https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/learning-behaviour-of-cortex-xdr/m-p/530805#M3611 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/224150">@Aiman_Fathima</a>,<BR /><BR /><SPAN>Thank you for reaching out to Live Community. I will try to address your questions:</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>Cortex XDR utilizes a wide variety of tools when analyzing user behavior, not just host or initiator processes. </SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>I’ll provide a few examples and concepts you need familiarize yourself with to better understand, I also highlighted the parts I think will be relevant to your question.</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>1. </SPAN><STRONG>Analytics Engine</STRONG><SPAN>:</SPAN></P> <P><SPAN>The Cortex XDR app uses its Analytics Engine to examine logs and data retrieved from your sensors on the Cortex XDR tenants </SPAN><STRONG>to build an activity baseline, and recognize abnormal activity when it occurs</STRONG><SPAN>.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>The Analytics Engine also creates and maintains the </SPAN><I><SPAN>profiles</SPAN></I><SPAN> to </SPAN><STRONG>view the activity of the endpoint or user in context by comparing it to similar endpoints or users</STRONG><SPAN>.&nbsp;</SPAN></P> <P><SPAN>Example:</SPAN></P> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>A statistical analysis of an entity or an entity relation that compares the same entity to itself over time. For example, a host can have a Profile depending on the number of ports it accessed in the past.</SPAN></LI> </UL> <P>&nbsp;</P> <OL start="2"> <LI><STRONG>Analytics Sensors</STRONG><SPAN>&nbsp;</SPAN></LI> </OL> <P><SPAN>Cortex XDR analyzes logs and data from external and internal sensors such as: firewall traffic logs, </SPAN><SPAN>enhanced application logs, Windows events collector logs and others.</SPAN></P> <P><BR /><BR /></P> <OL start="3"> <LI><STRONG>MITRE Attack Tactics</STRONG></LI> </OL> <P><SPAN>The Analytics Engine can raise an alert for a wide variety of MITRE attack tactics, based on the </SPAN><A href="https://attack.mitre.org/" target="_blank" rel="noopener"><SPAN>&nbsp;MITRE ATT&amp;CK™ knowledge base</SPAN></A><SPAN>.</SPAN></P> <P><BR /><BR /></P> <OL start="4"> <LI><STRONG>Analytics Detection Time Intervals</STRONG></LI> </OL> <P><SPAN>This part covers how long it takes Cortex XDR to establish a baseline for analytics. Please note The actual amount of logging data (measured in time) required to raise any given Cortex XDR Analytics alert is identified in the Cortex XDR </SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference/Cortex-XDR-Analytics-Alert-Reference" target="_blank" rel="noopener"><SPAN>Analytics Alert Reference Guide</SPAN></A><SPAN>.</SPAN></P> <P><SPAN>The Cortex XDR Analytics Engine retrieves logs from the Cortex XDR tenant </SPAN><STRONG>to create a baseline so that it can raise alerts when abnormal activity occurs</STRONG><SPAN>.&nbsp;</SPAN></P> <P><STRONG>To raise alerts, each detector compares the recent past behavior to the expected baseline by examining the data found in your logs</STRONG><SPAN>. A certain amount of log file time is required to establish a baseline and then a certain amount of recent log file time is required to identify what is currently happening in your environment.</SPAN></P> <P>&nbsp;</P> <OL start="5"> <LI><STRONG>Analytics BIOCs</STRONG></LI> </OL> <P><SPAN>In contrast to standard Analytics alerts, Analytics BIOCs (</SPAN><I><SPAN>ABIOCs</SPAN></I><SPAN>)—indicate a single event of suspicious behavior with an identified chain of causality. To identify the context and chain of causality, </SPAN><STRONG>ABIOCs leverage user, endpoint, and network profiles</STRONG><SPAN>. </SPAN><STRONG>The profile is generated by the Analytics Engine and can be based on a simple statistical profile or a more complex machine-learning profile</STRONG><SPAN>. </SPAN><STRONG>Cortex XDR tailors each ABIOC to your specific environment after analyzing your logs and data sources</STRONG><SPAN> and continually tunes and delivers new ABIOCs with content updates.