In Cortex XDR, Cases (referred to in the console as Incidents) are automatically created based on the Severity of the alerts generated. By default, only alerts with Medium, High, or Critical severity trigger the creation of a new Incident. Alerts with Low or Informational severity are classified as Insights and do not create standalone cases; they are only added to existing incidents if they can be correlated with higher-severity activity.

If your Analytic Rules are generating alerts that are not appearing as cases, they are likely set to Low severity. To automatically create cases for these alerts, use one of the following methods.

Method 1: Use Correlation Rules (Recommended)

This is the most effective way to promote a specific analytic alert to an incident. You create a custom rule that monitors for the analytic alert and generates a new alert with a higher severity.

Steps

Navigate to Detection > Detection Rules > Correlations.
Click + Add Correlation.
In the XQL Search section, write a query to target your specific Analytic Alert. For example:

dataset = alerts 
| filter alert_source = ENUM.XDR_ANALYTICS_BIOC and alert_name = "Your Analytic Alert Name"

Use dataset = alerts to find the existing analytic triggers.

In the Action section, select Generate Alert.
Set the Severity to Medium or High. This ensures that when the rule triggers, a case is automatically created.
In Alerts Fields Mapping, ensure the fields are mapped correctly to maintain incident grouping logic.

Method 2: Use Incident Configuration (Scoring Rules)

You can override the default severity of specific alerts using Incident Scoring rules. This elevates the alert's score so it meets the threshold for incident creation.

Steps

Navigate to Settings > Configuration > Incident Configuration.
Select + Add New Rule under Incident Scoring.
Define the scope by filtering for your Analytic Rule (for example, by Alert Source or Alert Name).
Set a Manual Score or severity level that is Medium or higher.
Save and activate the rule. Future alerts matching this configuration will now generate incidents.

Important Considerations:

Immutability
Built-in Analytic Rules and Analytic BIOC rules are predefined by Palo Alto Networks. You cannot directly change their severity or incident generation logic within the rule itself.

Automation Rules
Automation Rules can modify alert fields, but they primarily apply to alerts that are already grouped into incidents. If a low-severity alert does not create an incident, it may not appear in the Create Automation Rule wizard.

Incident Creation Policy
Ensure your global Incident Creation Policy (located under Settings > Configuration > Detections > Incident Creation Policy) does not exclude the alert sources or severities you want to monitor.

topic Re: Basic Doubt - Analytics in Cortex XDR Discussions

Basic Doubt - Analytics

Re: Basic Doubt - Analytics

Method 1: Use Correlation Rules (Recommended)

Method 2: Use Incident Configuration (Scoring Rules)

Important Considerations: