Investigate Incidents

Cortex® XDR™ enables you to track and investigate incidents, assign analysts to investigate, and document the incident resolution.
A single attack event can affect several users or hosts and raise several different types of alerts.
For a record of all actions taken by analysts in the incident, see Monitor Administrative Activity.
Use the following steps to investigate an incident:
  1. Navigate to the incidents table.
  2. From the incidents table, locate the incident you want to investigate.
    Filter and sort your incidents. Recommended ways include:
    • In the status field, filter for new incidents to view only the incidents that have not yet been investigated.
    • In the severity field, identify the incidents with the highest threat impact.
    • In the Incident Sources field, filter according to the sources that raised the alerts which make up the incident.
    • In the timestamp fields, such as Last Updated and Creation Time, right-click to Show rows 30 days prior or 30 days after the selected timestamp field value.
    After you locate an incident you want to investigate, right-click it and select View Incident. The Incident details page aggregates all alerts, insights, and affected assets and artifacts from those alerts in a single location. From the Incident details page you can manage the alerts and investigate an event within the context and scope of a threat. Select the pencil icon to edit the incident name and description.
  3. Assign an incident to an analyst.
    Select the assignee field (empty in the case of a new incident) below the incident description and begin typing the analyst's email address for automated suggestions. Users must have logged in to the app to appear in the auto-generated list.
  4. Assign an incident status.
    Select the incident status to update it, for example to Under Investigation, to indicate which incidents have been reviewed and to filter by status in the incidents table.
  5. Review the details of the incident, such as alerts and insights related to the event, and affected assets and artifacts.
    • Investigate Key Artifacts.
      Key Artifacts list files and file hashes, signers, processes, domains, and IP addresses that are related to the threat event. Each alert type contains certain key artifacts, and the app weighs and sorts alerts into incidents based on the key artifacts. Different key artifacts have different weights according to their impact and case. The app analyzes the alert type, related causality chains, and key artifacts to determine which incident has the highest correlation with the alert, and groups the alert with that incident.
      The app also displays any available threat intelligence for the artifact. The Threat Intelligence column in the Key Artifacts panel lists the WildFire (WF) verdicts associated with each artifact and identifies any malware with a red malware icon. If WildFire flips the file verdict, the hash verdict in the Cortex XDR incident is updated immediately. If a hash is unknown to WildFire at the time of incident creation, it remains unknown until WildFire reaches a verdict; the new WildFire verdict is then updated in the incident within 24 hours.
      To analyze the WildFire report, see Review WildFire® Analysis Details.
      Right-click a file or process under Key Artifacts to:
      • View the entire artifact report from the threat intelligence source.
      • Add to Allow List. Artifacts added to the allow list are marked as such in the panel.
      • Add to Block List. Artifacts added to the block list are marked as such in the panel.
    • Investigate Key Assets.
      Key Assets identify the scope of endpoints and users affected by the threat. Right-click an asset to Filter Alerts by that asset.
    • Investigate alerts and insights.
      Incidents are created from high or medium severity alerts. Low severity Analytics alerts sometimes also create an incident, depending on the nature of the alert. Low and informational severity alerts are categorized as Insights and are available on their own tab. In the incident, review the alerts and, if additional context is required, review the related insights. You can also view high, medium, and low severity alerts in the main Alerts table.
      During your investigation, you can also perform additional management of alerts, including further analysis, investigation, and administrative response.
  6. Take action on the incident.
    • Change the incident severity.
      The default severity is based on the highest alert severity in the incident. To manually change the severity, select Change Incident Severity and choose the new severity. The smaller severity bubble indicates the original severity.
    • Change the incident status.
      Select Change Incident Status to update the status, for example from Under Investigation.
    • Create an exclusion.
      Select Create Exclusion to pivot to Create New Exclusion.
    • Merge incidents.
      To merge incidents you think belong together, select Merge Incidents and enter the ID of the target incident you want to merge the incident into.
      Incident assignees are managed as follows:
      • If both incidents have been assigned: the merged incident takes the target incident assignee.
      • If both incidents are unassigned: the merged incident remains unassigned.
      • If the target incident is assigned and the source incident is unassigned: the merged incident takes the target assignee.
      • If the target incident is unassigned and the source incident is assigned: the merged incident takes the existing (source) assignee.
  7. Track and share your investigation progress.
    Add notes or comments to track your investigative steps and any remedial actions taken.
    • Select the Incident Notepad to add and edit the incident notes. You can use notes to add code snippets to the incident or to add a general description of the threat.
    • Use the comments to coordinate the investigation between analysts and track its progress. Select the comments to view or manage them.
      Collapse the comment threads for an overview of the discussion.
      If needed, search the comments to find specific words or phrases.
  8. Resolve the incident.
    After the incident is resolved:
    1. Set the incident status to resolved. Select the status from the Incident details page or select Change Incident Status.
    2. Select the reason the incident was resolved.
    3. Add a comment that explains the reason for closing the incident.
    4. Confirm the change.
      The Cortex XDR app no longer adds new alerts to the resolved incident and instead adds incoming alerts to a new incident.
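The rules spread across steps 5, 6 and 8 above (alerts grouped into the incident they correlate with most strongly by key artifacts, incident severity defaulting to the highest alert severity, the four assignee rules for merged incidents, and resolved incidents no longer receiving new alerts) fit together as one small lifecycle model. The following is an added, constructed Python illustration of that model; it is not Cortex XDR code and does not reproduce Cortex XDR's actual correlation algorithm. The per-artifact weights, the correlation threshold, the status labels and the sample alerts are all assumptions made for the example.

```python
"""Toy model of the incident lifecycle described above.

Constructed illustration only: this is NOT Cortex XDR code, and the artifact
weights, correlation threshold, status labels and sample data are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3}

# Assumed weights per key-artifact type. The page only says different key
# artifacts carry different weights, not what those weights are.
ARTIFACT_WEIGHT = {"hash": 3.0, "signer": 2.0, "process": 2.0, "domain": 2.0, "ip": 1.0}
CORRELATION_THRESHOLD = 2.0  # assumed minimum score to join an existing incident


@dataclass
class Alert:
    alert_id: str
    severity: str
    artifacts: Dict[str, str]  # key artifacts, e.g. {"hash": "...", "ip": "..."}


@dataclass
class Incident:
    incident_id: str
    alerts: List[Alert] = field(default_factory=list)
    status: str = "new"  # assumed labels: new / under_investigation / resolved
    assignee: Optional[str] = None
    resolution_reason: Optional[str] = None
    comments: List[str] = field(default_factory=list)

    def key_artifacts(self) -> Set[Tuple[str, str]]:
        """Union of the key artifacts of every alert grouped into the incident."""
        return {(t, v) for a in self.alerts for t, v in a.artifacts.items()}

    def severity(self) -> str:
        """Default incident severity: the highest severity among its alerts."""
        return max((a.severity for a in self.alerts),
                   key=lambda s: SEVERITY_RANK[s], default="informational")


def correlation_score(incident: Incident, alert: Alert) -> float:
    """Weighted count of key artifacts the alert shares with the incident."""
    shared = incident.key_artifacts() & set(alert.artifacts.items())
    return sum(ARTIFACT_WEIGHT.get(t, 1.0) for t, _ in shared)


class IncidentStore:
    def __init__(self) -> None:
        self.incidents: Dict[str, Incident] = {}
        self._next_id = 1

    def _new_incident(self) -> Incident:
        inc = Incident(f"INC-{self._next_id}")
        self._next_id += 1
        self.incidents[inc.incident_id] = inc
        return inc

    def route_alert(self, alert: Alert) -> Optional[Incident]:
        """Group a high/medium alert with its best-correlated open incident.

        Low and informational alerts are treated purely as insights here and
        create no incident (a simplification: the page notes that some low
        severity Analytics alerts do). Resolved incidents never receive alerts.
        """
        if SEVERITY_RANK[alert.severity] < SEVERITY_RANK["medium"]:
            return None
        open_incidents = [i for i in self.incidents.values() if i.status != "resolved"]
        best = max(open_incidents, key=lambda i: correlation_score(i, alert), default=None)
        if best is None or correlation_score(best, alert) < CORRELATION_THRESHOLD:
            best = self._new_incident()
        best.alerts.append(alert)
        return best

    def merge(self, source_id: str, target_id: str) -> Incident:
        """Merge source into target. The four assignee rules on the page reduce
        to: keep the target's assignee if set, otherwise take the source's."""
        source = self.incidents.pop(source_id)
        target = self.incidents[target_id]
        target.alerts.extend(source.alerts)
        if target.assignee is None:
            target.assignee = source.assignee
        return target

    def resolve(self, incident_id: str, reason: str, comment: str) -> Incident:
        """Close the incident with a resolution reason and an explanatory comment."""
        inc = self.incidents[incident_id]
        inc.status = "resolved"
        inc.resolution_reason = reason
        inc.comments.append(comment)
        return inc


if __name__ == "__main__":
    store = IncidentStore()
    # Constructed sample alerts: A1 and A2 share a hash, A3 only shares an IP.
    first = store.route_alert(Alert("A1", "high", {"hash": "hash-1", "ip": "10.0.0.1"}))
    store.route_alert(Alert("A2", "medium", {"hash": "hash-1", "domain": "example.test"}))
    second = store.route_alert(Alert("A3", "medium", {"ip": "10.0.0.1"}))
    print(first.incident_id, first.severity(), second.incident_id)  # INC-1 high INC-2
```

The scoring deliberately weights a shared file hash above a shared IP address, so an alert that only shares an IP with an open incident opens a new one; lowering CORRELATION_THRESHOLD makes the grouping more aggressive, which is the trade-off the analyst otherwise handles manually with Merge Incidents.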