</SPAN></P> <P>&nbsp;</P> <P><SPAN>As you can see, Cortex XDR uses many different analytics mechanisms and sources to establish baselines for user behavior.</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>You can find more documentation about Cortex XDR Analytics </SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Analytics" target="_blank" rel="noopener"><STRONG>here</STRONG></A><SPAN>.</SPAN></P> <P><BR /><BR /></P> <P><SPAN>If this helps, please click ‘Accept as Solution’!</SPAN></P> Sun, 12 Feb 2023 13:48:07 GMT mavraham 2023-02-12T13:48:07Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/learning-behaviour-of-cortex-xdr/m-p/530532#M3597 <P>Hello,</P> <P>&nbsp;</P> <P>We know that cortex XDR takes atleast one month to learn behaviour and then not throw similar alerts.</P> <P>1. On what basis is this behaviour learning happening upon?</P> <P>2. Is it based on just the Host or initiator processes that are taking place?</P> <P>3. If possible, could you please provide some reference documentation on how cortex learning mechanism works.&nbsp;</P> Thu, 09 Feb 2023 18:41:09 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/learning-behaviour-of-cortex-xdr/m-p/530532#M3597 Aiman_Fathima 2023-02-09T18:41:09Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/learning-behaviour-of-cortex-xdr/m-p/530805#M3611 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/224150">@Aiman_Fathima</a>,<BR /><BR /><SPAN>Thank you for reaching out to Live Community. I will try to address your questions:</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>Cortex XDR utilizes a wide variety of tools when analyzing user behavior, not just host or initiator processes. </SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>I’ll provide a few examples and concepts you need familiarize yourself with to better understand, I also highlighted the parts I think will be relevant to your question.</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>1. </SPAN><STRONG>Analytics Engine</STRONG><SPAN>:</SPAN></P> <P><SPAN>The Cortex XDR app uses its Analytics Engine to examine logs and data retrieved from your sensors on the Cortex XDR tenants </SPAN><STRONG>to build an activity baseline, and recognize abnormal activity when it occurs</STRONG><SPAN>.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>The Analytics Engine also creates and maintains the </SPAN><I><SPAN>profiles</SPAN></I><SPAN> to </SPAN><STRONG>view the activity of the endpoint or user in context by comparing it to similar endpoints or users</STRONG><SPAN>.&nbsp;</SPAN></P> <P><SPAN>Example:</SPAN></P> <UL> <LI style="font-weight: 400;" aria-level="1"><SPAN>A statistical analysis of an entity or an entity relation that compares the same entity to itself over time. For example, a host can have a Profile depending on the number of ports it accessed in the past.</SPAN></LI> </UL> <P>&nbsp;</P> <OL start="2"> <LI><STRONG>Analytics Sensors</STRONG><SPAN>&nbsp;</SPAN></LI> </OL> <P><SPAN>Cortex XDR analyzes logs and data from external and internal sensors such as: firewall traffic logs, </SPAN><SPAN>enhanced application logs, Windows events collector logs and others.</SPAN></P> <P><BR /><BR /></P> <OL start="3"> <LI><STRONG>MITRE Attack Tactics</STRONG></LI> </OL> <P><SPAN>The Analytics Engine can raise an alert for a wide variety of MITRE attack tactics, based on the </SPAN><A href="https://attack.mitre.org/" target="_blank" rel="noopener"><SPAN>&nbsp;MITRE ATT&amp;CK™ knowledge base</SPAN></A><SPAN>.