- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
04-30-2024 12:46 AM
Hello Community,
The BIOC Analytics has recently added these alerts and I wanted to get some insight and I hope this thread can be used in the future by others as well.
While the same seems straightforward there are some issues. The name of the alert suggests that a suspicious domain suffix was seen WITH a rare user agent.
The issue is that in the datasets the user agent field is NULL. So unless the originating process (chrome for example) is compromised it should not have a rare user agent. But I see that the domains reached out to are generally considered as normal.
06-26-2024 12:44 AM
Hello Everyone it seems that Cortex has removed the alerts for now until they fix it.
05-02-2024 08:53 AM
Hi @AvesterFahimipour, thanks for reaching us using the Live Community.
I can't find that BIOC Rules in my tenant, only "Suspicious domain suffix" and some about "abnormal" or "suspicious" user agent.
Were you able to check our Required data sources doc for the Analytics alerts? Maybe some data source is missing to fill the dataset fields.
If this post answers your question, please mark it as the solution.
05-03-2024 12:46 AM
You can see it under variations
https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR-Analytics-Alert-Reference-by-data-source/Suspi...
It does not mention anything about datasets and it is under XDR agent.
06-26-2024 12:44 AM
Hello Everyone it seems that Cortex has removed the alerts for now until they fix it.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!