topic Solution: How To View Cortex XDR Behavioral Threat Protection (BTP) Rules in Cortex XDR Discussions

Solution: How To View Cortex XDR Behavioral Threat Protection (BTP) Rules

YAlhazmi — Wed, 05 May 2021 22:24:28 GMT

Hello everyone,

We have, many times, received alerts with cryptic names like heuristic.agb.4477 or heuristic.b.346. Imho, creating a support case and waiting for a response is inefficient. Also, expecting us to blindly accept the support engineer response on whether that is a FP or not is not acceptable. Additionally, sometimes, we work with developers and our in-house applications get flagged. We can't advice developers on how to alter the behavior of their applications if we don't have enough information. Further, in our experience, support is not always as useful as expected. Sometimes the support engineer answer is more cryptic than the alert itself. Sometimes, explaining the issue takes too much back-and-forth discussions that take too much time and effort.

Therefore, we digged a bit deeper into the logs and found out that we can read for ourselves what these cryptic names mean. To find out, download the alert data to your machine, then open the file Logs\trapsd.log. In that file, search for the cryptic alert name and you will be able to read the description of what it means. For example, one alert had the following description

a heuristic behavior that process created an exe file inside a system directory which isn't a subdir,copied itself,process relaunched itself,unsigned process was created,process launched external cmd. Another alert meant "suspicious Powershell AMSI string", and so on.

We are considering making our own internal DB of these descriptions so investigators can immediately take action, instead of waiting for PAN support responses.

I am sharing this with the community because I saw multiple questions about this and most answers were a variation of "talk to support".

Re: Solution: How To View Cortex XDR Behavioral Threat Protection (BTP) Rules

ocohen — Tue, 11 May 2021 10:15:13 GMT

Hi @YAlhazmi

My name is Or from the XDR product management team.

It's actually available in the UI too with a lot more data.

Click on the alert icon on top of the process and scroll down.

The text you saw is a join of all the 'behavior description', and you also have two more useful things - MITRE tags and the actual description per behavior we saw (hover over the description field, text is a bit log there).

If you have any additional questions please feel free to ping me ocohen@paloaltonetworks.com

Or.

Re: Solution: How To View Cortex XDR Behavioral Threat Protection (BTP) Rules

KRisselada — Tue, 11 May 2021 15:53:15 GMT

Thanks @ocohen are there times where perhaps the section you show where MITRE items would not show for a BTP?
On a Behavioral Threat I am seeing recently (Behavioral threat detected (rule: heuristic.agb.5637)) I am not seeing the "MITRE Attack" section of the blackbar your reflecting here. Only the first two rows. Am I just not clicking the right area perhaps?

Running on Cortex XDR V2.8

Re: Solution: How To View Cortex XDR Behavioral Threat Protection (BTP) Rules

ocohen — Tue, 11 May 2021 21:26:46 GMT

while not all BTP alerts have mitre tags (yet), you can check by clicking on this button on the right side

Re: Solution: How To View Cortex XDR Behavioral Threat Protection (BTP) Rules

ShubinBradley — Fri, 09 Sep 2022 22:05:26 GMT

Is there a list of these published somewhere? With Analytics, Analytics BIOC, and BIOCs there are published lists that enable us to pre-classify the alerts in XSOAR. So far I have not found a list of BTP rules which has caused some FP or FN when choosing to automatically isolate via XSOAR because we don't know ahead of time what rules are going to come through.

For example, there are BIOCs for DCSync attacks which trigger isolation but there is also at least one BTP rule for DCSync which we did not know about so isolation was not activated.