Incident creation latency

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Incident creation latency

L1 Bithead

Hi all,

I have seen a few cases like that in recent days:

 

There was an alert by name ""Failed Connections" generated by XDR Anaytics" and inside that incident there was only one alert named "Failed connections" and alert source was XDR Analytics. But problem is that, Incident created almost 24 hour after the alert was created. 

 

Have you experienced these type of situation before? 

2 REPLIES 2

L4 Transporter

Hello @orkhan_alibayli 

 

Thanks for reaching out on LiveCommunity!

In this case we need to check the severity of the alert. Because Analytic BIOC alerts with medium or above severity generate the incidents and however alerts with low severity not necessarily generate incidents. 

Please tell us about the severity of alert and is the 24 hour period was between actual event and incident creation or between alert generation and incident generation? 

Hi @nsinghvirk 

Alert was generated by XDR Analytics and severity was low. After approximately 24 hours ( may be a few hours more or less, I dont remember exact timing) incident was created which contains only this alert. 

Since our SOC team monitors based on incidents , these kind of latency is problem for us.

  • 603 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!