I have seen a few cases like that in recent days:
There was an alert named "Failed Connections" generated by XDR Analytics, and inside that incident there was only one alert, named "Failed connections", whose alert source was XDR Analytics. But the problem is that the incident was created almost 24 hours after the alert was created.
Have you experienced this type of situation before?
Thanks for reaching out on LiveCommunity!
In this case we need to check the severity of the alert, because Analytics BIOC alerts with medium or higher severity generate incidents; however, alerts with low severity do not necessarily generate incidents.
Please tell us the severity of the alert, and whether the 24-hour period was between the actual event and incident creation, or between alert generation and incident generation?
The alert was generated by XDR Analytics and its severity was low. After approximately 24 hours (maybe a few hours more or less, I don't remember the exact timing) an incident was created which contains only this alert.
Since our SOC team monitors based on incidents, this kind of latency is a problem for us.
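The practical workaround for the situation described in this thread is to stop relying on the incident view alone for low-severity alerts and to measure alert-to-incident lag directly. The following is an added example, not code from the thread or from Palo Alto Networks: it takes exported alert and incident records, computes how long each alert waited before an incident was created for it, and lists alerts that are either still ungrouped after a threshold or were grouped late. The record layout (alert_id, severity, detection_timestamp, incident_id, creation_time, alert_ids) is an assumption modelled loosely on the shape of Cortex XDR API responses, and the sample records are constructed for the example; adapt the field names to whatever export or API call your tenant gives you.

```python
"""
Added example (not from the LIVEcommunity thread or Palo Alto Networks).
Computes alert-to-incident latency and flags alerts a SOC would miss if it
only watches incidents. Field names are assumptions modelled loosely on the
Cortex XDR API response shape; the sample records below are constructed.
"""
from datetime import datetime, timezone


def _ms(iso):
    """Epoch milliseconds for a UTC ISO-8601 timestamp (XDR reports times in ms)."""
    return int(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp() * 1000)


# Constructed sample data, not real telemetry.
ALERTS = [
    {"alert_id": "A-1", "name": "Failed Connections", "source": "XDR Analytics",
     "severity": "low", "detection_timestamp": _ms("2024-03-01T08:00:00")},
    {"alert_id": "A-2", "name": "Failed Connections", "source": "XDR Analytics",
     "severity": "medium", "detection_timestamp": _ms("2024-03-01T09:00:00")},
    {"alert_id": "A-3", "name": "Failed Connections", "source": "XDR Analytics",
     "severity": "low", "detection_timestamp": _ms("2024-03-02T10:00:00")},
]
INCIDENTS = [
    # Incident for the low-severity alert arrives 23.5 h after detection.
    {"incident_id": "I-1", "creation_time": _ms("2024-03-02T07:30:00"), "alert_ids": ["A-1"]},
    # Incident for the medium-severity alert arrives within minutes.
    {"incident_id": "I-2", "creation_time": _ms("2024-03-01T09:05:00"), "alert_ids": ["A-2"]},
]

SEVERITY_ORDER = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def alert_to_incident_lag(alerts, incidents):
    """Return {alert_id: hours between detection and the earliest incident
    containing the alert}; the value is None for alerts not yet in any incident."""
    first_incident = {}
    for inc in incidents:
        for aid in inc["alert_ids"]:
            t = inc["creation_time"]
            if aid not in first_incident or t < first_incident[aid]:
                first_incident[aid] = t
    lag = {}
    for a in alerts:
        t = first_incident.get(a["alert_id"])
        lag[a["alert_id"]] = None if t is None else (t - a["detection_timestamp"]) / 3_600_000
    return lag


def stale_alerts(alerts, incidents, now_ms, max_lag_hours=1.0, min_severity="low"):
    """Alerts at or above min_severity that either have no incident yet and are
    older than max_lag_hours, or whose incident was created more than
    max_lag_hours after detection. Each entry is
    (alert_id, severity, lag_hours_or_None, ungrouped_age_hours_or_None)."""
    lag = alert_to_incident_lag(alerts, incidents)
    flagged = []
    for a in alerts:
        if SEVERITY_ORDER.get(a["severity"], 0) < SEVERITY_ORDER[min_severity]:
            continue
        hours = lag[a["alert_id"]]
        if hours is None:
            age = (now_ms - a["detection_timestamp"]) / 3_600_000
            if age > max_lag_hours:
                flagged.append((a["alert_id"], a["severity"], None, round(age, 2)))
        elif hours > max_lag_hours:
            flagged.append((a["alert_id"], a["severity"], round(hours, 2), None))
    return flagged


if __name__ == "__main__":
    now = _ms("2024-03-02T12:00:00")
    for row in stale_alerts(ALERTS, INCIDENTS, now):
        print(row)
```

Run on a periodic alert export, the flagged list is what a SOC should triage from the alert table rather than waiting for the incident to appear; with the constructed data the low-severity alert A-1 shows a 23.5 hour lag and A-3 is still ungrouped two hours after detection, while the medium-severity alert A-2 is grouped within five minutes and is not flagged.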