topic Re: What the different of alert sources and definition of its. in Cortex XDR Discussions

What the different of alert sources and definition of its.

Komdet — Mon, 21 Sep 2020 18:50:23 GMT

XDR Analytics BIOC
XDR BIOC
PAN NGFW
XDR IOC
XDR Analytics
XDR Managed Threat Hunting
XDR Agent

Re: What the different of alert sources and definition of its.

KRisselada — Wed, 21 Oct 2020 20:38:23 GMT

Would also love to hear or see more about this question.

Responding to it in hopes it will pop on the top of the queue for more folks to see and perhaps share info or resources

Re: What the different of alert sources and definition of its.

ocohen — Fri, 20 Nov 2020 09:29:58 GMT

XDR Analytics BIOC - These are analytics alerts based (mainly) on single events. They are similar to BIOCs, except they also account for a profile of how common or rare something is. Examples are "Uncommon local scheduled task creation via schtasks.exe", "Microsoft Office Process Spawning a Suspicious One-Liner" and "Uncommon user management via net.exe". They are single event (execution of something) that is rarely seen in the environment.
XDR BIOC - These are behavioral IOCs, looking for abnormal behavior but not with specific hashes, IPs or domains. An example is
"Binary file being created to disk with a double extension" - this rule is not looking at who created the file or what the file is, it's looking for the fact that a file was created with this attribute. Another example is "PowerShell runs base64-encoded commands", "Windows certificate management tool makes a network connection" and "Script file added to startup-related Registry keys".

NGFW - These are alerts generated by Palo Alto Network Next Gen Firewall as traffic is going through it.

XDR IOC - These are simple IOC matches, including hashes, IPs, domains, files, etc.
XDR Analytics - There alerts are similar to Analytics BIOCs, however they are multi-event. An example can be "Random-Looking Domain Names" - this alert groups multiple DNS queries that seem random and alerts when it sees several of them. Additional examples are "Recurring Rare Domain Access", "Failed Connections" and "DNS Tunneling".
XDR Managed Threat Hunting - These are alert generated by our Managed Service.
XDR Agent - These are alerts generated by the agent itself on the machines. All other alert type above (expect the FW) are generated using the telemetry XDR collects in the cloud, but this one is done by the agent locally when it sees suspicious behavior in real time. Alerts can be malware related, restrictions, exploits and more.

Re: What the different of alert sources and definition of its.

JamesWiggins — Mon, 27 Mar 2023 21:14:28 GMT

Where can I go to see the exact definition of the alerts? Specifically trying to see the definition of XDR's Analytics BIOC "A Successful login from TOR"

Re: What the different of alert sources and definition of its.

anlynch — Mon, 27 Mar 2023 21:54:28 GMT

Hi @JamesWiggins,

Thanks for reaching out on LIVEcommunity!

The alert you're mentioning is a known false positive. A bad BIOC rule went out with a Content Update and it is currently being investigated. There will more than likely be updates to the situation on this thread if you'd like to follow.

Re: What the different of alert sources and definition of its.

JamesWiggins — Tue, 28 Mar 2023 12:58:16 GMT

Perfect, thank you! Is the exact definition of that alert not listed anywhere?