04-29-2024 12:30 AM
Hello all,
Please help me understand how Cortex XDR assigns severity to incidents and alerts.
04-29-2024 11:13 PM
Hello @tejaspatil12 ,
Thanks for reaching out on LiveCommunity!
Unfortunately, this information cannot be shared, as it is IP.
However, to understand what parameters are examined on alerts and incidents to perform the stitching, or what we call a "story", that creates alerts and incidents, customers can go through this video. The first 10 minutes are enough to understand the concept.
If you feel this has answered your query, please let us know by clicking on "mark this as a Solution". Thank you.
04-29-2024 11:21 PM
Hi @aspatil ,
Thanks for the response on this topic.
I understand about the IP; however, do we have any official document from Palo Alto which shows how the Cortex XDR system itself determines the severity and assigns it to the incident/alert?
04-30-2024 06:28 AM
Hi @tejaspatil12, as mentioned before by @aspatil, the details about how the alerts are classified can't be shared, but it is a mechanism that uses information from the type of malware, the MITRE techniques used, the criticality of the IOCs found, and many other flags to set the severity.
About incidents, the severity is defined by the highest alert severity contained in the incident. Details are in the "Severity" field here: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-Pro-Administrator-Guide/Incidents
If this post answers your question, please mark it as the solution.
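The incident rule stated in the reply above (incident severity = the highest severity among the alerts stitched into it), modelled as an added example. This is not Cortex XDR code and does not reproduce the undisclosed alert-scoring logic; it assumes the severity ladder informational < low < medium < high < critical and uses constructed sample alerts, so it runs offline. The `incident_id` and `severity` keys are assumptions about the alert shape, not the product's schema.

```python
from typing import Dict, Iterable, List

# Assumed severity ladder, lowest to highest (not taken from the product docs).
SEVERITY_RANK: Dict[str, int] = {
    "informational": 0,
    "low": 1,
    "medium": 2,
    "high": 3,
    "critical": 4,
}


def normalize(severity: str) -> str:
    """Lower-case and strip a severity label; reject labels outside the ladder."""
    label = severity.strip().lower()
    if label not in SEVERITY_RANK:
        raise ValueError(f"unknown severity label: {severity!r}")
    return label


def incident_severity(alert_severities: Iterable[str]) -> str:
    """Incident severity is the highest severity of any alert stitched into it."""
    labels = [normalize(s) for s in alert_severities]
    if not labels:
        raise ValueError("an incident must contain at least one alert")
    return max(labels, key=SEVERITY_RANK.__getitem__)


def group_incidents(alerts: List[Dict[str, str]]) -> Dict[str, str]:
    """Stitch alerts into incidents by incident_id and derive each incident's severity.

    Because the rule is a max, adding an alert can only raise an incident's
    severity, never lower it; closing the critical alert is what would change it.
    """
    per_incident: Dict[str, List[str]] = {}
    for alert in alerts:
        per_incident.setdefault(alert["incident_id"], []).append(alert["severity"])
    return {inc: incident_severity(sevs) for inc, sevs in per_incident.items()}


# Constructed sample alerts, not real telemetry.
SAMPLE_ALERTS: List[Dict[str, str]] = [
    {"incident_id": "INC-1", "severity": "Low"},
    {"incident_id": "INC-1", "severity": "Medium"},
    {"incident_id": "INC-1", "severity": "High"},
    {"incident_id": "INC-2", "severity": "Informational"},
    {"incident_id": "INC-2", "severity": "Low"},
    {"incident_id": "INC-3", "severity": "Critical"},
]

if __name__ == "__main__":
    for inc, sev in group_incidents(SAMPLE_ALERTS).items():
        print(f"{inc}: {sev}")
```

The practical consequence for triage: an incident tagged "high" tells you that at least one stitched alert is high, not that every alert in it is; sort the incident's alerts by severity rather than by arrival time to find the one that set the level.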