11-27-2025 03:24 AM
I want to know how you guys deal with low severity alerts.
Do you monitor/analyze them, or only focus on incidents with medium/high/critical severity?
Do you run any playbook automation against these low-sev alerts?
Are there any best practices from PAN around handling of low severity alerts? I cannot seem to find any.
Thanks in advance
02-11-2026 06:19 AM
Hello @PA_nts,
Greetings for the day.
In Cortex XSIAM, the handling of low-severity alerts is governed by a design philosophy focused on reducing alert fatigue and prioritizing actionable threats.
By default, Cortex XSIAM does not automatically create incidents for alerts with Low or Informational severity. These alerts are typically categorized as Insights, which provide contextual metadata to help analysts understand the broader attack chain within an existing incident.
There are specific scenarios where Low severity alerts do generate incidents automatically because they are considered high-fidelity or critical for early detection:
- Identity and ITDR: Analytics and BIOC alerts related to Identity modules
- Cloud Detection: Alerts generated from Cloud Detection modules
- Analytics (Magnifier): Certain detections such as Large Upload, Port Scan, or Failed Connections
Standard Automation Rules and Playbook Triggers are tied to the incident lifecycle. Since most Low severity alerts do not create incidents, they do not automatically trigger playbooks.
Scheduled Jobs
Create a scheduled playbook (Job) that runs an XQL query to identify specific Low severity alerts and perform programmatic actions. For example, a script can use setAlertStatus to automatically resolve or update qualifying alerts.
Severity Elevation
Modify the source detection (BIOC, Correlation Rule, or Analytics Rule) to raise the severity to Medium. This forces incident creation and allows standard automation rules to trigger.
Manual Execution
Analysts can manually execute playbooks directly from the Alerts table for Low severity entries.
To effectively manage Low severity alert volume:
- Rather than reviewing Low alerts individually, examine them within the Alerts & Insights tab of a related Medium or High severity incident to gain a complete attack narrative.
- If specific Low severity alerts are consistently noisy and provide little value, use Alert Exclusions, or tune the originating detection rule (for example, firewall rules or analytics logic), to prevent unnecessary alerts from reaching the console.
- Use a Tier 1 or Triage Specialist role to periodically review the raw Alerts table (via XQL queries) for emerging patterns that may not yet meet the Medium severity threshold.
A feature enhancement request is currently tracked to allow playbooks to trigger directly from Low and Informational alerts in future releases.
If you feel this has answered your query, please let us know by clicking Like and "Mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
02-11-2026 06:43 AM
Thanks for the response, appreciated, but I cannot accept AI responses as a solution being the source of truth at this stage.
I can ask AI and get the same response.
I was hoping to get a more personalized answer as to how you handle this in your environment.
02-16-2026 07:41 AM
As a customer, one way to handle it is 'check-ups' for low severity/informational alerts. Like "Windows Event Log was cleared using wevtutil.exe" triggering as low severity, but log clean-up from the system is not common 'user activity'. I recommend setting up a regular human process (potentially via reports/dashboards) to review low severity alerts. The most interesting alerts are those with the lowest frequency of generation (only one or two per week).
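The frequency-based check-up described in the reply above, and the scheduled XQL-driven job suggested in the earlier answer, both start from the same step: count low and informational alerts by name over a window and separate the rare ones (worth a human look) from the noisy ones (candidates for an Alert Exclusion or for tuning the originating rule). The following Python is an added example written for this thread, not Palo Alto Networks code and not an XSIAM script. It works on a constructed list of alert rows that stands in for what an XQL query over the alerts table would return; the field names (name, severity, host, time), the alert names and the hosts are all assumptions. Wiring it into XSIAM (running the query, calling setAlertStatus on the results) is left out because the exact calls are not shown on this page.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample data standing in for the rows a scheduled XQL query
# over the alerts table would return. The field names (name, severity,
# host, time) are assumptions for this example, not the XSIAM schema.
SAMPLE_ALERTS = [
    # one-off, low severity, inside the review window: the kind of alert
    # the customer reply says deserves a human check-up
    {"name": "Event log cleared via wevtutil.exe", "severity": "low",
     "host": "ws-017", "time": "2026-02-10T08:12:00Z"},
    # same alert name, but three weeks old: outside a 7-day window
    {"name": "Event log cleared via wevtutil.exe", "severity": "low",
     "host": "ws-003", "time": "2026-01-25T22:40:00Z"},
    {"name": "Scheduled task created by non-admin user", "severity": "low",
     "host": "ws-021", "time": "2026-02-11T14:05:00Z"},
    {"name": "Scheduled task created by non-admin user", "severity": "low",
     "host": "ws-044", "time": "2026-02-13T09:51:00Z"},
    # a high severity alert: out of scope here, it already creates an incident
    {"name": "Credential dumping attempt", "severity": "high",
     "host": "dc-01", "time": "2026-02-12T03:17:00Z"},
]
# a noisy low severity rule firing a dozen times inside the window
SAMPLE_ALERTS += [
    {"name": "Unsigned binary run from user temp folder", "severity": "low",
     "host": f"ws-{100 + i:03d}", "time": f"2026-02-1{i % 5}T{9 + i:02d}:00:00Z"}
    for i in range(12)
]
# informational alerts at a middling rate: neither rare nor noisy
SAMPLE_ALERTS += [
    {"name": "Failed connection burst", "severity": "informational",
     "host": "ws-077", "time": f"2026-02-12T0{i}:30:00Z"}
    for i in range(5)
]

# "now" is pinned so the sample gives reproducible results
NOW = datetime(2026, 2, 16, 12, 0, tzinfo=timezone.utc)


def parse_time(stamp):
    """Parse an ISO-8601 UTC timestamp written with a trailing Z."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def in_scope(alerts, now, window_days=7, severities=("low", "informational")):
    """Keep only alerts of the wanted severities raised inside the window."""
    cutoff = now - timedelta(days=window_days)
    return [a for a in alerts
            if a["severity"].lower() in severities and parse_time(a["time"]) >= cutoff]


def triage(alerts, now, window_days=7, rare_max=2, noisy_min=10):
    """Split low/informational alert names into two work queues.

    review: names seen at most rare_max times (rarest first), for a human check-up.
    tune:   names seen at least noisy_min times, candidates for an alert
            exclusion or for tuning the originating detection rule.
    """
    scoped = in_scope(alerts, now, window_days)
    counts = Counter(a["name"] for a in scoped)
    review = sorted(((n, c) for n, c in counts.items() if c <= rare_max),
                    key=lambda nc: (nc[1], nc[0]))
    tune = sorted(((n, c) for n, c in counts.items() if c >= noisy_min),
                  key=lambda nc: (-nc[1], nc[0]))
    return {"total": len(scoped), "review": review, "tune": tune}


def hosts_for(alerts, now, name, window_days=7):
    """Hosts on which a given alert name fired inside the window."""
    return sorted({a["host"] for a in in_scope(alerts, now, window_days)
                   if a["name"] == name})


def report(alerts, now, window_days=7):
    """Render both queues as plain text, e.g. for a weekly dashboard or e-mail."""
    result = triage(alerts, now, window_days)
    lines = [f"{result['total']} low/informational alerts in the last {window_days} days",
             "Review (rare, one or two occurrences):"]
    for name, count in result["review"]:
        hosts = ",".join(hosts_for(alerts, now, name, window_days))
        lines.append(f"  {count:>3}  {name}  hosts={hosts}")
    lines.append("Tune or exclude (noisy):")
    for name, count in result["tune"]:
        lines.append(f"  {count:>3}  {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ALERTS, NOW))
```

Run as-is, it prints the rare event-log-clearing and scheduled-task alerts under "Review" with the hosts they fired on, and the twelve-times-a-week unsigned-binary alert under "Tune or exclude"; the high severity alert and the three-week-old occurrence are filtered out. The two thresholds and the window are parameters so the same split can be re-run weekly against a fresh export.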