04-13-2023 11:32 PM
Hi @Shahwaz_Md ,
What @KanwarSingh01 was hoping for was for you to provide more information about the alert that was triggered:
- Alert name
- Alert source
- Alert action
One possibility I can think of is that you have created a BIOC rule or added an IOC. When you add a BIOC or IOC, the XDR console will start searching all the existing logs in the data lake and will trigger a retrospective alert. The purpose of this is to alert you if at any time in the past any of those new indicators were observed in your environment. To sum up: creating an IOC or BIOC indicator will trigger an automatic search for these indicators in the EDR data in the data lake, not only future detections.
I am not completely sure if new BIOCs from Palo Alto (via content update) will also trigger a retrospective alert, but it is also possible that a content update has triggered your alert.
"I am trying to understand how much time does it take for an alert to become an incident and what is the criteria for it."
An alert will always trigger an incident immediately when it is received by the XDR console (well, technically it will either create a new alert or it will decide to aggregate it into an existing incident, but still, it will do so immediately after the alert is received by the console).
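To make the two behaviours described above concrete, here is a small added example (not Cortex XDR code, and not from the original post) that sweeps a constructed batch of historical endpoint events for a newly added IOC and then attaches the resulting alerts to incidents. The events, the IOC values and the aggregation rule (same host, alerts within one hour) are all assumptions for illustration; the real console's aggregation criteria are not stated in the thread.

```python
from datetime import datetime, timedelta

# Constructed sample of historical EDR-style events already sitting in the "data lake".
EVENTS = [
    {"ts": "2023-03-01T08:00:00", "host": "ws-01", "type": "dns", "value": "bad.example.test"},
    {"ts": "2023-03-01T08:05:00", "host": "ws-01", "type": "hash", "value": "PLACEHOLDER_SHA256"},
    {"ts": "2023-04-10T12:00:00", "host": "srv-07", "type": "dns", "value": "bad.example.test"},
    {"ts": "2023-04-10T12:30:00", "host": "srv-07", "type": "dns", "value": "benign.example.test"},
]


def retrospective_sweep(events, ioc_type, ioc_value):
    """Emulate what happens when an IOC is added: every past event that matches
    the new indicator becomes a retrospective alert, regardless of its age."""
    return [
        {"ts": e["ts"], "host": e["host"], "indicator": ioc_value, "source": "IOC (retrospective)"}
        for e in events
        if e["type"] == ioc_type and e["value"] == ioc_value
    ]


def assign_incidents(alerts, window=timedelta(hours=1)):
    """Attach each alert to an incident as soon as it arrives: reuse an open
    incident for the same host whose last alert is within `window`, otherwise
    open a new one. The host+window rule is an assumed stand-in for the console's
    real aggregation logic."""
    incidents = []
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        ts = datetime.fromisoformat(alert["ts"])
        for inc in incidents:
            if inc["host"] == alert["host"] and ts - inc["last"] <= window:
                inc["alerts"].append(alert)
                inc["last"] = ts
                break
        else:
            incidents.append({"id": len(incidents) + 1, "host": alert["host"],
                              "first": ts, "last": ts, "alerts": [alert]})
    return incidents


if __name__ == "__main__":
    # Adding two IOCs today surfaces hits from weeks earlier, grouped into two incidents.
    alerts = retrospective_sweep(EVENTS, "dns", "bad.example.test")
    alerts += retrospective_sweep(EVENTS, "hash", "PLACEHOLDER_SHA256")
    for inc in assign_incidents(alerts):
        print(inc["id"], inc["host"], inc["first"], len(inc["alerts"]), "alert(s)")
```

Note that the alert timestamps are those of the original events, so a retrospective alert can look weeks old the moment the IOC is created, which is the effect the post describes.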