Cortex XDR - Issues auto-grouping under same case due to shared IP - how to manage?


L1 Bithead

Hi everyone,

We recently integrated Palo Alto Firewall with Cortex XDR and incidents are coming in successfully. However, we're facing an issue with how cases are being created.

The problem is: when a case is opened, other issues with different names are automatically being grouped under the same case simply because they share the same affected asset (IP address). This makes investigation difficult as unrelated alerts end up under one case.

We want each issue to open as its own separate case, regardless of whether the affected IP is the same. Manual unlinking is not feasible as the volume is too high.

Is there any way to manage or configure case grouping behavior in XDR to prevent this?

Thanks in advance!

1 REPLY

L3 Networker

Hi @N.Majidova

To do this, Cortex XDR looks at shared attributes between alerts. The most influential of these are the endpoint (IP address), user account, process activity, file hashes, and the timing of events. When multiple alerts share the same IP address and occur within a similar timeframe, the system assumes they could be part of the same attack sequence. For example, if one alert shows suspicious network traffic and another shows a potential exploit attempt on the same IP, Cortex XDR may group them together under one incident, even if they are actually unrelated in reality.

This grouping is not random—it is driven by an internal correlation engine that tries to reconstruct an attack chain. The platform links alerts into what is called a causality chain, showing how one activity might have led to another. This helps security teams understand the bigger picture, such as how an attacker gained access, moved laterally, and executed actions on a host. In many cases, this reduces investigation time because analysts can see the full context in one place instead of jumping between separate alerts.

However, this same logic becomes problematic in environments like yours, where many different alerts originate from the same IP address—especially from firewall integrations. In such cases, the shared IP becomes a strong correlation signal, and Cortex XDR ends up grouping alerts that are not actually related. As a result, a single incident may contain multiple unrelated issues, making investigation more confusing rather than easier.

It’s important to understand that this behavior cannot be completely turned off. In Palo Alto Cortex XDR, the concept of an “incident” is fundamentally built on correlation. The platform does not operate on a simple “one alert equals one case” model, and there is no setting to fully disable grouping. This is because doing so would remove key capabilities like attack story visualization, root cause tracking, and automated analysis.

That said, you do have control over how aggressively this grouping happens. By tuning detection rules, refining alert attributes, and reducing overly broad or repetitive alerts, you can influence how Cortex XDR decides what belongs together. The goal is not to eliminate grouping, but to make it more accurate—so that only truly related alerts are combined into a single incident, while unrelated ones remain separate.


For official reference, you can review Palo Alto’s documentation on incidents and alert correlation here:


https://docs-cortex.paloaltonetworks.com/r/Cortex-XSIAM/Cortex-XSIAM-Documentation/What-are-incident... 

https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-3.x-Documentation/Causality-view?ut... 
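The reply above describes correlation in terms of shared attributes (IP, user, file hash) and timing. The following toy model is an added illustration, not code from the original post and not Cortex XDR's actual correlation engine: it shows why IP-only firewall alerts collapse into one case when a single shared attribute is enough to merge, and how requiring richer shared context (here a hypothetical `min_shared` threshold) keeps them apart while endpoint alerts that also share a user and a hash still group. All alert names, IPs, users and hashes are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Alert:
    name: str
    ip: str
    user: str                 # "-" when the source carries no user context
    file_hash: Optional[str]  # None when the source carries no file context
    source: str               # "firewall" or "endpoint"
    ts: datetime


# Constructed sample alerts: three firewall alerts that only know the IP,
# followed by two endpoint alerts on the same IP with user and hash context.
T0 = datetime(2024, 1, 1, 10, 0)
ALERTS = [
    Alert("Port scan detected", "10.0.0.5", "-", None, "firewall", T0),
    Alert("Threat signature match", "10.0.0.5", "-", None, "firewall", T0 + timedelta(minutes=3)),
    Alert("URL filtering block", "10.0.0.5", "-", None, "firewall", T0 + timedelta(minutes=7)),
    Alert("Suspicious process", "10.0.0.5", "alice", "sha256-placeholder-0001", "endpoint", T0 + timedelta(minutes=10)),
    Alert("Malicious file detected", "10.0.0.5", "alice", "sha256-placeholder-0001", "endpoint", T0 + timedelta(minutes=12)),
]

WINDOW = timedelta(minutes=30)  # hypothetical correlation time window


def shared_attributes(a: Alert, b: Alert) -> int:
    """Count correlation attributes two alerts have in common.
    Unknown values ("-" or None) never count as a match."""
    n = 0
    for fa, fb in ((a.ip, b.ip), (a.user, b.user), (a.file_hash, b.file_hash)):
        if fa and fb and fa != "-" and fa == fb:
            n += 1
    return n


def group_alerts(alerts: List[Alert], min_shared: int, window: timedelta) -> List[List[str]]:
    """Greedy grouping: an alert joins the first open case whose latest alert
    shares at least `min_shared` attributes and is within `window`; otherwise
    it opens a new case. Returns the alert names per case, in arrival order."""
    cases: List[List[Alert]] = []
    for a in sorted(alerts, key=lambda x: x.ts):
        for case in cases:
            last = case[-1]
            if shared_attributes(a, last) >= min_shared and a.ts - last.ts <= window:
                case.append(a)
                break
        else:
            cases.append([a])
    return [[x.name for x in case] for case in cases]


def ip_only_grouping() -> List[List[str]]:
    """One shared attribute is enough: everything on 10.0.0.5 lands in one case."""
    return group_alerts(ALERTS, min_shared=1, window=WINDOW)


def tuned_grouping() -> List[List[str]]:
    """Two shared attributes required: IP-only firewall alerts stay separate,
    endpoint alerts sharing IP, user and hash still merge."""
    return group_alerts(ALERTS, min_shared=2, window=WINDOW)


if __name__ == "__main__":
    print("IP only :", ip_only_grouping())
    print("tuned   :", tuned_grouping())
```

The point of the model is the one the reply makes in prose: as long as a bare IP match is a sufficient merge condition, firewall alerts that carry nothing but an IP will always be pulled together, so the practical lever is to make those alerts carry, or require, more context rather than to switch grouping off.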
