Manage Alerts
You can manage Cortex XDR alerts and view alert details
from the Alerts page.
From
the
Alerts
page, you can manage the alerts
you see and the information Cortex XDR displays about each alert.The options available can change
depending on the
Alert Source
.
Copy Alerts
You can copy an alert into memory as follows:
- Copy the URL of the alert record
- Copy the value for an alert field
- Copy the entire row of alert record
With
either option, you can paste the contents of memory into an email
to send. This is helpful if you need to share or discuss a specific
alert with someone. If you copy a field value, you can also easily
paste it into a search or begin a query.
- Create a URL for an alert record:
- From theAlertspage, right-click the alert you want to send.
- SelectCopy alert URL.Cortex XDR saves the URL to memory.
- Paste the URL into an email or use as needed to share the alert.
- Copy a field value in an alert record:
- From theAlertspage, right-click the field in the alert that you want to copy.
- SelectCopy text to clipboard.Cortex XDR saves the field contents to memory.
- Paste the value into an email or use as needed to share information from the alert.
- Copy the entire row of alert record
- From theAlertspage, right-click on one or more alerts you want to copy.
- SelectCopy entire row(s).
- Paste the value into an email or use as needed to share information from the alert.
Analyze an Alert
To help you understand the full context of
an alert, Cortex XDR provides a powerful analysis view that empowers
you to make a thorough analysis very quickly.
The Causality
View is available for XDR agent alerts that are based on endpoint
data and for alerts raised on network traffic logs that have been
stitched with endpoint data.
To view the analysis:
- From theAlertspage, locate the alert you want to analyze.
- Right-click anywhere in the alert, and selectInvestigate Causality Chain.
- Choose whether to open the Causality View card for an alert in a new tab or the same tab.You can also view the causality chain over time using the Timeline view.
- Review the chain of execution and available data for the process and, if available, navigate through the processes tree.
Pivot to Views
From any listed alert you can pivot to the
following alert-related views:
- Open Asset View—Open the Asset View panel and view information related to the alert there.
- View full endpoint details—View the full details of the endpoint to which the alert relates.
- View related incident—View information about an incident related to the alert.
- View Observed Behaviors—View information about observed behaviors that are related to the alert.
To
pivot to any of these views:
- Right-click a listed alert.
- From the pop-up menu, select the view to which you want to pivot.
Create Profile Exceptions
For XDR Agent alerts, you can create profile
exceptions for Window processes, BTP, and JAVA deserialization alerts
directly from the
Alerts
table.- Right-click anXDR Agentalert which has a category ofExploitandCreate alert exception.
- Select anException Scope:
- Global—Apply the exception across your organization.
- Profile—Apply the exception to an existing profile or click and enter aProfile Nameto create a new profile.
- Addthe scope.
- (Optional) View your profile exceptions.
- Navigate to .
- In theProfilestable, locate the OS in which you created your global or profile exception and right-click to view or edit the exception properties.
Add File
Path to Malware Profile Allow List
Add a file path to an existing Malware profile
allow list directly from the
Alerts
table.- In theAlertstable, select theInitiator Path,CGO path, and/orFile Pathfield values you want to add to your malware profile allow list.
- Right-click and selectAdd.<path type>to malware profile allow list
- In theAdddialog, select from your existing<path type>to malware profile allow listProfilesandModulesto which you want to add the file path to the allow list.
- (Optional) View your Malware profile allow list.
- Navigate to and locate the malware profile you selected.
- Right-click, selectEdit Profileand locate in theFiles / Folders in Allow Listsection the path file you added.
Create a Featured Alert Field
To better highlight alerts that are significant
to you, Cortex XDR enables you to label specific alert attributes
as Featured Alert Fields. Featured alert fields help you track in
the Alerts Table alerts that involve a specific host names, user
names, and IP addresses.
- Navigate to and select a type of featured field:
- Hosts
- Users
- IP Addresses
- Active Directory
- In the field type table,Add featuredto define a list of alert fields you want flagged in the Alerts Table. You can either<field-type>Create Newfeatured alert field from scratch orUpload from File.
- To create a new alert field:
- Enter one or more field-type values of the andAddto the list.
- (Optional) Add a comment.
- Add the featured alert field.
- To import fields:
- BrowseorDrag and DropyourCSVfile of field values.Download example fileto ensure you using the correct format.
- Importyour file.
- (Optional) Manage your featured alert field list.
- Locate the alert field you want to edit or delete.
- Right-click andEditto modify the field definition, or<field-type>Deleteto remove the featured flag.Field Name
- Investigate alerts that contain the featured alert fields.
- Navigate to the Alerts Table.
- In the Alerts table, sort according to the following fields:
- Contains Featured Host
- Contains Featured User
- Contains Featured IP Address
- In theAlert Namefield, Cortex XDR displays alerts that contain a matching featured field value with a
flag.Featured Active Directory values are displayed in the User and Host fields accordingly. - (Optional) Create an incident scoring rule using the Alert tableContains Featuredfields to further highlight and prioritize alerts containing the Host, User, and IP address attributes.Field Name
View Generating BIOC or IOC Rule
Easily view the BIOC or IOC rules that generated
alerts directly from the Alerts table.
