Incident and alert domains - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-07
Category
Administrator Guide
Abstract

Cortex XSIAM assigns each incident and alert to a domain. Domains help you to organize and manage your work efforts, and differentiate between use cases.

Incident domains help you to organize and manage your work efforts by associating incidents and alerts to a domain, and creating a tailored experience for each domain. Incident domains are a logical contextual boundary that allow you to manage and prioritize each operational use case, and help you to differentiate between your security use cases and non-security use cases.

When an alert is triggered, Cortex XSIAM automatically assigns it to a domain, and the same domain is assigned to the associated incident. If you create your own incident or correlation rule, you can select the domain to which you want to assign the incident or alerts.

On the Incidents and Alerts pages, you can see the domain to which your incidents and alerts are assigned. Each incident and alert is assigned to a single domain, and you cannot change the assigned domain.

Cortex XSIAM provides the following built-in domains:

Domain

Description

Security

For incidents and alerts that are associated with incident response activities for detecting, preventing, and blocking threats. For example, alerts that can harm the security of your organization's assets.

Health

For incidents and alerts that are associated with health monitoring activities to ensure optimal platform performance and gain insights into health drifts. For example, disruptions in data ingestion, collector connectivity errors, correlation rule errors, and event forwarding errors.

IT

For incidents and alerts that are associated with operational activities for ensuring availability and reliability in system performance. For example, server outages, network connectivity issues, application performance problems, or IT tasks.

Hunting

For incidents and alerts that are associated with identifying and mitigating potential security threats before they cause any damage. For example, monitoring network traffic, analyzing logs, and conducting vulnerability assessments.

You can see all domains under ConfigurationsObject SetupIncidentsDomains. From this tab you can edit the properties of the built in domains, and create your own domains for non-security use cases. For more information, see Create an incident domain.

Note

Consider the following information:

  • You can't merge incidents with different domains, and you can't move alerts between incidents with a different domains.

  • SmartScore is currently supported for the Security domain only.

  • For SBAC, there is a new tag family for Incident Domains, and new tags for each domain that enable you to control access to your domains.

  • Domains might affect custom content that is connected to incidents and alerts. Review you custom content to ensure it is associated with the intended domains, this includes:

    • Playbook triggers

    • Starring rules

    • Notifications

    • Alert exclusions

    • Scoring rules

    • XQL that accesses the incident or alert datasets in scheduled queries, and widgets