A question from the Endpoint Administration Part 2 webinar: Alert ID


L4 Transporter

We often notice alert_id values out of numerical order chronologically, sometimes way off. It appears that XDR is detecting something later and assigning an older timestamp but a new alert_id to the detection. Can someone provide some detail/explanation on this observed behavior?

 

Note: This question was asked during a customer success webinar: Endpoint Administration Part 2

 

Accepted Solution

L4 Transporter

A reply by the CS webinar team: 

This is because the Alert table exposes only Critical to Low severity alerts and does not show "Informational Severity Alerts". In most cases, you would have more "Informational Alerts" in between the listed alerts. You would see some informational alerts under the "Insights" tab of an Incident card. If you are an XDR Pro customer, to get an idea of the volume of Informational Severity alerts that create the gap, go to Cortex XDR UI > Detection Rules > BIOC > On the top right, click Analytics BIOC > Expose and lock the "# of Alerts" field > filter for only Informational Severity alerts > Sort in descending order (it may be in the millions or high thousands for each line).

 


 

I was actually the one who asked that question during the webinar. Thanks for responding, but I don't think this applies to the behavior I was describing. 

 

I've attached two screenshots of outlier alerts. You can see the Alert IDs are sorted, and most of the timestamps for those are generated in the same order: the bigger the alert ID number, the newer the timestamp. Notice how there are some outlier examples where an older timestamp is assigned to a newer alert ID; it looks like backdating was applied to something that was detected.

 

Could you please explain this? 

 

 

Hi @rufat87. If I understand your question correctly, you’re wondering why the Alert IDs aren’t in chronological order. Well, Alert IDs aren’t necessarily generated in chronological order. It’s possible that these could be analytics alerts or alerts that are aggregated, which could explain the difference between Alert ID and Timestamp. There are several different ways in which Cortex XDR generates alerts, and some of these populate quicker than others. As mentioned above by @Rtsedaka, it’s also possible that some of the alerts in question are informational severity and therefore not displayed in the view in the images you posted.

 

To get more detailed information about the Alert IDs and their correlations with timestamps, I would suggest opening a support case. You can give them specifics about your environment that may help get to the answer you’re looking for.

https://support.paloaltonetworks.com/Support/Index
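As an added illustration (not from the thread, nor Palo Alto Networks code), the following Python check reproduces on a constructed alert export the two effects the replies above describe: alert IDs that appear to skip because informational alerts are hidden from the Alerts table, and rows whose timestamp is older than that of a lower alert ID. The CSV layout, column names and severity labels are assumptions, not a real Cortex XDR export format.

```python
import csv
import io
from datetime import datetime

# Constructed sample export (alert_id, UTC timestamp, severity). The missing
# IDs and the one backdated row are deliberate so the checks below have
# something to find; these are not real Cortex XDR alerts.
SAMPLE_CSV = """alert_id,timestamp,severity
1001,2024-03-01T10:00:00Z,high
1002,2024-03-01T10:00:05Z,informational
1003,2024-03-01T10:00:09Z,informational
1004,2024-03-01T10:01:00Z,medium
1007,2024-03-01T10:02:30Z,low
1008,2024-03-01T09:40:00Z,high
1009,2024-03-01T10:03:00Z,informational
1010,2024-03-01T10:04:00Z,critical
"""


def load_alerts(text):
    """Parse the export into dicts (int id, aware datetime), sorted by alert_id."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "alert_id": int(r["alert_id"]),
            "timestamp": datetime.fromisoformat(r["timestamp"].replace("Z", "+00:00")),
            "severity": r["severity"].strip().lower(),
        })
    return sorted(rows, key=lambda r: r["alert_id"])


def find_backdated(alerts, tolerance_seconds=0):
    """Alerts whose timestamp is earlier than the latest timestamp seen on any
    lower alert_id: the 'older timestamp, newer ID' outliers from the screenshots.
    Returns (alert_id, seconds behind the running maximum) pairs."""
    latest, out = None, []
    for a in alerts:
        if latest is not None:
            lag = (latest - a["timestamp"]).total_seconds()
            if lag > tolerance_seconds:
                out.append((a["alert_id"], int(lag)))
        if latest is None or a["timestamp"] > latest:
            latest = a["timestamp"]
    return out


def id_gaps(alerts, hidden=("informational",)):
    """ID gaps as seen once the severities hidden from the Alerts table are
    dropped, i.e. what an analyst sees in the UI: (previous_id, next_id, missing)."""
    visible = [a["alert_id"] for a in alerts if a["severity"] not in hidden]
    return [(p, n, n - p - 1) for p, n in zip(visible, visible[1:]) if n - p > 1]
```

Passing `hidden=()` to `id_gaps` shows which gaps remain even with informational alerts included; those, and anything `find_backdated` reports, are the rows worth raising in a support case.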
