
Cortex XDR

Identity Analytics
Detect malicious user activities by applying machine learning and behavioral analytics to
users, machines, and entities. Efficiently and automatically identify abnormal activity,
with the precise details needed to quickly evaluate potential threats and isolate and remove
them before they can cause further damage.

Cortex by Palo Alto Networks | Identity Analytics | Tech Brief 1


Compromised user accounts and malicious insiders continue to plague organizations of all sizes, across all
sectors. Compromised credentials, especially on privileged accounts with high-level network access, can leave
important, proprietary information susceptible to security breaches. This is amplified in organizations
where the principle of least privilege is not strictly enforced. As a result, identity-related risk awareness
takes a central role in preventing further exposure.

What Identity Analytics Can Do for You


1. Gain visibility into user activities including logins, authentication, SASE Gateway connections,
application executions, and much more. Identity Analytics leverages user activity data from
numerous sources including endpoints, endpoint agents, network firewalls, Active Directory,
event logs, IAM solutions, SASE gateways and clouds.
2. Locate improper credential usage and assess risks with AI or behavioral analytics. With Identity
Analytics you can implicate entities based on gathered evidence of their malicious behavior.
3. Understand user context on existing alerts with Active Directory data. Identity Analytics allows
you to examine traffic and data from a variety of sources — such as network activity from firewall
logs, VPN logs (from Prisma Access from the Panorama plugin), endpoint activity data (on
Windows endpoints), and Active Directory or a combination of those sources — so you can identify
endpoints and users on your network.
Using an analytics engine to examine logs and data from your sensors, Identity Analytics can
understand normal behaviors across your environment and create a baseline so that it can raise alerts
when abnormal activity occurs. With this function, you can detect suspicious user activity such as stolen
or misused credentials, lateral movement, credential harvesting, exfiltration, or brute-force attacks.
Cortex XDR uses Identity Analytics to help investigate suspicious user activity information that was
collected by the analytics engine. When enabled, the Identity Analytics add-on aggregates and displays
user profile information, activity, and incidents associated with a user-based Analytics type alert and
Analytics BIOC rule.
After endpoints and users are identified, the analytics engine uses information obtained from logs
to collect relevant details about every asset it sees. The analytics engine can detect threats from only
network or endpoint data, but for more context when investigating an alert, a combination of data
sources is recommended.
The list of what the engine looks for is large, varied, and constantly growing; as a consequence, the
analytics engine is able to build profiles about every endpoint and user that it knows about. Using
these profiles, the engine can put endpoint or user activity into context by comparing it against similar
endpoints or users. The analytics engine can create and maintain a large number of profile types.
Generally, they all fall into three categories:
1. Peer Group Profiles: A statistical analysis of an entity or entity relation that compares activities
from multiple entities in a peer group. For example, a domain might have a cross organization
popularity profile or a per peer group popularity profile.
2. Temporal Profiles: A statistical analysis of an entity or an entity relation that compares the same
entity to itself over time. For example, a host might have a profile for how many ports it accessed
in the past.
3. Entity Classification: A model detecting the role of an entity. For example, users can be classified
as service accounts or hosts as domain controllers.
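As an added illustration, not code from this tech brief or from Cortex XDR, the following Python sketches the first two profile categories over a constructed activity log: a temporal profile of distinct destination ports per host per day with a mean-plus-z-sigma threshold, and a peer-group popularity profile that flags domains a user contacts that are unpopular among that user's peers. The log fields, the peer group membership and the threshold values are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed activity log (day host user dst_port domain); not Cortex XDR data.
LOG = """\
d1 host-a alice 443 corp.example
d1 host-a alice 445 corp.example
d2 host-a alice 443 corp.example
d2 host-b bob 443 corp.example
d3 host-a alice 22 corp.example
d4 host-a alice 135 corp.example
d4 host-a alice 445 corp.example
d4 host-a alice 5985 corp.example
d4 host-a alice 443 paste.example
"""
EVENTS = [(d, h, u, int(p), dom) for d, h, u, p, dom in map(str.split, LOG.splitlines())]
PEER_GROUP = {"alice", "bob", "carol", "dave"}  # constructed peer group for alice

def temporal_profile(events, host):
    """Temporal profile: distinct destination ports per day for one host."""
    ports = defaultdict(set)
    for day, h, _, port, _ in events:
        if h == host:
            ports[day].add(port)
    return {day: len(p) for day, p in sorted(ports.items())}

def temporal_anomalies(profile, z=2.0):
    """Days whose port count exceeds mean + z*stdev of the host's other days."""
    flagged = []
    for day, count in profile.items():
        others = [c for d, c in profile.items() if d != day]
        if len(others) < 2:
            continue  # not enough history to build a baseline
        if count > mean(others) + z * max(pstdev(others), 1.0):
            flagged.append(day)
    return flagged

def peer_group_popularity(events, group):
    """Peer-group profile: fraction of the group that contacted each domain."""
    users = defaultdict(set)
    for _, _, user, _, domain in events:
        if user in group:
            users[domain].add(user)
    return {dom: len(u) / len(group) for dom, u in users.items()}

def rare_domains(events, user, group, threshold=0.25):
    """Domains the user contacted that are unpopular among the user's peers."""
    popularity = peer_group_popularity(events, group - {user})
    return sorted({dom for _, _, u, _, dom in events
                   if u == user and popularity.get(dom, 0.0) < threshold})
```

In the constructed log, host-a's fourth day stands out against its own history and paste.example is contacted by no peer of alice, which is the kind of deviation the engine's profiles are meant to surface.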

Key Features
• User-Centric Detection and Response: XDR Identity Analytics provides user-centric detection and response
functionality. A dedicated “360-degree view” shows a given user’s risk score, associated alerts, incidents,
and activities. This view can be toggled when investigating a specific incident, alert, or event.
• Integration with Workday®: XDR includes Workday integration. With this integration, XDR can pull users’
information to enrich incident and causality views. During your investigation, you can see all Workday
fields for each specific user, such as their department, manager, phone number, and hire date.
• Identity Detectors: XDR features over 30 identity detectors, alert-to-incident roll-up and full stitching,
correlation, and enrichment.
• User Risk Score: Each user is assigned a risk score that includes the score trend over time. The ML-based
score is calculated by Cortex XDR, so analysts can compare it with other users in the system in a dedicated
table view and see the trend for the specific user over time.
• Detection: Detectors are designed to detect abnormal user login and authentication activity.
Our Administrator’s guide documents the entire list of detectors. Search for “Identity Analytics”
to see the detectors and get the full details for each one, including the detected behavior and the
required data sources.
• Alerts: A detection will trigger a new alert. Depending on the alert severity, an alert can be considered
informational or dispatched to an incident.
» Informational severity alerts are displayed as enrichment in an existing incident under the
“insights” table, but will not open a new incident or be added to one as an alert.
» Low, medium, or high severity alerts can open a new incident or be added to an existing incident
as an alert.
• Alert investigation: Analyze Identity Analytics alerts in a dedicated causality view, which is similar
to the causality view of “standard” analytics alerts. A user node enables drill-down into more details
about the specific user, such as domain, department, AD groups and OUs, and some statistics about
recent logins and authentications.

3000 Tannery Way, Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087

© 2021 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our
trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned
herein may be trademarks of their respective companies.

www.paloaltonetworks.com