https://live.paloaltonetworks.com/t5/next-generation-firewall/incidents-contain-many-alert-types-but-why/m-p/533855#M1004 <P>Hi&nbsp; <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/255854">@Eric_Geater</a> ,</P> <P>Looking at the Alert names it looks like those are triggered&nbsp; by Inbound traffic - public addresses trying to connect to your public resources behind the FW. My guess is the XDR is grouping all of them in the same incident either because they are targeting the same destination IP, or are sourced from the same external IP or both (both).</P> <P>&nbsp;</P> Thu, 09 Mar 2023 21:45:34 GMT aleksandar.astardzhiev 2023-03-09T21:45:34Z https://live.paloaltonetworks.com/t5/next-generation-firewall/incidents-contain-many-alert-types-but-why/m-p/527442#M769 <P>Hello, everyone.&nbsp; Our product suite now includes receiving <STRONG>alerts</STRONG> from the NGFW, in addition to XDR.&nbsp; It seems, though, that a single <STRONG>incident</STRONG> may include several different alerts.&nbsp; This seems like a strange behavior, because the list of alerts come from many hosts, or threat type, or threat vector.&nbsp; If the Incidents are grouping unrelated alerts, we'd like to understand why.</P> <P>&nbsp;</P> <P>I have one particular incident which is composed of seven wholly different alerts, and they're all being sent from the NGFW.&nbsp; It would seem more sensible that there would be seven different incidents which match the alerts.</P> <P>&nbsp;</P> <P>I welcome your replies!</P> <P>&nbsp;</P> Tue, 17 Jan 2023 18:35:05 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/incidents-contain-many-alert-types-but-why/m-p/527442#M769 Eric_Geater 2023-01-17T18:35:05Z https://live.paloaltonetworks.com/t5/next-generation-firewall/incidents-contain-many-alert-types-but-why/m-p/527552#M775 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/255854">@Eric_Geater</a> ,</P> <P>Cortex XDR console should never group unrelated alerts in the same incident. There will always be some common artifact between the alerts in order for the console to put them under the same incident. I don't believe Palo Alto are officially sharing the complete logic of alert grouping, but if you look at the documentation you can see that there are multiple factors:<BR /><BR />"The logic behind which alert the <SPAN class="phrase">Cortex XDR</SPAN> app assigns to an incident is <STRONG>based on a set of rules</STRONG> which take into <STRONG>account different attributes</STRONG>. Examples of alert <STRONG>attributes include alert source, type, and time period</STRONG>. The app extracts a set of artifacts related to the threat event, listed in each alert, and compares it with the artifacts appearing in existing alerts in the system. Alerts on the same causality chain are grouped with the same incident if an open incident already exists. Otherwise, the new incoming alert will create a new incident."</P> <P><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Prevent-Administrator-Guide/Incidents" target="_blank">Incidents • Cortex XDR Prevent Administrator Guide • Reader • Palo Alto Networks documentation portal</A></P> <P>&nbsp;</P> <P>In my experience when comes to Incidents/Alerts from PAN FW usually they are:</P> <P>- Same public source triggering different threat log</P> <P>- Same destination targeted by different sources triggering different threat log</P> <P>- and of course different addresses triggering same threat log.</P> <P>&nbsp;</P> Wed, 18 Jan 2023 14:27:40 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/incidents-contain-many-alert-types-but-why/m-p/527552#M775 aleksandar.astardzhiev 2023-01-18T14:27:40Z https://live.paloaltonetworks.com/t5/next-generation-firewall/incidents-contain-many-alert-types-but-why/m-p/527957#M789 <P>This may serve as a good example of a single alert we've received.&nbsp; I'm not saying all alerts look like this, because many do not.&nbsp; But when they do, well... it's interesting to parse.&nbsp; You hope that the bulk of detail is "false positive" or "other" in your resolution.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Eric_Geater_0-1674221584933.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/47276i486BA0376F8C3962/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Eric_Geater_0-1674221584933.png" alt="Eric_Geater_0-1674221584933.png" /></span></P> <P>&nbsp;</P> Fri, 20 Jan 2023 13:36:32 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/incidents-contain-many-alert-types-but-why/m-p/527957#M789 Eric_Geater 2023-01-20T13:36:32Z https://live.paloaltonetworks.com/t5/next-generation-firewall/incidents-contain-many-alert-types-but-why/m-p/533855#M1004 <P>Hi&nbsp; <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/255854">@Eric_Geater</a> ,</P> <P>Looking at the Alert names it looks like those are triggered&nbsp; by Inbound traffic - public addresses trying to connect to your public resources behind the FW. My guess is the XDR is grouping all of them in the same incident either because they are targeting the same destination IP, or are sourced from the same external IP or both (both).</P> <P>&nbsp;</P> Thu, 09 Mar 2023 21:45:34 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/incidents-contain-many-alert-types-but-why/m-p/533855#M1004 aleksandar.astardzhiev 2023-03-09T21:45:34Z https://live.paloaltonetworks.com/t5/next-generation-firewall/incidents-contain-many-alert-types-but-why/m-p/570860#M2308 <P>Are all Alerts present within Incidents?&nbsp;</P> Tue, 26 Dec 2023 12:31:40 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/incidents-contain-many-alert-types-but-why/m-p/570860#M2308 GRAVEREAPER 2023-12-26T12:31:40Z