Automatic Enrichment of Incidents
To save analyst time and accelerate incident response, Cisco XDR automatically enriches (investigates) the correlated events of an incident when the incident is created, looking for additional sightings, judgments, and indicators related to the incident's initial sighting(s).
During the auto-enrichment process, the targets and observables from the initial sighting(s) are investigated. If this investigation yields sightings, a second investigation is then performed on any new targets or malicious, suspicious, or unknown observables from the sightings found during the first investigation. When the investigation is complete, an investigation snapshot is taken and saved to private intel and linked to the incident.
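The following is an added, constructed model of the two-pass enrichment described above; it is not Cisco XDR code and does not call the XDR API. The in-memory intel store, the `"type:value"` key format, the sighting identifiers, and the helper names (`investigate`, `auto_enrich`, `run_example`) are all assumptions made for illustration. It shows the points a practitioner cares about: every target and observable from the initial sighting is looked up in the first pass, only new targets and malicious, suspicious, or unknown observables from those results are looked up in the second pass, clean observables are not followed, and nothing found by the second pass is investigated again, so the enrichment stops at two hops.

```python
"""Constructed model of two-pass incident auto-enrichment (not Cisco XDR code)."""
from dataclasses import dataclass

# Judgments that qualify an observable for the second investigation.
SECOND_PASS_DISPOSITIONS = {"malicious", "suspicious", "unknown"}


@dataclass(frozen=True)
class Sighting:
    id: str
    observables: frozenset  # "type:value" strings, e.g. "ip:203.0.113.10"
    targets: frozenset      # "type:value" strings, e.g. "endpoint:host-1"


# Constructed intel store standing in for the XDR and module lookups.
JUDGMENTS = {
    "sha256:aaa111": "malicious",
    "ip:203.0.113.10": "suspicious",
    "domain:good.example": "clean",
    "domain:c2.example": "unknown",
    "sha256:bbb222": "malicious",
    "ip:198.51.100.5": "malicious",
}

SIGHTINGS = {
    "s1": Sighting("s1", frozenset({"ip:203.0.113.10", "domain:good.example"}), frozenset({"endpoint:host-2"})),
    "s2": Sighting("s2", frozenset({"domain:c2.example"}), frozenset({"endpoint:host-1"})),
    "s3": Sighting("s3", frozenset({"sha256:bbb222"}), frozenset({"endpoint:host-3"})),
    "s4": Sighting("s4", frozenset({"domain:good.example"}), frozenset({"endpoint:host-9"})),
    "s5": Sighting("s5", frozenset({"ip:198.51.100.5"}), frozenset({"endpoint:host-2"})),
    "s6": Sighting("s6", frozenset({"sha256:aaa111"}), frozenset({"endpoint:host-2"})),
    "s7": Sighting("s7", frozenset({"sha256:bbb222"}), frozenset({"endpoint:host-4"})),
}

# Which sightings a lookup of a given observable or target returns (constructed).
SIGHTINGS_BY_KEY = {
    "sha256:aaa111": {"s1"},
    "endpoint:host-1": {"s2"},
    "ip:203.0.113.10": {"s3"},
    "domain:good.example": {"s4"},   # clean: must never be looked up
    "domain:c2.example": {"s5"},
    "endpoint:host-2": {"s6"},
    "sha256:bbb222": {"s7"},         # third hop: must never be looked up
}


def investigate(keys):
    """Look up every observable/target key and return the sightings found."""
    found = set()
    for key in keys:
        found |= SIGHTINGS_BY_KEY.get(key, set())
    return {SIGHTINGS[sid] for sid in found}


def auto_enrich(initial):
    """Two-pass enrichment; returns the snapshot that would be linked to the incident."""
    investigated = set()
    all_sightings = set(initial)

    # Pass 1: every target and observable from the initial sighting(s).
    first_keys = set()
    for s in initial:
        first_keys |= s.observables | s.targets
    pass1 = investigate(first_keys)
    investigated |= first_keys
    all_sightings |= pass1

    # Pass 2 only if pass 1 yielded sightings: new targets, plus observables
    # judged malicious/suspicious/unknown. Already-investigated keys and
    # clean observables are skipped; an observable with no judgment is unknown.
    if pass1:
        second_keys = set()
        for s in pass1:
            second_keys |= {t for t in s.targets if t not in investigated}
            second_keys |= {
                o for o in s.observables
                if o not in investigated
                and JUDGMENTS.get(o, "unknown") in SECOND_PASS_DISPOSITIONS
            }
        investigated |= second_keys
        all_sightings |= investigate(second_keys)

    # Snapshot: sightings, a judgment for every observable seen, and what was looked up.
    seen = set().union(*(s.observables for s in all_sightings))
    return {
        "sightings": sorted(s.id for s in all_sightings),
        "judgments": {o: JUDGMENTS.get(o, "unknown") for o in sorted(seen)},
        "investigated": sorted(investigated),
    }


def run_example():
    """Constructed initial sighting: one malicious hash seen on one endpoint."""
    s0 = Sighting("s0", frozenset({"sha256:aaa111"}), frozenset({"endpoint:host-1"}))
    return auto_enrich({s0})


if __name__ == "__main__":
    for k, v in run_example().items():
        print(k, v)
```

Running it shows the snapshot holding s0 through s3, s5 and s6, while s4 (reachable only through the clean domain) and s7 (reachable only through a hash first seen in pass 2) are absent, and sha256:bbb222 carries a judgment in the snapshot even though it was never itself investigated.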
Note: If you want to enable auto-promotion of compromise events from Cisco Secure Endpoint as incidents in Cisco XDR for automatic enrichment, you must initiate the Cisco XDR integration from Secure Endpoint. For more information, see the Cisco Secure Endpoint documentation.