Alert Not Stitching (Custom Correlation Rule)


L1 Bithead

Hello everyone, I have a question about alert stitching in Cortex XSIAM/XDR. I created two correlation rules:

  1. Policy - Violation Root Detection (Medium severity)

  2. Policy - Successful Sudo Command (Low severity)

However, when I check the incidents, the alerts are not being stitched together. I believe they should be stitched because the user, source IP, and host are the same. Can you please give me a reason or explanation 🙂 


L5 Sessionator

Hi G.Anshar, 

Even if some alerts have the same user, IP, and hostname, they might not be stitched to the same incident if XDR considers that they are not related to the same malicious activity, so 2 different incidents might be created for the same hostname. 

You have the possibility to move alerts to other incidents if you consider that some alerts should belong to other incidents. 

Bear in mind that low alerts do not create an incident. They could be stitched to an incident created by another alert of higher severity, or just stay as orphans (so to say) themselves without being stitched/included in any incident. 

 

I'm not sure if you expected that alerts created by different correlation rules should be in the same incident if user name, IP, hostname are the same? 

 

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.

 

KR, 

Luis

Hello Eluis, thanks for your answer.

@eluis wrote:

I'm not sure if you expected that alerts created by different correlation rules should be in the same incident if user name, IP, hostname are the same? 


Yes, this is what I expected, because based on the raw event, the user successfully executed a sudo command. The command was /bin/su, which indicates a switch to the root user.

There are many reasons why ML and AI could believe that they should be different incidents; I'm not sure of the inner logic that might have triggered different incidents. 

 

For us humans, it makes sense that if a user in Linux tries to elevate privileges, same user, IP, hostname... all should be grouped together under the same malicious activity and incident. 

 

Anyway, you can group them manually at your convenience. 

 

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.

 

KR, 

Luis
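To make the grouping behaviour Luis describes concrete (a low alert never opens an incident on its own, but can be stitched into an incident that a higher-severity alert opened for the same user, host and source IP), here is an added, simplified Python model. It is not part of this thread and not XSIAM's actual stitching logic, which also weighs whether the alerts look like one malicious activity; the medium threshold, the entity match on user/host/source IP and the sample alerts are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Assumption for this model: an alert must be at least "medium" to open an incident.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
INCIDENT_MIN_SEVERITY = "medium"


@dataclass
class Alert:
    name: str
    severity: str
    user: str
    host: str
    src_ip: str


@dataclass
class Incident:
    id: int
    alerts: list = field(default_factory=list)


def same_entities(a: Alert, b: Alert) -> bool:
    """Entity match used for stitching in this model: user, host and source IP."""
    return (a.user, a.host, a.src_ip) == (b.user, b.host, b.src_ip)


def opens_incident(alert: Alert) -> bool:
    return SEVERITY_RANK[alert.severity] >= SEVERITY_RANK[INCIDENT_MIN_SEVERITY]


def group_alerts(alerts):
    """Return (incidents, orphans). Orphans are low alerts with no matching incident."""
    incidents, orphans = [], []
    for alert in alerts:
        match = next((inc for inc in incidents
                      if any(same_entities(alert, a) for a in inc.alerts)), None)
        if match is not None:
            match.alerts.append(alert)            # stitch regardless of severity
        elif opens_incident(alert):
            inc = Incident(len(incidents) + 1, [alert])
            # A new incident adopts earlier orphans that share its entities.
            inc.alerts.extend(o for o in orphans if same_entities(o, alert))
            orphans = [o for o in orphans if not same_entities(o, alert)]
            incidents.append(inc)
        else:
            orphans.append(alert)                 # low alert, nothing to stitch to
    return incidents, orphans


# Constructed sample: the two rules from the thread for one user/host/IP, plus
# a lone low alert for another user that should stay an orphan.
SAMPLE_ALERTS = [
    Alert("Policy - Successful Sudo Command", "low", "bob", "srv01", "10.0.0.5"),
    Alert("Policy - Violation Root Detection", "medium", "bob", "srv01", "10.0.0.5"),
    Alert("Policy - Successful Sudo Command", "low", "alice", "srv02", "10.0.0.9"),
]
```

Running `group_alerts(SAMPLE_ALERTS)` yields one incident holding both of bob's alerts and alice's low alert as an orphan, in either arrival order.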
