For example, Cortex might generate alerts from
Cortex Traps, which you would classify according to the information
in those events, either as a dedicated Traps incident type or as
Authentication or Malware. You might also have EWS configured to
ingest both phishing and malware alerts, which you want to classify
into their respective incident types based on information in
the event. By classifying the events as different incident types,
you can process them with different playbooks suited to their respective
requirements.