Learn about how incidents are created, incident terminology, incident thresholds, and incident planning and response
An incident represents a single, self-contained attack.
An incident is a container object that groups related alerts, assets, and artifacts that originate from a single root cause. The root cause might be a self-contained cyberattack that combines multiple actors (such as attackers, tools, and processes), or it might be a combination of malware and exploits.
Incidents comprise the following objects:
Alerts: Notification objects to report suspicious activity or events
Assets: Names of affected endpoints and users
Artifacts: Attributes of attacking objects such as filenames, file signers, processes, domains, and IP addresses
Each incident is individually configured and requires its own independent investigation. To see a list of all Incidents, navigate to the Incidents page.
Incident thresholds
To keep incidents fresh and relevant, Cortex XSIAM implements the following thresholds. When the incident reaches a threshold, it stops accepting alerts and groups subsequent related alerts in a new incident.
30 days have passed since the incident was created.
14 days have passed since the last alert in the incident was detected (backward scan alerts are excluded).
The incident reaches the 1,000 alert limit.
You can track the threshold status in the Alerts Grouping Status field in the Incidents table.
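The three thresholds above, as an added Python model that is not part of the Cortex XSIAM documentation or product code: it groups a sequence of alerts (assumed to share one root cause and to arrive in detection order) into incidents and reports which threshold closed an incident to new alerts. The Alert, Incident and group_alerts names, and the reading that a backward scan alert is counted in the incident but never advances the 14-day clock, are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# The three thresholds stated on this page.
MAX_INCIDENT_AGE = timedelta(days=30)  # 30 days after incident creation
MAX_ALERT_GAP = timedelta(days=14)     # 14 days since the last alert was detected
MAX_ALERTS = 1000                      # 1,000 alert limit

@dataclass
class Alert:
    detected_at: datetime
    backward_scan: bool = False  # assumption: backward scan alerts never advance the 14-day clock

@dataclass
class Incident:
    created_at: datetime
    alerts: list = field(default_factory=list)
    last_alert_at: Optional[datetime] = None  # detection time of the last non-backward-scan alert

    def grouping_status(self, now: datetime) -> str:
        """Return 'open', or the threshold that stopped this incident accepting alerts."""
        if now - self.created_at >= MAX_INCIDENT_AGE:
            return "closed: 30 days since creation"
        if self.last_alert_at is not None and now - self.last_alert_at >= MAX_ALERT_GAP:
            return "closed: 14 days since last alert"
        if len(self.alerts) >= MAX_ALERTS:
            return "closed: 1,000 alert limit"
        return "open"

    def add(self, alert: Alert) -> None:
        self.alerts.append(alert)
        if not alert.backward_scan:
            self.last_alert_at = alert.detected_at

def group_alerts(alerts: list) -> list:
    """Group related alerts (assumed to share one root cause), in the order given: an alert joins
    the newest incident if it is still open at the alert's detection time, else opens a new one."""
    incidents = []
    for alert in alerts:
        if not incidents or incidents[-1].grouping_status(alert.detected_at) != "open":
            incidents.append(Incident(created_at=alert.detected_at))
        incidents[-1].add(alert)
    return incidents

# Constructed sample: the backward scan alert on day 7 does not keep the incident alive,
# so the day-15 alert exceeds the 14-day gap and starts a second incident.
T0 = datetime(2024, 1, 1)
SAMPLE = [Alert(T0), Alert(T0 + timedelta(days=7), backward_scan=True), Alert(T0 + timedelta(days=15))]
SAMPLE_INCIDENTS = group_alerts(SAMPLE)
```

Replacing the day-7 alert with a live (non-backward-scan) one keeps the whole sequence in a single incident, which is the difference the exclusion in the second threshold makes.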
Incident domains
When an alert is triggered, Cortex XSIAM automatically assigns it to a domain, and the same domain is assigned to the associated incident. Incident domains are logical, contextual boundaries that allow you to manage and prioritize each operational use case, and help you differentiate between your security use cases and non-security use cases. For more information, see Incident and alert domains.