Automatically changing the status of incidents


L2 Linker

Hello,

 

Cortex XDR is changing the status of incidents from Resolved to Under Investigation automatically. Why is this happening?


 

1 accepted solution

Accepted Solutions

L5 Sessionator

Hi @Aiman_Fathima ,

 

Thank you for writing to live community!

 

It is possible that when the incidents were resolved the alerts were also marked as false positive, and later someone changed the status of one of the alerts attached to the incidents to "Under Investigation". As a result, this reopens the incident. Please check the management audit logs to see whether an alert attached to these incidents was opened.

 

Also, it is possible that some new alerts were moved to this resolved incident, which could have caused it.

 

Hope this helps! Please mark the answer as "Accept as Solution" if it does.

 

Regards. 
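The audit-log check the answer describes, worked through as an added example that is not part of the original post and not Palo Alto Networks code. It assumes the management audit export has been normalised into records with a timestamp, an action type, an incident id, an alert id, a new status and the acting user; those field names and the sample records are constructed for this example, not the real Cortex XDR schema. For each incident it finds the latest "Resolved" status change and then reports any alert attached to that incident that was moved to "Under Investigation" after it, or any alert newly attached after it, which are the two causes the answer names.

```python
from datetime import datetime

# Constructed sample management-audit records. The field names are
# assumptions for this example, not Cortex XDR's actual export schema.
AUDIT_EVENTS = [
    {"ts": "2022-11-01T09:00:00", "action": "incident_status", "incident": "INC-101",
     "alert": None, "status": "Resolved - False Positive", "user": "analyst1"},
    {"ts": "2022-11-01T09:00:05", "action": "alert_status", "incident": "INC-101",
     "alert": "ALR-1", "status": "False Positive", "user": "analyst1"},
    {"ts": "2022-11-01T09:00:05", "action": "alert_status", "incident": "INC-101",
     "alert": "ALR-2", "status": "False Positive", "user": "analyst1"},
    # A day later one of the closed alerts is reopened: this reopens INC-101.
    {"ts": "2022-11-02T14:30:00", "action": "alert_status", "incident": "INC-101",
     "alert": "ALR-2", "status": "Under Investigation", "user": "analyst2"},
    {"ts": "2022-11-01T10:00:00", "action": "incident_status", "incident": "INC-102",
     "alert": None, "status": "Resolved - True Positive", "user": "analyst1"},
    # A fresh alert is grouped into the already-resolved INC-102.
    {"ts": "2022-11-03T08:15:00", "action": "alert_attached", "incident": "INC-102",
     "alert": "ALR-9", "status": "New", "user": "system"},
    {"ts": "2022-11-01T11:00:00", "action": "incident_status", "incident": "INC-103",
     "alert": None, "status": "Resolved - True Positive", "user": "analyst3"},
    # Alert work that happened before the resolution is not a reopen cause.
    {"ts": "2022-10-31T11:00:00", "action": "alert_status", "incident": "INC-103",
     "alert": "ALR-5", "status": "Under Investigation", "user": "analyst3"},
]


def parse_ts(value):
    """Audit timestamps are ISO 8601 strings in this constructed sample."""
    return datetime.fromisoformat(value)


def last_resolution(events):
    """Return {incident_id: time of the latest 'Resolved*' status change}."""
    resolved = {}
    for event in events:
        if event["action"] == "incident_status" and event["status"].startswith("Resolved"):
            when = parse_ts(event["ts"])
            if event["incident"] not in resolved or when > resolved[event["incident"]]:
                resolved[event["incident"]] = when
    return resolved


def find_reopen_causes(events):
    """Map each resolved incident to the alert-level events that reopened it.

    Only events strictly after the incident's latest resolution count, and
    only the two causes from the answer: an attached alert moved back to
    "Under Investigation", or a new alert attached to the resolved incident.
    """
    resolved = last_resolution(events)
    causes = {}
    for event in sorted(events, key=lambda e: parse_ts(e["ts"])):
        incident = event["incident"]
        if incident not in resolved or parse_ts(event["ts"]) <= resolved[incident]:
            continue
        if event["action"] == "alert_status" and event["status"] == "Under Investigation":
            reason = "alert reopened"
        elif event["action"] == "alert_attached":
            reason = "new alert attached"
        else:
            continue
        causes.setdefault(incident, []).append({
            "ts": event["ts"], "alert": event["alert"],
            "user": event["user"], "reason": reason,
        })
    return causes


if __name__ == "__main__":
    for incident, hits in find_reopen_causes(AUDIT_EVENTS).items():
        for hit in hits:
            print(f"{incident}: {hit['reason']} ({hit['alert']}) by {hit['user']} at {hit['ts']}")
```

Running it against the constructed records attributes INC-101 to analyst2 reopening ALR-2 and INC-102 to the system attaching ALR-9, while INC-103 is left out because its alert activity predates the resolution.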

Thank you 

L1 Bithead

I would like to restart this topic, just to ask more details about changing incident status.

 

In one of the incidents, Cortex changed the status of the incident to "Resolved - Auto Resolve". I tried to investigate the reason for this behavior, and the associated alert was excluded. My question is: how do I know which exclusion is responsible for that?

 

Thanks!

Nice !