- From theAlertspage, locate alerts withAlert Sources:XDR BIOCandXDR IOC.
- Right-click the row, and select .Cortex XDR opens the BIOC rule that generated the alert in theBIOC Rulespage. If the rule has been deleted, an empty table is displayed.
- Review the rule, if necessary, right-click to perform available actions.
Retrieve Additional Alert Details
To easily access additional information relating
to an alert:
- From theAlertspage, locate the alert for which you want to retrieve information.
- Right-click anywhere in the alert, and select one of the following options:
- Retrieve alert data—Cortex XDR can provide additional analysis of the memory contents when an exploit protection module raises an XDR Alert. To perform the analysis you must first retrieve alert data consisting of the memory contents at the time the alert was raised. This can be done manually for a specific alert, or you can enable Cortex XDR to automatically retrieve alert data for every relevant XDR Alert. After Cortex XDR receives the data and performs the analysis, it issues a verdict for the alert. You can monitor the retrieval and analysis progress from theAction Center(pivot to viewAdditional data). When analysis is complete, Cortex XDR displays the verdict in theAdvanced Analysisfield.
- Retrieve related files—To further examine files that are involved in an alert, you can request the Cortex XDR agent send them to the Cortex XDR management console. If multiple files are involved, Cortex XDR supports up to 20 files and 200MB in total size. The agent collects all requested files into one archive and includes a log in JSON format containing additional status information. When the files are successfully uploaded, you can download them from the Action Center for up to one week.
- ForPAN NGFWsource type alerts,Download triggering packet—Download the session PCAP containing the first 100 bytes of the triggering packet directly from Cortex XDR. To access the PCAP, you can download the file from the Alerts table, Incident, or Causality view.
- Navigate to to view retrieval status.
- Download the retrieved files locally.In theAction Center, wait for the data retrieval action to complete successfully. Then, right-click the action row and selectAdditional Data. From theDetailed Resultsview, right-click the row and selectDownload Files. A ZIP folder with the retrieved data is downloaded locally.
If you require assistance from Palo Alto Networks Support to investigate the alert, ensure to provide the downloaded ZIP file.
Export Alert Details to a File
To archive, continue investigation offline,
or parse alert details, you can export alerts to a tab-separated
values (TSV) file.
- From theAlertspage, adjust the filters to identify the alerts you want to export.
- When you are satisfied with the results, click the download icon (
). The icon is grayed out when there are no results.Cortex XDR exports the filtered result set to the TSV file.
Exclude Alert
To exclude an alert.
- From theAlertspage, locate the alert you want to exclude.
- Right-click the row, and select .A notification displays indicating the exclusion is in progress.
Investigate Contributing Events
When managing alerts generated by a
Correlation Rule, you can
Investigate Contributing Events
,
which opens a window with all the events created for this alert.
You can have up to 1000 events per Correlation Rule. In addition,
if the alert generated for this Correlation Rule includes a Drilldown
Query
, you can select Open drilldown query
,
which opens a new browser in XQL Search to run this query.To
investigate contributing events.
- From theAlertspage, locate the alert you want to investigate contributing events.
- Right-click the row, and select .
- (Optional)Open drilldown query.If the Correlation Rule that generated this alert is configured with a Drilldown Query to provide additional information about the alert for further investigation, you can open a new browser in XQL Search to run the query. This XQL query can accept parameters from the alert output for the Correlation Rule. If the Correlation Rule that generated this alert does not include a Drilldown QUERY, no link is displayed.The time frame used to run the Drilldown Query provides more informative details about the alert generated by the Correlation Rule. The alert time frame is the minimum and maximum timestamps of the events for the alert. If there is only one event, the event timestamp is the time frame used for the query.
- Select theOpen drilldown query link.A new browser in XQL Search is opened where you can run the query and any other operations related to XQL Search.
- SelectRun.
Open Drilldown Query
When the Correlation Rule that generated
an alert is configured with a Drilldown Query to provide additional
information about the alert for further investigation, you can open
a new browser in XQL Search to run the
query. This XQL query can accept parameters from the alert output
for the Correlation Rule. If the Correlation Rule that generated
this alert does not include a Drilldown Query, the option is not
available.
The time frame used to run the Drilldown Query
provides more informative details about the alert generated by the
Correlation Rule. The alert time frame is the minimum and maximum
timestamps of the events for the alert. If there is only one event,
the event timestamp is the time frame used for the query.
To
open the Drilldown Query.
- From theAlertspage, locate the alert you want to open the Drilldown Query.
- Open Drilldown Query.You can open the Drilldown Query in the following ways.
- Select the quick actionOpen Drilldown Queryicon (
). - Right-click the row, and select .
- Right-click the row, and select . For more information, see Investigate Contributing Events.
A new browser in XQL Search is opened where you can run the query and any other operations related to XQL Search. - SelectRun.
