05-27-2025 12:29 AM
The severity of "Administrative Hash Exception" alerts (not incidents) is low, and since they are not created as incidents, I want to change the severity of these alerts to medium so that they are created as incidents next time.
When I go to Incident Response > Automation > Add Automation Rule, I can't create a rule for these alerts because those alerts do not appear there.
What can I do to change the severity to medium and ensure that they are created as incidents next time?
05-27-2025 01:45 AM
Hello @Aristooo,
Administrative Hash Exception alerts are low severity by design, are not treated as detection alerts, and do not appear in Automation Rules.
Hence they are not eligible for incident creation, unless the product changes the behavior in a future release.
The workaround is to send the alert to an external system (SIEM/SOAR) and re-ingest it:
- Configure Syslog or Email forwarding of XDR alerts to a SIEM or automation platform.
- Create a rule to:
  - Match "Administrative Hash Exception"
  - Assign a new severity and classification
  - Forward back to XDR (if desired, via ingestion) or trigger an external case
  - Optionally trigger manual or automated incident creation
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution". Thank you.
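The SIEM-side half of that workaround, as an added example that is neither the poster's nor Palo Alto Networks' code: a small rule that parses CEF-style syslog lines, promotes a low "Administrative Hash Exception" alert to medium, and flags it for incident creation while leaving every other alert untouched. The CEF field layout, the extension keys and the two sample lines are constructed assumptions, not actual Cortex XDR output.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

RULE_NAME = "Administrative Hash Exception"

# Constructed sample of two forwarded alerts (assumed CEF layout, not real Cortex
# XDR output); the second line is a control the rule must leave untouched.
SAMPLE_SYSLOG = """\
<14>May 27 00:29:01 xdr CEF:0|Palo Alto Networks|Cortex XDR|3.x|AHE|Administrative Hash Exception|1|severity=Low hostname=ws-01 src=10.0.0.5
<14>May 27 00:30:12 xdr CEF:0|Palo Alto Networks|Cortex XDR|3.x|BT|Behavioral Threat|7|severity=High hostname=ws-02 src=10.0.0.6
"""

@dataclass
class Alert:
    name: str
    severity: str                                   # low / medium / high / critical
    extension: dict[str, str] = field(default_factory=dict)
    classification: str = "informational"
    create_incident: bool = False                   # what the re-ingest/SOAR step acts on

_CEF_START = re.compile(r"CEF:\d+\|")
_UNESCAPED_PIPE = re.compile(r"(?<!\\)\|")

def parse_cef(line: str) -> Alert | None:
    """Parse one syslog line carrying a CEF event; None if the line is not CEF."""
    m = _CEF_START.search(line)
    if not m:
        return None
    # header after the version: vendor|product|version|signature id|name|severity|extension
    parts = _UNESCAPED_PIPE.split(line[m.end():], maxsplit=6)
    if len(parts) < 7:
        return None
    ext = dict(re.findall(r"(\w+)=(.*?)(?= \w+=|$)", parts[6]))
    sev = ext.get("severity", parts[5]).lower()     # textual if present, else CEF 0-10 digit
    return Alert(name=parts[4].replace(r"\|", "|"), severity=sev, extension=ext)

def reclassify(alert: Alert) -> Alert:
    """The rule from the answer: promote the low AHE alert to medium and flag it so
    the next step can open an incident; every other alert passes through unchanged."""
    if alert.name.casefold() == RULE_NAME.casefold() and alert.severity == "low":
        alert.severity = "medium"
        alert.classification = "policy-exception"
        alert.create_incident = True
    return alert

def process(syslog_text: str) -> list[Alert]:
    """Run the rule over every CEF line; non-CEF lines are skipped."""
    return [reclassify(a) for line in syslog_text.splitlines() if (a := parse_cef(line))]
```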