</SPAN></P> <P><BR /><BR /></P> <OL start="4"> <LI><STRONG>Analytics Detection Time Intervals</STRONG></LI> </OL> <P><SPAN>This part covers how long it takes Cortex XDR to establish a baseline for analytics. Please note The actual amount of logging data (measured in time) required to raise any given Cortex XDR Analytics alert is identified in the Cortex XDR </SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Analytics-Alert-Reference/Cortex-XDR-Analytics-Alert-Reference" target="_blank" rel="noopener"><SPAN>Analytics Alert Reference Guide</SPAN></A><SPAN>.</SPAN></P> <P><SPAN>The Cortex XDR Analytics Engine retrieves logs from the Cortex XDR tenant </SPAN><STRONG>to create a baseline so that it can raise alerts when abnormal activity occurs</STRONG><SPAN>.&nbsp;</SPAN></P> <P><STRONG>To raise alerts, each detector compares the recent past behavior to the expected baseline by examining the data found in your logs</STRONG><SPAN>. A certain amount of log file time is required to establish a baseline and then a certain amount of recent log file time is required to identify what is currently happening in your environment.</SPAN></P> <P>&nbsp;</P> <OL start="5"> <LI><STRONG>Analytics BIOCs</STRONG></LI> </OL> <P><SPAN>In contrast to standard Analytics alerts, Analytics BIOCs (</SPAN><I><SPAN>ABIOCs</SPAN></I><SPAN>)—indicate a single event of suspicious behavior with an identified chain of causality. To identify the context and chain of causality, </SPAN><STRONG>ABIOCs leverage user, endpoint, and network profiles</STRONG><SPAN>. </SPAN><STRONG>The profile is generated by the Analytics Engine and can be based on a simple statistical profile or a more complex machine-learning profile</STRONG><SPAN>. </SPAN><STRONG>Cortex XDR tailors each ABIOC to your specific environment after analyzing your logs and data sources</STRONG><SPAN> and continually tunes and delivers new ABIOCs with content updates.</SPAN></P> <P>&nbsp;</P> <P><SPAN>As you can see, Cortex XDR uses many different analytics mechanisms and sources to establish baselines for user behavior.</SPAN><SPAN><BR /></SPAN><SPAN><BR /></SPAN><SPAN>You can find more documentation about Cortex XDR Analytics </SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Analytics" target="_blank" rel="noopener"><STRONG>here</STRONG></A><SPAN>.</SPAN></P> <P><BR /><BR /></P> <P><SPAN>If this helps, please click ‘Accept as Solution’!</SPAN></P> Sun, 12 Feb 2023 13:48:07 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/learning-behaviour-of-cortex-xdr/m-p/530805#M3611 mavraham 2023-02-12T13:48:07Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/learning-behaviour-of-cortex-xdr/m-p/530812#M3614 <P>Also&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/224150">@Aiman_Fathima</a>&nbsp;, Just to add to&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/167148">@mavraham</a>&nbsp;, post, the learning period of activity is a continuous process and the 1 month you are mentioning is for the initial capability to digest and profile initial baseline. Besides this, analytics engine is a kind of an n-dimensional engine which works on following set of profiles:</P> <OL> <LI>Current behaviour</LI> <LI>Time Profile</LI> <LI>Peer Profile</LI> <LI>Entity Profile</LI> </OL> <P>All of the behaviours have different profiling mechanism and so does their test, train and deduplication(when you say "stop throwing similar alerts") periods.</P> <P>&nbsp;</P> <P>For example, port scan alerts may have test and dedupliaction period of 1 hour and 12 hours respectively, while Large upload may have the same for 1 day for both test train and deduplicate period.</P> <P>&nbsp;</P> <P>Please follow <A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-Analytics-Alert-Reference/Required-Data-Sources" target="_blank" rel="noopener">Analytics Alerts Reference</A> page in the Adminitrator Guide for detailed info</P> Sun, 12 Feb 2023 23:16:41 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/learning-behaviour-of-cortex-xdr/m-p/530812#M3614 neelrohit 2023-02-12T23:16:41Z