https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/a-question-from-the-endpoint-administration-part-2-webinar-alert/m-p/519399#M3054 <P>I was actually the one who asked that question during the webinar. Thanks for responding, but I don't think this applies to the behavior I was describing.&nbsp;</P> <P>&nbsp;</P> <P>I've attached two screenshots of outlier alerts. You can see Alert IDs are sorted, and most of the Timestamps for those are generated in the same order - the bigger the alert ID number, the newer the timestamps. Notice how there are some outlier examples when an older timestamp is assigned to a newer alert ID, looks like backdating was applied to something that was detected.&nbsp;</P> <P>&nbsp;</P> <P>Could you please explain this?&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 27 Oct 2022 14:45:20 GMT rufat87 2022-10-27T14:45:20Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/a-question-from-the-endpoint-administration-part-2-webinar-alert/m-p/515723#M2873 <P><SPAN>We often notice alert_id out of the numerical order, chronologically, sometimes way off. It appears like XDR is detecting something later and assigning an older timestamp but a new alert_id to detection. Can someone provide some detail/explanation on this observed behavior?</SPAN></P> <P>&nbsp;</P> <P><SPAN>Note: This question was asked during a customer success webinar: Endpoint Administration Part 2</SPAN></P> <P>&nbsp;</P> Thu, 22 Sep 2022 18:02:11 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/a-question-from-the-endpoint-administration-part-2-webinar-alert/m-p/515723#M2873 rtsedaka 2022-09-22T18:02:11Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/a-question-from-the-endpoint-administration-part-2-webinar-alert/m-p/515724#M2874 <P>A reply by the CS webinar team:&nbsp;</P> <P><SPAN>This is because the Alert table exposes only Critical to Low severity alerts and does not show "Informational Severity Alerts". In most cases, you would have more "Informational Alerts" in between the listed alerts. You would see some informational alerts under the "insights" tab of an Incident card. If you are an XDR Pro customer, to have an idea of the volume of Information Severity alerts that create the gap, go to Cortex XDR UI &gt; Detection Rules &gt; BIOC &gt; On the top right, click Analytics BIOC &gt; Expose and lock "# of Alerts field" &gt; filter for only Informational Severity Alerts &gt; Sort in descending order (It may be in millions or higher thousands for each line)</SPAN></P> <P>&nbsp;</P> Thu, 22 Sep 2022 18:04:17 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/a-question-from-the-endpoint-administration-part-2-webinar-alert/m-p/515724#M2874 rtsedaka 2022-09-22T18:04:17Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/a-question-from-the-endpoint-administration-part-2-webinar-alert/m-p/519399#M3054 <P>I was actually the one who asked that question during the webinar. Thanks for responding, but I don't think this applies to the behavior I was describing.&nbsp;</P> <P>&nbsp;</P> <P>I've attached two screenshots of outlier alerts. You can see Alert IDs are sorted, and most of the Timestamps for those are generated in the same order - the bigger the alert ID number, the newer the timestamps. Notice how there are some outlier examples when an older timestamp is assigned to a newer alert ID, looks like backdating was applied to something that was detected.&nbsp;</P> <P>&nbsp;</P> <P>Could you please explain this?&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 27 Oct 2022 14:45:20 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/a-question-from-the-endpoint-administration-part-2-webinar-alert/m-p/519399#M3054 rufat87 2022-10-27T14:45:20Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/a-question-from-the-endpoint-administration-part-2-webinar-alert/m-p/519694#M3073 <P><SPAN>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/209466">@rufat87</a>&nbsp;.&nbsp; If I understand your question correctly you’re wondering why the Alert IDs aren’t in chronological order.&nbsp; Well, Alert IDs aren’t necessarily generated in chronological order.&nbsp; It’s possible that these could be analytics alerts or alerts that are aggregated which could explain the difference between Alert ID and Timestamp.&nbsp; There are several different ways in which Cortex XDR generates alerts and some of these populate quicker than others.&nbsp; As mentioned above by @Rtsedaka it’s also possible that some of the alerts in questions are informational severity and therefore not displayed in the view in the images you posted.</SPAN></P> <P>&nbsp;</P> <P><SPAN>To get more detailed information about the Alert IDs and their correlations with timestamps I would suggest opening a support case.&nbsp; You can give them specifics about your environment that may help get to the answer you’re looking for.&nbsp;</SPAN></P> <P><BR /><SPAN>&nbsp;</SPAN><A href="https://support.paloaltonetworks.com/Support/Index" target="_blank"><SPAN>https://support.paloaltonetworks.com/Support/Index</SPAN></A></P> Mon, 31 Oct 2022 16:25:55 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/a-question-from-the-endpoint-administration-part-2-webinar-alert/m-p/519694#M3073 anlynch 2022-10-31T16:25:55Z