Low Severity events not showing in the new Cortex XDR 2.0 dashboard.

L1 Bithead

I used to be able to see the low severity events in the old Traps dashboard but no longer see them anywhere in the new Cortex XDR 2.0 dashboard that we were upgraded to over the weekend (great-looking dashboard, by the way).

Any ideas?



All Replies
L4 Transporter

Hi there. If you are talking about low severity alerts, you can view them by clicking on Investigation > Incidents. Once in the incidents screen, on the top right of the interface, you'll see a link for the Alerts Table. You should see them there.

[screenshot omitted]


David Falcon
MDR Systems Engineer, Cortex
Palo Alto Networks®
L1 Bithead

David,

Great, I see them there, thanks. But why are they not showing in the "Top Incidents (Top 10)" widget on the dashboard? It's only showing the High and Medium alerts; even when there are fewer than 10 alerts I would expect it to show all of them.

The low alerts are also not showing in the "Open incidents by Severity" widget. It looks like all of the dashboard widgets are ignoring any Low level alerts.

L4 Transporter

I need a little more info here before answering. When you list the incidents under Investigation > Incidents, are they showing up there as incidents (low severity incidents) or are they only showing up in the Alerts Table?


David Falcon
MDR Systems Engineer, Cortex
Palo Alto Networks®
L1 Bithead

They are only showing in the Alerts Table.

Even when I specifically choose to show them in the Incidents they don't show up unless I choose the alerts table.

L1 Bithead

[screenshot omitted]

L4 Transporter

There is a chance that a low severity alert will not create an actual incident. A typical scenario where this applies is when you have a malware prevention with no additional action required. You will still receive the alert because it happened, but there is no action required on your part. Incidents, on the other hand, usually require some type of response / interaction. Incidents are essentially one or more alerts that are related to an event, grouped together. You may still see some low-severity incidents that come across; these require attention, but have been prioritized lower than the mediums and highs.


David Falcon
MDR Systems Engineer, Cortex
Palo Alto Networks®


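The distinction the accepted answer draws (every alert is recorded, but only alerts that need a response roll up into incidents, and incident-based widgets only count incidents) is easier to see with data in hand. The block below is an added example, not code from the thread or from Palo Alto Networks: it is a toy model of alert-to-incident grouping over constructed sample alerts. The grouping rule (alerts that need a response, on the same host, within a 30-minute window, form one incident) and the `needs_response` flag are assumptions for illustration, not Cortex XDR's actual correlation logic; the point is that the same severity count computed over alerts and over incidents gives different answers, which is exactly the gap between the Alerts Table and the dashboard widgets.

```python
# Added example (not from the original thread or from Palo Alto Networks): a toy
# model of how alerts roll up into incidents, showing why low-severity
# prevention alerts can appear in the Alerts Table but not in incident-based
# dashboard widgets. The grouping rule (alerts that need a response, on the
# same host, within a time window, form one incident) is an assumption made
# for illustration; it is not Cortex XDR's actual correlation logic.
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


@dataclass
class Alert:
    alert_id: str
    host: str
    severity: str
    action: str           # what the agent did, e.g. "prevented" or "detected"
    needs_response: bool  # assumption: a prevention with no follow-up is False
    ts: datetime


@dataclass
class Incident:
    incident_id: str
    host: str
    alerts: list = field(default_factory=list)

    @property
    def severity(self) -> str:
        # An incident takes the severity of its most severe alert.
        return max((a.severity for a in self.alerts), key=lambda s: SEVERITY_RANK[s])


def group_into_incidents(alerts, window=timedelta(minutes=30)):
    """Roll alerts up into incidents. Alerts that need no response are skipped:
    they stay visible in the alert list but never create an incident."""
    incidents = []
    latest_open = {}  # host -> most recent incident for that host
    for alert in sorted(alerts, key=lambda a: a.ts):
        if not alert.needs_response:
            continue
        inc = latest_open.get(alert.host)
        if inc is None or alert.ts - inc.alerts[-1].ts > window:
            inc = Incident(f"INC-{len(incidents) + 1}", alert.host)
            incidents.append(inc)
            latest_open[alert.host] = inc
        inc.alerts.append(alert)
    return incidents


def count_by_severity(items) -> Counter:
    """'By severity' widget: works for alerts and incidents alike."""
    return Counter(item.severity for item in items)


def top_n(items, n=10) -> list:
    """'Top N' widget: highest severity first, earlier items first on ties."""
    return sorted(items, key=lambda i: SEVERITY_RANK[i.severity], reverse=True)[:n]


def _t(hhmm: str) -> datetime:
    return datetime(2020, 4, 9, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample data for a school lab (not real telemetry).
SAMPLE_ALERTS = [
    Alert("A1", "lab-pc-01", "low", "prevented", False, _t("08:00")),   # blocked greyware
    Alert("A2", "lab-pc-01", "low", "prevented", False, _t("08:05")),   # blocked again
    Alert("A3", "lab-pc-02", "medium", "detected", True, _t("08:10")),
    Alert("A4", "lab-pc-02", "high", "detected", True, _t("08:15")),    # same incident as A3
    Alert("A5", "lab-pc-03", "low", "detected", True, _t("09:00")),     # a low-severity incident
    Alert("A6", "lab-pc-02", "medium", "detected", True, _t("10:00")),  # outside window: new incident
]


def summarize(alerts=SAMPLE_ALERTS) -> dict:
    """Counts an alert-based widget would show next to the incident-based ones."""
    incidents = group_into_incidents(alerts)
    return {
        "alerts_by_severity": dict(count_by_severity(alerts)),
        "incidents_by_severity": dict(count_by_severity(incidents)),
        "top_incidents": [(i.incident_id, i.severity) for i in top_n(incidents)],
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

On the sample data the alert-based count reports three low alerts, but only one of them (A5, which needs a response) becomes an incident; A1 and A2 never appear in either incident widget, which matches what the thread describes. An alert-based widget of the kind requested later in this thread would be the `alerts_by_severity` line rather than the `incidents_by_severity` one.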
L1 Bithead

David,

Understood, thanks for the explanation.

We keep a close eye on the Low level alerts for when kids at the schools are trying to run software. Sure would be nice to be able to view them in a widget on the dashboard that we display 24/7 to the office.

L4 Transporter

On the software front, there are a few things you can do such as blocking grey-ware and enabling device control to block USB drive usage.

On the widget side, I can take the feedback of having a widget that shows alert statistics back to Product Management as a possible future product enhancement. Do you have a vision of what you would like to see in it so I can submit an enhancement request?


David Falcon
MDR Systems Engineer, Cortex
Palo Alto Networks®
L1 Bithead

We do block grey-ware and some more well known portable programs. Since a lot of our classes let students save their work to a USB drive we cannot block those.

We like the three widgets below. Would love to have the same type of widgets, but have them display all alerts instead of just Incidents.

As of right now, there are no widgets that display anything about alerts (unless they require some type of user action to clear) that I can see.

[three screenshots of dashboard widgets omitted]
