Cortex XDR Alerts

Cortex XDR provides an Alerts page that displays a table of all alerts reported to and surfaced from your Cortex XDR instance.
The Alerts page consolidates non-informational alerts from your detection sources so that you can efficiently and effectively triage the events you see each day. By analyzing an alert, you can better understand its cause and the full story, with context, to decide whether the alert requires additional action. Cortex XDR stores up to 2M alerts per 4,000 agents or 20 TB; half of that quota is allocated to informational alerts and half to alerts that carry a severity.
To see detailed information for an alert, you can also open it in the Causality View. From that view you can also see related informational alerts that are not presented on the Alerts page.
By default, the Alerts page displays the alerts received over the last seven days (use the page filters to change the time period). Every 12 hours, Cortex XDR enforces a cleanup policy that removes the oldest alerts exceeding the maximum alert limit.
The following table describes both the default fields and additional optional fields that you can add to the alerts table using the column manager and lists the fields in alphabetical order.
Field
Description
Status Indicator
Identifies whether there is enough endpoint data to analyze an alert.
Check box
Check box to select one or more alerts on which to perform actions. Select multiple alerts to assign all of them to an analyst, or to change the status or severity of all selected alerts at once.
ACTION
Action taken by the alert sensor, either Detected or Prevented, with the action status displayed in parentheses. Options are:
  • Detected
  • Detected (Allowed The Session)
  • Detected (Download)
  • Detected (Forward)
  • Detected (Post Detected)
  • Detected (Prompt Allow)
  • Detected (Raised An Alert)
  • Detected (Reported)
  • Detected (Scanned)
  • Detected (Sinkhole)
  • Detected (Syncookie Sent)
  • Detected (Wildfire Upload Failure)
  • Detected (Wildfire Upload Success)
  • Detected (Wildfire Upload Skip)
  • Detected (XDR Managed Threat Hunting)
  • Prevented (Block)
  • Prevented (Blocked)
  • Prevented (Block-Override)
  • Prevented (Blocked The URL)
  • Prevented (Blocked The IP)
  • Prevented (Continue)
  • Prevented (Denied The Session)
  • Prevented (Dropped All Packets)
  • Prevented (Dropped The Session)
  • Prevented (Dropped The Session And Sent a TCP Reset)
  • Prevented (Dropped The Packet)
  • Prevented (Override)
  • Prevented (Override-Lockout)
  • Prevented (Post Detected)
  • Prevented (Prompt Block)
  • Prevented (Random-Drop)
  • Prevented (Silently Dropped The Session With An ICMP Unreachable Message To The Host Or Application)
  • Prevented (Terminated The Session And Sent a TCP Reset To Both Sides Of The Connection)
  • Prevented (Terminated The Session And Sent a TCP Reset To The Client)
  • Prevented (Terminated The Session And Sent a TCP Reset To The Server)
  • N/A
AGENT OS SUB TYPE
The operating system subtype of the agent from which the alert was triggered.
ALERT ID
A unique identifier that Cortex XDR assigns to each alert.
ALERT NAME
Module that triggered the alert.
If the alert was generated by Cortex XDR, the Alert Name is the specific Cortex XDR rule that created the alert (the BIOC or IOC rule name). If it came from an external system, it carries the name assigned to it by Cortex XDR.
Alerts that match an alert starring policy also display a purple star.
For alerts coming from firewalls, duplicate alerts with the same name and host raised within 24 hours are aggregated and identified by a +n tag.
ALERT SOURCE
Source of the alert: BIOC, Analytics BIOC, IOC, XDR Agent, Firewall, or Analytics.
APP-ID
Related App-ID for an alert. App-ID is a traffic classification system that determines what an application is irrespective of port, protocol, encryption (SSH or SSL) or any other evasive tactic used by the application. When known, you can also pivot to the Palo Alto Networks Applipedia entry that describes the detected application.
APP CATEGORY
APP-ID category name associated with a firewall alert.
APP SUBCATEGORY
APP-ID subcategory name associated with a firewall alert.
APP TECHNOLOGY
APP-ID technology name associated with a firewall alert.
CATEGORY
Alert category based on the alert source. An example of an XDR Agent alert category is Exploit Modules.
An example of a BIOC alert category is Evasion. If a URL filtering category is known, this field also displays the name of the URL filtering category.
CGO CMD
Command-line arguments of the Causality Group Owner.
CGO MD5
The MD5 value of the CGO that initiated the alert.
CGO NAME
The name of the process that started the causality chain based on Cortex XDR causality logic.
CGO SHA256
The SHA256 value of the CGO that initiated the alert.
CGO SIGNATURE
Signing status of the CGO:
  • Unsigned
  • Signed
  • Invalid Signature
  • Unknown
CGO SIGNER
The name of the software publishing vendor that signed the file in the causality chain that led up to the alert.
CID
Unique identifier of the causality instance generated by Cortex XDR.
DESCRIPTION
Text summary of the event including the alert source, alert name, severity, and file path.
For alerts triggered by BIOC and IOC rules, Cortex XDR displays detailed information about the rule.
DESTINATION ZONE NAME
The destination zone of the connection for firewall alerts.
DOMAIN
The domain on which an alert was triggered.
EMAIL RECIPIENT
The email recipient of a firewall alert triggered on the content of a malicious email.
EMAIL SENDER
The email sender of a firewall alert triggered on the content of a malicious email.
EMAIL SUBJECT
The email subject of a firewall alert triggered on the content of a malicious email.
EVENT TYPE
The type of event on which the alert was triggered:
  • File Event
  • Injection Event
  • Load Image Event
  • Network Event
  • Process Execution
  • Registry Event
EXCLUDED
Whether the alert is excluded by an exclusion configuration.
EXTERNAL ID
The alert ID as recorded in the detector from which this alert was sent.
FILE PATH
When the alert triggered on a file (the Event Type is File Event), this is the path to the file on the endpoint. Otherwise, N/A.
FILE MACRO SHA256
SHA256 hash value of a Microsoft Office file macro.
FILE MD5
MD5 hash value of the file.
FILE SHA256
SHA256 hash value of the file.
FW NAME
Name of firewall on which a firewall alert was raised.
FW RULE ID
The firewall rule ID that triggered the firewall alert.
FW RULE NAME
The firewall rule name that matches the network traffic that triggered the firewall alert.
FW SERIAL NUMBER
The serial number of the firewall that raised the firewall alert.
HOST
The hostname of the endpoint or server on which this alert triggered.
HOST FQDN
The fully qualified domain name (FQDN) of the Windows endpoint or server on which this alert triggered.
HOST IP
IP address of the endpoint or server on which this alert triggered.
HOST MAC ADDRESS
MAC address of the endpoint or server on which this alert triggered.
HOST OS
Operating system of the endpoint or server on which this alert triggered.
INCIDENT ID
The ID of the incident that includes the alert, if any.
INITIATED BY
The name of the process that initiated an activity such as a network connection or registry change.
INITIATOR MD5
The MD5 value of the process which initiated the alert.
INITIATOR SHA256
The SHA256 hash value of the initiator.
INITIATOR CMD
Command-line used to initiate the process including any arguments.
INITIATOR SIGNATURE
Signing status of the process that initiated the activity:
  • Unsigned
  • Signed
  • Invalid Signature
  • Unknown
INITIATOR PATH
Path of the initiating process.
INITIATOR PID
Process ID (PID) of the initiating process.
INITIATOR SIGNER
Signer of the process that triggered the alert.
INITIATOR TID
Thread ID (TID) of the initiating process.
IS PHISHING
Indicates whether a firewall alert is classified as phishing.
LOCAL IP
If the alert triggered on network activity (the Event Type is Network Event), this is the IP address of the host that triggered the alert. Otherwise, N/A.
LOCAL PORT
If the alert triggered on network activity (the Event Type is Network Event), this is the port on the endpoint that triggered the alert. Otherwise, N/A.
MAC ADDRESS
The MAC address on which the alert was triggered.
MISC
Miscellaneous information about the alert.
MITRE ATT&CK TACTIC
Displays the type of MITRE ATT&CK tactic on which the alert was triggered.
MITRE ATT&CK TECHNIQUE
Displays the type of MITRE ATT&CK technique and sub-technique on which the alert was triggered.
MODULE
For XDR Agent alerts, this field identifies the protection module that triggered the alert.
NGFW VSYS NAME
Name of the virtual system for the Palo Alto Networks firewall that triggered an alert.
OS PARENT CREATED BY
Name of the OS parent process of the initiating process, that is, the parent according to the operating system's process tree.
OS PARENT CMD
Command line, including any arguments, used to launch the OS parent process.
OS PARENT SIGNATURE
Signing status of the OS parent process:
  • Unsigned
  • Signed
  • Invalid Signature
  • Unknown
OS PARENT SIGNER
Signer of the OS parent process.
OS PARENT SHA256
SHA256 hash value of the OS parent process executable.
OS PARENT ID
Identifier of the OS parent process instance.
OS PARENT PID
Process ID (PID) of the OS parent process.
OS PARENT TID
Thread ID (TID) of the OS parent process.
OS PARENT USER NAME
Name of the user in whose context the OS parent process ran.
PROCESS EXECUTION SIGNATURE
Signature status of the process that triggered the alert:
  • Unsigned
  • Signed
  • Invalid Signature
  • Unknown
PROCESS EXECUTION SIGNER
Signer of the process that triggered the alert.
REGISTRY DATA
If the alert triggered on a registry modification (the Event Type is Registry Event), this is the registry data that triggered the alert. Otherwise, N/A.
REGISTRY FULL KEY
If the alert triggered on a registry modification (the Event Type is Registry Event), this is the full registry key that triggered the alert. Otherwise, N/A.
REMOTE HOST
If the alert triggered on network activity (the Event Type is Network Event), this is the remote host name that triggered the alert. Otherwise, N/A.
REMOTE IP
The remote IP address of a network operation that triggered the alert.
REMOTE PORT
The remote port of a network operation that triggered the alert.
RULE ID
The ID that matches the rule that triggered the alert.
SEVERITY
The severity that was assigned to this alert when it was triggered (or modified): Informational, Low, Medium, High, or Unknown.
For BIOC and IOC rules, you define the severity when you create the rule.
Insights are low- and informational-severity alerts that do not raise incidents but provide additional details when you investigate an event.
STARRED
Whether the alert is starred by starring configuration.
SOURCE ZONE NAME
The source zone name of the connection for firewall alerts.
TARGET FILE SHA256
The SHA256 hash value of an external DLL file that triggered the alert.
TARGET PROCESS CMD
The command-line of the process whose creation triggered the alert.
TARGET PROCESS NAME
The name of the process whose creation triggered the alert.
TARGET PROCESS SHA256
The SHA256 value of the process whose creation triggered the alert.
TIMESTAMP
The date and time when the alert was triggered.
URL
The URL destination address of the domain triggering the firewall alert.
USER NAME
The name of the user that initiated the behavior that triggered the alert. If the user is a domain user account, this field also identifies the domain.
XFF
The X-Forwarded-For HTTP header value, which carries the original client IP address when the connection passed through a proxy.
From the Alerts page, you can also perform additional actions to manage alerts and pivot on specific alerts for a deeper understanding of the cause of the event.
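The ACTION format, the +n aggregation rule for firewall alerts, and the signature fields described in the table lend themselves to a small triage pass over exported alerts. The following Python is an added example written for this page, not Palo Alto Networks code: it assumes alert records exported as dicts whose keys mirror the column names above, the sample records are constructed, and the 24-hour aggregation window is anchored at the first alert of each group, which is an assumption since the page does not say how the window is measured.

```python
"""Triage over Cortex XDR alert records: parse the ACTION column, fold
duplicate firewall alerts into a '+n' tag, and rank what to look at first.

Added example, not Palo Alto Networks code. Alert records are assumed to
be dicts keyed by the Alerts table column names; SAMPLE_ALERTS below is
constructed for illustration.
"""
import re
from datetime import datetime, timedelta

# ACTION cells look like "Detected", "Detected (Reported)" or
# "Prevented (Blocked The URL)"; anything else (e.g. "N/A") is unparsed.
ACTION_RE = re.compile(r"^(Detected|Prevented)(?:\s*\((.+)\))?$")

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0, "Unknown": 0}


def parse_action(action):
    """Return (outcome, status) for an ACTION cell, e.g.
    'Prevented (Blocked The URL)' -> ('Prevented', 'Blocked The URL');
    'Detected' -> ('Detected', None); 'N/A' -> (None, None)."""
    m = ACTION_RE.match(action.strip())
    return (m.group(1), m.group(2)) if m else (None, None)


def aggregate_firewall_alerts(alerts, window=timedelta(hours=24)):
    """Fold firewall alerts with the same ALERT NAME and HOST that fall
    within `window` of the first alert of the group into that first
    record, tagging it '+n' (n = duplicates folded in). Assumption: the
    window is anchored at the group's first alert, which the page does
    not specify. Non-firewall alerts pass through unchanged; the result
    is in TIMESTAMP order."""
    groups = {}  # (ALERT NAME, HOST) -> (first timestamp, merged record)
    out = []
    for a in sorted(alerts, key=lambda r: r["TIMESTAMP"]):
        if a["ALERT SOURCE"] != "Firewall":
            out.append(dict(a))
            continue
        key = (a["ALERT NAME"], a["HOST"])
        grp = groups.get(key)
        if grp is not None and a["TIMESTAMP"] - grp[0] <= window:
            grp[1]["_dups"] += 1          # duplicate inside the window
            continue
        rec = dict(a, _dups=0)            # first alert of a new group
        groups[key] = (a["TIMESTAMP"], rec)
        out.append(rec)
    for rec in out:
        n = rec.pop("_dups", 0)
        if n:
            rec["TAG"] = f"+{n}"
    return out


def triage_key(alert):
    """Higher tuple sorts first: alerts the sensor only Detected (the
    activity went through) before Prevented ones, then by severity, then
    unsigned / invalidly signed initiators before signed ones."""
    outcome, _status = parse_action(alert["ACTION"])
    not_blocked = 1 if outcome == "Detected" else 0
    sig = alert.get("INITIATOR SIGNATURE", "Unknown")
    bad_sig = 1 if sig in ("Unsigned", "Invalid Signature") else 0
    return (not_blocked, SEVERITY_RANK.get(alert["SEVERITY"], 0), bad_sig)


def triage(alerts):
    """Aggregate, drop informational insights (they raise no incidents),
    and order by triage_key. sorted() is stable, so ties keep time order."""
    rows = aggregate_firewall_alerts(alerts)
    rows = [r for r in rows if r["SEVERITY"] != "Informational"]
    return sorted(rows, key=triage_key, reverse=True)


T0 = datetime(2024, 1, 1, 9, 0, 0)


def _rec(alert_id, name, source, host, action, severity, sig, offset):
    return {"ALERT ID": alert_id, "ALERT NAME": name, "ALERT SOURCE": source,
            "HOST": host, "ACTION": action, "SEVERITY": severity,
            "INITIATOR SIGNATURE": sig, "TIMESTAMP": T0 + offset}


# Constructed sample records, not real telemetry.
SAMPLE_ALERTS = [
    _rec(1, "Suspicious Process Creation", "XDR Agent", "ws-01",
         "Detected (Reported)", "Medium", "Unsigned", timedelta(0)),
    _rec(2, "WildFire Malware", "XDR Agent", "ws-02",
         "Prevented (Blocked)", "High", "Signed", timedelta(minutes=5)),
    _rec(3, "Malicious URL", "Firewall", "ws-03",
         "Prevented (Blocked The URL)", "Low", "Unknown", timedelta(hours=1)),
    _rec(4, "Malicious URL", "Firewall", "ws-03",          # within 24h of #3
         "Prevented (Blocked The URL)", "Low", "Unknown", timedelta(hours=2)),
    _rec(5, "Malicious URL", "Firewall", "ws-03",          # 29h after #3: new group
         "Prevented (Blocked The URL)", "Low", "Unknown", timedelta(hours=30)),
    _rec(6, "New Admin Login", "Analytics", "ws-01",
         "N/A", "Informational", "Unknown", timedelta(minutes=1)),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS):
        print(r["ALERT ID"], r["SEVERITY"], r["ACTION"], r["ALERT NAME"], r.get("TAG", ""))
```

The ranking puts Detected ahead of Prevented because a Detected alert means the sensor let the activity proceed, so it is the one that may need containment; severity and signing status break ties. The informational record is dropped because, as the page notes, insights do not raise incidents, and the two firewall alerts an hour apart collapse into one row tagged +1 while the one 30 hours later starts a new group.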
