https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/life-of-a-case/m-p/1255643#M423 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/170701">@JohanBogema</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <P>&nbsp;</P> <P data-end="157" data-start="0">In Cortex XSIAM, the behavior when a new matching issue occurs for a resolved case depends on the specific resolution status and the timing of the new alert.</P> <P data-end="157" data-start="0">&nbsp;</P> <H4 data-end="208" data-start="159" data-section-id="u2voj8">1. Automatic Reopening (Within 6-Hour Window):</H4> <P data-end="382" data-start="209">If a case is resolved with the status <STRONG data-end="274" data-start="247">Resolved - Auto Resolve</STRONG>, Cortex XSIAM will automatically reopen the case if a matching issue occurs within a six-hour grace period.</P> <UL data-end="668" data-start="384"> <LI data-end="499" data-start="384" data-section-id="d44lqo"><STRONG data-end="404" data-start="386">Status Change:</STRONG> The case status reverts from <STRONG data-end="446" data-start="434">Resolved</STRONG> back to <STRONG data-end="462" data-start="455">New</STRONG> to ensure it is visible to analysts.</LI> <LI data-end="668" data-start="500" data-section-id="9au7re"><STRONG data-end="525" data-start="502">Window Calculation:</STRONG> This six-hour window is based on the timestamp of the last issue that was grouped into the case, not the time the case was marked as resolved.</LI> </UL> <H4 data-end="716" data-start="670" data-section-id="q3iq15">2. New Case Creation (After 6-Hour Window):</H4> <P data-end="860" data-start="717">Once the six-hour grouping window has passed, any new matching issues will trigger the creation of a <STRONG data-end="830" data-start="818">new case</STRONG> for a separate investigation.</P> <P data-end="860" data-start="717">&nbsp;</P> <H4 data-end="895" data-start="862" data-section-id="1hf9wwz">3. Manual Resolution Behavior:</H4> <P data-end="1113" data-start="896">If a case is resolved manually (for example, using statuses such as <STRONG data-end="992" data-start="964">Resolved - True Positive</STRONG> or <STRONG data-end="1025" data-start="996">Resolved - False Positive</STRONG>), the system behavior changes to preserve the integrity of the completed investigation.</P> <UL data-is-only-node="" data-is-last-node="" data-end="1409" data-start="1115"> <LI data-end="1220" data-start="1115" data-section-id="sx15x9"><STRONG data-end="1139" data-start="1117">Grouping Disabled:</STRONG> Manual resolution typically sets the <STRONG data-end="1203" data-start="1177">Alerts Grouping Status</STRONG> to <STRONG data-end="1219" data-start="1207">Disabled</STRONG>.</LI> <LI data-is-last-node="" data-end="1409" data-start="1221" data-section-id="gmn7n9"><STRONG data-end="1234" data-start="1223">Effect:</STRONG> New matching alerts generally do not reopen the manually resolved case and may instead generate a new case or remain unassociated, depending on the applicable grouping logic.</LI> </UL> <P>If you feel this has answered your query, please let us know by clicking&nbsp;<STRONG>like&nbsp;</STRONG>and on&nbsp;<STRONG>"mark this as a Solution"</STRONG>.</P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> Mon, 08 Jun 2026 18:54:11 GMT susekar 2026-06-08T18:54:11Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/life-of-a-case/m-p/1255614#M420 <P>Hi all,</P> <P>&nbsp;</P> <P>I am trying to figure out the life of a case and run into a question I can't seem to find the documentation about:<BR /><BR />What happens when a case has been set to resolved but a new matching issue pops up? Is a new case created or is the resolved case re-opened?</P> Mon, 08 Jun 2026 09:49:29 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/life-of-a-case/m-p/1255614#M420 JohanBogema 2026-06-08T09:49:29Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/life-of-a-case/m-p/1255643#M423 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/170701">@JohanBogema</a>&nbsp;,</P> <P>&nbsp;</P> <P>Greetings for the day.</P> <P>&nbsp;</P> <P data-end="157" data-start="0">In Cortex XSIAM, the behavior when a new matching issue occurs for a resolved case depends on the specific resolution status and the timing of the new alert.</P> <P data-end="157" data-start="0">&nbsp;</P> <H4 data-end="208" data-start="159" data-section-id="u2voj8">1. Automatic Reopening (Within 6-Hour Window):</H4> <P data-end="382" data-start="209">If a case is resolved with the status <STRONG data-end="274" data-start="247">Resolved - Auto Resolve</STRONG>, Cortex XSIAM will automatically reopen the case if a matching issue occurs within a six-hour grace period.</P> <UL data-end="668" data-start="384"> <LI data-end="499" data-start="384" data-section-id="d44lqo"><STRONG data-end="404" data-start="386">Status Change:</STRONG> The case status reverts from <STRONG data-end="446" data-start="434">Resolved</STRONG> back to <STRONG data-end="462" data-start="455">New</STRONG> to ensure it is visible to analysts.</LI> <LI data-end="668" data-start="500" data-section-id="9au7re"><STRONG data-end="525" data-start="502">Window Calculation:</STRONG> This six-hour window is based on the timestamp of the last issue that was grouped into the case, not the time the case was marked as resolved.</LI> </UL> <H4 data-end="716" data-start="670" data-section-id="q3iq15">2. New Case Creation (After 6-Hour Window):</H4> <P data-end="860" data-start="717">Once the six-hour grouping window has passed, any new matching issues will trigger the creation of a <STRONG data-end="830" data-start="818">new case</STRONG> for a separate investigation.</P> <P data-end="860" data-start="717">&nbsp;</P> <H4 data-end="895" data-start="862" data-section-id="1hf9wwz">3. Manual Resolution Behavior:</H4> <P data-end="1113" data-start="896">If a case is resolved manually (for example, using statuses such as <STRONG data-end="992" data-start="964">Resolved - True Positive</STRONG> or <STRONG data-end="1025" data-start="996">Resolved - False Positive</STRONG>), the system behavior changes to preserve the integrity of the completed investigation.</P> <UL data-is-only-node="" data-is-last-node="" data-end="1409" data-start="1115"> <LI data-end="1220" data-start="1115" data-section-id="sx15x9"><STRONG data-end="1139" data-start="1117">Grouping Disabled:</STRONG> Manual resolution typically sets the <STRONG data-end="1203" data-start="1177">Alerts Grouping Status</STRONG> to <STRONG data-end="1219" data-start="1207">Disabled</STRONG>.</LI> <LI data-is-last-node="" data-end="1409" data-start="1221" data-section-id="gmn7n9"><STRONG data-end="1234" data-start="1223">Effect:</STRONG> New matching alerts generally do not reopen the manually resolved case and may instead generate a new case or remain unassociated, depending on the applicable grouping logic.</LI> </UL> <P>If you feel this has answered your query, please let us know by clicking&nbsp;<STRONG>like&nbsp;</STRONG>and on&nbsp;<STRONG>"mark this as a Solution"</STRONG>.</P> <P>&nbsp;</P> <P>Thanks &amp; Regards,<BR />S. Subashkar Sekar</P> Mon, 08 Jun 2026 18:54:11 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/life-of-a-case/m-p/1255643#M423 susekar 2026-06-08T18:54:11Z