This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Solution: How To View Cortex XDR Behavioral Threat Protection (BTP) Rules

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Solution: How To View Cortex XDR Behavioral Threat Protection (BTP) Rules

YAlhazmi
L1 Bithead

‎05-05-2021 03:24 PM

Hello everyone,

 

We have, many times, received alerts with cryptic names like heuristic.agb.4477 or heuristic.b.346. Imho, creating a support case and waiting for a response is inefficient. Also, expecting us to blindly accept the support engineer response on whether that is a FP or not is not acceptable. Additionally, sometimes, we work with developers and our in-house applications get flagged. We can't advice developers on how to alter the behavior of their applications if we don't have enough information. Further, in our experience, support is not always as useful as expected. Sometimes the support engineer answer is more cryptic than the alert itself. Sometimes, explaining the issue takes too much back-and-forth discussions that take too much time and effort.

 

Therefore, we digged a bit deeper into the logs and found out that we can read for ourselves what these cryptic names mean. To find out, download the alert data to your machine, then open the file Logs\trapsd.log. In that file, search for the cryptic alert name and you will be able to read the description of what it means. For example, one alert had the following description

a heuristic behavior that process created an exe file inside a system directory which isn't a subdir,copied itself,process relaunched itself,unsigned process was created,process launched external cmd. Another alert meant "suspicious Powershell AMSI string", and so on.

 

We are considering making our own internal DB of these descriptions so investigators can immediately take action, instead of waiting for PAN support responses. 

 

I am sharing this with the community because I saw multiple questions about this and most answers were a variation of "talk to support".

(1)
4 REPLIES 4

ocohen
L2 Linker

‎05-11-2021 03:15 AM

Hi @YAlhazmi 

My name is Or from the XDR product management team.

It's actually available in the UI too with a lot more data.

Click on the alert icon on top of the process and scroll down.

The text you saw is a join of all the 'behavior description', and you also have two more useful things - MITRE tags and the actual description per behavior we saw (hover over the description field, text is a bit log there).

ocohen_0-1620728101946.png

 

 


If you have any additional questions please feel free to ping me ocohen@paloaltonetworks.com 

Or.

(1)

KRisselada
L2 Linker

‎05-11-2021 08:53 AM

Thanks @ocohen  are there times where perhaps the section you show where MITRE items would not show for a BTP?
On a Behavioral Threat I am seeing recently (Behavioral threat detected (rule: heuristic.agb.5637)) I am not seeing the "MITRE Attack" section of the blackbar your reflecting here.  Only the first two rows.  Am I just not clicking the right area perhaps?

KRisselada_1-1620748347017.png

Running on Cortex XDR V2.8

0 Likes Likes

ocohen
L2 Linker
In response to KRisselada

‎05-11-2021 02:26 PM

while not all BTP alerts have mitre tags (yet), you can check by clicking on this button on the right side

ocohen_0-1620768390656.png

 

0 Likes Likes

ShubinBradley
L1 Bithead
In response to ocohen

‎09-09-2022 03:05 PM

Is there a list of these published somewhere? With Analytics, Analytics BIOC, and BIOCs there are published lists that enable us to pre-classify the alerts in XSOAR. So far I have not found a list of BTP rules which has caused some FP or FN when choosing to automatically isolate via XSOAR because we don't know ahead of time what rules are going to come through.

For example, there are BIOCs for DCSync attacks which trigger isolation but there is also at least one BTP rule for DCSync which we did not know about so isolation was not activated.

0 Likes Likes
  • 7862 Views
  • 4 replies
  • 6 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks