You can manage Cortex XDR alerts and view alert details from the Alerts page.
There are two ways you can copy an alert into memory: you can copy the URL of the alert record, or you can copy the value for an alert field. With either option, you can paste the contents of memory into an email to send. This is helpful if you need to share or discuss a specific alert with someone. If you copy a field value, you can also easily paste it into a search or begin a query.
- Create a URL for an alert record:
  - From the Alerts page, right-click the alert you want to send.
  - Select Copy alert URL. Cortex XDR saves the URL to memory.
  - Paste the URL into an email or use it as needed to share the alert.
- Copy a field value in an alert record:
  - From the Alerts page, right-click the field in the alert that you want to copy.
  - Select Copy. Cortex XDR saves the field contents to memory.
  - Paste the value into an email or use it as needed to share information from the alert.
Analyze an Alert
To help you understand the full context of an alert, Cortex XDR provides an analysis view, the Causality View, that lets you carry out a thorough analysis of the alert quickly.
The Causality View is available for XDR agent alerts that are based on endpoint data and for alerts raised on network traffic logs that have been stitched with endpoint data.
To view the analysis:
- From the Alerts page, locate the alert you want to analyze.
- Right-click anywhere in the alert and select Analyze. Cortex XDR opens the alert in the Causality View.
- Review the chain of execution and the available data for the process and, if available, navigate through the process tree.
Create Profile Exceptions
Quickly create exceptions for Windows processes, BTP, and Java deserialization alerts directly from the
- Right-click an alert of source XDR Agent and category Exploit, and select Create alert exception. Cortex XDR opens a Create Alert Exception window detailing the exception parameters.
- Select an Exception Scope:
  - Global: Applies the exception across your organization.
  - Profile: Select an existing profile, or click and enter a Profile Name to create a new profile.
- (Optional) View your profile exceptions.
  - Navigate to Endpoints > Policy Management > Profiles.
  - In the Profiles table, locate the OS for which you created your global or profile exception and right-click to view or edit the exception properties.
Retrieve Additional Alert Details
To easily access additional information relating to an alert:
- From the Alerts page, locate the alert for which you want to retrieve information.
- Right-click anywhere in the alert, and select one of the following options:
  - Retrieve alert data—Cortex XDR can provide additional analysis of the memory contents when an exploit protection module raises an XDR Alert. To perform the analysis you must first retrieve alert data consisting of the memory contents at the time the alert was raised. This can be done manually for a specific alert, or you can enable Cortex XDR to automatically retrieve alert data for every relevant XDR Alert. After Cortex XDR receives the data and performs the analysis, it issues a verdict for the alert. You can monitor the retrieval and analysis progress from the Action Center (pivot to view Additional data). When analysis is complete, Cortex XDR displays the verdict in the Advanced Analysis field.
  - Retrieve related files—To further examine files that are involved in an alert, you can request the Cortex XDR agent send them to the Cortex XDR management console. If multiple files are involved, Cortex XDR supports up to 20 files and 200MB in total size. The agent collects all requested files into one archive and includes a log in JSON format containing additional status information. When the files are successfully uploaded, you can download them from the Action Center for up to one week.
  - View full endpoint details—Jump to a filtered view of the Endpoint Administration page by endpoint ID. This unique ID is assigned by the Cortex XDR agent to identify the endpoint.
- Navigate to Response > Action Center to view retrieval status.