09-21-2020 11:50 AM
XDR Analytics BIOC
XDR BIOC
PAN NGFW
XDR IOC
XDR Analytics
XDR Managed Threat Hunting
XDR Agent
10-21-2020 01:38 PM
Would also love to hear or see more about this question.
Responding to it in hopes it will pop on the top of the queue for more folks to see and perhaps share info or resources
11-20-2020 01:29 AM
XDR Analytics BIOC - These are analytics alerts based (mainly) on single events. They are similar to BIOCs, except they also account for a profile of how common or rare something is. Examples are "Uncommon local scheduled task creation via schtasks.exe", "Microsoft Office Process Spawning a Suspicious One-Liner" and "Uncommon user management via net.exe". They are single event (execution of something) that is rarely seen in the environment.
XDR BIOC - These are behavioral IOCs, looking for abnormal behavior but not with specific hashes, IPs or domains. An example is
"Binary file being created to disk with a double extension" - this rule is not looking at who created the file or what the file is, it's looking for the fact that a file was created with this attribute. Another example is "PowerShell runs base64-encoded commands", "Windows certificate management tool makes a network connection" and "Script file added to startup-related Registry keys".
NGFW - These are alerts generated by Palo Alto Network Next Gen Firewall as traffic is going through it.
XDR IOC - These are simple IOC matches, including hashes, IPs, domains, files, etc.
XDR Analytics - There alerts are similar to Analytics BIOCs, however they are multi-event. An example can be "Random-Looking Domain Names" - this alert groups multiple DNS queries that seem random and alerts when it sees several of them. Additional examples are "Recurring Rare Domain Access", "Failed Connections" and "DNS Tunneling".
XDR Managed Threat Hunting - These are alert generated by our Managed Service.
XDR Agent - These are alerts generated by the agent itself on the machines. All other alert type above (expect the FW) are generated using the telemetry XDR collects in the cloud, but this one is done by the agent locally when it sees suspicious behavior in real time. Alerts can be malware related, restrictions, exploits and more.
03-27-2023 02:14 PM
Where can I go to see the exact definition of the alerts? Specifically trying to see the definition of XDR's Analytics BIOC "A Successful login from TOR"
03-27-2023 02:54 PM
Hi @JamesWiggins,
Thanks for reaching out on LIVEcommunity!
The alert you're mentioning is a known false positive. A bad BIOC rule went out with a Content Update and it is currently being investigated. There will more than likely be updates to the situation on this thread if you'd like to follow.
03-28-2023 05:58 AM
Perfect, thank you! Is the exact definition of that alert not listed anywhere?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
