XDR Best Practices: Focus on Alerts That Matter

When security teams are inundated with a very high volume of alerts, their ability to react quickly and effectively to critical threats diminishes. Alert fatigue sets in as unfiltered and unmanaged notifications keep arriving. Unfortunately, many SOC team members are stuck manually reviewing alerts that aren't vital to the business. In fact, 63% of threats reviewed in a typical workday are low priority or false positives, leaving very little time and energy to triage and respond to high-priority threats.

To focus on the alerts that really matter, we recommend creating starring policies within XDR to help your analysts filter and prioritize incoming alerts. Starring policies cut down on unnecessary alerts and eliminate redundancy, since alerts are grouped into incidents for better correlation. This provides context around trends and reduces alert fatigue, allowing analysts to focus on other critical tasks.

What is Starring?

Starring puts what matters most in front of the analyst by marking which alerts you want investigated. Nothing is starred automatically in Cortex XDR, so you star incidents in one of two ways: (1) manually, by starring an incident after reviewing it, or (2) by creating an incident starring configuration that automatically categorizes and stars incidents whenever a related alert contains the attributes you deem important.

Starring policies are applied at the alert level. Once you define an incident starring configuration, Cortex XDR adds a star indicator to any incident that contains a starred alert.

You can sort or filter the Incidents table for incidents containing starred alerts and similarly filter the Alerts table for starred alerts. You can also choose whether to display all incidents or only starred incidents on the Incidents Dashboard.

How to Create a Starring Configuration

As stated previously, an incident can be starred after review by selecting the star icon next to it in the Incidents tab. However, we recommend proactively creating starring configurations so you can focus on the right alerts. To create a starring configuration:

  1. Select Incident Response > Incident Configuration > Starred Alerts.
  2. Click + Add Starring Configuration.
  3. Enter a Configuration Name to identify your starring configuration.
  4. Enter a descriptive Comment that states the reason or purpose of the starring configuration.
  5. Use the alert filters to build the match criteria for the policy.
     You can also right-click a specific value in an alert to add it as match criteria. The app refreshes to show which alerts in the incident would be included.

Tips for Using Starring Policies

A good first step when configuring starring policies is to look at the number of alerts your organization is receiving. XDR defaults to a 7-day window, which should give a good indication of volume. Since the majority of alerts are low severity, starring only those labeled medium, high and critical removes a large share of the alerts analysts would otherwise need to review. From there, you can create more granular configurations tailored to your business.

Here are some other tips we recommend when using starring configurations:

Further Prioritize Alerts: While starred incidents already give you a list of which alerts to focus on, sorting the starred alerts by their SmartScore or severity shows which are the highest priority so you can order your work accordingly. You also have the option to add your own parameters to smart scoring to customize the scores to your organization's security needs. (For more on smart scoring, see the video Cortex XDR How-To Video: SmartScore.)

Integrate Starring Configurations with XSOAR: If you are also deploying Cortex XSOAR and using it as your SIEM for triage, you can use the XDR integration within XSOAR to show only starred incidents. This is an efficient way to see what matters without overloading XDR. You can also use XSOAR automation playbooks to enrich alert details and take over manual steps, such as running a VirusTotal lookup on a suspicious IP in an incident or sending an automated email to the victim of an incident to gather more information.

Add in Alert Exclusions

If you want to filter alerts out completely so they never appear in XDR, you can add alert exclusions. An Alert Exclusion is a rule containing a set of alert match criteria that you want to suppress from Cortex XDR. You can create an Alert Exclusion rule from scratch or base the exclusion on alerts you investigate in an incident. After you create an exclusion rule, Cortex XDR excludes, and no longer saves, any future alerts that match the criteria from incidents and search query results.

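To make the alert-level semantics concrete, here is an added Python model (not Palo Alto Networks code) of how exclusion rules, starring configurations and the incident star roll-up interact, as described in the starring and exclusion sections above. The Rule shape, the alert fields and the sample alerts are constructed for illustration and are not Cortex XDR's real filter syntax or telemetry.

```python
from dataclasses import dataclass
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

@dataclass
class Rule:           # hypothetical stand-in for a starring/exclusion configuration
    name: str         # Configuration Name
    match: dict       # attribute -> set of accepted values; every key must match

def matches(rule: Rule, alert: dict) -> bool:
    return all(alert.get(k) in vals for k, vals in rule.match.items())

def apply_exclusions(alerts, exclusions):
    """Exclusions run first: matching alerts are dropped and never saved."""
    return [a for a in alerts if not any(matches(r, a) for r in exclusions)]

def star_alerts(alerts, starring):
    """Starring is evaluated per alert; record which configuration starred it."""
    for a in alerts:
        a["starred_by"] = next((r.name for r in starring if matches(r, a)), None)
    return alerts

def star_incidents(alerts):
    """An incident is starred when it contains at least one starred alert.
    Returns {incident_id: highest severity among its starred alerts, or None}."""
    incidents = {}
    for a in alerts:
        cur = incidents.setdefault(a["incident"], None)
        if a["starred_by"] and (cur is None or SEVERITY_RANK[a["severity"]] > SEVERITY_RANK[cur]):
            incidents[a["incident"]] = a["severity"]
    return incidents

def prioritized(incidents):
    """Starred incidents only, highest severity first, as an analyst would sort them."""
    return sorted(((i, s) for i, s in incidents.items() if s), key=lambda p: -SEVERITY_RANK[p[1]])

# Constructed sample data: hypothetical alerts, not real Cortex XDR telemetry.
SAMPLE_ALERTS = [
    {"id": 1, "incident": "INC-1", "severity": "low", "name": "Suspicious process"},
    {"id": 2, "incident": "INC-1", "severity": "high", "name": "Credential dumping"},
    {"id": 3, "incident": "INC-2", "severity": "medium", "name": "Rare process execution"},
    {"id": 4, "incident": "INC-3", "severity": "low", "name": "Scanner noise"},
    {"id": 5, "incident": "INC-4", "severity": "critical", "name": "Scanner noise"},
]
EXCLUSIONS = [Rule("Authorized scanner", {"name": {"Scanner noise"}, "severity": {"low"}})]
STARRING = [Rule("Medium and above", {"severity": {"medium", "high", "critical"}})]

def triage(alerts=SAMPLE_ALERTS, exclusions=EXCLUSIONS, starring=STARRING):
    kept = apply_exclusions([dict(a) for a in alerts], exclusions)  # copy: leave input untouched
    incidents = star_incidents(star_alerts(kept, starring))
    return kept, incidents, prioritized(incidents)
```

Note that the critical "Scanner noise" alert survives the exclusion because every criterion of an exclusion rule must match, which is why narrow exclusions (name plus severity) are safer than name alone.
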
Analysts are constantly inundated with alerts that often don't affect the day-to-day operations of the business. Unless you have enough analysts to investigate hundreds to thousands of alerts or to hunt on a daily basis, alert fatigue is likely. This not only slows an analyst's ability to do their job properly but can also affect productivity across the organization. And the more time spent on low-severity alerts and false positives, the higher the risk that more damaging threats slip by.

By implementing starring configurations in XDR, you can cut through unnecessary alerts and define what's critical to the business, ensuring you're reviewing what actually matters.

Additional Resources

XDR Administrator Guide: Starring Configuration 

XDR Administrator Guide: Alert Exclusions

Cortex XDR How-To Video: SmartScore
