This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Alert to Incident

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Alert to Incident

RFeyertag
L4 Transporter

‎09-17-2023 02:32 PM

Hey dear community, 

 

do I have the chance to elevate a alert to an incident? I tried allready to set the severity of an alert to critical, but nothing happened. This alert doesn't get an Incident ID. 

 

I thought this was possible in the past, but I can't remember if I am doing it right. 

 

BR

 

Rob

0 Likes Likes
6 REPLIES 6

SeanDeHarris
L3 Networker

‎09-18-2023 12:11 AM

May consider to Build you own BIOC rule and play around with XQL query 

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Create-a-BI...

Life is full of surprise,
Just embrace it!
0 Likes Likes

RFeyertag
L4 Transporter
In response to SeanDeHarris

‎09-18-2023 05:30 AM

Sorry, my fail. The alert is a low alert and I need to elevate this low alert to an incident with an ID, because I need to fill in some informations. 

I know how to build BIOC rules and I know XQL a bit. 

 

BR

 

Rob

0 Likes Likes

Belhaj_a
L1 Bithead

‎06-12-2024 12:19 AM

Maybe the Correlation Rule will do the job, 
You can use the following XQL Query to capture the targeted alerts:
dataset = alerts
| filter alert_name = "TARGETED_ALERT_NAME"

Make sure to consider enabling Alert Suppression. Also, the new alert should have a medium severity so a new incident will be opened.
From the below-mentioned ref: "Whenever the severity type is Medium or above for the alert generated, an incident is automatically opened."

Ref: Create a Correlation Rule • Cortex XDR Pro Administrator Guide • Reader • Palo Alto Networks documen...

Just another IT Sec guy
0 Likes Likes

PiyushKohli
L4 Transporter

‎06-19-2024 06:51 AM

Hi @Belhaj_a 

 

Good try. However just to update here "Correlations over alerts source are not allowed" hence your above approach won't help. For BIOC's as shared above by @RFeyertag one can create their own correlation rule based on the BIOC logic and thus you will have Incidents but Incident source will be correlation this time.

 

Hope this clarifies!

 

Thanks

 

RFeyertag
L4 Transporter

‎06-20-2024 02:58 PM

Hello @Belhaj_a @PiyushKohli @SeanDeHarris 

 

I just need to create from a normal low alert an incident. Like you have your IOCs. I need an elevation. 

What is the right way, when an alert is true positive, but there is no incident created?

 

BR

 

Rob

0 Likes Likes

E.Jafarov
L1 Bithead

‎11-22-2024 04:41 AM

Hi RFeyertag 

I could be late but I hope this will help you.

This method works in critical, high and medium level alerts.

SmartIT
Preview file
43 KB
0 Likes Likes
  • 2294 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks