11-03-2022 10:57 AM
Hello,
Cortex XDR is changing the status of incidents from Resolved to Under Investigation automatically. Why is this happening?
11-03-2022 12:02 PM
Hi @Aiman_Fathima ,
Thank you for writing to live community!
It is possible that when the incidents were resolved, the alerts were also marked as false positive, and later someone changed the status of one of the alerts attached to the incidents to "Under Investigation". As a result, this opens the incident back up again. Please check the management audit logs to see if there was an alert that was opened that was attached to these incidents.
Also it is possible that there were some new alerts moved to this resolved incident which could have caused it.
Hope this helps! Please mark the answer as "Accept as Solution" if it does.
Regards.
11-04-2022 08:30 AM
I would like to restart this topic, just to ask for more details about changing incident status.
In one of the incidents, Cortex changed the status of the incident to "Resolved - Auto Resolve". I tried to investigate the reason for this behavior, and the associated alert was excluded. My question is: how do I know which exclusion is responsible for that?
Thanks!