This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

Low Severity events not showing in the new Cortex XDR 2.0 dashboard.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Low Severity events not showing in the new Cortex XDR 2.0 dashboard.

Go to solution
Rob-Basil
L1 Bithead

‎04-09-2020 07:26 AM

I used to be able to see the low severity events in the old traps dashboard but no longer see them anywhere in the new Cortex XDR 2.0 dashboard that we were upgraded to over the weekend (Great looking dashboard by the way).

 

Any ideas?

 

0 Likes Likes
1 ACCEPTED SOLUTION

Accepted Solutions

Go to solution
dfalcon
L4 Transporter
In response to Rob-Basil

‎04-09-2020 07:49 AM

There is a chance that a low severity alert will not create an actual incident.  A typical scenario where this applies is when you have a malware prevention with no additional action required.  You will still receive the alert because it happened, but there is no action required on your part.  Incidents, on the other hand, usually require some type of response / interaction.  Incidents are essentially one or more alerts that are related to an event -- grouped together.  You may still see some low-severity incidents that come across - these require attention, but have been prioritized lower than the mediums and highs. .  


David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 

View solution in original post

11 REPLIES 11

Go to solution
dfalcon
L4 Transporter

‎04-09-2020 07:33 AM

Hi there.  If you are talking about low severity alerts, you can view them by clicking on Investigation > Incidents.  Once in the incidents screen - on the top right of the interface, you'll see a link for the Alerts Table.  You should see them there.  

 

dfalcon_0-1586442762492.png

 


David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 
0 Likes Likes

Go to solution
Rob-Basil
L1 Bithead
In response to dfalcon

‎04-09-2020 07:36 AM - edited ‎04-09-2020 07:42 AM

David,

 

Great, I see them there, thanks. But why are they not showing in the "Top Incidents (Top 10)" widget on the dashboard? It's only showing the High and Medium alerts even when there are less than 10 alerts I would expect it to show all of them.

 

The low alerts are also not showing in the "Open incidents by Severity" widget. It looks like all of the dashboard widgets are ignoring any Low level alerts.

0 Likes Likes

Go to solution
dfalcon
L4 Transporter
In response to Rob-Basil

‎04-09-2020 07:42 AM

I need a little more info here before answering.  When you list the incidents under Investigation > Incidents, are they showing up there as incidents (low severity incidents) or are they only showing up in the Alerts Table?


David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 
0 Likes Likes

Go to solution
Rob-Basil
L1 Bithead
In response to dfalcon

‎04-09-2020 07:42 AM - edited ‎04-09-2020 07:47 AM

They are only showing in the Alerts Table.

 

Even when I specifically choose to show them in the Incidents they don't show up unless I choose the alerts table.

 

 

0 Likes Likes

Go to solution
Rob-Basil
L1 Bithead
In response to Rob-Basil

‎04-09-2020 07:48 AM

Screen Shot 2020-04-09 at 7.47.47 AM.png

0 Likes Likes

Go to solution
dfalcon
L4 Transporter
In response to Rob-Basil

‎04-09-2020 07:49 AM

There is a chance that a low severity alert will not create an actual incident.  A typical scenario where this applies is when you have a malware prevention with no additional action required.  You will still receive the alert because it happened, but there is no action required on your part.  Incidents, on the other hand, usually require some type of response / interaction.  Incidents are essentially one or more alerts that are related to an event -- grouped together.  You may still see some low-severity incidents that come across - these require attention, but have been prioritized lower than the mediums and highs. .  


David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 

Go to solution
Rob-Basil
L1 Bithead
In response to dfalcon

‎04-09-2020 07:53 AM

David,

 

Understood, thanks for the explanation.

 

We keep a close eye on the Low level alerts for when kids at the schools are trying to run software. Sure would be nice to be able to view them in a widget on the dashboard that we display 24/7 to the office.

 

0 Likes Likes

Go to solution
dfalcon
L4 Transporter
In response to Rob-Basil

‎04-09-2020 07:59 AM

On the software front, there are a few things you can do such as blocking grey-ware and enabling device control to block USB drive usage. 

 

On the widget side, I can take the feedback of having a widget that shows alert statistics back to Product Management as a possible future product enhancement.  Do you have a vision of what you would like to see in it so I can submit an enhancement request?


David Falcon 
Senior Solutions Architect, Cortex
Palo Alto Networks® 
0 Likes Likes

Go to solution
Rob-Basil
L1 Bithead
In response to dfalcon

‎04-09-2020 08:06 AM - edited ‎04-09-2020 08:09 AM

We do block grey-ware and some more well known portable programs. Since a lot of our classes let students save their work to a USB drive we cannot block those.

 

We like the three widgets below. Would love to have the same type of widgets, but have them display all alerts instead of just Incidents.

 

As of right now, there are no widgets that display anything about alerts (unless they require some type of user action to clear) that I can see.

 

Screen Shot 2020-04-09 at 8.02.30 AM.png

 

Screen Shot 2020-04-09 at 8.02.23 AM.png

 

Screen Shot 2020-04-09 at 8.02.10 AM.png

0 Likes Likes

Go to solution
CraigV123
L2 Linker
In response to dfalcon

‎04-16-2020 03:12 AM

I submitted a case to Palo Alto for the same thing and I was referenced to this article. Great explanation, and thank you, but yeah it'd be super helpful to be able to see them on the main dashboard even though no further actions are required. 

0 Likes Likes

Go to solution
rwalden
L0 Member

‎05-26-2021 12:50 PM

Yes, we must have this visibility without having to go dig it out and download it, we need alerts on the dashboard and notifications would be nice too.

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks