Auto Incident Creation in XDR

Overview

In XDR Next, most detections are currently generated as alerts only. Incidents are not created automatically (except for EPP Connector alerts), so SOC analysts must manually convert alerts into incidents. This creates operational overhead and affects how analysts:

  • Track investigation ownership
  • Manage lifecycle (assignment, escalation, closure)
  • Use incident-level automation and reporting

To address this, XDR Next brings over the auto-incident creation module from the earlier XDR architecture. With this module enabled, eligible alerts automatically generate incidents, and related alerts are grouped into the same incident.

What auto incident creation does

When enabled, the auto-incident creation module:

  • Automatically creates an incident for eligible alerts

    • Each qualifying alert triggers an incident if no related open incident exists.
  • Groups related alerts into a single incident (where applicable)

    • Related alerts are correlated using the legacy XDR logic (for example, same host, user, or campaign, depending on your implementation).
  • Restores incident-centric workflows

    • Ownership, prioritization, and lifecycle are managed at the incident level instead of per alert.

Before and after

| Behavior                   | Without auto incident creation             | With auto incident creation                   |
|----------------------------|--------------------------------------------|-----------------------------------------------|
| Alert handling             | Alerts only                                | Alerts and automatically generated incidents  |
| Incident creation          | Manual: analyst converts alert to incident | Automatic: system creates incident from alert |
| Grouping of related alerts | Limited / manual                           | Automatic grouping (legacy correlation logic) |
| SOC workload               | Higher manual effort                       | Reduced manual conversion and triage effort   |
| Investigation focus        | Alert-centric                              | Incident-centric                              |

How auto incident creation works

The following steps describe the high-level behavior of the module. Exact criteria may depend on your environment and policies.

  1. Alert is generated

    • A detection rule or engine generates an alert in XDR Next.
  2. Alert is evaluated for incident creation

    • The system checks if the alert meets the criteria used by the earlier XDR incident creation logic. Examples:

      • Alert severity (for example, Medium and above)
      • Alert type or category (for example, endpoint, email, cloud)
      • Source entity (host, user, tenant)
  3. System finds an existing related incident (if any)

    • The module checks for an open incident that matches correlation conditions such as:

      • Same asset, user, or tenant
      • Same or related detection rule
      • Within a defined time window
  4. System creates or updates an incident

    • If no related incident is found:

      • A new incident is created automatically from the alert.
    • If a related incident exists:

      • The alert is attached to the existing incident.
  5. Incident appears in the SOC console

    • The incident is available to SOC analysts, who can:

      • Assign an owner
      • Change status (for example, Open, In progress, Resolved)
      • Add notes and evidence
      • Trigger playbooks or automation rules
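The following is an added, illustrative model of steps 2 to 4 above, not XDR Next's own code or the legacy XDR correlation logic. The severity floor ("Medium and above"), the 24-hour window, the "same tenant plus same host or user" rule and all field names are assumptions chosen to show how an alert either becomes a new incident, attaches to an open one, or stays an alert.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Illustrative model of steps 2-4 above; thresholds and field names are assumptions.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
MIN_SEVERITY = "medium"                   # step 2: assumed "Medium and above"
CORRELATION_WINDOW = timedelta(hours=24)  # step 3: assumed correlation time window
Alert = namedtuple("Alert", "id severity tenant host user ts")

@dataclass
class Incident:
    id: str
    anchor: Alert            # tenant/host/user of the alert that opened the incident
    last_seen: datetime
    status: str = "Open"
    alert_ids: list = field(default_factory=list)

def is_eligible(alert):  # step 2: severity floor; other criteria would go here
    return SEVERITY_RANK[alert.severity.lower()] >= SEVERITY_RANK[MIN_SEVERITY]

def find_related(alert, incidents):  # step 3: open, same tenant, same host or user, in window
    for inc in incidents:
        same_entity = inc.anchor.host == alert.host or inc.anchor.user == alert.user
        if (inc.status == "Open" and inc.anchor.tenant == alert.tenant
                and same_entity and alert.ts - inc.last_seen <= CORRELATION_WINDOW):
            return inc
    return None

def process(alerts, incidents=None):  # step 4: create a new incident or attach to an existing one
    incidents = [] if incidents is None else incidents
    for a in sorted(alerts, key=lambda x: x.ts):  # evaluate in time order
        if not is_eligible(a):
            continue  # stays an alert only
        inc = find_related(a, incidents)
        if inc is None:
            inc = Incident(f"INC-{len(incidents) + 1:04d}", a, a.ts)
            incidents.append(inc)
        inc.alert_ids.append(a.id)
        inc.last_seen = a.ts  # keeps the window sliding while alerts keep arriving
    return incidents

def demo():  # constructed sample alerts
    t0 = datetime(2024, 1, 1, 9, 0)
    alerts = [
        Alert("A1", "High", "t1", "host1", "alice", t0),
        Alert("A2", "Low", "t1", "host1", "alice", t0 + timedelta(minutes=5)),  # below floor
        Alert("A3", "Medium", "t1", "host1", "bob", t0 + timedelta(hours=1)),   # same host
        Alert("A4", "High", "t1", "host1", "alice", t0 + timedelta(hours=30)),  # window expired
    ]
    return process(alerts)
```

Running `demo()` yields two incidents: A1 and A3 grouped into the first, A4 opening a second because the window has expired, and A2 never leaving the alert queue.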

Benefits of auto incident creation

Auto incident creation provides the following benefits:

  • Reduced manual work

    • Analysts no longer need to convert each alert to an incident.
  • Consistent incident lifecycle management

    • Teams can manage assignment, escalation, and closure at the incident level.
  • Better correlation and context

    • Related alerts are grouped into a single incident, giving analysts end-to-end context.
  • Improved readiness for future correlation

    • SOC workflows remain stable while the new correlation model is being developed and rolled out.

Using incidents in daily operations

After auto incident creation is enabled, SOC analysts can use incidents as the primary unit of work.

Typical actions include:

  • View incidents

    • Navigate to the Incidents area in XDR Next to see all automatically created incidents.
  • Assign incidents

    • Assign incidents to specific analysts or queues.
  • Investigate

    • Open an incident to:

      • Review associated alerts and entities.
      • Add investigation notes and evidence.
      • Launch response playbooks (if configured).
  • Escalate or reassign

    • Change ownership or priority as required by your SOPs.
  • Resolve and close

    • When investigation is complete, update the status and close the incident.

Tip
Use incident filters (severity, status, owner, time range) to quickly find the most critical or active investigations.
