The difference between alerts that are included in an incident and those that are not

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

The difference between alerts that are included in an incident and those that are not

L1 Bithead

hello.

Please tell me about the alerts for CortexXDR.
What criteria are used to determine when an alert is included in an incident and when it is not included in an incident?
And are alerts that are not included in incidents not "threats"?

2 ACCEPTED SOLUTIONS

Accepted Solutions

Ideally, you should look at it from an overall incident perspective to begin with. The reason is what I mentioned earlier - XDR will stitch alerts that match criteria into a single incident. For example, if there's a malicious acitivity of the same nature observed across multiple hosts - each activity will trigger an alert but should be clubbed in the same incident. This allows incident responders to agree on a unified action for all those alerts, and track them within the same incident. Having them investigated in a silo-ed manner leads to the lack of contextual awareness that is critical for incident analysis.

View solution in original post

Hi @suzu1986 by that, you're referring to alerts that are not stitched to any incident (usually Low severity alerts). You should take a look at them too, and then tag them to a specific incident if your analysis leads towards the same. 

View solution in original post

7 REPLIES 7

L5 Sessionator

Hi @suzu1986 you can refer to the documentation here:

 

 

The logic behind which alert the Cortex XDR app assigns to an incident is based on a set of rules which take into account different attributes. Examples of alert attributes include alert source, type, and time period. The app extracts a set of artifacts related to the threat event, listed in each alert, and compares it with the artifacts appearing in existing alerts in the system. Alerts on the same causality chain are grouped with the same incident if an open incident already exists. Otherwise, the new incoming alert will create a new incident.

 


Ref: https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-pro-admin/investigation-and-response/... 

Thank you.

Can you provide any detailed literature or other information on the rules for a series of incidents?
We are having a discussion internally about whether we should monitor security on an incident-by-incident or alert-by-alert basis.

Ideally, you should look at it from an overall incident perspective to begin with. The reason is what I mentioned earlier - XDR will stitch alerts that match criteria into a single incident. For example, if there's a malicious acitivity of the same nature observed across multiple hosts - each activity will trigger an alert but should be clubbed in the same incident. This allows incident responders to agree on a unified action for all those alerts, and track them within the same incident. Having them investigated in a silo-ed manner leads to the lack of contextual awareness that is critical for incident analysis.

L1 Bithead

It was very helpful.
Thank you.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!