11-20-2020 01:29 AM
XDR Analytics BIOC - These are analytics alerts based (mainly) on single events. They are similar to BIOCs, except they also account for a profile of how common or rare something is. Examples are "Uncommon local scheduled task creation via schtasks.exe", "Microsoft Office Process Spawning a Suspicious One-Liner" and "Uncommon user management via net.exe". They are single event (execution of something) that is rarely seen in the environment.
XDR BIOC - These are behavioral IOCs, looking for abnormal behavior but not with specific hashes, IPs or domains. An example is
"Binary file being created to disk with a double extension" - this rule is not looking at who created the file or what the file is, it's looking for the fact that a file was created with this attribute. Another example is "PowerShell runs base64-encoded commands", "Windows certificate management tool makes a network connection" and "Script file added to startup-related Registry keys".
NGFW - These are alerts generated by Palo Alto Network Next Gen Firewall as traffic is going through it.
XDR IOC - These are simple IOC matches, including hashes, IPs, domains, files, etc.
XDR Analytics - There alerts are similar to Analytics BIOCs, however they are multi-event. An example can be "Random-Looking Domain Names" - this alert groups multiple DNS queries that seem random and alerts when it sees several of them. Additional examples are "Recurring Rare Domain Access", "Failed Connections" and "DNS Tunneling".
XDR Managed Threat Hunting - These are alert generated by our Managed Service.
XDR Agent - These are alerts generated by the agent itself on the machines. All other alert type above (expect the FW) are generated using the telemetry XDR collects in the cloud, but this one is done by the agent locally when it sees suspicious behavior in real time. Alerts can be malware related, restrictions, exploits and more.
