Incidents and Alerts - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Product: Cortex XPANSE
Version: 2
Creation date: 2024-03-28
Last date published: 2024-04-17
Category: User Guide
Solution: Cloud

An alert is a potential security risk identified by Cortex Xpanse on your assets and services. Xpanse creates alerts based on attack surface rules. An incident is a collection of alerts related to a single service, or to a single asset if no service is detected.

The logic Cortex Xpanse uses to assign a new alert to an incident is based on a set of rules that consider attributes such as alert source, type, and time period. Xpanse extracts a set of artifacts from each new alert and compares it with the artifacts appearing in existing alerts in the system. If an open incident already exists for alerts on the same causality chain, the new alert is grouped into that incident; otherwise, the incoming alert creates a new incident.
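The following is an added illustration of the grouping behaviour described above, written for this guide as a toy model; it is not Cortex Xpanse code and does not reproduce the product's actual rules. The artifact mapping (service when one is detected, otherwise the bare asset), the 30-day grouping window, the open/closed status check, and all alert values are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed time window: an open incident only attracts new alerts while its most
# recent alert is no older than this. The real product value is not documented here.
GROUPING_WINDOW = timedelta(days=30)


@dataclass
class Alert:
    alert_id: str
    source: str                     # e.g. the attack surface rule that raised it
    alert_type: str                 # e.g. "insecure-protocol"
    detected_at: datetime
    asset: str                      # IP or hostname the finding was observed on
    service: Optional[str] = None   # "host:port/protocol"; None when no service is detected


@dataclass
class Incident:
    incident_id: str
    status: str = "open"
    alerts: list = field(default_factory=list)
    artifacts: set = field(default_factory=set)

    @property
    def last_seen(self) -> datetime:
        # Every incident is created with at least one alert, so max() is safe.
        return max(a.detected_at for a in self.alerts)


def extract_artifacts(alert: Alert) -> set:
    """Assumed artifact model: an alert on a detected service is keyed by that
    service; an alert with no service is keyed by the asset alone."""
    if alert.service:
        return {("service", alert.service)}
    return {("asset", alert.asset)}


class IncidentStore:
    """Holds incidents and applies the assumed grouping rules to each new alert."""

    def __init__(self) -> None:
        self.incidents: list = []
        self._seq = 0

    def _find_open_match(self, alert: Alert) -> Optional[Incident]:
        wanted = extract_artifacts(alert)
        for inc in self.incidents:
            if inc.status != "open":
                continue                      # closed incidents are never reused
            if not (inc.artifacts & wanted):
                continue                      # no shared artifact: different causality chain
            if alert.detected_at - inc.last_seen > GROUPING_WINDOW:
                continue                      # too old: treat as a fresh occurrence
            return inc
        return None

    def ingest(self, alert: Alert) -> Incident:
        inc = self._find_open_match(alert)
        if inc is None:
            self._seq += 1
            inc = Incident(incident_id=f"INC-{self._seq}")
            self.incidents.append(inc)
        inc.alerts.append(alert)
        inc.artifacts |= extract_artifacts(alert)
        return inc

    def close(self, incident_id: str) -> None:
        for inc in self.incidents:
            if inc.incident_id == incident_id:
                inc.status = "closed"

    def groups(self) -> dict:
        return {inc.incident_id: [a.alert_id for a in inc.alerts] for inc in self.incidents}


def demo() -> dict:
    """Runs a constructed sequence of alerts through the store and returns the grouping."""
    t0 = datetime(2024, 4, 1, 12, 0)
    svc = "203.0.113.10:22/ssh"          # constructed sample service
    store = IncidentStore()
    # Two alerts on the same service within the window share one incident.
    store.ingest(Alert("A1", "exposure-rule", "ssh-exposed", t0, "203.0.113.10", svc))
    store.ingest(Alert("A2", "config-rule", "weak-ssh-cipher", t0 + timedelta(days=1), "203.0.113.10", svc))
    # An alert with no detected service is keyed by asset and gets its own incident.
    store.ingest(Alert("A3", "cert-rule", "expired-certificate", t0 + timedelta(days=1), "203.0.113.10"))
    # Same service again, but outside the window: a new incident rather than a merge.
    store.ingest(Alert("A4", "exposure-rule", "ssh-exposed", t0 + timedelta(days=45), "203.0.113.10", svc))
    # Once the asset incident is closed, a new asset-level alert opens a fresh incident.
    store.close("INC-2")
    store.ingest(Alert("A5", "cert-rule", "expired-certificate", t0 + timedelta(days=2), "203.0.113.10"))
    return store.groups()


if __name__ == "__main__":
    for incident_id, alert_ids in demo().items():
        print(incident_id, alert_ids)
```

The point for an analyst is that "same service" is necessary but not sufficient: the incident must still be open and the new alert must fall within the grouping period, which is why a recurring finding on a long-closed or stale incident shows up as a new incident rather than being appended to the old one.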