Transferred incidents

When the correlation engine detects that detections from an existing EDR incident are part of a broader, correlated attack, it transfers those detections to a new correlated incident. The original incident is then marked as transferred.

Transferred incidents allow the correlation engine to consolidate related activity into a single incident for a more complete view of the attack, while preserving a reference to the original incident from which the detections originated.

What happens when an incident is transferred

All detections from the original incident are moved to the new correlated incident.
The original incident is marked as transferred in the incident list.
A message is shown in the incident details, with a link to the new correlated incident.
Response actions, including Smart Remediation, are not available for transferred incidents. Use the new correlated incident to investigate and respond.

Identifying transferred incidents

You can identify transferred incidents by the transferred icon next to the incident ID in the incident list.

The Investigate incident action is disabled for transferred incidents.

To show transferred incidents in the incident list

In the Cyber Protect console, go to Protection > Incidents.
Click View next to the XDR On toggle, and then enable Show transferred incidents.

Transferred incidents are greyed out in the list.
Click the transferred icon to view the incident details.

The details panel includes a link to the new correlated incident that contains the transferred detections.

To investigate the activity that was transferred, open the new correlated incident by using the link provided in the transferred incident's details.