02-23-2022 09:56 AM - edited 02-23-2022 10:00 AM
We are in process of moving from Traps 4.x to Cortex XDR Prevent . As we are onboarding endpoints we are seeing alerts generated in our Dashboard . So alerts are clubbed as Incidents . So as we onboard endpoints the number of Incidents is increasing very rapidly , so as we open each Incident we see most have Wildfire Verdict as Benign so I guess they are safe and need no response and we see 2 out of 100 incidents have Verdict as Malware , so they need to be reviewed and response surely .
So question is is there a filter option which allows us to create a Dashboard which shows only alerts/incidents which have Verdict as 'Malware' .
Please add anything else which is important in this context , so looking at daily operations and looking to find what we need to do on Daily basis in our operations Job when we have all endpoints onboarded to Cortex XDR . We have profiles and policies understand and they are configured , now we are looking at alerts/incidents and looking for guidance about how to approach them and how to handle and interpret them on day to day basis .
Also are there any other things we need to monitor ? Also is our criteria to decide actionable matters correct i.e look at only those incidents which have Wildfire verdict as Malware ?
Thanks
02-23-2022 08:58 PM - edited 02-23-2022 08:58 PM
Hi @Balaraju To answer your first question where the WF verdict is malware: create a filter where "Wildfire Hits >=1".
Firstly, please go through the Cortex XDR Beacon training from the Support portal.
Secondly, I recommend you to review all incidents, (sort by severity, if possible), and immediately start tuning your alerts to prevent alert fatigue. At the same time, assign incidents to your analysts for investigation and perform remedial actions depending on your SOP (Standard Operating Procedures). This is a very broad topic and is subjective to your organizational security standards and incident management playbooks.Take a look at https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response.... which provides you a guideline for you to start your investigations.
In addition, you should keep an eye out on the several dashboards that are provided out of the box, create custom widgets and add them to your custom dashboards based on your use case for daily monitoring/analysis. This can include anything from reviewing agent operational status to vulnerability assessments, MTTR for incidents etc. Look at : https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/monitoring.html
In summary, look at everything, and determine holistically what need not be looked in the future. Only you can determine that as you know your estate the best. Review your XDR configurations and policies periodically and work on building incident response playbooks for standardization of tasks and processes.
02-23-2022 08:58 PM - edited 02-23-2022 08:58 PM
Hi @Balaraju To answer your first question where the WF verdict is malware: create a filter where "Wildfire Hits >=1".
Firstly, please go through the Cortex XDR Beacon training from the Support portal.
Secondly, I recommend you to review all incidents, (sort by severity, if possible), and immediately start tuning your alerts to prevent alert fatigue. At the same time, assign incidents to your analysts for investigation and perform remedial actions depending on your SOP (Standard Operating Procedures). This is a very broad topic and is subjective to your organizational security standards and incident management playbooks.Take a look at https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response.... which provides you a guideline for you to start your investigations.
In addition, you should keep an eye out on the several dashboards that are provided out of the box, create custom widgets and add them to your custom dashboards based on your use case for daily monitoring/analysis. This can include anything from reviewing agent operational status to vulnerability assessments, MTTR for incidents etc. Look at : https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/monitoring.html
In summary, look at everything, and determine holistically what need not be looked in the future. Only you can determine that as you know your estate the best. Review your XDR configurations and policies periodically and work on building incident response playbooks for standardization of tasks and processes.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
