What are incidents? - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product
Cortex XDR
Creation date
2024-03-06
Last date published
2024-10-01
Category
Administrator Guide
Abstract

Learn about how incidents are created, incident terminology, incident thresholds, and incident planning and response

An incident represents a single, self-contained attack.

An incident is a container object that groups related alerts, assets, and artifacts originating from a single root cause. That root cause might be a self-contained cyberattack that combines several elements (attackers, tools, and processes), or it might be a combination of malware and exploits.

Incidents comprise the following objects:

  • Alerts: Notification objects that report suspicious activity or events

  • Assets: Names of affected endpoints and users

  • Artifacts: Attributes of attacking objects such as filenames, file signers, processes, domains, and IP addresses

Each incident is individually configured and requires its own independent investigation. To see a list of all incidents, navigate to the Incidents page.

Incident thresholds

To keep incidents fresh and relevant, Cortex XDR implements the following thresholds. When an incident reaches any of these thresholds, it stops accepting alerts, and subsequent related alerts are grouped in a new incident.

  • 30 days have passed since the incident was created.

  • 14 days have passed since the last alert in the incident was detected (backward scan alerts are excluded from this count).

  • The incident has reached the 1,000 alert limit.

You can track the threshold status in the Alerts Grouping Status field in the Incidents table.
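The following Python model, added here as an illustration and not Cortex XDR's own code, simulates how a stream of related alerts is split into incidents by the three thresholds above. It is useful for reasoning about how a long-running campaign ends up spread across several incidents. The Alert and Incident fields, the `backward_scan` flag, treating the thresholds as inclusive (`>=`), starting the 14-day window at creation time when no counted alert exists yet, and the sample alert stream are all assumptions made for the example.

```python
"""Added model of the incident-grouping thresholds described on this page.

Not Cortex XDR code: it simulates how alerts sharing one root cause are
split into incidents by the three documented thresholds. The field names,
the ">=" boundary handling, and the sample alerts are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Thresholds as documented
MAX_INCIDENT_AGE = timedelta(days=30)  # 30 days after incident creation
MAX_ALERT_GAP = timedelta(days=14)     # 14 days since the last alert (backward scan alerts excluded)
MAX_ALERTS = 1000                      # 1,000 alert limit


@dataclass
class Alert:
    detected_at: datetime
    name: str
    backward_scan: bool = False  # assumed flag: alert raised by a backward scan


@dataclass
class Incident:
    created_at: datetime
    alerts: List[Alert] = field(default_factory=list)
    # Baseline for the 14-day inactivity window. Only non-backward-scan
    # alerts refresh it; starting it at creation time is an assumption for
    # incidents whose first alert is itself a backward scan alert.
    last_counted_alert_at: Optional[datetime] = None
    closed_by: Optional[str] = None  # threshold that stopped this incident accepting alerts

    def __post_init__(self):
        if self.last_counted_alert_at is None:
            self.last_counted_alert_at = self.created_at

    def threshold_reached(self, now: datetime) -> Optional[str]:
        """Name the threshold that stops this incident accepting an alert at `now`, or None."""
        if now - self.created_at >= MAX_INCIDENT_AGE:
            return "30 days after incident creation"
        if now - self.last_counted_alert_at >= MAX_ALERT_GAP:
            return "14 days since last alert"
        if len(self.alerts) >= MAX_ALERTS:
            return "1,000 alert limit"
        return None


def group_alerts(alerts: List[Alert]) -> List[Incident]:
    """Group alerts (assumed related, i.e. one root cause) into incidents in
    detection order, opening a new incident whenever the current one has
    reached a threshold."""
    incidents: List[Incident] = []
    current: Optional[Incident] = None
    for alert in sorted(alerts, key=lambda a: a.detected_at):
        reason = current.threshold_reached(alert.detected_at) if current is not None else None
        if current is None or reason is not None:
            if current is not None:
                current.closed_by = reason
            current = Incident(created_at=alert.detected_at)
            incidents.append(current)
        current.alerts.append(alert)
        if not alert.backward_scan:
            current.last_counted_alert_at = alert.detected_at
    return incidents


def summarize(incidents: List[Incident]):
    """(alert count, closing threshold) per incident; the last one is still open (None)."""
    return [(len(inc.alerts), inc.closed_by) for inc in incidents]


def demo_campaign(backward_scan: bool = True) -> List[Incident]:
    """Constructed alert stream for one long-running root cause (sample data,
    not real telemetry). `backward_scan` controls whether the day-10 alert
    comes from a backward scan, to show that such alerts do not refresh the
    14-day window."""
    t0 = datetime(2024, 3, 6)
    day = timedelta(days=1)
    alerts = [Alert(t0 + n * day, f"credential-access-{n}") for n in range(3)]       # days 0-2
    alerts.append(Alert(t0 + 10 * day, "ioc-match", backward_scan=backward_scan))    # day 10
    alerts += [Alert(t0 + n * day, f"lateral-movement-{n}") for n in range(17, 51)]  # days 17-50, one per day
    burst = t0 + 51 * day
    alerts += [Alert(burst + timedelta(seconds=i), f"c2-beacon-{i}") for i in range(1100)]  # day 51 burst
    return group_alerts(alerts)


if __name__ == "__main__":
    for n, (count, reason) in enumerate(summarize(demo_campaign()), 1):
        print(f"incident {n}: {count} alerts, closed by: {reason or 'still accepting alerts'}")
```

With the day-10 alert marked as a backward scan alert, the sample campaign is split into four incidents: the first closes on the 14-day rule (the backward scan alert on day 10 does not count, so the day-17 alert is 15 days after the last counted alert), the second on the 30-day rule, the third on the 1,000 alert limit, and the fourth is still accepting alerts. Calling `demo_campaign(backward_scan=False)` shows the difference the exclusion makes: the day-10 alert then refreshes the window and the first incident instead runs until the 30-day limit.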