Incidents - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Cortex XDR
Creation date
Last date published
Administrator Guide

Learn more about the Cortex XDR Incidents table displaying all the incidents reported to and surfaced from your Cortex XDR instance.

An attack can affect several hosts or users and raises different alert types stemming from a single event. All artifacts, assets, and alerts from a threat event are gathered into an Incident.

The logic behind which alert the Cortex XDR app assigns to an incident is based on a set of rules which take into account different attributes. Examples of alert attributes include alert source, type, and time period. The app extracts a set of artifacts related to the threat event, listed in each alert, and compares it with the artifacts appearing in existing alerts in the system. Alerts on the same causality chain are grouped with the same incident if an open incident already exists. Otherwise, the new incoming alert will create a new incident.

To keep incidents fresh and relevant, Cortex XDR provides thresholds after which an incident stops adding alerts:

  • 30 days after the incident was created

  • 14 days since the last alert in the incident was detected (excludes backward scan alerts)

After the incident reaches either threshold, it stops accepting alerts, and Cortex XDR groups subsequent related alerts in a new incident. You can track the grouping threshold status in the Alerts Grouping Status field in the Incidents table:

  • Enabled—The incident is open to accepting new related alerts.

  • Disabled—The grouping threshold is reached and the incident is closed to further alerts or if the incident reached the 1,000 alert limit. To view the exact reason for a Disabled status, hover over the status field.

You can select to view the Incidents page in a table format or split pane mode. Use incident-split-pane-mode.png to toggle between the views. By default, Cortex XDR displays the split pane mode. Any changes you make to the incident fields, such as description, resolution status, filters, and sort selections persist when you toggle between the modes.

The split pane mode displays a side-by-side view of your incidents list and the corresponding incident details.

The table view displays only the incident fields in a table format. Right-click an incident to view the incident details, and investigate the related assets, artifacts, and alerts.


You can query data related to the Incidents and Alerts tables by using the incidents and alerts datasets.

The following table describes both the default and additional optional fields that you can view in the Incidents table and lists the fields in alphabetical order.




Check box to select one or more incidents on which to perform the following actions.

  • Assign incidents to an analyst in bulk

  • Change the status of multiple incidents

  • Change the severity of multiple incidents

Alert Categories

Type of alert categories triggered by the incident alerts.

Alert Source

Source of the alert, such as XDR Analytics BIOC, XDR BIOC, and Correlation.

Alerts Grouping Status

Displays whether Alert Grouping is currently enabled.

Alerts Breakdown

The total number of alerts and number of alerts by severity.

Assignee Email

Email address associated with the assigned incident owner.

Assigned To

The user to which the incident is assigned. The assignee tracks which analyst is responsible for investigating the threat. Incidents that have not been assigned have a status of Unassigned.

Creation Time

Date and time when the incident was created.

High Severity Alerts

Number of high severity alerts that are part of the incident.


Displays the host names affected by the incident.

Incident Description

The description is generated from the alert name from the first alert added to the incident, the host and user affected, or number of users and hosts affected.

Incident ID

A unique number to identify the incident.

Incident Name

A user-defined incident name.

Incident Sources

List of sources that raised high and medium severity alerts in the incident.

Last Updated

The last time a user took an action or an alert was added to the incident.

Low Severity Alerts

Number of low severity alerts that are part of the incident.

Medium Severity

Number of medium severity alerts that are part of the incident.


Displays the types of MITRE ATT&CK tactics triggered by the alerts that are part of the incident.

MITRE ATT&CK Technique

Displays the type of MITRE ATT&CK technique and sub-technique triggered by the alerts that are part of the incident.

Resolve Comment

The user-added comment when the user changes the incident status to a Resolved status.

Resolved Timestamp

Displays the date and time when the incident was set with a resolved status.


Displays the score defined by the incident scoring rule.

For SmartScore incident scores, hover your cursor over each score to view the main reasons for the score calculation.


The highest alert in the incident or the user-defined severity.


The incident includes alerts that match your incident prioritization policy. Incidents that have alert matches include a star by the incident name in the Incident details view and a value of Yes in this field.


When incidents are generated they have the status set to New. To begin investigating an incident, set the status to Under Investigation. When the incident is resolved, set the status to Resolved and select a resolution reason. For a description of each resolution reason, see Resolution Reasons for Incidents and Alerts.


Displays one or more of the following categories, which is used to filter the results according to the selected tag:

  • Asset Roles

  • Data Sources

  • Detector Tags

  • Endpoint Groups / Endpoint Tags —

    Displays the tag family and the corresponding tags. If SBAC is enabled, the user can view and manage the alerts table according the user's scope settings.


    When viewing alerts as a scoped user when a tenant is set to permissive mode, the user can view the alert but not have access to entities outside their scope.

    When viewing alerts as a scoped user when a tenant is set to restrictive mode, the alert content is not visible. The user can send the alert ID to the administrator to add to the user scope so the user can view the alert.

Total Alerts

The total number of alerts in the incident.


Users affected by the alerts in the incident. If more than one user is affected, click on + <n> more to see the list of all users in the incident.

WildFire Hits

Number of the Malware, Phishing, and Grayware artifacts that are part of the incident.