Learn more about the Cortex XSIAM Incidents table displaying all the incidents reported to and surfaced from your Cortex XSIAM instance.
An attack can affect several hosts or users and raises different alert types stemming from a single event. All artifacts, assets, and alerts from a threat event are gathered into an Incident.
The logic behind which alert the Cortex XSIAM app assigns to an incident is based on a set of rules which take into account different attributes. Examples of alert attributes include alert source, type, and time period. The app extracts a set of artifacts related to the threat event, listed in each alert, and compares it with the artifacts appearing in existing alerts in the system. Alerts on the same causality chain are grouped with the same incident if an open incident already exists. Otherwise, the new incoming alert will create a new incident.
You can select to view the Incidents page in a table format or split pane mode. Use to toggle between the views. By default, Cortex XSIAM displays the split pane mode. Any changes you make to the incident fields, such as description, resolution status, filters, and sort selections persist when you toggle between the modes.
The split pane mode displays a side-by-side view of your incidents list and the corresponding incident details.
The table view displays only the incident fields in a table format. Right-click an incident to view the incident details, and investigate the related assets, artifacts, and alerts.
Note
You can query data related to the Incidents and Alerts tables by using the incidents
and alerts
datasets.
Note
For MSSP and multi-tenant administrators, if the Unified Incident view is enabled, this view consolidates all incidents across your distributed environment, allowing you to view and perform actions on child tenants. If the Unified Incident view is disabled, this view displays a single tenant at a time with a drop down list for moving between tenants in read-only mode.
You can enable this setting from
→ → → → .Incident thresholds
To keep incidents fresh and relevant, Cortex XSIAM provides thresholds after which an incident stops adding alerts:
30 days after the incident was created
14 days since the last alert in the incident was detected (excludes backward scan alerts)
After the incident reaches either threshold, it stops accepting alerts, and Cortex XSIAM groups subsequent related alerts in a new incident. You can track the grouping threshold status in the Alerts Grouping Status field in the Incidents table:
Enabled—The incident is open to accepting new related alerts.
Disabled—The grouping threshold is reached and the incident is closed to further alerts or if the incident reached the 1,000 alert limit. To view the exact reason for a Disabled status, hover over the status field.
Incident table reference information
The following table describes both the default and additional optional fields that you can view in the Incidents table and lists the fields in alphabetical order.