What the different of alert sources and definition of its.

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

What the different of alert sources and definition of its.

L1 Bithead

XDR Analytics BIOC
XDR Analytics
XDR Managed Threat Hunting
XDR Agent


L2 Linker

Would also love to hear or see more about this question.

Responding to it in hopes it will pop on the top of the queue for more folks to see and perhaps share info or resources

L0 Member

XDR Analytics BIOC - These are analytics alerts based (mainly) on single events. They are similar to BIOCs, except they also account for a  profile of how common or rare something is. Examples are "Uncommon local scheduled task creation via schtasks.exe",  "Microsoft Office Process Spawning a Suspicious One-Liner" and "Uncommon user management via net.exe". They are single event (execution of something) that is rarely seen in the environment.
XDR BIOC - These are behavioral IOCs, looking for abnormal behavior but not with specific hashes, IPs or domains. An example is 
"Binary file being created to disk with a double extension" - this rule is not looking at who created the file or what the file is, it's looking for the fact that a file was created with this attribute. Another example is "PowerShell runs base64-encoded commands", "Windows certificate management tool makes a network connection" and "Script file added to startup-related Registry keys".

NGFW - These are alerts generated by Palo Alto Network Next Gen Firewall as traffic is going through it. 

XDR IOC - These are simple IOC matches, including hashes, IPs, domains, files, etc.
XDR Analytics - There alerts are similar to Analytics BIOCs, however they are multi-event. An example can be "Random-Looking Domain Names" - this alert groups multiple DNS queries that seem random and alerts when it sees several of them. Additional examples are "Recurring Rare Domain Access", "Failed Connections" and "DNS Tunneling".
XDR Managed Threat Hunting - These are alert generated by our Managed Service.
XDR Agent - These are alerts generated by the agent itself on the machines. All other alert type above (expect the FW) are generated using the telemetry XDR collects in the cloud, but this one is done by the agent locally when it sees suspicious behavior in real time. Alerts can be malware related, restrictions, exploits and more.

L1 Bithead

Where can I go to see the exact definition of the alerts? Specifically trying to see the definition of XDR's Analytics BIOC "A Successful login from TOR"

L4 Transporter

Hi @JamesWiggins,


Thanks for reaching out on LIVEcommunity!


The alert you're mentioning is a known false positive.  A bad BIOC rule went out with a Content Update and it is currently being investigated.  There will more than likely be updates to the situation on this thread if you'd like to follow.



Perfect, thank you! Is the exact definition of that alert not listed anywhere? 

  • 5 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!