Skip to main content


Unified Incidents


Unified Incidents brings XDR and EDR incidents and detections in one place. Wherever possible, this feature correlates host-based EDR incidents with broader attacks detected by XDR.


Existing incidents prior to the update will not get correlated unless another version of the parent incident is automatically generated.

Find this new feature by going to the Incidents page, where the new grid replaces the Extended Incidents, Endpoint Incidents, and Detected Threats tabs.


To gain access to this feature, make sure you have a product that provides access to the Incidents page.

Enroll for the Unified Incidents add-on by going to My company > Early access tab.

The new Incidents page

The Incidents page has been redesigned.


It now contains updates to the following areas:

Filtering options

The filters functionality has not changed. For information on how to filter incidents, refer to The Incidents page.

However, new filtering options are now available:

  • You can now search for Correlated incidents.

  • You now have distinct incident filters for date: Created on and Last updated on.

Incidents grid

The Incidents grid maintains the same functionality previously found in the Extended Incidents, Endpoint Incidents, and Detected Threats tabs.

However, updates have been implemented pertaining to:

Correlated incidents

When incidents become correlated, only the parent remains as a separate entry in the grid. Its correlated incidents are only listed in the Correlated incidents column. They do not have their own entries in the grid.

Only XDR incidents can have correlated incidents. This facilitates triage, since you can now focus on these more complex incidents, while still having the option to drill down through the associated incidents for further analysis.

When an incident assigned to you becomes correlated, you are notified in GravityZone Control Center. If you want to receive automated email notifications as well, go to the Notifications section and check the Correlated incident option.

New columns

New columns are now available in the Incidents grid:

  • Action taken has been extended to all incidents. The values for this field are:

    • Blocked: indicates a high probability that the attack was stopped in its entirety, and that it no longer poses a security risk.

    • Reported: indicates that the attack was not stopped and no blocking actions were taken.

  • Resources and Entities are now separate columns. They replace the former Organization Impact column. For the full list, refer to Entities and resources.

    • The Entities column provides a list of devices or accounts involved in the alert. You can view these as nodes in the Graph tab of the incident.

    • The Resources column refers to the artifacts involved in an alert. For example, files, hashes and URLs.

    • Clicking any of the entities and resources displayed in the grid, opens a dedicated side panel with further details.

  • Created on and Last updated on replace the former Date column.


The columns displayed in the grid may differ based on enabled licenses and add-ons.

New or redesigned side panels

The Incident info panel has been redesigned and there are now new side panels available for Entities and Resources.

  1. The Incident details panel

    Clicking one of the incidents in the grid now displays a redesigned side panel.


    A new section has been added, Incident analysis. It contains information related to the investigation of the incident, namely the Status, Assignee, and Priority.

    The Detections section is only available for EDR incidents. It provides a full list of detections, along with the incident trigger.

    Attack info now contains the following information:

    • Action taken

    • Alerts - the number of alerts is now clickable, for easier access.

    • Resources

    • Entities

    • Correlated incidents - applicable for XDR incidents

    • Kill chain phases

    • Endpoint OS (applicable only for EDR incidents)

  2. The Entities and Resources panels

    Clicking any entity or resource displayed in the Incidents grid opens a side panel that contains the full list of items, along with links to the incidents they belong to.


    Clicking any incident number in the list redirects you to the Graph tab of that incident.


Views allows you to save your current filter settings for later use.

Apply the desired filters and click Save as to save your current view and name it. Your newly created view will appear under the Saved category.

The following options are available for you to use with saved views:

  • Save: use this option to save changes you make to a saved view.

  • Save as: allows you to save a modified view under a different name.

  • Discard changes: reverts the saved view to its original state.

  • Add to favorites: adds the view to the Favorites category.

There are 3 categories of views:

  • Saved: displays your saved views.

  • Favorites: displays the saved views you marked as favorite.

  • Defaults: displays the All incidents and Assigned to you views.

For any view in the Saved or Favorites category, you can click ellipses.PNG for options to Rename or Delete the view.

Changes to incidents

The Organizational impact section in the Overview tab of XDR incidents now groups items into Entities and Resources.


Changes to Monitoring dashboards

For some portlets, the way the data is displayed and calculated has changed.


The Incident - Suspicious activity status and Incident - Suspicious activity portlets now reflect both EDR and XDR incidents. The dashboards count the parent incidents. Correlated incidents are not represented in the charts.

Severity scores are grouped by:

  • High - includes incidents with severity scores ranging from 75 to 100.

  • Medium - includes incidents with severity scores ranging from 40 to 74.

  • Low - includes incidents with severity scores ranging from 10 to 39.

Clicking any category from the charts redirects you to the Incidents grid, where the necessary filters are already applied for you.

Executive Summary

The Incident status portlet now groups incidents based on whether the attacks were blocked by prevention technologies or not. As such, the new values for this portlet are:

  • Blocked attacks: shows the number of incidents where prevention technologies stopped the attack.

  • Requires investigation: shows the number of incidents where mitigation steps and further analysis are required.

Clicking any category from the charts redirects you to the Incidents grid, where the necessary filters are already applied for you.

Submitting feedback

You can submit feedback by sending an email to