1. Home
    2. Cortex
    3. Cortex XDR
    4. Cortex XDR™ Pro Administrator’s Guide
    5. Investigation and Response
    6. Investigate Alerts
    7. Manage Alerts

    Manage Alerts

    You can manage Cortex XDR alerts and view alert details from the Alerts page.

    Copy Alerts

    You can copy an alert into memory as follows:
    • Copy the URL of the alert record
    • Copy the value for an alert field
    • Copy the entire row of alert record
    With either option, you can paste the contents of memory into an email to send. This is helpful if you need to share or discuss a specific alert with someone. If you copy a field value, you can also easily paste it into a search or begin a query.
    • Create a URL for an alert record:
      1. From the
        Alerts
         page, right-click the alert you want to send.
      2. Select
        Copy alert URL
        .
        Cortex XDR saves the URL to memory.
      3. Paste the URL into an email or use as needed to share the alert.
    • Copy a field value in an alert record:
      1. From the
        Alerts
         page, right-click the field in the alert that you want to copy.
      2. Select
        Copy text to clipboard
        .
        Cortex XDR saves the field contents to memory.
      3. Paste the value into an email or use as needed to share information from the alert.
    • Copy the entire row of alert record
      1. From the
        Alerts
         page, right-click on one or more alerts you want to copy.
      2. Select
        Copy entire row(s)
        .
      3. Paste the value into an email or use as needed to share information from the alert.

    Analyze an Alert

    To help you understand the full context of an alert, Cortex XDR provides a powerful analysis view that empowers you to make a thorough analysis very quickly.
    The Causality View is available for XDR agent alerts that are based on endpoint data and for alerts raised on network traffic logs that have been stitched with endpoint data.
    To view the analysis:
    1. From the
      Alerts
       page, locate the alert you want to analyze.
    2. Right-click anywhere in the alert, and select
      Investigate Causality Chain
      .
    3. Choose whether to open the Causality View card for an alert in a new tab or the same tab.
      You can also view the causality chain over time using the Timeline view.
    4. Review the chain of execution and available data for the process and, if available, navigate through the processes tree.

    Create Profile Exceptions

    For XDR Agent alerts, you can create profile exceptions for Window processes, BTP, and JAVA deserialization alerts directly from the
    Alerts
     table.
    1. Right-click an
      XDR Agent
       alert which has a category of
      Exploit
       and
      Create alert exception
      .
    2. Select an
      Exception Scope
      :
      • Global
        —Apply the exception across your organization.
      • Profile
        —Apply the exception to an existing profile or click and enter a
        Profile Name
         to create a new profile.
    3. Add
       the scope.
    4. (
      Optional
      ) View your profile exceptions.
      1. Navigate to
        Endpoints
        Policy Management
        Profiles
        .
      2. In the
        Profiles
         table, locate the OS in which you created your global or profile exception and right-click to view or edit the exception properties.

    Create a Featured Alert Field

    To better highlight alerts that are significant to you, Cortex XDR enables you to label specific alert attributes as Featured Alert Fields. Featured alert fields help you track in the Alerts Table alerts that involve a specific host names, user names, and IP addresses.
    1. Navigate to
      Investigation
      Incident Management
      Featured Fields
       and select a type of featured field:
      • Hosts
      • Users
      • IP Addresses
      • Active Directory
    2. In the field type table,
      Add featured
      Field Name
       to define a list of alert fields you want flagged in the Alerts Table. You can either
      Create New
       featured alert field from scratch or
      Upload from File
      .
      • To create a new alert field:
      1. Enter one or more field values and
        Add
         to the list.
      2. (
        Optional
        ) Add a comment.
      3. Add the featured alert field.
      • To import fields:
      1. Browse
         or
        Drag and Drop
         your
        CSV
         file of field values.
        Download example file
         to ensure you using the correct format.
      2. Import
         your file.
    3. (
      Optional
      ) Manage your featured alert field list.
      • Locate the alert field you want to edit or delete.
      • Right-click and
        Edit
        Field Name
         to modify the field definition, or
        Delete
        Field Name
         to remove the featured flag.
    4. Investigate alerts that contain the featured alert fields.
      • Navigate to the Alerts Table.
      • In the Alerts table, sort according to the following fields:
        • Contains Featured Host
        • Contains Featured User
        • Contains Featured IP Address
      • In the
        Alert Name
         field, Cortex XDR displays alerts that contain a matching featured field value with a featured-alert-field-flag.png flag.
        Featured Active Directory values are displayed in the User and Host fields accordingly.
      • (
        Optional
        ) Create an incident scoring rule using the Alert table
        Contains Featured
        Field Name
         fields to further highlight and prioritize alerts containing the Host, User, and IP address attributes.

    View Generating BIOC or IOC Rule

    Easily view the BIOC or IOC rules that generated alerts directly from the Alerts table.
    1. From the
      Alerts
       page, locate alerts with
      Alert Sources
      :
      XDR BIOC
       and
      XDR IOC
      .
    2. Right-click the row, and select
      View generating rule
      .
      Cortex XDR opens the BIOC rule that generated the alert in the
      BIOC Rules
       page. If the rule has been deleted, an empty table is displayed.
    3. Review the rule, if necessary, right-click to perform available actions.

    Retrieve Additional Alert Details

    To easily access additional information relating to an alert:
    1. From the
      Alerts
       page, locate the alert for which you want to retrieve information.
    2. Right-click anywhere in the alert, and select one of the following options:
      • Retrieve alert data
        —Cortex XDR can provide additional analysis of the memory contents when an exploit protection module raises an XDR Alert. To perform the analysis you must first retrieve alert data consisting of the memory contents at the time the alert was raised. This can be done manually for a specific alert, or you can enable Cortex XDR to automatically retrieve alert data for every relevant XDR Alert. After Cortex XDR receives the data and performs the analysis, it issues a verdict for the alert. You can monitor the retrieval and analysis progress from the
        Action Center
         (pivot to view
        Additional data
        ). When analysis is complete, Cortex XDR displays the verdict in the
        Advanced Analysis
         field.
      • Retrieve related files
        —To further examine files that are involved in an alert, you can request the Cortex XDR agent send them to the Cortex XDR management console. If multiple files are involved, Cortex XDR supports up to 20 files and 200MB in total size. The agent collects all requested files into one archive and includes a log in JSON format containing additional status information. When the files are successfully uploaded, you can download them from the Action Center for up to one week.
      • View full endpoint details
        —Jump to a filtered view of the Endpoint Administration page by endpoint ID. This unique ID is assigned by the Cortex XDR agent to identify the endpoint.
      • For
        PAN NGFW
         source type alerts,
        Download triggering packet
        —Download the session PCAP containing the first 100 bytes of the triggering packet directly from Cortex XDR. To access the PCAP, you can download the file from the Alerts table, Incident, or Causality view.
    3. Navigate to
      Response
      Action Center
       to view retrieval status.

    Export Alert Details to a File

    To archive, continue investigation offline, or parse alert details, you can export alerts to a tab-separated values (TSV) file.
    1. From the
      Alerts
       page, adjust the filters to identify the alerts you want to export.
    2. When you are satisfied with the results, click the download icon ( download-to-file-icon.png ).
      The icon is grayed out when there are no results.
      Cortex XDR exports the filtered result set to the TSV file.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2021 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo