Cortex XDR Alerts

Cortex XDR provides an Alerts table that you can use to view all the alerts reported to and surfaced from your Cortex XDR instance.
The Alerts page displays a table of all alerts in Cortex XDR.
The Alerts page consolidates non-informational alerts from your detection sources so that you can efficiently triage the events you see each day. By analyzing an alert, you can better understand what happened and see the full story with context, which lets you decide whether the alert requires additional action. Cortex XDR supports saving 2M alerts per 4000 agents or 20 terabytes; half of the alerts are allocated for informational alerts and half for severity alerts.
To view detailed information for an alert, open it in the Causality View. From there you can also view related informational alerts that are not presented on the Alerts page.
By default, the Alerts page displays the alerts received over the last seven days (use the page filters to modify the time period). Every 12 hours, Cortex XDR enforces a cleanup policy that removes the oldest alerts exceeding the maximum alerts limit.
The following table describes both the default fields and the additional optional fields that you can add to the alerts table using the column manager. Fields are listed in alphabetical order; each field name is followed by its description.
STATUS INDICATOR (icon)
Identifies whether there is enough endpoint data to analyze an alert.
CHECK BOX
Check box to select one or more alerts on which to perform actions. Select multiple alerts to assign all selected alerts to an analyst, or to change the status or severity of all selected alerts.
ACTION
Action taken by the alert sensor, either Detected or Prevented, with the action status displayed in parentheses. For example:
  • Detected
  • Detected (Download)
  • Detected (Post Detected)
  • Detected (Prompt Allow)
  • Detected (Reported)
  • Detected (Scanned)
  • Prevented (Blocked)
  • Prevented (Prompt Block)
  • Prevented (Post Detected)
AGENT OS SUBTYPE
The operating system subtype of the agent from which the alert was triggered.
ALERT ID
A unique identifier that Cortex XDR assigns to each alert.
ALERT NAME
Module that triggered the alert.
If the alert was generated by Cortex XDR, the Alert Name will be the specific Cortex XDR rule that created the alert (BIOC or IOC rule name). If from an external system, it will carry the name assigned to it by Cortex XDR.
Alerts that match an alert starring policy also display a purple star.
For alerts coming from firewalls, if duplicate alerts with the same name and host are raised within 24 hours, they are aggregated and identified by a +n tag.
ALERT SOURCE
Source of the alert: BIOC, Analytics BIOC, IOC, XDR Agent, Firewall, or Analytics.
APP ID
Related App-ID for an alert. App-ID is a traffic classification system that determines what an application is irrespective of port, protocol, encryption (SSH or SSL) or any other evasive tactic used by the application. When known, you can also pivot to the Palo Alto Networks Applipedia entry that describes the detected application.
APP CATEGORY
APP-ID category name associated with a firewall alert.
APP SUBCATEGORY
APP-ID subcategory name associated with a firewall alert.
APP TECHNOLOGY
APP-ID technology name associated with a firewall alert.
CATEGORY
Alert category based on the alert source. An example of an XDR Agent alert category is Exploit Modules.
An example of a BIOC alert category is Evasion. If a URL filtering category is known, this field also displays the name of the URL filtering category.
CGO CMD
Command-line arguments of the Causality Group Owner.
CGO MD5
The MD5 value of the CGO which initiated the alert.
CGO NAME
The name of the process that started the causality chain based on Cortex XDR causality logic.
CGO SIGNATURE
Signing status of the CGO:
  • Unsigned
  • Signed
  • Invalid Signature
  • Unknown
CGO SIGNER
The name of the software publishing vendor that signed the file in the causality chain that led up to the alert.
CID
Unique identifier of the causality instance generated by Cortex XDR.
DESCRIPTION
Text summary of the event including the alert source, alert name, severity, and file path.
For alerts triggered by BIOC and IOC rules, Cortex XDR displays detailed information about the rule.
DESTINATION ZONE NAME
The destination zone of the connection for firewall alerts.
DOMAIN
The domain on which an alert was triggered.
EMAIL RECIPIENT
The email recipient value of a firewall alert triggered on the content of a malicious email.
EMAIL SENDER
The email sender value of a firewall alert triggered on the content of a malicious email.
EMAIL SUBJECT
The email subject value of a firewall alert triggered on the content of a malicious email.
EVENT TYPE
The type of event on which the alert was triggered:
  • File Event
  • Injection Event
  • Load Image Event
  • Network Event
  • Process Execution
  • Registry Event
EXCLUDED
Whether the alert is excluded by an exclusion configuration.
EXTERNAL ID
The alert ID as recorded in the detector from which this alert was sent.
FILE PATH
When the alert triggered on a file (the Event Type is File) this is the path to the file on the endpoint. If not, then N/A.
FILE MACRO SHA256
SHA256 hash value of a Microsoft Office file macro.
FILE MD5
MD5 hash value of the file.
FILE SHA256
SHA256 hash value of the file.
FW NAME
Name of firewall device relevant for firewall alerts.
FW RULE ID
The firewall rule ID that matches the network traffic that triggered the firewall alert.
FW RULE NAME
The firewall rule name that matches the network traffic that triggered the firewall alert.
FW SERIAL NUMBER
The serial number of the firewall that raised the firewall alert.
HOST FQDN
The fully qualified domain name (FQDN) of the Windows endpoint or server on which this alert triggered.
HOST IP
IP address of the endpoint or server on which this alert triggered.
HOST MAC ADDRESS
MAC address of the endpoint or server on which this alert triggered.
HOST NAME
The endpoint or server on which this alert triggered.
HOST OS
Operating system of the endpoint or server on which this alert triggered.
INITIATED BY
The name of the process that initiated an activity such as a network connection or registry change.
INITIATOR MD5
The MD5 value of the process which initiated the alert.
INITIATOR SHA256
The SHA256 hash value of the initiator.
INITIATOR CMD
Command-line used to initiate the process including any arguments.
INITIATOR SIGNATURE
Signing status of the process that initiated the activity:
  • Unsigned
  • Signed
  • Invalid Signature
  • Unknown
INITIATOR PID
Process ID (PID) of the initiating process.
INITIATOR SIGNER
Signer of the process that triggered the alert.
INITIATOR TID
Thread ID (TID) of the initiating process.
IS PHISHING
Indicates whether a firewall alert is classified as phishing.
LOCAL IP
If the alert triggered on network activity (the Event Type is Network Connection) this is the IP address of the host that triggered the alert. If not, then N/A.
LOCAL PORT
If the alert triggered on network activity (the Event Type is Network Connection) this is the port on the endpoint that triggered the alert. If not, then N/A.
MAC ADDRESS
The MAC address on which the alert was triggered.
MITRE ATT&CK TACTIC
The MITRE ATT&CK tactic on which the alert triggers.
MITRE ATT&CK TECHNIQUE
The MITRE ATT&CK technique and sub-technique on which the alert triggers.
NGFW VSYS NAME
Name of the firewall virtual system of a firewall triggered alert.
OS PARENT CREATED BY
Name of the parent operating system that created the alert.
OS PARENT CMD
Command-line used by the parent operating system to initiate the process, including any arguments.
OS PARENT SIGNATURE
Signing status of the operating system of the activity:
  • Unsigned
  • Signed
  • Invalid Signature
  • Unknown
OS PARENT SIGNER
Parent operating system signer.
OS PARENT SHA256
Parent operating system SHA256 hash value.
OS PARENT ID
Parent operating system ID.
OS PARENT PID
OS parent process ID.
OS PARENT TID
OS parent thread ID.
PROCESS EXECUTION SIGNATURE
Signature status of the process that triggered the alert:
  • Unsigned
  • Signed
  • Invalid Signature
  • Unknown
PROCESS EXECUTION SIGNER
Signer of the process that triggered the alert.
REGISTRY DATA
If the alert triggered on registry modifications (the Event Type is Registry) this is the registry data that triggered the alert. If not, then N/A.
REGISTRY FULL KEY
If the alert triggered on registry modifications (the Event Type is Registry) this is the full registry key that triggered the alert. If not, then N/A.
REMOTE HOST
If the alert triggered on network activity (the Event Type is Network Connection) this is the remote host name that triggered the alert. If not, then N/A.
REMOTE IP
The remote IP address of a network operation that triggered the alert.
REMOTE PORT
The remote port of a network operation that triggered the alert.
SEVERITY
The severity that was assigned to this alert when it was triggered (or modified): Informational, Low, Medium, High, or Unknown.
For BIOC and IOCs, you define the severity when you create the rule.
Insights are low and informational severity alerts that do not raise incidents, but provide additional details when investigating an event.
STARRED
Whether the alert is starred by starring configuration.
SOURCE ZONE NAME
The source zone name of the connection for firewall alerts.
TARGET FILE SHA256
The SHA256 hash value of an external DLL file that triggered the alert.
TARGET PROCESS CMD
The command-line of the process whose creation triggered the alert.
TARGET PROCESS NAME
The name of the process whose creation triggered the alert.
TARGET PROCESS SHA256
The SHA256 value of the process whose creation triggered the alert.
TIMESTAMP
The date and time when the alert was triggered.
URL
The URL destination address of the domain triggering the firewall alert.
XFF
X-Forwarded-For value from the HTTP header of the IP address connecting with a proxy.
From the Alerts page, you can also perform additional actions to manage alerts and pivot on specific alerts for a deeper understanding of the cause of the event.
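As an added example (not code from Cortex XDR or Palo Alto Networks documentation), the following Python script models two behaviours the page describes: informational alerts are kept off the Alerts page, and duplicate firewall alerts with the same name and host raised within 24 hours are collapsed into one row carrying a +n tag, while XDR Agent alerts stay separate. The alert records, the use of the table's field names as dictionary keys, and the reading of the window as 24 hours from the first alert of each group are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample alerts (hypothetical values) keyed by field names from the table above.
SAMPLE_ALERTS = [
    {"ALERT ID": 1, "ALERT SOURCE": "Firewall", "ALERT NAME": "Suspicious DNS Query",
     "HOST NAME": "ws-01", "SEVERITY": "Medium", "TIMESTAMP": "2024-01-10T08:00:00"},
    {"ALERT ID": 2, "ALERT SOURCE": "Firewall", "ALERT NAME": "Suspicious DNS Query",
     "HOST NAME": "ws-01", "SEVERITY": "Medium", "TIMESTAMP": "2024-01-10T09:30:00"},
    # Same name and host, but more than 24 hours after the first one: starts a new row.
    {"ALERT ID": 3, "ALERT SOURCE": "Firewall", "ALERT NAME": "Suspicious DNS Query",
     "HOST NAME": "ws-01", "SEVERITY": "Medium", "TIMESTAMP": "2024-01-11T10:00:00"},
    # Different host: never merged with the ws-01 group.
    {"ALERT ID": 4, "ALERT SOURCE": "Firewall", "ALERT NAME": "Suspicious DNS Query",
     "HOST NAME": "ws-02", "SEVERITY": "Medium", "TIMESTAMP": "2024-01-10T08:05:00"},
    # XDR Agent alerts are listed individually even when they repeat.
    {"ALERT ID": 5, "ALERT SOURCE": "XDR Agent", "ALERT NAME": "Behavioral Threat",
     "HOST NAME": "ws-01", "SEVERITY": "High", "TIMESTAMP": "2024-01-10T08:10:00"},
    {"ALERT ID": 6, "ALERT SOURCE": "XDR Agent", "ALERT NAME": "Behavioral Threat",
     "HOST NAME": "ws-01", "SEVERITY": "High", "TIMESTAMP": "2024-01-10T08:12:00"},
    # Informational alerts are not shown on the Alerts page at all.
    {"ALERT ID": 7, "ALERT SOURCE": "BIOC", "ALERT NAME": "Noisy Rule",
     "HOST NAME": "ws-03", "SEVERITY": "Informational", "TIMESTAMP": "2024-01-10T08:20:00"},
]

# Assumption: the 24-hour window is measured from the first alert of each group.
AGGREGATION_WINDOW = timedelta(hours=24)


def consolidate(alerts):
    """Return (ALERT ID, tag) rows in the order the Alerts page would list them.
    Informational alerts are dropped; firewall alerts with the same ALERT NAME and
    HOST NAME inside the window collapse into the first alert's row, tagged '+n'."""
    visible = sorted((a for a in alerts if a["SEVERITY"] != "Informational"),
                     key=lambda a: a["TIMESTAMP"])
    rows = []        # each row: [alert_id, timestamp of first alert, extra duplicates]
    open_group = {}  # (ALERT NAME, HOST NAME) -> index in rows of the open firewall group
    for a in visible:
        ts = datetime.fromisoformat(a["TIMESTAMP"])
        key = (a["ALERT NAME"], a["HOST NAME"])
        idx = open_group.get(key)
        if (a["ALERT SOURCE"] == "Firewall" and idx is not None
                and ts - rows[idx][1] <= AGGREGATION_WINDOW):
            rows[idx][2] += 1          # fold the duplicate into the existing row
            continue
        rows.append([a["ALERT ID"], ts, 0])
        if a["ALERT SOURCE"] == "Firewall":
            open_group[key] = len(rows) - 1
    return [(alert_id, f"+{n}" if n else "") for alert_id, _, n in rows]
```

Running consolidate(SAMPLE_ALERTS) lists alert 1 with a +1 tag (alert 2 folded in), alert 3 as its own row because it falls outside the window, and drops the informational alert 7.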
