topic Re: How Cortex XDR alert/incident severity is decided or generated on tool in Cortex XDR Discussions

How Cortex XDR alert/incident severity is decided or generated on tool

tejaspatil12 — Mon, 29 Apr 2024 07:30:50 GMT

Hello all,

Please help me to understand how Cortex XDR assign the severity to incident and alert.

Re: How Cortex XDR alert/incident severity is decided or generated on tool

aspatil — Tue, 30 Apr 2024 06:13:35 GMT

Hello @tejaspatil12 ,

Thanks for reaching out on LiveCommunity!

Unfortunately, this information cannot be shared as it is an IP.

However, to understand what parameters are defined to look upon alerts and incidents to perform a stitching or what we call a “story” to create alerts and incidents, customer can go through this video. The first 10 minutes are enough to understand the concept.

If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.

Re: How Cortex XDR alert/incident severity is decided or generated on tool

tejaspatil12 — Tue, 30 Apr 2024 06:21:58 GMT

Hi @aspatil ,

Thanks for response on this topic.

i can understand about the IP however do we have any official document by palo alto which shows Cortex XDR system itself understood its severity and assign to the incident/alert.

Re: How Cortex XDR alert/incident severity is decided or generated on tool

jmazzeo — Tue, 30 Apr 2024 13:28:49 GMT

Hi @tejaspatil12, as mentioned before by @aspatil , the details about how the alerts are classified can't be shared, but is a mechanism that uses the information from the type of malware, Mitre technichs used, criticity of the IOCs found, and some many other flags to set the severity.

Abount Incidents, is defined by the highest alert severity contained into the incident. Details here in the "severity" field: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Incidents

If this post answers your question, please mark it as the solution.