Analytics Alert View

From the Cortex® XDR™ management console, you can view a detailed summary of the behavior that triggered analytics alerts.
The analytics alert view provides a detailed summary of the behavior that triggered an Analytics or Analytics BIOC alert. This view also provides a visual depiction of the behavior and additional information you can use to assess the alert. This includes the endpoint on which the activity was initiated, the user that performed the action, the technique the analytics engine observed, and activity and interactions with other hosts inside or outside of your network.
When enabling the Identity Analytics, alerts associated with suspicious user activity such as stolen or misused credentials, lateral movement, credential harvesting, or brute-force data are displayed with a
User
node.
Analytics View of an Analytics Alert
Section
Description
1. Context
For Analytics alerts, the analytics view indicates the endpoint for which the alert was raised.
For Analytics BIOC alerts, the Analytics view summarizes information about the alert, including the source host name, IP address, the process name on which the alert was raised, and the corresponding process ID.
2. Alert summary
(
Analytics alerts only
) Describes the behavior that triggered the alert and activity impact.
3. Graphic summary
Similar to the Causality View, the analytics view provides a graphic representation of the activity that triggered the alert and an interactive way to view the chain of behavior for an Analytics alert. You can move the graphic, extend it, and modify it. To adjust the appearance, you can enlarge/shrink the chain for easy viewing using the size controls on the right. You can also move the chain around by selecting and dragging it. To return the chain to its original position and size, click in the lower-right of the graph.
The activity depicted in the graphic varies depending on the type of alert:
  • Analytics alerts—You can view a summary of the aggregated activity including the source host, the anomalous activity, connection count, and the destination host. You can also select the host to view any relevant profile information.
  • Analytics BIOC alerts—You can view the specific event behavior including the causality group owner that initiated the activity and related process nodes. To view the summary of the specific event, you can select the above the process node.
The following nodes display information unique to the Analytics Alert View:
User node— Hover over to display the
User Information
and user
Analytics Profile
data.
Multi-Event—Display in the Event Table all the event types associated with the alert.
Right-click on the following nodes to view additional information:
  • Device—
    Open in IP View
  • Process—
    View Process Instances
  • IP Address—
    Add to EDL
4. Alert description
The alert description provides details and statistics related to the activity. Beneath the description, you can also view the alert name, severity assigned to the alert, time of the activity, alert tactic (category) and type, and links to the MITRE summary of the attack tactic.
When selecting a User node,
Identity User Details
, such as Active Directory Group, Organizational Unit, and Role associated with the user are displayed. If available,
Login Details
also appear.
5. Events table
Displays events related to the alert.
User node—Displays the logins, hosts, alerts, and process executions associated with the user aggregated by the Identity Analytics 7 days prior to and after the analytics alert timestamp. Right-click to
Investigate Causality Chain
and
View in XQL
the associated events.
Multi-Event—Displays the events associated with the alert according to the type event type. Right-click to
View in XQL
and further
Investigate with XQL
the event details.
6. Response actions
Actions you can take in response to an Analytics alert. These actions can include isolating a host from the network, initiating a live terminal session, and adding an IP address or domain name to an external dynamic list (EDL) that is enforceable in your Palo Alto Networks firewall security policy.

Recommended For You