- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
10-02-2022 11:39 PM
hello.
Please tell me about the alerts for CortexXDR.
What criteria are used to determine when an alert is included in an incident and when it is not included in an incident?
And are alerts that are not included in incidents not "threats"?
10-03-2022 11:11 PM
Ideally, you should look at it from an overall incident perspective to begin with. The reason is what I mentioned earlier - XDR will stitch alerts that match criteria into a single incident. For example, if there's a malicious acitivity of the same nature observed across multiple hosts - each activity will trigger an alert but should be clubbed in the same incident. This allows incident responders to agree on a unified action for all those alerts, and track them within the same incident. Having them investigated in a silo-ed manner leads to the lack of contextual awareness that is critical for incident analysis.
10-04-2022 08:14 PM
Hi @suzu1986 by that, you're referring to alerts that are not stitched to any incident (usually Low severity alerts). You should take a look at them too, and then tag them to a specific incident if your analysis leads towards the same.
10-03-2022 01:35 AM - edited 10-03-2022 01:35 AM
Hi @suzu1986 you can refer to the documentation here:
The logic behind which alert the Cortex XDR app assigns to an incident is based on a set of rules which take into account different attributes. Examples of alert attributes include alert source, type, and time period. The app extracts a set of artifacts related to the threat event, listed in each alert, and compares it with the artifacts appearing in existing alerts in the system. Alerts on the same causality chain are grouped with the same incident if an open incident already exists. Otherwise, the new incoming alert will create a new incident.
10-03-2022 08:42 PM
Thank you.
Can you provide any detailed literature or other information on the rules for a series of incidents?
We are having a discussion internally about whether we should monitor security on an incident-by-incident or alert-by-alert basis.
10-03-2022 11:11 PM
Ideally, you should look at it from an overall incident perspective to begin with. The reason is what I mentioned earlier - XDR will stitch alerts that match criteria into a single incident. For example, if there's a malicious acitivity of the same nature observed across multiple hosts - each activity will trigger an alert but should be clubbed in the same incident. This allows incident responders to agree on a unified action for all those alerts, and track them within the same incident. Having them investigated in a silo-ed manner leads to the lack of contextual awareness that is critical for incident analysis.
10-04-2022 06:14 PM
It was very helpful.
Thank you.
10-04-2022 06:27 PM
Let me ask one more question.
I understand that the ideal analysis is on an incident-by-incident basis, but that would mean that we would not see alerts that are not part of an incident.
Is it correct to assume that we do not see alerts that are not "threats"?
10-04-2022 08:14 PM
Hi @suzu1986 by that, you're referring to alerts that are not stitched to any incident (usually Low severity alerts). You should take a look at them too, and then tag them to a specific incident if your analysis leads towards the same.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!