topic Re: Alert to Incident in Cortex XDR Discussions

Alert to Incident

RFeyertag — Sun, 17 Sep 2023 21:32:52 GMT

Hey dear community,

do I have the chance to elevate a alert to an incident? I tried allready to set the severity of an alert to critical, but nothing happened. This alert doesn't get an Incident ID.

I thought this was possible in the past, but I can't remember if I am doing it right.

Rob

Re: Alert to Incident

SeanDeHarris — Mon, 18 Sep 2023 07:11:26 GMT

May consider to Build you own BIOC rule and play around with XQL query

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Create-a-BIOC-Rule

Re: Alert to Incident

RFeyertag — Mon, 18 Sep 2023 12:30:29 GMT

Sorry, my fail. The alert is a low alert and I need to elevate this low alert to an incident with an ID, because I need to fill in some informations.

I know how to build BIOC rules and I know XQL a bit.

Rob

Re: Alert to Incident

Belhaj_a — Wed, 12 Jun 2024 07:19:39 GMT

Maybe the Correlation Rule will do the job,
You can use the following XQL Query to capture the targeted alerts:
dataset = alerts
| filter alert_name = "TARGETED_ALERT_NAME"

Make sure to consider enabling Alert Suppression. Also, the new alert should have a medium severity so a new incident will be opened.
From the below-mentioned ref: "Whenever the severity type is Medium or above for the alert generated, an incident is automatically opened."

Ref: Create a Correlation Rule • Cortex XDR Pro Administrator Guide • Reader • Palo Alto Networks documentation portal

Re: Alert to Incident

PiyushKohli — Wed, 19 Jun 2024 13:51:51 GMT

Hi @Belhaj_a

Good try. However just to update here "Correlations over alerts source are not allowed" hence your above approach won't help. For BIOC's as shared above by @RFeyertag one can create their own correlation rule based on the BIOC logic and thus you will have Incidents but Incident source will be correlation this time.

Hope this clarifies!

Thanks

Re: Alert to Incident

RFeyertag — Thu, 20 Jun 2024 21:58:43 GMT

Hello @Belhaj_a @PiyushKohli @SeanDeHarris

I just need to create from a normal low alert an incident. Like you have your IOCs. I need an elevation.

What is the right way, when an alert is true positive, but there is no incident created?

Rob

Re: Alert to Incident

E.Jafarov — Fri, 22 Nov 2024 12:41:16 GMT

Hi RFeyertag

I could be late but I hope this will help you.

This method works in critical, high and medium level alerts.

Re: Alert to Incident

RFeyertag — Mon, 02 Dec 2024 23:05:29 GMT

Hey @E.Jafarov

I think you described the opposite way?

Because I do not want to move the alert from the incident, I want to change the severity to medium + and then I'd like to have an incident number from this alert. I cannot imagine, this feature is not implemented.

Rob