https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/artifacts-query/m-p/529890#M3554 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/251467">@VineethArumulla</a> ,</P> <P>I believe it is the opposite (if I may put it this way).</P> <P>- XDR could generate Alert for various reasons.</P> <P>- This alert is associated with Incident. Incident is simply "container"/aggregator for related alerts</P> <P>- XDR console will collect the key artifacts from those alerts and present them in this tab. This is mainly to give you quick way to see all the files, IP addresses and users that are involved in this incident.</P> <P>- In addition to summarizing all the files and IP addresses, XDR will give you additional context for those by showing threat intelligence information (TI) from VirusTotal and WildFire.</P> <P>&nbsp;</P> <P>Do not expect XDR to raise alert if your host tries to connect to IP that have high suspicious score on VirusTotal.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>If you want XDR to raise alert if known suspicious IP/file, domain is seen in your organization, you need to create IOC. You can integrate another Threat Intelligence Platform, which will automatically import IOCs to your XDR, but this is completely different from Key Assets &amp; Artifacts tab. The latter is only to give you additional context</P> Sat, 04 Feb 2023 21:40:37 GMT aleksandar.astardzhiev 2023-02-04T21:40:37Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/artifacts-query/m-p/529746#M3545 <P>Assume alert has been generated in the XDR, if the IP involved in the artifacts are raised as malicious or suspicious by some of the security vendors in the VT(virus total) or shown as malware by wildfire. Is that really the IP is suspicious? Please explain</P> Fri, 03 Feb 2023 10:09:37 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/artifacts-query/m-p/529746#M3545 VineethArumulla 2023-02-03T10:09:37Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/artifacts-query/m-p/529890#M3554 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/251467">@VineethArumulla</a> ,</P> <P>I believe it is the opposite (if I may put it this way).</P> <P>- XDR could generate Alert for various reasons.</P> <P>- This alert is associated with Incident. Incident is simply "container"/aggregator for related alerts</P> <P>- XDR console will collect the key artifacts from those alerts and present them in this tab. This is mainly to give you quick way to see all the files, IP addresses and users that are involved in this incident.</P> <P>- In addition to summarizing all the files and IP addresses, XDR will give you additional context for those by showing threat intelligence information (TI) from VirusTotal and WildFire.</P> <P>&nbsp;</P> <P>Do not expect XDR to raise alert if your host tries to connect to IP that have high suspicious score on VirusTotal.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>If you want XDR to raise alert if known suspicious IP/file, domain is seen in your organization, you need to create IOC. You can integrate another Threat Intelligence Platform, which will automatically import IOCs to your XDR, but this is completely different from Key Assets &amp; Artifacts tab. The latter is only to give you additional context</P> Sat, 04 Feb 2023 21:40:37 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/artifacts-query/m-p/529890#M3554 aleksandar.astardzhiev 2023-02-04T21:40:37Z