Starting in v7.2, the Incident list has been redesigned:

• Before v7.2: The top-level row was a logical grouping of related events, and its attributes were derived from its child events.

• Since v7.2: The top-level row is now an Incident entity with its own attributes (e.g., Status, Classification), while still linking to child events.
  
  

Impact of this change.

When filters are applied (e.g., Unhandled, Malicious):

• The Incident may match the filter and still appear in the list.

• If its child events do not match the filter, the Event Details section shows 'No results found'.

This can appear inconsistent, but it is expected behavior under the new design.

Example:

Without filters: Expanding an incident shows child events normally.

With Unhandled filter: The incident appears because the Incident itself is Unhandled. However, its child event is handled, so Event Details show 'No results found'.

Recommendations

• This is by design in FortiEDR v7.2.

• If Event Details show 'No results', check the actual status/classification of the child events.

• Apply filters that match the child events (e.g., Inconclusive) to see their details.