Basic Doubt - Analytics


Hello everyone,

I’m configuring some features in Cortex and noticed that a few alerts are being generated by the Analytic Rules. How can I automatically create a CASE based on these alerts?
My intention is to open incidents (i.e., “Cases”) in the console.
This is meant to improve visibility and ensure proper alert monitoring.

Accepted Solutions

L5 Sessionator

Hello @EMARTINS BERNARDES ,

Greetings for the day.

In Cortex XDR, Cases (referred to in the console as Incidents) are automatically created based on the Severity of the alerts generated. By default, only alerts with Medium, High, or Critical severity trigger the creation of a new Incident. Alerts with Low or Informational severity are classified as Insights and do not create standalone cases; they are only added to existing incidents if they can be correlated with higher-severity activity.

If your Analytic Rules are generating alerts that are not appearing as cases, they are likely set to Low severity. To automatically create cases for these alerts, use one of the following methods.

Method 1: Use Correlation Rules (Recommended)

This is the most effective way to promote a specific analytic alert to an incident. You create a custom rule that monitors for the analytic alert and generates a new alert with a higher severity.

Steps

  1. Navigate to Detection > Detection Rules > Correlations.

  2. Click + Add Correlation.

  3. In the XQL Search section, write a query to target your specific Analytic Alert. For example:

     dataset = alerts
     | filter alert_source = ENUM.XDR_ANALYTICS_BIOC and alert_name = "Your Analytic Alert Name"

     Use dataset = alerts to find the existing analytic triggers.

  4. In the Action section, select Generate Alert.

  5. Set the Severity to Medium or High. This ensures that when the rule triggers, a case is automatically created.

  6. In Alerts Fields Mapping, ensure the fields are mapped correctly to maintain incident grouping logic.

Method 2: Use Incident Configuration (Scoring Rules)

You can override the default severity of specific alerts using Incident Scoring rules. This elevates the alert's score so it meets the threshold for incident creation.

Steps

  1. Navigate to Settings > Configuration > Incident Configuration.

  2. Select + Add New Rule under Incident Scoring.

  3. Define the scope by filtering for your Analytic Rule (for example, by Alert Source or Alert Name).

  4. Set a Manual Score or severity level that is Medium or higher.

  5. Save and activate the rule. Future alerts matching this configuration will now generate incidents.

Important Considerations:

Immutability
Built-in Analytic Rules and Analytic BIOC rules are predefined by Palo Alto Networks. You cannot directly change their severity or incident generation logic within the rule itself.

Automation Rules
Automation Rules can modify alert fields, but they primarily apply to alerts that are already grouped into incidents. If a low-severity alert does not create an incident, it may not appear in the Create Automation Rule wizard.

Incident Creation Policy
Ensure your global Incident Creation Policy (located under Settings > Configuration > Detections > Incident Creation Policy) does not exclude the alert sources or severities you want to monitor.
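The following is an added example, not code from the post above or from Palo Alto Networks. It is a small offline triage helper that applies the severity logic the answer describes to a list of exported alerts: it finds analytic alerts that neither met the case-creation threshold nor were attached to an existing incident, builds the Method 1 XQL filter for each of them, and shows what a Method 2 scoring override would change. The sample alert records are constructed, and the record field names (alert_name, alert_source, severity, incident_id) are assumed for the illustration; compare them against your own tenant's export before reusing the functions.

```python
"""Offline triage of Cortex XDR analytic alerts that never became cases.

Added example (not from the LIVEcommunity post or Palo Alto Networks).
Assumed record shape: {"alert_name", "alert_source", "severity", "incident_id"}.
"""
from collections import defaultdict

# Default behaviour described in the post: Medium and above open a case,
# Low and Informational are insights and only ride along on existing incidents.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
CASE_THRESHOLD = SEVERITY_RANK["medium"]

# Constructed sample data for the illustration (alert names and incident id are made up;
# XDR_ANALYTICS_BIOC is the alert source shown in the post's XQL example).
SAMPLE_ALERTS = [
    {"alert_name": "Rare child of office application", "alert_source": "XDR_ANALYTICS_BIOC",
     "severity": "low", "incident_id": None},
    {"alert_name": "Rare child of office application", "alert_source": "XDR_ANALYTICS_BIOC",
     "severity": "Low", "incident_id": None},
    {"alert_name": "Suspicious LSASS access", "alert_source": "XDR_ANALYTICS_BIOC",
     "severity": "high", "incident_id": "INC-EXAMPLE-1"},
    {"alert_name": "Unusual LDAP enumeration", "alert_source": "XDR_ANALYTICS_BIOC",
     "severity": "low", "incident_id": "INC-EXAMPLE-1"},  # insight that was correlated into a case
]


def creates_case(alert, threshold=CASE_THRESHOLD):
    """True when the alert's severity meets the incident-creation threshold."""
    return SEVERITY_RANK[alert["severity"].lower()] >= threshold


def orphaned_insights(alerts):
    """Count, per (source, name), the alerts below threshold that also never joined an incident.

    These are the alerts the poster is missing in the console: not a case on their
    own, and not correlated with higher-severity activity either.
    """
    counts = defaultdict(int)
    for alert in alerts:
        if not creates_case(alert) and alert.get("incident_id") is None:
            counts[(alert["alert_source"], alert["alert_name"])] += 1
    return dict(counts)


def correlation_query(alert_source, alert_name):
    """Build the Method 1 XQL filter for one analytic alert.

    Names containing a double quote are rejected rather than escaped, because XQL
    string-escaping rules are not covered by the post and should not be guessed.
    """
    if '"' in alert_name:
        raise ValueError("alert name contains a double quote; quote it by hand in the console")
    return (
        "dataset = alerts\n"
        f'| filter alert_source = ENUM.{alert_source} and alert_name = "{alert_name}"'
    )


def scoring_override_effect(alert, manual_severity):
    """Method 2: would the alert open a case once a scoring rule assigns manual_severity?"""
    raised = dict(alert, severity=manual_severity)
    return creates_case(raised)


def triage_report(alerts):
    """Return one report line per orphaned analytic alert group with its XQL filter."""
    lines = []
    for (source, name), n in sorted(orphaned_insights(alerts).items()):
        lines.append(f"{n} alert(s) '{name}' from {source} never became a case; correlation filter:")
        lines.append(correlation_query(source, name))
    return lines


if __name__ == "__main__":
    print("\n".join(triage_report(SAMPLE_ALERTS)))
```

Run it as a script to see the report for the constructed sample; in practice, feed `triage_report` the alert records you export, then paste each printed filter into the Correlation rule's XQL Search section (Method 1) or use the group's source and name as the scope of an Incident Scoring rule (Method 2).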

 
