Learning Behaviour of Cortex XDR

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Learning Behaviour of Cortex XDR

L2 Linker

Hello,

 

We know that cortex XDR takes atleast one month to learn behaviour and then not throw similar alerts.

1. On what basis is this behaviour learning happening upon?

2. Is it based on just the Host or initiator processes that are taking place?

3. If possible, could you please provide some reference documentation on how cortex learning mechanism works. 

2 REPLIES 2

L4 Transporter

Hi @Aiman_Fathima,

Thank you for reaching out to Live Community. I will try to address your questions:

Cortex XDR utilizes a wide variety of tools when analyzing user behavior, not just host or initiator processes.

I’ll provide a few examples and concepts you need familiarize yourself with to better understand, I also highlighted the parts I think will be relevant to your question.

1. Analytics Engine:

The Cortex XDR app uses its Analytics Engine to examine logs and data retrieved from your sensors on the Cortex XDR tenants to build an activity baseline, and recognize abnormal activity when it occurs

 

The Analytics Engine also creates and maintains the profiles to view the activity of the endpoint or user in context by comparing it to similar endpoints or users

Example:

  • A statistical analysis of an entity or an entity relation that compares the same entity to itself over time. For example, a host can have a Profile depending on the number of ports it accessed in the past.

 

  1. Analytics Sensors 

Cortex XDR analyzes logs and data from external and internal sensors such as: firewall traffic logs, enhanced application logs, Windows events collector logs and others.



  1. MITRE Attack Tactics

The Analytics Engine can raise an alert for a wide variety of MITRE attack tactics, based on the  MITRE ATT&CK™ knowledge base.



  1. Analytics Detection Time Intervals

This part covers how long it takes Cortex XDR to establish a baseline for analytics. Please note The actual amount of logging data (measured in time) required to raise any given Cortex XDR Analytics alert is identified in the Cortex XDR Analytics Alert Reference Guide.

The Cortex XDR Analytics Engine retrieves logs from the Cortex XDR tenant to create a baseline so that it can raise alerts when abnormal activity occurs

To raise alerts, each detector compares the recent past behavior to the expected baseline by examining the data found in your logs. A certain amount of log file time is required to establish a baseline and then a certain amount of recent log file time is required to identify what is currently happening in your environment.

 

  1. Analytics BIOCs

In contrast to standard Analytics alerts, Analytics BIOCs (ABIOCs)—indicate a single event of suspicious behavior with an identified chain of causality. To identify the context and chain of causality, ABIOCs leverage user, endpoint, and network profiles. The profile is generated by the Analytics Engine and can be based on a simple statistical profile or a more complex machine-learning profile. Cortex XDR tailors each ABIOC to your specific environment after analyzing your logs and data sources and continually tunes and delivers new ABIOCs with content updates.

 

As you can see, Cortex XDR uses many different analytics mechanisms and sources to establish baselines for user behavior.

You can find more documentation about Cortex XDR Analytics here.



If this helps, please click ‘Accept as Solution’!

Visit our Cortex XDR Customer Corner on Live Community to access resources for your product journey, engage in discussions with community members and subject matter experts, and register for upcoming events: Cortex XDR Customer Corner

Also @Aiman_Fathima , Just to add to @mavraham , post, the learning period of activity is a continuous process and the 1 month you are mentioning is for the initial capability to digest and profile initial baseline. Besides this, analytics engine is a kind of an n-dimensional engine which works on following set of profiles:

  1. Current behaviour
  2. Time Profile
  3. Peer Profile
  4. Entity Profile

All of the behaviours have different profiling mechanism and so does their test, train and deduplication(when you say "stop throwing similar alerts") periods.

 

For example, port scan alerts may have test and dedupliaction period of 1 hour and 12 hours respectively, while Large upload may have the same for 1 day for both test train and deduplicate period.

 

Please follow Analytics Alerts Reference page in the Adminitrator Guide for detailed info

  • 1492 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!