Alert to Incident

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Alert to Incident

L4 Transporter

Hey dear community, 

 

do I have the chance to elevate a alert to an incident? I tried allready to set the severity of an alert to critical, but nothing happened. This alert doesn't get an Incident ID. 

 

I thought this was possible in the past, but I can't remember if I am doing it right. 

 

BR

 

Rob

6 REPLIES 6

L3 Networker

May consider to Build you own BIOC rule and play around with XQL query 

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Create-a-BI...

Life is full of surprise,
Just embrace it!

Sorry, my fail. The alert is a low alert and I need to elevate this low alert to an incident with an ID, because I need to fill in some informations. 

I know how to build BIOC rules and I know XQL a bit. 

 

BR

 

Rob

L1 Bithead

Maybe the Correlation Rule will do the job, 
You can use the following XQL Query to capture the targeted alerts:
dataset = alerts
| filter alert_name = "TARGETED_ALERT_NAME"

Make sure to consider enabling Alert Suppression. Also, the new alert should have a medium severity so a new incident will be opened.
From the below-mentioned ref: "Whenever the severity type is Medium or above for the alert generated, an incident is automatically opened."

Ref: Create a Correlation Rule • Cortex XDR Pro Administrator Guide • Reader • Palo Alto Networks documen...

Just another IT Sec guy

L4 Transporter

Hi @Belhaj_a 

 

Good try. However just to update here "Correlations over alerts source are not allowed" hence your above approach won't help. For BIOC's as shared above by @RFeyertag one can create their own correlation rule based on the BIOC logic and thus you will have Incidents but Incident source will be correlation this time.

 

Hope this clarifies!

 

Thanks

 

L4 Transporter

Hello @Belhaj_a @PiyushKohli @SeanDeHarris 

 

I just need to create from a normal low alert an incident. Like you have your IOCs. I need an elevation. 

What is the right way, when an alert is true positive, but there is no incident created?

 

BR

 

Rob

L1 Bithead

Hi RFeyertag 

I could be late but I hope this will help you.

This method works in critical, high and medium level alerts.

SmartIT
  • 2299 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!