Incidents - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Prevent Administrator Guide

Cortex XDR
Creation date
Last date published
Administrator Guide

Learn more about the Cortex XDR Incidents table displaying all the incidents reported to and surfaced from your Cortex XDR instance.

An attack can affect several hosts or users and raises different alert types stemming from a single event. All artifacts, assets, and alerts from a threat event are gathered into an Incident.

The logic behind which alert the Cortex XDR app assigns to an incident is based on a set of rules which take into account different attributes. Examples of alert attributes include alert source, type, and time period. The app extracts a set of artifacts related to the threat event, listed in each alert, and compares it with the artifacts appearing in existing alerts in the system. Alerts on the same causality chain are grouped with the same incident if an open incident already exists. Otherwise, the new incoming alert will create a new incident.

You can select to view the Incidents page in a table format or split pane mode. Use incident-split-pane-mode.png to toggle between the views. By default, Cortex XDR displays the split pane mode. Any changes you make to the incident fields, such as description, resolution status, filters, and sort selections persist when you toggle between the modes.

The split pane mode displays a side-by-side view of your incidents list and the corresponding incident details.

The table view displays only the incident fields in a table format. Right-click an incident to view the incident details, and investigate the related assets, artifacts, and alerts.

Incident thresholds

To keep incidents fresh and relevant, Cortex XDR provides thresholds after which an incident stops adding alerts:

  • 30 days after the incident was created

  • 14 days since the last alert in the incident was detected (excludes backward scan alerts)

After the incident reaches either threshold, it stops accepting alerts, and Cortex XDR groups subsequent related alerts in a new incident. You can track the grouping threshold status in the Alerts Grouping Status field in the Incidents table:

  • Enabled—The incident is open to accepting new related alerts.

  • Disabled—The grouping threshold is reached and the incident is closed to further alerts or if the incident reached the 1,000 alert limit. To view the exact reason for a Disabled status, hover over the status field.

Incident table reference information

The following table describes both the default and additional optional fields that you can view in the Incidents table and lists the fields in alphabetical order.