How do you handle Low Severity alerts/issues?

PA_nts — Thu, 27 Nov 2025 11:24:08 GMT

want to know how you guys deal with low severity alerts..

do you monitor/analyze them or only focus on incidents with medium/high/critical severity?

do you run any playbook automation against these low sev alerts?

are there any best practices from PAN around handling of low severity alerts? i cannot seem to find any.

thanks in adv

Re: How do you handle Low Severity alerts/issues?

susekar — Wed, 11 Feb 2026 14:19:04 GMT

Hello @PA_nts ,

Greetings for the day.

In Cortex XSIAM, the handling of low-severity alerts is governed by a design philosophy focused on reducing alert fatigue and prioritizing actionable threats.

Monitoring and Analysis:

By default, Cortex XSIAM does not automatically create incidents for alerts with Low or Informational severity. These alerts are typically categorized as Insights, which provide contextual metadata to help analysts understand the broader attack chain within an existing incident.

Exceptions

There are specific scenarios where Low severity alerts do generate incidents automatically because they are considered high-fidelity or critical for early detection:

Identity and ITDR: Analytics and BIOC alerts related to Identity modules
Cloud Detection: Alerts generated from Cloud Detection modules
Analytics (Magnifier): Certain detections such as Large Upload, Port Scan, or Failed Connections

Playbook Automation:

Standard Automation Rules and Playbook Triggers are tied to the incident lifecycle. Since most Low severity alerts do not create incidents, they do not automatically trigger playbooks.

Workarounds for Automating Low Severity Alerts

Scheduled Jobs
Create a scheduled playbook (Job) that runs an XQL query to identify specific Low severity alerts and perform programmatic actions.
For example, a script can use:
```
setAlertStatus
```
to automatically resolve or update qualifying alerts.
Severity Elevation
Modify the source detection (BIOC, Correlation Rule, or Analytics Rule) to raise the severity to Medium.
This forces incident creation and allows standard automation rules to trigger.
Manual Execution
Analysts can manually execute playbooks directly from the Alerts table for Low severity entries.

Best Practices:

To effectively manage Low severity alert volume:

Treat as Contextual Insights:

Rather than reviewing Low alerts individually, examine them within the Alerts & Insights tab of a related Medium or High severity incident to gain a complete attack narrative.

Tune at the Source:

If specific Low severity alerts are consistently noisy and provide little value:

Use Alert Exclusions, or
Tune the originating detection rule (for example, firewall rules or analytics logic)
to prevent unnecessary alerts from reaching the console.

SOC Tiering Approach:

Use a Tier 1 or Triage Specialist role to periodically review the raw Alerts table (via XQL queries) for emerging patterns that may not yet meet the Medium severity threshold.

Future Enhancement:

A feature enhancement request is currently tracked to allow playbooks to trigger directly from Low and Informational alerts in future releases.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

Thanks & Regards,
S. Subashkar Sekar

Re: How do you handle Low Severity alerts/issues?

PA_nts — Wed, 11 Feb 2026 14:43:01 GMT

Thanks for the response and appreciated.. but cannot accept AI responses as a solution being source of truth at this stage

I can ask AI and get the same response..

I was hoping to get a more personalized answer as to how you handle this in your environment.

Re: How do you handle Low Severity alerts/issues?

MDovirak — Mon, 16 Feb 2026 15:41:40 GMT

As a customer one way how to handle it is 'check-ups' for low severity/informational alerts. LIke Windows Event Log was cleared using wevtutil.exe trigger as low severity, but logs clean-up from the system is not common 'user activity'. I recommend to setup regular human process (potentially via reports/dashboards) to review low severity alerts. The most interesting alerts are those with the lowest frequency of generation (only one or two per week).

topic Re: How do you handle Low Severity alerts/issues? in Cortex XSIAM Discussions

How do you handle Low Severity alerts/issues?

Re: How do you handle Low Severity alerts/issues?

Monitoring and Analysis:

Exceptions

Playbook Automation:

Workarounds for Automating Low Severity Alerts

Best Practices:

Treat as Contextual Insights:

Tune at the Source:

SOC Tiering Approach:

Future Enhancement:

Re: How do you handle Low Severity alerts/issues?

Re: How do you handle Low Severity alerts/issues?