defender-xdr/alerts-incidents-correlation.md (1 addition, 7 deletions)
@@ -85,7 +85,7 @@ Even when the correlation logic indicates that two incidents should be merged, D
85
85
86
86
- One of the incidents has a status of "Closed". Incidents that are resolved don't get reopened.
87
87
- The source and target incidents are assigned to two different people.
88
-
- The source and target incidents have two different classifications (for example, true positive and false positive).
88
+
- The source and target incidents have two different classifications (for example, true positive and false positive) or two different determinations (the subcategories of classifications).
89
89
- Merging the two incidents would raise the number of entities in the target incident above the allowed maximum.
90
90
- The two incidents contain devices in different [device groups](/defender-endpoint/machine-groups) as defined by the organization. <br>(This condition is not in effect by default; it must be enabled.)
91
91
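Review bot: the reworded bullet at line 88 ("two different classifications ... or two different determinations") leaves open whether an incident with no classification or determination set counts as "different" from one that has a value; merge-incidents-manually.md in this same commit says a null value on either side does not block a manual merge. If the same holds for automatic correlation, make this bullet (and the "assigned to two different people" bullet at line 87) say so explicitly, e.g. "The source and target incidents have two different, non-empty classifications or determinations", so the two pages state one rule.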
@@ -95,12 +95,6 @@ If two incidents should be merged, but aren't merged for any of the reasons list
95
95
96
96
For example, if the incidents weren't merged because they were assigned to two different people, you can remove the assignment of one of the incidents and then merge the incidents manually.
97
97
98
-
<!-- This paragraph (what I originally wrote) better describes the Cases feature, doesn't it?
99
-
100
-
Over the course of investigating an incident, you might discover that other incidents are related to the same attack story or security event, and that these incidents should be investigated together as a unit. In such a case, you can now merge these incidents together into a single incident. This scenario includes cases where the incidents ought to be merged, but weren't because of the circumstances described previously in [When incidents aren't merged](#when-incidents-arent-merged).
101
-
102
-
-->
103
-
104
98
Merging incidents together is preferable to unlinking alerts from one incident and linking them to another, because all the incident information (for example, the activity log) is preserved.
105
99
106
100
For now, only two incidents at a time can be merged manually.
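Review bot: the deleted block at lines 98-103 was an HTML comment that never rendered, so removing it changes nothing for readers; the thing to check is that the surviving example at line 96 ("remove the assignment of one of the incidents and then merge the incidents manually") still matches the manual-merge rules, and it does, because this commit changes merge-incidents-manually.md to accept a null Assigned to value on one side. Consider adding a link from this paragraph to merge-incidents-manually.md so readers see which fields must match or be empty before attempting the manual merge.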
defender-xdr/merge-incidents-manually.md (3 additions, 3 deletions)
@@ -30,7 +30,7 @@ Sometimes, however, the automatic merging doesn't happen, due to certain conditi
30
30
31
31
- Users must have permissions to view the incidents queue.
32
32
- Users must have read and write permissions on all the incidents they wish to merge. Incidents from different sources have different RBAC roles defined.
33
-
- Incidents that are candidates for merging must have the same values for **Assigned to**, **Classification**, and **Determination**.
33
+
- Incidents that are candidates for merging must have either the same values as each other, or null values, for the **Assigned to**, **Classification**, and **Determination** fields.
34
34
35
35
## Merge incidents from the incident queue page
36
36
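Review bot: "either the same values as each other, or null values" at line 33 is ambiguous about whether both incidents must be null or one null suffices; the two later paragraphs in this same file (lines 53 and 73) say "at least one of the incidents has a null value". Align this bullet with them, e.g. "Incidents that are candidates for merging must, for each of the **Assigned to**, **Classification**, and **Determination** fields, either have the same value or have no value set on at least one side." "Null" is also developer wording for a user-facing page; "no value set" or "unassigned" matches what the portal shows.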
@@ -50,7 +50,7 @@ Sometimes, however, the automatic merging doesn't happen, due to certain conditi
50
50
51
51
1. In the confirmation dialog that appears, select **Merge**. When the merge is complete, a "Success" notification appears, with a link to follow to go to the merged (target) incident.
52
52
53
-
If the merge fails, a dialog box appears with a message that the incidents failed to merge. Verify that both incidents have the same values for **Assigned to**, **Classification**, and **Determination**.
53
+
If the merge fails, a dialog box appears with a message that the incidents failed to merge. Verify that both incidents have the same values, or that at least one of the incidents has a null value, for **Assigned to**, **Classification**, and **Determination**.
54
54
55
55
## Merge incidents from within the incident page
56
56
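Review bot: the new sentence at line 53 states the rule per incident rather than per field, so it can be read as "all three fields match, or one incident is entirely blank"; presumably the check is field by field. Suggest "Verify that, for each of **Assigned to**, **Classification**, and **Determination**, both incidents have the same value or at least one of them has no value set." Use the same wording at line 73 so the two failure paragraphs don't drift apart.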
@@ -70,7 +70,7 @@ Sometimes, however, the automatic merging doesn't happen, due to certain conditi
70
70
71
71
1. In the confirmation dialog that appears, select **Merge**. When the merge is complete, a "Success" notification appears, the open incident is closed, and you are redirected to the merged (target) incident.
72
72
73
-
If the merge fails, a dialog box appears with a message that the incidents failed to merge. For the merge to succeed, both incidents must have the same valuesfor **Assigned to**, **Classification**, and **Determination**.
73
+
If the merge fails, a dialog box appears with a message that the incidents failed to merge. For the merge to succeed, both incidents must have the same values—or at least one incident must have a null value—for **Assigned to**, **Classification**, and **Determination**.
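Review bot: good catch on "valuesfor" at line 73, but the replacement introduces dashes around "or at least one incident must have a null value", while the equivalent sentence at line 53 uses commas; the two paragraphs describe the same failure and should be word-for-word identical (or factored into one shared paragraph), and, as at line 53, the condition should be stated per field and in user terms ("no value set") rather than "null value".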