What are incidents?

Product: Cortex XDR
License: Prevent, Pro
Creation date: 2024-03-06
Last date published: 2025-05-20
Category: Administrator Guide
Abstract

Learn about how incidents are created, incident terminology, incident thresholds, and incident planning and response

An incident represents a single, self-contained attack.

An incident is a container object that groups related alerts, assets, and artifacts originating from a single root cause. The root cause might be a self-contained cyberattack that brings together multiple actors (such as attackers, tools, and processes), or it might be a combination of malware and exploits.

Incidents comprise the following objects:

  • Alerts: Notification objects to report suspicious activity or events

  • Assets: Names of affected endpoints and users

  • Artifacts: Attributes of attacking objects such as filenames, file signers, processes, domains, and IP addresses

Each incident is individually configured and requires its own independent investigation. To see a list of all Incidents, navigate to the Incidents page.

Incident thresholds

To keep incidents fresh and relevant, Cortex XDR implements the following thresholds. When an incident reaches any of these thresholds, it stops accepting alerts, and subsequent related alerts are grouped into a new incident.

  • 30 days have passed since the incident was created.

  • 14 days have passed since the last alert in the incident was detected (backward scan alerts are excluded).

  • The incident has reached the 1,000-alert limit.

You can track the threshold status in the Alerts Grouping Status field in the Incidents table.

Additional incident information

An incident can contain one or more related alerts. Alerts are linked to incidents by matching their content. If a new alert is triggered in the system that doesn't match any existing incident, a new incident is created. When an alert is linked to an incident, all associated assets and artifacts are also linked to the incident.

If an incident is resolved with the status Resolved - Auto Resolved, Cortex XDR can reopen the incident for up to six hours if a new alert is triggered that matches the incident. The six-hour period is measured from the timestamp of the last alert that was grouped into the incident. After the six-hour period, any new alerts are linked to a new incident for a new investigation.
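The following added example (not Cortex XDR code) models the grouping thresholds and the auto-resolved reopen window described above as a single decision function, so an analyst can see which rule sends a content-matching alert to an existing incident, reopens it, or starts a new one. The Incident dataclass, the check ordering (thresholds before the reopen window), the post-reopen status, and the T0 timestamp are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Grouping thresholds as documented for Cortex XDR incidents.
MAX_INCIDENT_AGE = timedelta(days=30)
MAX_ALERT_GAP = timedelta(days=14)
MAX_ALERTS = 1000
AUTO_RESOLVED_REOPEN_WINDOW = timedelta(hours=6)
AUTO_RESOLVED = "Resolved - Auto Resolved"

T0 = datetime(2024, 3, 6)  # constructed reference time for the sample timeline


@dataclass
class Incident:
    """Minimal stand-in for an incident record (constructed, not the product's schema)."""
    created_at: datetime
    last_alert_at: datetime      # last non-backward-scan alert grouped into the incident
    alert_count: int = 1
    status: str = "New"


def grouping_decision(incident: Incident, alert_time: datetime) -> str:
    """Decide where a content-matching alert detected at alert_time lands.

    Returns "group", "reopen", or "new: <reason>". Thresholds are checked before
    the auto-resolved reopen window; that ordering is an assumption of this example.
    Resolved statuses other than Auto Resolved are not covered by the page and are
    treated like open incidents here.
    """
    if alert_time - incident.created_at > MAX_INCIDENT_AGE:
        return "new: 30 days since incident creation"
    if alert_time - incident.last_alert_at > MAX_ALERT_GAP:
        return "new: 14 days since last alert"
    if incident.alert_count >= MAX_ALERTS:
        return "new: 1,000 alert limit reached"
    if incident.status == AUTO_RESOLVED:
        if alert_time - incident.last_alert_at <= AUTO_RESOLVED_REOPEN_WINDOW:
            return "reopen"
        return "new: auto-resolved reopen window expired"
    return "group"


def add_alert(incident: Incident, alert_time: datetime, backward_scan: bool = False) -> str:
    """Apply the decision, updating the incident in place when the alert is accepted."""
    decision = grouping_decision(incident, alert_time)
    if decision in ("group", "reopen"):
        incident.alert_count += 1
        if decision == "reopen":
            incident.status = "Under Investigation"   # assumed post-reopen status
        if not backward_scan:                         # backward scan alerts do not reset the 14-day clock
            incident.last_alert_at = max(incident.last_alert_at, alert_time)
    return decision
```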