Monitor Cortex XDR Incidents
Incidents are aggregates of alerts relating to a single event, and can be monitored from the Incidents page.
An attack can affect several hosts or users and raises different alert types stemming from a single event. All artifacts, assets, and alerts from a threat event are gathered into an
The logic behind which alert the Cortex XDR app assigns to an incident is based on a set of rules which take into account different attributes. Examples of alert attributes include alert source, type, and time period. The app extracts a set of artifacts related to the threat event, listed in each alert, and compares it with the artifacts appearing in existing alerts in the system. Alerts on the same causality chain are grouped with the same incident if an open incident already exists. Otherwise, the new incoming alert will create a new incident.
To keep incidents fresh and relevant, Cortex XDR provides thresholds after which an incident stops adding alerts:
- 30 days after the incident was created
- 14 days since the last alert in the incident was detected (excludes backward scan alerts)
After the incident reaches either threshold, it stops accepting alerts and Cortex XDR groups subsequent related alerts in a new incident. You can track the grouping threshold status in the
Alerts Grouping Statusfield in the Incidents table:
- Enabled—The incident is open to accepting new related alerts.
- Disabled—Grouping threshold is reached and the incident is closed to further alerts or if the incident reached the 1,000 alert limit. To view the exact reason for a Disabled status, hover over the status field.
Incidentspage displays all incidents in the Cortex XDR management console. To help you prioritize and track the incidents, Cortex XDR enables you to filter and sort according to the incident fields, such as status, score, severity, and timestamp. For additional insight into the entire scope and cause of an event, you can view all relevant assets, suspicious artifacts, and alerts within the incident details. You can also track incidents, document the resolution, and assign analysts to investigate and take remedial action. Select multiple incidents to take bulk actions on incidents.
You can select to view the incidents in a table format or split pane mode. Use to toggle between the views. By default, Cortex XDR displays the split pane mode. Any changes you make to the incident fields, such as description, resolution status, filters, and sort selections persist when you toggle between the modes.
The split pane mode displays a side-by-side view of your incidents and the corresponding incident details.
The table view displays only the incident fields in a table format. Right-click an incident to view the incident details, and investigate the related assets, artifacts, and alerts. For more information see Investigate Incidents.
The following table describes both the default and additional optional fields that you can view in the Incidents table and lists the fields in alphabetical order.
Incidents created prior to Cortex XDR version 2.9 are updated as follows:
- MITRE Attack Tactics, MITRE Attack Techniques, and Alert Categories fields will remain empty.
- WildFire Hits field will begin with an empty value, however when a new alert is added to the incident the filed is updated.
- High Severity, Medium Severity, Low Severity, Alert Grouping Status fields are updated with the corresponding value.
- If an incident is merged or moved with other incidents, Cortex XDR will recalculate and update the fields.
Check box to select one or more incidents on which to perform the following actions.
Type of alert categories triggered by the incident alerts.
Alerts Grouping Status
Displays whether Alert Grouping is currently enabled.
The total number of alerts and number of alerts by severity.
Email address associated with the assigned incident owner.
The user to which the incident is assigned. The assignee tracks which analyst is responsible for investigating the threat. Incidents that have not been assigned have a status of
Date and time when the incident was created.
High Severity Alerts
Number of high severity alerts that are part of the incident.
Displays the host names affected by the incident.
The description is generated from the alert name from the first alert added to the incident, the host and user affected, or number of users and hosts affected.
A unique number to identify the incident.
A user-defined incident name.
List of sources that raised high and medium severity alerts in the incident.
The last time a user took an action or an alert was added to the incident.
Low Severity Alerts
Number of low severity alerts that are part of the incident.
Number of medium severity alerts that are part of the incident.
MITRE ATT&CK Tactic
Displays the types of MITRE ATT&CK tactics triggered by the alerts that are part of the incident.
MITRE ATT&CK Technique
Displays the type of MITRE ATT&CK technique and sub-technique triggered by the alerts that are part of the incident.
The user-added comment when the user changes the incident status to a Resolved status.
Displays the score defined by the incident scoring rule.
The highest alert in the incident or the user-defined severity.
The incident includes alerts that match your incident prioritization policy. Incidents that have alert matches include a star by the incident name in the Incident details view and a value of Yes in this field.
Incidents have the status set to
Newwhen they are generated. To begin investigating an incident, set the status to
Under Investigation. The Resolved status is subdivided into resolution reasons:
The total number of alerts in the incident.
Users affected by the alerts in the incident. If more than one user is affected, click on
+ <n> moreto see the list of all users in the incident.
Number of the Malware, Phishing, and Greyware artifacts that are part of the incident.
Recommended For You
Recommended videos not found.