Using Hash View, but no Incidents are shown related when they should


L2 Linker

Hello LIVEcommunity, 

I am wondering if anyone else is using Hash View in Cortex XDR and finding that even if the Key Artifacts of an Incident list a hash, when you view that detail in Hash View (right-click on the artifact, bring up the Hash View screen), the area where one might think a "Related Incident" would be reflected is blank?


I have opened a Support case to report what seems to be a bug, but wondered if others had seen this also.


Accepted Solutions

Received an update on the Support case I opened, which the Support team had escalated to Engineering. The answer back was:

Per Engineering - The reason why the customer does not see the incident in Hash is that we are filtering and showing only open incidents (new/under investigation).
It is expected behavior.

So at least this is now answered.
I also asked to have an End-user Enhancement request put in that would more clearly indicate that this filtering is taking place on this Hash View page and, if possible, even expose the ability to apply a DIFFERENT filter than the one that is being "invisibly" applied currently.


2 REPLIES

L2 Linker

Just a quick update to this discussion. I spoke with Support, and this bounced around a bit within Support but ended up with the "Endpoint Security Support" team. They set up a quick Zoom call to confirm (and also record) what was being seen, and have since escalated the question and discussion to Engineering via an Engineering Escalation.
Will update once I have additional info.

Interested if others within the LIVEcommunity also see this behavior in their Cortex instance.
