https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/incident-reported-late-on-console/m-p/538717#M4123 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/236325">@Shahwaz_Md</a> ,</P> <P>What <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/163390">@KanwarSingh01</a>&nbsp; was hoping for was to provide more information about the alert that was triggered:</P> <P>- Alert name</P> <P>- Alert source</P> <P>- Alert action</P> <P>&nbsp;</P> <P>What posibility I can think of is that you have created BIOC rule or added IOC. When you add BIOC or IOC, XDR console will start searching all the existing logs in the data lake and will trigger retrospective alert. The purpose of this is to alert you if at any time in the past any of those new indicators were observed in your environment. To sum up - creating indicator IOC or BIOC will trigger automatic search for these indicators in the EDR data in the data lake, not only future detections.</P> <P>&nbsp;</P> <P>I am not completely sure if new BIOCs from Palo Alto (via content update) will also trigger retrospective alert, but it is also possible that content update have triggered your alert.</P> <P>&nbsp;</P> <P>"I am trying to understand how much time does it take for an alert to become an incident and what is the critieria for it."</P> <P>Alert will always trigger incident immidetially when it is received by XDR console (well technically it will either create new alert or it will decide to aggregate it to existing incident, but still it will immediately after alert is received by the console)</P> Fri, 14 Apr 2023 06:32:44 GMT aleksandar.astardzhiev 2023-04-14T06:32:44Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/incident-reported-late-on-console/m-p/538608#M4111 <P>Hi All,</P> <P>&nbsp;</P> <P>There are incidents on XDR Console which have alert dated 10-12 days back. Need to understand the time gap and why this incident was not observed on the same day.</P> <P>&nbsp;</P> <P>Thank you</P> <P>&nbsp;</P> Thu, 13 Apr 2023 12:48:09 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/incident-reported-late-on-console/m-p/538608#M4111 Shahwaz_Md 2023-04-13T12:48:09Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/incident-reported-late-on-console/m-p/538668#M4115 <P>Hi, Is it possible for you to post more details on your asked question?</P> Thu, 13 Apr 2023 22:55:55 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/incident-reported-late-on-console/m-p/538668#M4115 KanwarSingh01 2023-04-13T22:55:55Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/incident-reported-late-on-console/m-p/538710#M4121 <P>Hi Kanwar,</P> <P>&nbsp;</P> <P>There is one incident which got triggered on 28th march but it has an alert dated 12th march. I am trying to understand how much time does it take for an alert to become an incident and what is the critieria for it.</P> <P>&nbsp;</P> <P>Thanks</P> Fri, 14 Apr 2023 05:01:59 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/incident-reported-late-on-console/m-p/538710#M4121 Shahwaz_Md 2023-04-14T05:01:59Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/incident-reported-late-on-console/m-p/538717#M4123 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/236325">@Shahwaz_Md</a> ,</P> <P>What <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/163390">@KanwarSingh01</a>&nbsp; was hoping for was to provide more information about the alert that was triggered:</P> <P>- Alert name</P> <P>- Alert source</P> <P>- Alert action</P> <P>&nbsp;</P> <P>What posibility I can think of is that you have created BIOC rule or added IOC. When you add BIOC or IOC, XDR console will start searching all the existing logs in the data lake and will trigger retrospective alert. The purpose of this is to alert you if at any time in the past any of those new indicators were observed in your environment. To sum up - creating indicator IOC or BIOC will trigger automatic search for these indicators in the EDR data in the data lake, not only future detections.</P> <P>&nbsp;</P> <P>I am not completely sure if new BIOCs from Palo Alto (via content update) will also trigger retrospective alert, but it is also possible that content update have triggered your alert.</P> <P>&nbsp;</P> <P>"I am trying to understand how much time does it take for an alert to become an incident and what is the critieria for it."</P> <P>Alert will always trigger incident immidetially when it is received by XDR console (well technically it will either create new alert or it will decide to aggregate it to existing incident, but still it will immediately after alert is received by the console)</P> Fri, 14 Apr 2023 06:32:44 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/incident-reported-late-on-console/m-p/538717#M4123 aleksandar.astardzhiev 2023-04-14T06:32:44Z