Monitor Cortex XDR Incidents

Incidents are aggregates of alerts relating to a single event. The Incidents table lists all incidents in the Cortex XDR app.
An attack can affect several hosts or users and raise different alert types that stem from a single event. All artifacts, assets, and alerts from a threat event are gathered into an incident.
The logic by which the Cortex XDR app assigns an alert to an incident is based on a set of rules that take different attributes into account, such as the alert source, type, and time period. The app extracts the set of artifacts related to the threat event that is listed in each alert and compares it with the artifacts appearing in existing alerts in the system. Alerts on the same causality chain are grouped into the same incident if an open incident already exists; otherwise, the new incoming alert creates a new incident.
The Incidents table displays all incidents, including the incident severity, to enable you to prioritize, track, and update incidents. For additional insight into the entire scope and cause of an event, you can view all relevant assets, suspicious artifacts, and alerts within the incident details. You can also track incidents, document the resolution, and assign analysts to investigate and take remedial action. Select multiple incidents to take bulk actions on them.
The following table describes the default and additional optional fields that you can view in the Incidents table, listed in alphabetical order.
Check box to select one or more incidents on which to perform the following actions:
  • Assign incidents to an analyst in bulk
  • Change the status of multiple incidents
  • Change the severity of multiple incidents
Manage multiple incidents with
Alerts Breakdown
The total number of alerts and number of alerts by severity.
Assignee Email
Email address associated with the assigned incident owner.
Assigned To
The user to whom the incident is assigned. The assignee tracks which analyst is responsible for investigating the threat. Incidents that have not been assigned have a status of
Creation Time
The time the first alert was added to a new incident.
The number of hosts affected by the incident. Right-click the host count to view the list of hosts grouped by operating system.
Incident Description
The description is generated from the alert name of the first alert added to the incident together with the affected host and user, or with the number of users and hosts affected.
Incident ID
A unique number to identify the incident.
Incident Name
A user-defined incident name.
Incident Sources
List of sources that raised high and medium severity alerts in the incident.
Last Updated
The last time a user took an action or an alert was added to the incident.
Resolve Comment
The comment the user adds when changing the incident status to a Resolved status.
The highest alert severity in the incident, or the user-defined severity.
The incident includes alerts that match your incident prioritization policy. Incidents that have alert matches include a star by the incident name in the Incident details view and a value of Yes in this field.
Incidents have the status set to
when they are generated. To begin investigating an incident, set the status to Under Investigation. The Resolved status is subdivided into resolution reasons:
  • Resolved - Threat Handled
  • Resolved - Known Issue
  • Resolved - Duplicate Incident
  • Resolved - False Positive
  • Resolved - Auto Resolve
    - Auto-resolved by Cortex XDR when all of the alerts contained in an incident have been excluded.
Total Alerts
The total number of alerts in the incident.
Users affected by the alerts in the incident. If more than one user is affected, click + <n> more to see the list of all users in the incident.
From the Incidents page, you can right-click an incident to view the incident and investigate the related assets, artifacts, and alerts. For more information, see Investigate Incidents.
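To make the grouping rules and the derived table fields above concrete, here is an added Python model of that behaviour. It is illustrative code written for this page, not Cortex XDR's own logic: real alert attributes, the artifact-matching rules and the sample alert data (sources, hashes, IPs, timestamps) are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Alert:
    name: str
    source: str
    severity: str
    time: int                 # epoch seconds; the constructed samples use small ints
    artifacts: frozenset      # hashes, IPs, process names the alert lists (assumed)
    excluded: bool = False    # True once an exclusion rule suppresses the alert

@dataclass
class Incident:
    incident_id: int
    alerts: list = field(default_factory=list)
    status: str = "New"       # assumed label for a freshly generated incident
    last_updated: int = 0     # last alert added or user action

    def artifacts(self):
        return frozenset().union(*(a.artifacts for a in self.alerts))

    def severity(self):       # highest alert severity in the incident
        return max((a.severity for a in self.alerts), key=SEVERITY_RANK.__getitem__)

    def alerts_breakdown(self):  # Alerts Breakdown field: count per severity
        return dict(Counter(a.severity for a in self.alerts))

    def sources(self):        # Incident Sources: sources of high and medium alerts
        return sorted({a.source for a in self.alerts
                       if SEVERITY_RANK[a.severity] >= SEVERITY_RANK["medium"]})

def assign_alert(incidents, alert):
    # Join an open incident that shares an artifact with the alert; otherwise open a new one.
    for inc in incidents:
        if not inc.status.startswith("Resolved") and inc.artifacts() & alert.artifacts:
            inc.alerts.append(alert)
            inc.last_updated = alert.time
            return inc
    inc = Incident(len(incidents) + 1, [alert], last_updated=alert.time)
    incidents.append(inc)
    return inc

def auto_resolve(incident, now):
    # Resolved - Auto Resolve applies once every alert in the incident has been excluded.
    if all(a.excluded for a in incident.alerts):
        incident.status, incident.last_updated = "Resolved - Auto Resolve", now
    return incident.status
```

A resolved incident no longer absorbs alerts, so a later alert with the same artifact opens a fresh incident, which is why analysts should check for Resolved - Duplicate Incident candidates before closing.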
