Incidents
Cortex XDR provides an Incidents table that you can use
to view all the incidents reported to and surfaced from your Cortex
XDR instance.
An attack can affect several hosts or users and raises different
alert types stemming from a single event. All artifacts, assets,
and alerts from a threat event are gathered into an
Incident.
The logic behind which alert the
Cortex
XDR
app assigns to an incident is based on a set of rules
which take into account different attributes. Examples of alert
attributes include alert source, type, and time period. The app
extracts a set of artifacts related to the threat event, listed
in each alert, and compares it with the artifacts appearing in existing
alerts in the system. Alerts on the same causality chain are grouped
with the same incident if an open incident already exists. Otherwise,
the new incoming alert will create a new incident. To keep incidents fresh and relevant,
Cortex
XDR
provides thresholds after which an incident stops adding
alerts:- 30 days after the incident was created
- 14 days since the last alert in the incident was detected (excludes backward scan alerts)
After the incident reaches either threshold, it stops accepting
alerts and
Cortex
XDR
groups
subsequent related alerts in a new incident. You can track the grouping
threshold status in the Alerts Grouping Status
field
in the Incidents table: - Enabled—The incident is open to accepting new related alerts.
- Disabled—Grouping threshold is reached and the incident is closed to further alerts or if the incident reached the 1,000 alert limit. To view the exact reason for a Disabled status, hover over the status field.
You can select to view the Incidents page in a table format or
split pane mode. Use
to toggle
between the views. By default,
to toggle
between the views. By default, Cortex
XDR
displays the split pane mode. Any changes you make to
the incident fields, such as description, resolution status, filters,
and sort selections persist when you toggle between the modes. The split pane mode displays a side-by-side view of the your
incidents list and the corresponding incident details.
The table view displays only the incident fields in a table format.
Right-click an incident to view the incident details, and investigate
the related assets, artifacts, and alerts. For more information
see Investigate Incidents.
The following table describes both the default and additional
optional fields that you can view in the Incidents table and lists
the fields in alphabetical order.
Incidents created prior to
Cortex
XDR
version 2.9 are updated as follows:- MITRE Attack Tactics, MITRE Attack Techniques, and Alert Categories fields will remain empty.
- WildFire Hits field will begin with an empty value, however when a new alert is added to the incident the filed is updated.
- Critical, High Severity, Medium Severity, Low Severity, Alert Grouping Status fields are updated with the corresponding value.
- If an incident is merged or moved with other incidents,CortexXDRwill recalculate and update the fields.
Field | Description |
|---|---|
| Check box to select one or more incidents on
which to perform the following actions.
|
Alert Categories | Type of alert categories triggered by the incident alerts. |
Alerts Grouping Status | Displays whether Alert Grouping is currently enabled. |
Alerts Breakdown | The total number of alerts and number of alerts
by severity. |
Assignee Email | Email address associated with the assigned
incident owner. |
Assigned To | The user to which the incident is assigned.
The assignee tracks which analyst is responsible for investigating
the threat. Incidents that have not been assigned have a status
of Unassigned . |
Creation Time | Date and time when the incident was created. |
High Severity Alerts | Number of high severity alerts that are part
of the incident. |
Hosts | Displays the host names affected by the incident. |
Incident Description | The description is generated from the alert
name from the first alert added to the incident, the host and user
affected, or number of users and hosts affected. |
Incident ID | A unique number to identify the incident. |
Incident Name | A user-defined incident name. |
Incident Sources | List of sources that raised high and medium severity
alerts in the incident. |
Last Updated | The last time a user took an action or an alert
was added to the incident. |
Low Severity Alerts | Number of low severity alerts that are part
of the incident. |
Medium Severity | Number of medium severity alerts that are part
of the incident. |
MITRE ATT&CK Tactic | Displays the types of MITRE ATT&CK tactics triggered
by the alerts that are part of the incident. |
MITRE ATT&CK Technique | Displays the type of MITRE ATT&CK technique
and sub-technique triggered by the alerts that are part of the incident. |
Resolve Comment | The user-added comment when the user changes the
incident status to a Resolved status. |
Resolved Timestamp | Displays the date and time when the incident
was set with a resolved status. |
Severity | The highest alert in the incident or the user-defined severity. |
Starred | The incident includes alerts that match your incident
prioritization policy. Incidents that have alert matches include
a star by the incident name in the Incident details view and a value
of Yes in this field. |
Status | Incidents have the status set to New when
they are generated. To begin investigating
an incident,
set the status to Under Investigation . The
Resolved status is subdivided into resolution reasons:
|
Tags | Displays the Endpoint Groups, Endpoint Tags,
and Data Sources associated with the alert. |
Total Alerts | The total number of alerts in the incident. |
Users | Users affected by the alerts in the incident.
If more than one user is affected, click on + <n>
more to see the list of all users in the incident. |
WildFire Hits | Number of the Malware, Phishing, and Greyware artifacts
that are part of the incident. |
