Cortex Cloud uses a specific case grouping logic to build cases.
Case grouping is a Precision AI™-powered capability that eliminates alert fatigue by automatically consolidating related issues and artifacts into a single unified case. Case grouping links issues that originate from the same attack flow or involve the same entity to reveal the full scope of a case. This approach replaces manual correlation with automated context, allowing you to focus on resolving complete problems rather than triaging isolated events.
Grouping methodologies
The key grouping methodologies of case grouping are:
Artifact association: Groups issues that share core artifacts (for example, SHA256, HostName, UserName).
Exact match detection: Groups similar detections for the same entities.
Related entities: Groups detections involving related assets within a close timeframe to highlight possible connections.
Case qualification for issues
Not all issues create cases. When a new issue is created, it is evaluated to determine if it meets the criteria for case promotion. If the issue qualifies, the system attempts to correlate it with an existing case; if no match is found, a new case is generated. Issues that do not meet these requirements are categorized as Insights.
The qualification logic varies by domain. For the Security domain, the system promotes issues with Medium severity and above, as well as select Low-severity analytics. Other domains employ more selective promotion based on specific criteria. This logic is dynamic and may be updated to reflect ongoing research and threat relevance.
Cortex Cloud applies the following logic when building cases:
Automatic promotion criteria: Issues that meet any of the following conditions automatically generate a new case or join an existing one:
Assigned to the Security domain with Medium severity or higher
Assigned to the Posture domain with High severity
Generated from the public API or created from correlations
Low severity handling: Most low-severity issues do not initiate case creation unless specific analytic rules deem action necessary. Low-severity issues generated from correlation rules are not grouped into cases.
Case grouping thresholds: To keep cases manageable, Cortex Cloud enforces specific grouping thresholds. For more information, see Case thresholds.
Grouping artifacts
The grouping algorithm evaluates extracted artifacts to determine whether an issue should join an existing case or initiate a new one. Each artifact type is governed by specific logic that accounts for its unique lifecycle and reliability. For example, grouping by Username may be subject to temporal constraints, while IP address logic varies based on whether the address is public, private, or dynamically allocated (DHCP).
These proprietary grouping logics are continuously tuned and updated. As a result, artifact behavior and correlation may change over time.
If you set up custom detections with correlation rules that trigger issues, you can influence the grouping of the triggered issues by mapping specific fields in your configuration. For more information, see Optimize case grouping in correlations.
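As an added illustration, not Cortex Cloud's own code, the following Python models the qualification rules and the artifact-association grouping described above. The 24-hour UserName window, the field names, and the sample issues are assumptions; the product's proprietary logic is not published and is tuned over time.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed 24h window for UserName grouping; the page says only that temporal constraints exist.
USERNAME_WINDOW = timedelta(hours=24)
RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Issue:
    id: str
    domain: str        # "security" or "posture" (assumed names)
    severity: str      # key of RANK
    source: str        # "analytics", "correlation" or "api" (assumed names)
    time: datetime
    artifacts: dict    # e.g. {"SHA256": ..., "HostName": ..., "UserName": ...}
    promoting_analytic: bool = False  # one of the "select Low-severity analytics"

def qualifies(issue):
    """Model of the automatic promotion criteria and low-severity handling."""
    if issue.severity == "low" and issue.source == "correlation":
        return False  # low-severity correlation issues are never grouped into cases
    return (issue.source in ("api", "correlation")
            or (issue.domain == "security" and RANK[issue.severity] >= RANK["medium"])
            or (issue.domain == "posture" and RANK[issue.severity] >= RANK["high"])
            or (issue.severity == "low" and issue.promoting_analytic))

def shares_artifact(issue, case):
    """Artifact association: SHA256/HostName match outright, UserName only inside the window."""
    for other in case:
        a, b = issue.artifacts, other.artifacts
        if any(k in a and a[k] == b.get(k) for k in ("SHA256", "HostName")):
            return True
        if "UserName" in a and a["UserName"] == b.get("UserName") \
                and abs(issue.time - other.time) <= USERNAME_WINDOW:
            return True
    return False

def build_cases(issues):
    """Return (cases, insight_ids): each case is a list of Issues; insights did not qualify."""
    cases, insights = [], []
    for issue in sorted(issues, key=lambda i: i.time):
        if not qualifies(issue):
            insights.append(issue.id)
            continue
        case = next((c for c in cases if shares_artifact(issue, c)), None)
        if case is None:
            case = []
            cases.append(case)  # no artifact match with any open case: start a new one
        case.append(issue)
    return cases, insights
```

Issues are processed in time order so that the first qualifying issue opens the case and later ones attach to it; a UserName match alone does not join issues that fall outside the assumed window.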
Integration with SmartScore
Case grouping and SmartScore work together to improve triage efficiency. While case grouping provides the full context of an attack, SmartScore assigns a numerical value to that context, indicating the urgency and impact of the case. This allows you to prioritize the most critical cases first.
Limitations
Case grouping is natively supported within built-in domains only (for example, Security).