09-05-2024 04:58 AM
For anyone else using XDR.
Since the change occurred where all alerts from SE are sent to XDR, we have had little to zero incidents in XDR with SE observables. While this may be a benefit and working as designed to only promote what would be considered actionable, it also has me wondering.
Curious if anyone else is using XDR and experiencing the same?
09-05-2024 08:31 AM
Thanks. Really appreciate the reply and sanity check.
09-05-2024 05:40 AM
09-05-2024 05:43 AM
I have an internal request created to improve the documentation around this data flow but don't currently have a timeline on when a change will be made to the documentation. I can share that part of the reason the change was made was so Secure Endpoint events will get processed with additional contextual information rather than just being Secure Endpoint events duplicated and displayed in XDR. I know that isn't much information, but hopefully that helps and I'll keep pushing to get the documentation updated with more details.
Thanks,
-Matt
09-05-2024 08:40 AM
Thanks. I appreciate the reply on this. Yes, I would agree that documentation would help.
I am sure it is to make incidents more valuable in terms of actionable investigation, but having a little better understanding and some context would be helpful.