What are incidents? - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-13
Category
Administrator Guide
Abstract

Learn about how incidents are created, incident terminology, incident thresholds, and incident planning and response

An incident represents a single, self-contained attack.

An incident is a container object that groups related alerts, assets, and artifacts originating from a single root cause. That root cause might be a self-contained cyberattack in which multiple actors (such as attackers, tools, and processes) act together, or it might be a combination of malware and exploits.

Incidents comprise the following objects:

  • Alerts: Notification objects to report suspicious activity or events

  • Assets: Names of affected endpoints and users

  • Artifacts: Attributes of attacking objects such as filenames, file signers, processes, domains, and IP addresses

Each incident is configured individually and requires its own independent investigation. To see a list of all incidents, navigate to the Incidents page.

Incident thresholds

To keep incidents fresh and relevant, Cortex XSIAM applies the following thresholds. When an incident reaches any one of them, it stops accepting alerts, and subsequent related alerts are grouped into a new incident.

  • 30 days have passed since the incident was created.

  • 14 days have passed since the last alert in the incident was detected (backward scan alerts are excluded from this count).

  • The incident has reached the 1,000 alert limit.

You can track the threshold status in the Alerts Grouping Status field in the Incidents table.
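The three thresholds interact in ways that are easy to misread, in particular the fact that a backward scan alert is grouped into an incident without resetting the 14-day timer. The following model is an added example, not Cortex XSIAM code: the three thresholds are the documented ones, while the root-cause key used to relate alerts, the assumption that alerts for one root cause arrive in chronological order, and all field and function names are simplifications introduced here.

```python
"""Illustrative model of alert-to-incident grouping thresholds.

Added example, not Cortex XSIAM code. Only the three thresholds come from the
documentation; the root-cause key, ordering assumption and names are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

MAX_INCIDENT_AGE = timedelta(days=30)   # 30 days after incident creation
MAX_ALERT_GAP = timedelta(days=14)      # 14 days since the last non-backward-scan alert
MAX_ALERTS = 1000                       # 1,000 alert limit


@dataclass
class Alert:
    detected_at: datetime
    root_cause: str            # hypothetical key relating alerts to one root cause
    backward_scan: bool = False


@dataclass
class Incident:
    incident_id: int
    root_cause: str
    created_at: datetime
    alerts: list = field(default_factory=list)
    last_alert_at: Optional[datetime] = None   # backward scan alerts never update this
    grouping_status: str = "open"              # stands in for "Alerts Grouping Status"

    def threshold_reached(self, now: datetime) -> Optional[str]:
        """Return the threshold that stops this incident accepting alerts, or None."""
        if now - self.created_at >= MAX_INCIDENT_AGE:
            return "30 days since creation"
        last = self.last_alert_at or self.created_at
        if now - last >= MAX_ALERT_GAP:
            return "14 days since last alert"
        if len(self.alerts) >= MAX_ALERTS:
            return "1,000 alert limit"
        return None


class IncidentGrouper:
    def __init__(self) -> None:
        self.incidents: list[Incident] = []

    def incidents_for(self, root_cause: str) -> list[Incident]:
        return [i for i in self.incidents if i.root_cause == root_cause]

    def _open_incident(self, root_cause: str, now: datetime) -> Optional[Incident]:
        for inc in self.incidents_for(root_cause):
            if inc.grouping_status != "open":
                continue
            reason = inc.threshold_reached(now)
            if reason is None:
                return inc
            inc.grouping_status = reason   # stop accepting alerts; later ones open a new incident
        return None

    def ingest(self, alert: Alert) -> Incident:
        """Group the alert into the open incident for its root cause, or open a new one."""
        inc = self._open_incident(alert.root_cause, alert.detected_at)
        if inc is None:
            inc = Incident(len(self.incidents) + 1, alert.root_cause, alert.detected_at)
            self.incidents.append(inc)
        inc.alerts.append(alert)
        if not alert.backward_scan:
            inc.last_alert_at = alert.detected_at
        return inc


def demo() -> dict:
    """Constructed sample alerts exercising each threshold; returns a summary."""
    t0 = datetime(2024, 3, 6, 12, 0)
    g = IncidentGrouper()
    # Root cause A: the backward scan alert on day 12 is grouped but does not reset
    # the 14-day timer, so the day-20 alert (15 days after day 5) opens a new incident.
    a = [g.ingest(Alert(t0, "cause-A")),
         g.ingest(Alert(t0 + timedelta(days=5), "cause-A")),
         g.ingest(Alert(t0 + timedelta(days=12), "cause-A", backward_scan=True)),
         g.ingest(Alert(t0 + timedelta(days=20), "cause-A"))]
    # Root cause B: unrelated, so it gets its own incident.
    b = g.ingest(Alert(t0 + timedelta(days=1), "cause-B"))
    # Root cause C: 1,001 alerts at once; the 1,001st spills into a new incident.
    for _ in range(MAX_ALERTS + 1):
        g.ingest(Alert(t0, "cause-C"))
    # Root cause D: an alert every 10 days; the day-30 alert hits the age limit.
    for day in (0, 10, 20, 30):
        g.ingest(Alert(t0 + timedelta(days=day), "cause-D"))
    c = g.incidents_for("cause-C")
    d = g.incidents_for("cause-D")
    return {
        "a_incident_ids": [i.incident_id for i in a],
        "a_first_status": a[0].grouping_status,
        "b_incident_id": b.incident_id,
        "c_alert_counts": [len(i.alerts) for i in c],
        "c_first_status": c[0].grouping_status,
        "d_alert_counts": [len(i.alerts) for i in d],
        "d_first_status": d[0].grouping_status,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows root cause A split across two incidents even though only 20 days have passed since creation, because the backward scan alert did not count towards the 14-day window, while root cause D splits at exactly 30 days despite alerts arriving every 10 days. When reading the Alerts Grouping Status field, this is why an incident can stop accepting alerts well before the 30-day mark.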

Incident domains

When an alert is triggered, Cortex XSIAM automatically assigns it to a domain, and the same domain is assigned to the associated incident. Incident domains are logical contextual boundaries that let you manage and prioritize each operational use case, and help you differentiate between your security use cases and non-security use cases. For more information, see Incident and alert domains.