Analytics Concepts

The Cortex XDR™ app uses an analytics engine to examine logs and data from your sensors.
Network security professionals know that safeguarding a network requires a defense-in-depth strategy. This layered approach to network security means keeping software patched and current while running hardware and software systems that are designed to keep attackers out. Many strategies exist to keep unwanted users out of a network; most of them work by stopping intrusion attempts at the network perimeter.
As good and necessary as those strategies and products are, they can defend only against known threats. Systems that look for malicious software, for example, have traditionally worked from previously identified signatures such as MD5 hashes. Malware authors constantly make trivial modifications to their code, which changes the hash, so the modified sample evades scanners until the signature database is updated with the newly discovered variant.
In other words, defensive network systems are constantly trying to keep up with the best efforts of aggressive, nimble attackers. Your defensive network software must be 100% correct 100% of the time to prevent successful attacks. A determined attacker, on the other hand, must be successful only once to ruin your day.
Consequently, your network defense-in-depth strategy must include software and processes designed to detect and respond to an intruder who has already penetrated your systems. This is the position Cortex XDR takes in your enterprise. The app efficiently and automatically identifies abnormal activity on your network while providing you with the exact information you need to rapidly evaluate potential threats and then isolate and remove them from your network before they can do real damage.

Analytics Engine

The analytics engine retrieves logs from Cortex Data Lake to learn normal behavior (it creates a baseline) so that it can raise alerts when abnormal activity occurs. The engine accesses your logs as they are streamed to Cortex Data Lake and analyzes the data as soon as it arrives. Cortex XDR raises an Analytics alert when the analytics engine identifies an anomaly.
The analytics engine is built to process, in parallel, large amounts of data stored in Cortex Data Lake. Its goal is to model normal behavior so that abnormal behavior can be recognized and surfaced to you as alerts. The engine can examine traffic and data from a variety of sources, such as network activity from firewall logs, VPN logs (from Prisma Access through the Panorama plugin), endpoint activity data (from Windows endpoints), Active Directory, or a combination of those sources, to identify the endpoints and users on your network. After endpoints and users are identified, the engine collects relevant details about every asset it sees from the information in the logs. The engine can detect threats from network data alone or from endpoint data alone, but a combination of data sources is recommended because it provides more context when investigating an alert.
The list of what the engine looks for is large, varied, and constantly growing. As a consequence of this analysis, the engine builds profiles of every endpoint and user it knows about. Profiles allow the engine to put the activity of an endpoint or user in context by comparing it against similar endpoints or users, or against that entity's own history. The engine creates and maintains a very large number of profile types, but generally they all fall into three categories:
  • Peer Group Profiles—A statistical analysis of an entity or an entity relation that compares activities across multiple entities in a peer group. For example, a domain might have a cross-organization popularity profile or a per-peer-group popularity profile.
  • Temporal Profiles—A statistical analysis of an entity or an entity relation that compares the same entity to itself over time. For example, a host might have a profile of how many ports it accessed in the past.
  • Entity Classification—A model that detects the role of an entity. For example, users can be classified as service accounts, and hosts as domain controllers.

Analytics Sensors

To detect anomalous behavior, Cortex XDR can analyze logs and data from a variety of sensors.
Palo Alto Networks sensors
Firewall traffic logs
Palo Alto Networks firewalls perform traditional and next-generation firewall functions. The Cortex XDR analytics engine can analyze Palo Alto Networks firewall logs to obtain intelligence about the traffic on your network. A Palo Alto Networks firewall can also enforce Security policy on the IP addresses and domains associated with Analytics alerts by consuming them through external dynamic lists.
Enhanced application logs (EAL)
To provide greater coverage and accuracy, you can enable enhanced application logging on your Palo Alto Networks firewalls. Enhanced application logs are collected by the firewall to increase visibility into network activity for Palo Alto Networks apps and services such as Cortex XDR. Only firewalls that send logs to Cortex Data Lake can generate enhanced application logs.
Examples of the types of data that enhanced application logs gather include records of DNS queries, the HTTP User-Agent header that identifies the web browser or tool used to access a URL, and information about DHCP automatic IP address assignment. With DHCP information, for example, Cortex XDR can alert on unusual activity by hostname instead of by IP address, which matters because DHCP-assigned addresses change over time. This allows the security analyst using Cortex XDR to meaningfully assess whether a user's activity is within the scope of their role and, if not, to more quickly take action to stop the activity.
GlobalProtect and Prisma Access logs
If you use GlobalProtect or Prisma Access to extend your firewall security coverage to your mobile users, Cortex XDR can also analyze VPN traffic to detect anomalous behavior on mobile endpoints.
Firewall URL logs (part of firewall threat logs)
Palo Alto Networks firewalls can log Threat log entries when traffic matches one of the Security Profiles attached to a security rule on the firewall. Cortex XDR can analyze entries for Threat logs relating to URLs and raise alerts that indicate malicious behavior such as command and control and exfiltration.
Cortex XDR agent endpoint data
With a Cortex XDR Pro per Endpoint license, you can deploy Cortex XDR agents on your endpoints to protect them from malware and software exploits. The analytics engine can also analyze the EDR data collected by the Cortex XDR agent to raise alerts. To collect EDR data, you must install Cortex XDR agent 6.0 or a later release on your Windows endpoints (Windows 7 SP1 or later).
The Cortex XDR analytics engine can analyze activity and traffic based solely on endpoint activity data sent from Cortex XDR agents. For increased coverage and greater insight during investigations, use a combination of Cortex XDR agent data and firewall logs for analysis.
Pathfinder data collector
In a firewall-only deployment where the Cortex XDR agent is not installed on your endpoints, you can use Pathfinder to monitor endpoints. Pathfinder scans unmanaged hosts, servers, and workstations for malicious activity. The analytics engine can also analyze Pathfinder data collector data in combination with other data sources to increase coverage of your network and endpoints and to provide more context when investigating alerts.
Directory Sync logs
If you use the Directory Sync service to provide Cortex XDR with Active Directory data, the analytics engine can also raise alerts on your Active Directory logs.
External sensors
Third-party firewall logs
If you use non-Palo Alto Networks firewalls (Check Point, Fortinet, Cisco ASA) in addition to or instead of Palo Alto Networks firewalls, you can set up a syslog collector to facilitate log and alert ingestion. By sending your firewall logs to Cortex XDR, you increase detection coverage and take advantage of Cortex XDR analysis capabilities. When Cortex XDR analyzes your firewall logs and detects anomalous behavior, it raises an alert.
Third-party authentication service logs
If you use an authentication service—Microsoft Azure AD, Okta, or PingOne—you can set up log collection to ingest authentication logs and data into authentication stories.
Windows Event Collector logs
The Windows Event Collector (WEC) runs on the broker VM collecting event logs from Domain Controllers (DCs). The analytics engine can analyze these event logs to raise alerts such as for credential access and defense evasion.

Coverage of the MITRE ATT&CK Tactics

Network attacks follow predictable patterns, and disrupting any stage of the pattern can neutralize the attack.
The analytics engine can alert on any of the following attack tactics as defined by the MITRE ATT&CK™ knowledge base of tactics.
Execution
After attackers gain a foothold in your network, they can use various techniques to execute malicious code on a local or remote endpoint.
Malware
The Cortex XDR app detects malware and grayware on your network using a combination of network activity, Pathfinder data collector scans of your unmanaged endpoints, endpoint data from your Cortex XDR agents, and evaluation of suspicious files by the WildFire® cloud service.
Persistence
To keep carrying out malicious actions, an attacker uses techniques that maintain access to a network or an endpoint across interruptions such as a system restart or failure, for example by configuring the endpoint to restart a remote access tool or reopen a backdoor so that the attacker regains access.
Discovery
After an attacker has access to a part of your network, they use discovery techniques to explore and identify subnets and to discover servers and the services hosted on those endpoints. The idea is to identify vulnerabilities within your network.
The app detects attacks that use this tactic by looking for symptoms in your internal network traffic such as changes in connectivity patterns, including increased rates of connections, failed connections, and port scans.
Lateral Movement
To expand their footprint inside your network, an attacker uses lateral movement techniques, often obtaining credentials along the way, to gain additional access to more systems and data in the network.
The analytics engine detects attacks during this phase by examining administrative operations (such as SSH, RDP, and HTTP), file share access, and user credential usage that is beyond the norm for your network. Some of the symptoms the app looks for are increased administrative activity, SMB usage, and remote code execution.
Command and Control
The command and control tactic allows an attacker to remotely issue commands to an endpoint and receive information from it. The analytics engine identifies intruders using this tactic by looking for anomalies in outbound connections, DNS lookups, and endpoint processes with bound ports. The app looks for unexplained changes in the periodicity of connections and of failed DNS lookups, changes in the rate of random-looking DNS lookups, and other symptoms that suggest an attacker has gained initial control of a system.
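As an added example (not Cortex XDR code, and not a description of its detectors), the following Python script computes two of the command-and-control symptoms just described over a constructed set of log records: the regularity of outbound connections from a host to one destination, measured as the coefficient of variation of the gaps between connections, and the share of a host's DNS lookups that fail. The record layout, host names, destinations, thresholds, and sample values are assumptions made for the illustration.

```python
"""Illustrative C2 symptom checks over constructed log records.

Added example, not Cortex XDR code: it shows two of the signals the text
describes (near-fixed-interval outbound connections and a high share of failed
DNS lookups) as plain statistics a practitioner could run over their own logs.
"""
from collections import defaultdict
from statistics import mean, pstdev


def make_sample():
    """Constructed records: (epoch_seconds, src_host, dst, kind, outcome).

    kind is "conn" for an outbound TCP connection or "dns" for a lookup.
    host-a beacons to one address every 60 s with +/-2 s jitter and resolves
    random-looking names that do not exist; host-b browses irregularly."""
    t = 1_700_000_000
    records = []
    jitter = [0, 1, -1, 2, -2]
    for i in range(20):
        records.append((t + 60 * i + jitter[i % 5], "host-a", "203.0.113.10", "conn", "ok"))
    gaps, t2 = [3, 40, 7, 120, 15, 300, 9, 60, 200, 4], t
    for g in gaps:
        t2 += g
        records.append((t2, "host-b", "198.51.100.5", "conn", "ok"))
    for i in range(12):
        records.append((t + 5 * i, "host-a", f"x{i}q9k2.example", "dns", "nxdomain"))
    for i in range(3):
        records.append((t + 5 * i, "host-a", "intranet.example", "dns", "ok"))
    for i in range(10):
        records.append((t + 7 * i, "host-b", "intranet.example", "dns", "ok"))
    records.append((t + 99, "host-b", "typo.example", "dns", "nxdomain"))
    return records


def beacon_scores(records, min_polls=8):
    """Per (src, dst) pair: coefficient of variation (stddev / mean) of the
    gaps between successive connections. A low value with enough polls means
    the host talks to the destination on a near-fixed schedule."""
    times = defaultdict(list)
    for ts, src, dst, kind, _ in records:
        if kind == "conn":
            times[(src, dst)].append(ts)
    scores = {}
    for pair, ts in times.items():
        ts.sort()
        if len(ts) < min_polls:
            continue  # too few connections to judge periodicity
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        m = mean(gaps)
        scores[pair] = pstdev(gaps) / m if m > 0 else float("inf")
    return scores


def nxdomain_ratio(records):
    """Share of each host's DNS lookups that failed with NXDOMAIN."""
    total, failed = defaultdict(int), defaultdict(int)
    for _, src, _, kind, outcome in records:
        if kind == "dns":
            total[src] += 1
            if outcome == "nxdomain":
                failed[src] += 1
    return {host: failed[host] / total[host] for host in total}


def c2_suspects(records, cv_threshold=0.1, nx_threshold=0.5):
    """Fixed thresholds are assumed here; a real detector would compare the
    statistics with the host's own baseline and with its peers instead."""
    suspects = set()
    for (src, dst), cv in beacon_scores(records).items():
        if cv < cv_threshold:
            suspects.add((src, "beacon", dst))
    for host, ratio in nxdomain_ratio(records).items():
        if ratio > nx_threshold:
            suspects.add((host, "nxdomain", None))
    return suspects


if __name__ == "__main__":
    for s in sorted(c2_suspects(make_sample()), key=str):
        print(s)
```

Only host-a is flagged, on both signals. Beacons with deliberate jitter or long sleep intervals raise the coefficient of variation, and a single NXDOMAIN burst can be a misconfigured client rather than a domain generation algorithm, which is why a production detector judges these statistics against the host's history and peer group rather than against constants.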
Exfiltration
Exfiltration tactics are techniques to move data, such as valuable enterprise data, out of a network. The app seeks to identify exfiltration by examining outbound connections with a focus on the volume of data being transferred. Increases in this volume are an important symptom of data exfiltration.

Analytics Detection Time Intervals

The analytics engine for Cortex XDR retrieves logs from Cortex Data Lake to understand the normal behavior (creates a baseline) so that it can raise alerts when abnormal activity occurs. This analysis is highly sophisticated and performed on more than a thousand dimensions of data. Internally, the Cortex XDR app organizes its analytics activity into algorithms called detectors. Each detector is responsible for raising an alert when worrisome behavior is detected.
To raise alerts, each detector compares the recent past behavior to the expected baseline by examining the data found in your logs. A certain amount of log file time is required to establish a baseline and then a certain amount of recent log file time is required to identify what is currently happening in your environment.
There are several meaningful time intervals for Cortex XDR Analytics detectors:
Learning Period
The shortest amount of log file time required before the app can raise an alert. This is typically the time between when a detector first starts running and when you can see an alert, but in some cases detectors pause after an upgrade as they enter a new learning period.
Most, but not all, detectors wait until a full learning period of data is available before they run. The learning period gives the detector enough data to establish a baseline, which in turn helps to avoid false positives.
The learning period is also referred to as the profiling or waiting period and, informally, it is also referred to as soak time.
Test Period
The amount of logging time that a detector uses to determine if unusual activity is occurring on your network. The detector compares test period data to the baseline created during the training period, and uses that comparison to identify abnormal behavior.
Training Period
The amount of logging time that the detector requires to establish a baseline, and to identify the behavioral limits beyond which an alert is raised. Because your network is not static in terms of its topology or usage, detectors are constantly updating the baselines that they require for their analytics. For this update process, the training period is how far back in time the detector goes to update and tune the baseline.
This period is also referred to as the baseline period.
When establishing a baseline, detectors compute limits beyond which network activity requires an alert. In some cases, detectors do not compute baseline limits; instead, the limits are predetermined by Cortex XDR engineers, who derive them from statistical analysis of malicious activity recorded worldwide. The engineers routinely repeat this analysis and update the predetermined limits as needed with each release of Cortex XDR.
Deduplication Period
The amount of time in which additional alerts for the same activity or behavior are suppressed before Cortex XDR raises another Analytics alert.
These time periods are different for every Cortex XDR Analytics detector. The actual amount of logging data (measured in time) required to raise any given Cortex XDR Analytics alert is identified in the .
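As an added example (not Cortex XDR code), the following Python script is a toy detector that shows how the learning, training, test, and deduplication periods defined above fit together, and how the temporal and peer group profiles described under Analytics Engine enter the comparison. It tracks distinct destination ports per host per hour over constructed data; the counter, host names, roles, window lengths, and the robust limit formula are assumptions made for the illustration.

```python
"""Toy analytics detector over constructed per-host hourly counters.

Added example, not Cortex XDR code. The time windows, hosts, roles, the
distinct-destination-port counter and the median/MAD limit are assumptions.
"""
from statistics import median

TRAINING_HOURS = 72   # training period: history used to build the baseline
LEARNING_HOURS = 72   # learning period: no alerts until this much data exists
TEST_HOURS = 1        # test period: the most recent interval under test
DEDUP_HOURS = 6       # deduplication period per host and profile
K = 3.0               # robust z-score limit; 1.4826 scales MAD to a sigma estimate

# Roles stand in for entity classification: only hosts with the same role are peers.
ROLES = {"ws-1": "workstation", "ws-2": "workstation", "scan-1": "scanner"}
BASE = {"ws-1": 5, "ws-2": 6, "scan-1": 40}


def make_sample(hours=240):
    """Constructed distinct-destination-port counts per (host, hour).

    scan-1 is a vulnerability scanner that always touches ~40 ports. ws-2 runs a
    port sweep at hour 10, before the learning period ends. ws-1 sweeps at hours
    100-102 (one behavior, three consecutive intervals) and again at hour 150."""
    counts = {}
    for h in range(hours):
        for i, host in enumerate(ROLES):
            counts[(host, h)] = BASE[host] + (h * 7 + i) % 4
    counts[("ws-2", 10)] = 200
    for h in (100, 101, 102, 150):
        counts[("ws-1", h)] = 200
    return counts


def robust_limit(values):
    """median + K * MAD-based sigma. Median/MAD resist the earlier spikes that
    enter the training window; the MAD floor keeps a flat baseline from
    alerting on one-port noise."""
    med = median(values)
    mad = max(median(abs(v - med) for v in values), 1.0)
    return med + K * 1.4826 * mad


def run_detector(counts, hours):
    """Slide hour by hour, as if the detector ran at the end of each interval."""
    alerts = []
    last = {}  # (host, profile) -> hour of the last alert, for deduplication
    for now in range(hours):
        if now < LEARNING_HOURS:
            continue  # learning period: too little history for a baseline
        train = range(now - TRAINING_HOURS, now)      # training window before the test window
        test = range(now - TEST_HOURS + 1, now + 1)   # interval under test
        for host, role in ROLES.items():
            observed = max(counts[(host, h)] for h in test)
            own_hist = [counts[(host, h)] for h in train]                       # temporal profile
            peer_hist = [counts[(p, h)] for p, r in ROLES.items()
                         if r == role and p != host for h in train]           # peer group profile
            checks = {"temporal": own_hist}
            if peer_hist:
                checks["peer"] = peer_hist
            for profile, hist in checks.items():
                limit = robust_limit(hist)
                if observed <= limit:
                    continue
                if now - last.get((host, profile), -DEDUP_HOURS) < DEDUP_HOURS:
                    continue  # same behavior already alerted inside the deduplication period
                last[(host, profile)] = now
                alerts.append((now, host, profile, observed, round(limit, 1)))
    return alerts


if __name__ == "__main__":
    for alert in run_detector(make_sample(), 240):
        print(alert)
```

Running the script prints four alerts: ws-1's sweep at hour 100 exceeds both its own temporal limit and the workstation peer limit, hours 101 and 102 are suppressed by the deduplication period, and hour 150 alerts again on both profiles. ws-2's sweep at hour 10 is never reported because it occurred before the learning period elapsed, and scan-1's consistently high port count stays within its own temporal baseline and has no peers in its role to compare against, which is the reason entity classification matters for peer group profiles.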

Analytics Alerts and Analytics BIOCs

To raise a typical Analytics alert, the Analytics Engine establishes a baseline of activity and analyzes behavior patterns over time. The engine raises the alert when it detects suspicious behaviors (multiple events) that deviate from the baseline. To ensure the analytics detectors raise alerts efficiently and do not overcrowd your Alerts table, Cortex XDR automatically disables alerts from detectors that reach 5000 or more hits over a 24 hour period.
In addition to standard Analytics alerts, there is another category of alerts: Analytics BIOCs (behavioral indicators of compromise). In contrast to standard Analytics alerts, Analytics BIOCs, sometimes referred to informally as ABIOCs, indicate a single event of suspicious behavior with an identified chain of causality. To identify the context and chain of causality, ABIOCs leverage user, endpoint, and network profiles. A profile is generated by the Analytics Engine and can be a simple statistical profile or a more complex machine-learning profile. Cortex XDR tailors each ABIOC to your specific environment after analyzing your logs and data sources, and it continually tunes and delivers new ABIOCs with content updates.
To help you investigate suspicious user activity information collected by the Analytics engine, Cortex XDR provides the Identity Analytics add-on. When enabled, the Identity Analytics add-on aggregates and displays user profile information, activity, and alerts associated with a user-based Analytics type alert and Analytics BIOC rule.
To help you track these alerts and Analytics BIOC rules, Cortex XDR displays an Identity Analytics tag in the Alert Name field of the Alerts table and in the corresponding field of the Analytics BIOC Rules table. In the Analytics Alert View, when you select the node for the user, Cortex XDR details the Active Directory group, organizational unit, role, logins, hosts, alerts, and process executions associated with that user.
To enable the Identity Analytics add-on, you must first configure the Directory Sync service (DSS) and Cortex XDR Analytics. Cortex XDR sends a notification if there are any problems with the configuration. After configuring DSS and Cortex XDR Analytics, select Settings > Cortex XDR License and enable Identity Analytics.
The add-on is currently free, but will incur an additional cost in the future.
