Cortex XDR Alerts
Cortex XDR provides an Alerts table that you can use to view all the alerts reported to and surfaced from your Cortex XDR instance.
The Alerts page displays a table of all alerts in Cortex XDR.
The Alerts page consolidates non-informational alerts from your detection sources to enable you to efficiently and effectively triage the events you see each day. By analyzing the alert, you can better understand the cause of what happened and the full story with context to validate whether an alert requires additional action. Cortex XDR supports saving 2M alerts per 4000 agents or 20 terabytes; half of the alerts are allocated for informational alerts, and half for severity alerts.
By default, the Alerts page displays the alerts that it received over the last seven days (to modify the time period, use the page filters). Every 12 hours, Cortex XDR enforces a cleanup policy to remove the oldest alerts that exceed the maximum alerts limit.
The following table describes both the default fields and additional optional fields that you can add to the alerts table using the column manager and lists the fields in alphabetical order.
Status Indicator
Identifies whether there is enough endpoint data to analyze an alert.
Check box to select one or more alerts on which to perform actions. Select multiple alerts to assign all selected alerts to an analyst, or to change the status or severity of all selected alerts.
Action taken by the alert sensor, such as Prevented, with the action status displayed in parentheses.
AGENT OS SUBTYPE
The operating system subtype of the agent from which the alert was triggered.
A unique identifier that Cortex XDR assigns to each alert.
Module that triggered the alert.
If the alert was generated by Cortex XDR, the Alert Name will be the specific Cortex XDR rule that created the alert (BIOC or IOC rule name). If from an external system, it will carry the name assigned to it by Cortex XDR. Alerts that match an alert starring policy also display a purple star.
For alerts coming from firewalls, if duplicate alerts with the same name and host are raised within 24 hours, they are aggregated and identified by a
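The two housekeeping behaviours described above, the 12-hour cleanup with separate informational and severity quotas and the 24-hour aggregation of duplicate firewall alerts with the same name and host, are modelled below as an added example. This is illustrative code written for this page, not Cortex XDR's own implementation or API: the `Alert` attribute names are this example's own (chosen to mirror the table's column names, not API field names), the sample alerts are constructed, and the assumption that the 24-hour window is measured from the first alert of a group is this example's, since the page does not say how the window is anchored.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Simplified alert record. Attribute names are this example's own, chosen to
# mirror the Alerts table columns; they are NOT Cortex XDR API field names.
@dataclass(frozen=True)
class Alert:
    alert_id: int
    timestamp: datetime
    alert_name: str
    host_name: str
    alert_source: str   # e.g. "Firewall", "XDR Agent", "BIOC"
    severity: str       # Informational, Low, Medium, High, or Unknown

AGGREGATION_WINDOW = timedelta(hours=24)

def aggregate_firewall_alerts(alerts: Iterable[Alert]) -> list[tuple[Alert, int]]:
    """Collapse duplicate firewall alerts (same name and host) raised within
    24 hours of the first alert in the group into one row carrying a count.
    Alerts from other sources pass through unchanged with a count of 1.
    Assumption: the window is anchored on the first alert of the group."""
    rows: list[tuple[Alert, int]] = []
    open_groups: dict[tuple[str, str], int] = {}  # (name, host) -> index into rows
    for alert in sorted(alerts, key=lambda a: a.timestamp):
        if alert.alert_source != "Firewall":
            rows.append((alert, 1))
            continue
        key = (alert.alert_name, alert.host_name)
        idx = open_groups.get(key)
        if idx is not None and alert.timestamp - rows[idx][0].timestamp <= AGGREGATION_WINDOW:
            first, count = rows[idx]
            rows[idx] = (first, count + 1)   # duplicate inside the window
        else:
            rows.append((alert, 1))          # first alert of a new window
            open_groups[key] = len(rows) - 1
    return rows

def enforce_retention(alerts: Iterable[Alert], max_total: int) -> list[Alert]:
    """Model the cleanup policy: half of the limit is reserved for
    informational alerts and half for severity alerts; within each bucket
    the oldest alerts beyond the quota are removed. Returns the survivors
    in chronological order."""
    quota = max_total // 2
    informational = [a for a in alerts if a.severity == "Informational"]
    severity = [a for a in alerts if a.severity != "Informational"]
    kept: list[Alert] = []
    for bucket in (informational, severity):
        bucket.sort(key=lambda a: a.timestamp, reverse=True)  # newest first
        kept.extend(bucket[:quota])
    return sorted(kept, key=lambda a: a.timestamp)

# Constructed sample data for this example.
T0 = datetime(2024, 1, 1, 8, 0)
SAMPLE_ALERTS = [
    Alert(1, T0, "Malicious URL", "fw-host-1", "Firewall", "Medium"),
    Alert(2, T0 + timedelta(hours=5), "Malicious URL", "fw-host-1", "Firewall", "Medium"),   # dup, in window
    Alert(3, T0 + timedelta(hours=30), "Malicious URL", "fw-host-1", "Firewall", "Medium"),  # outside window
    Alert(4, T0 + timedelta(hours=1), "Malicious URL", "fw-host-2", "Firewall", "Medium"),   # different host
    Alert(5, T0 + timedelta(hours=2), "Suspicious process", "ep-1", "XDR Agent", "High"),
    Alert(6, T0 + timedelta(hours=3), "Process info", "ep-1", "XDR Agent", "Informational"),
    Alert(7, T0 + timedelta(hours=4), "Process info", "ep-1", "XDR Agent", "Informational"),
]

if __name__ == "__main__":
    for alert, count in aggregate_firewall_alerts(SAMPLE_ALERTS):
        print(f"{alert.timestamp:%Y-%m-%d %H:%M} {alert.alert_source:10} {alert.alert_name:20} x{count}")
    survivors = enforce_retention(SAMPLE_ALERTS, max_total=4)
    print("kept after cleanup:", [a.alert_id for a in survivors])
```

With a limit of 4, both informational alerts survive while only the two newest severity alerts do, which is why the split quota matters when sizing retention: a burst of severity alerts cannot evict informational ones, and vice versa.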
Source of the alert: BIOC, Analytics BIOC, IOC, XDR Agent, Firewall, or Analytics.
Related App-ID for an alert. App-ID is a traffic classification system that determines what an application is irrespective of port, protocol, encryption (SSH or SSL) or any other evasive tactic used by the application. When known, you can also pivot to the Palo Alto Networks Applipedia entry that describes the detected application.
APP-ID category name associated with a firewall alert.
APP-ID subcategory name associated with a firewall alert.
APP-ID technology name associated with a firewall alert.
Alert category based on the alert source. An example of an XDR Agent alert category is Exploit Modules.
An example of a BIOC alert category is Evasion. If a URL filtering category is known, this field also displays the name of the URL filtering category.
Command-line arguments of the Causality Group Owner.
The MD5 value of the CGO which initiated the alert.
The name of the process that started the causality chain based on Cortex XDR causality logic.
Signing status of the CGO:
The name of the software publishing vendor that signed the file in the causality chain that led up to the alert.
Unique identifier of the causality instance generated by Cortex XDR.
Text summary of the event including the alert source, alert name, severity, and file path.
For alerts triggered by BIOC and IOC rules, Cortex XDR displays detailed information about the rule.
DESTINATION ZONE NAME
The destination zone of the connection for firewall alerts.
The domain on which an alert was triggered.
The email recipient value of a firewall alert triggered on the content of a malicious email.
The email sender value of a firewall alert triggered on the content of a malicious email.
The email subject value of a firewall alert triggered on the content of a malicious email.
The type of event on which the alert was triggered:
Whether the alert is excluded by an exclusion configuration.
The alert ID as recorded in the detector from which this alert was sent.
When the alert triggered on a file (the Event Type is File), this is the path to the file on the endpoint. If not, then N/A.
FILE MACRO SHA256
SHA256 hash value of a Microsoft Office file macro.
MD5 hash value of the file.
SHA256 hash value of the file.
Name of firewall device relevant for firewall alerts.
FW RULE ID
The firewall rule ID that matches the network traffic that triggered the firewall alert.
FW RULE NAME
The firewall rule name that matches the network traffic that triggered the firewall alert.
FW SERIAL NUMBER
The serial number of the firewall that raised the firewall alert.
The fully qualified domain name (FQDN) of the Windows endpoint or server on which this alert triggered.
IP address of the endpoint or server on which this alert triggered.
HOST MAC ADDRESS
MAC address of the endpoint or server on which this alert triggered.
The endpoint or server on which this alert triggered.
Operating system of the endpoint or server on which this alert triggered.
The name of the process that initiated an activity such as a network connection or registry change.
The MD5 value of the process which initiated the alert.
The SHA256 hash value of the initiator.
Command-line used to initiate the process including any arguments.
Signing status of the process that initiated the activity:
Process ID (PID) of the initiating process.
Signer of the process that triggered the alert.
Thread ID (TID) of the initiating process.
Indicates whether a firewall alert is classified as phishing.
If the alert triggered on network activity (the Event Type is Network Connection), this is the IP address of the host that triggered the alert. If not, then N/A.
If the alert triggered on network activity (the Event Type is Network Connection), this is the port on the endpoint that triggered the alert. If not, then N/A.
The MAC address on which the alert was triggered.
MITRE ATT&CK TACTIC
The MITRE ATT&CK tactic associated with the behavior that triggered the alert.
MITRE ATT&CK TECHNIQUE
The MITRE ATT&CK technique and sub-technique associated with the behavior that triggered the alert.
NGFW VSYS NAME
Name of the firewall virtual system (vsys) for a firewall-triggered alert.
OS PARENT CREATED BY
Name of the parent operating system that created the alert.
OS PARENT CMD
Command-line used by the parent operating system to initiate the process, including any arguments.
OS PARENT SIGNATURE
Signing status of the operating system of the activity:
OS PARENT SIGNER
Parent operating system signer.
OS PARENT SHA256
Parent operating system SHA256 hash value.
OS PARENT ID
Parent operating system ID.
OS PARENT PID
OS parent process ID.
OS PARENT TID
OS parent thread ID.
PROCESS EXECUTION SIGNATURE
Signature status of the process that triggered the alert:
PROCESS EXECUTION SIGNER
Signer of the process that triggered the alert.
If the alert triggered on registry modifications (the Event Type is Registry), this is the registry data that triggered the alert. If not, then N/A.
REGISTRY FULL KEY
If the alert triggered on registry modifications (the Event Type is Registry), this is the full registry key that triggered the alert. If not, then N/A.
If the alert triggered on network activity (the Event Type is Network Connection), this is the remote host name that triggered the alert. If not, then N/A.
The remote IP address of a network operation that triggered the alert.
The remote port of a network operation that triggered the alert.
The severity that was assigned to this alert when it was triggered (or modified): Informational, Low, Medium, High, or Unknown.
For BIOC and IOC rules, you define the severity when you create the rule.
Insights are low and informational severity alerts that do not raise incidents, but provide additional details when investigating an event.
Whether the alert is starred by an alert starring configuration.
SOURCE ZONE NAME
The source zone name of the connection for firewall alerts.
TARGET FILE SHA256
The SHA256 hash value of an external DLL file that triggered the alert.
TARGET PROCESS CMD
The command-line of the process whose creation triggered the alert.
TARGET PROCESS NAME
The name of the process whose creation triggered the alert.
TARGET PROCESS SHA256
The SHA256 value of the process whose creation triggered the alert.
The date and time when the alert was triggered.
The URL destination address of the domain triggering the firewall alert.
The X-Forwarded-For value from the HTTP header, which carries the IP address of the client connecting through a proxy.
From the Alerts page, you can also perform additional actions to manage alerts and pivot on specific alerts for a deeper understanding of the cause of the event.