Analytics Alert View

From the Cortex® XDR™ management console, you can view a detailed summary of the behavior that triggered analytics alerts.
The analytics alert view provides a detailed summary of the behavior that triggered an Analytics or Analytics BIOC alert. This view also provides a visual depiction of the behavior and additional information you can use to assess the alert. This includes the endpoint on which the activity was initiated, the user that performed the action, the technique the analytics engine observed, and activity and interactions with other hosts inside or outside of your network.
When enabling the Identity Analytics add-on, alerts associated with suspicious user activity such as stolen or misused credentials, lateral movement, credential harvesting, or brute-force data are displayed with a
User
node.
Analytics View of an Analytics Alert
Section
Description
1. Context
For Analytics alerts, the analytics view indicates the endpoint for which the alert was raised.
For Analytics BIOC alerts, the Analytics view summarizes information about the alert, including the source host name, IP address, the process name on which the alert was raised, and the corresponding process ID.
2. Alert summary
(
Analytics alerts only
) Describes the behavior that triggered the alert and activity impact.
3. Graphic summary
Similar to the Causality View, the analytics view provides a graphic representation of the activity that triggered the alert and an interactive way to view the chain of behavior for an Analytics alert. You can move the graphic, extend it, and modify it. To adjust the appearance, you can enlarge/shrink the chain for easy viewing using the size controls on the right. You can also move the chain around by selecting and dragging it. To return the chain to its original position and size, click in the lower-right of the graph.
The activity depicted in the graphic varies depending on the type of alert:
  • Analytics alerts—You can view a summary of the aggregated activity including the source host, the anomalous activity, connection count, and the destination host. You can also select the host to view any relevant profile information.
  • Analytics BIOC alerts—You can view the specific event behavior including the causality group owner that initiated the activity and related process nodes. To view the summary of the specific event, you can select the above the process node.
Right-click on the following nodes to view additional information:
  • Device—
    Open in IP View
  • Process—
    View Process Instances
  • IP Address—
    Add to EDL
Hover over the (user) node to display
User Information
and user
Analytics Profile
data.
4. Alert description
The alert description provides details and statistics related to the activity. Beneath the description, you can also view the alert name, severity assigned to the alert, time of the activity, alert tactic (category) and type, and links to the MITRE summary of the attack tactic.
When selecting a User node,
Identity User Details
, such as Active Directory Group, Organizational Unit, and Role associated with the user are displayed. If available,
Login Details
also appear.
5. Events table
Displays events related to the alert.
When selecting a User node, the table displays the logins, hosts, alerts, and process executions associated with the user aggregated by the Identity Analytics add-on 7 days prior to and after the analytics alert timestamp.
6. Response actions
Actions you can take in response to an Analytics alert. These actions can include isolating a host from the network, initiating a live terminal session, and adding an IP address or domain name to an external dynamic list (EDL) that is enforceable in your Palo Alto Networks firewall security policy.

Recommended For You