Using Hash View, but no Incidents are shown related when they should


Hello LIVEcommunity, 

I am wondering if anyone else is using Hash View in Cortex XDR and finding that even if the Key Artifacts of an Incident list a hash, when you view that detail in Hash View (right-click on the artifact, bring up the Hash View screen), the area where one might think a "Related Incident" would be reflected is blank?


I have opened a Support case to report what seems to be a bug, but wondered if others had seen this also.


Accepted Solutions

Received an update on the Support case I opened, which the Support team had escalated to Engineering. The answer back was:

Per Engineering - The reason why the customer does not see the incident in Hash is that we are filtering and show only open incidents (new/under investigation).
It is expected behavior.

So at least this is now answered.
I also asked to have an End-user Enhancement request put in that would more clearly indicate that this filtering is taking place on this Hash View page and, if possible, even expose the ability to apply a DIFFERENT filter than the one that is being "invisibly" applied currently.



All Replies

Just a quick update to this discussion. I spoke with Support, and this bounced around a bit within Support but ended up with the "Endpoint Security Support" team. They set up a quick Zoom call to confirm (and also record) what was being seen, and have since escalated the question and discussion to Engineering via an Engineering Escalation.
Will update once I have additional info.

Interested if others within the LIVEcommunity also see this behavior in their Cortex instance.
