  3. In the
    Add
    <path type>
    to malware profile allow list
    dialog, select from your existing
    Profiles
    and
    Modules
    to which you want to add the file path to the allow list.
  4. (
    Optional
    ) View your Malware profile allow list.
    1. Navigate to
      Endpoints
      Policy Management
      Prevention
      Profiles
      and locate the malware profile you selected.
    2. Right-click, select
      Edit Profile
      and locate in the
      Files / Folders in Allow List
      section the path file you added.

Retrieve Additional Alert Details

To easily access additional information relating to an alert:
  1. From the
    Alerts
    page, locate the alert for which you want to retrieve information.
  2. Right-click anywhere in the alert, and select one of the following options:
    • Retrieve alert data
      —Cortex XDR can provide additional analysis of the memory contents when an exploit protection module raises an XDR Alert. To perform the analysis you must first retrieve alert data consisting of the memory contents at the time the alert was raised. This can be done manually for a specific alert, or you can enable Cortex XDR to automatically retrieve alert data for every relevant XDR Alert. After Cortex XDR receives the data and performs the analysis, it issues a verdict for the alert. You can monitor the retrieval and analysis progress from the
      Action Center
      (pivot to view
      Additional data
      ). When analysis is complete, Cortex XDR displays the verdict in the
      Advanced Analysis
      field.
    • Retrieve related files
      —To further examine files that are involved in an alert, you can request the Cortex XDR agent send them to the Cortex XDR management console. If multiple files are involved, Cortex XDR supports up to 20 files and 200MB in total size. The agent collects all requested files into one archive and includes a log in JSON format containing additional status information. When the files are successfully uploaded, you can download them from the Action Center for up to one week.
  3. Navigate to
    Response
    Action Center
    to view retrieval status.
  4. Download the retrieved files locally.
    In the
    Action Center
    , wait for the data retrieval action to complete successfully. Then, right-click the action row and select
    Additional Data
    . From the
    Detailed Results
    view, right-click the row and select
    Download Files
    . A ZIP folder with the retrieved data is downloaded locally.
    If you require assistance from Palo Alto Networks Support to investigate the alert, ensure to provide the downloaded ZIP file.

Export Alert Details to a File

To archive, continue investigation offline, or parse alert details, you can export alerts to a tab-separated values (TSV) file.
  1. From the
    Alerts
    page, adjust the filters to identify the alerts you want to export.
  2. When you are satisfied with the results, click the download icon ( ).
    The icon is grayed out when there are no results.
    Cortex XDR exports the filtered result set to the TSV file.

Recommended For You