Incident Promotions from Secure Endpoint to XDR

TimBTim
Level 1

For anyone else using XDR.

Since the change occurred where all alerts from SE are sent to XDR, we have had little to zero incidents in XDR with SE observables. While this may be a benefit and working as designed to only promote what would be considered actionable, it also has me wondering.

Curious if anyone else is using XDR and experiencing the same?


4 Replies

Yes. Seeing the same thing here too.


Thanks. Really appreciate the reply and sanity check.

Matthew Franks
Cisco Employee

I have an internal request created to improve the documentation around this data flow but don't currently have a timeline on when a change will be made to the documentation. I can share that part of the reason the change was made was so Secure Endpoint events will get processed with additional contextual information rather than just being Secure Endpoint events duplicated and displayed in XDR. I know that isn't much information, but hopefully that helps and I'll keep pushing to get the documentation updated with more details.

Thanks,

-Matt

Thanks. I appreciate the reply on this. Yes, I would agree that documentation would help.

I am sure it is to make incidents more valuable in terms of actionable investigation, but having a little better understanding and some context would be helpful.