Incident starring - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product
Cortex XDR
Creation date
2024-03-06
Last date published
2024-10-10
Category
Administrator Guide
Abstract

Starring incidents can help you to prioritize and filter your incidents.

To help you focus on the most important incidents, you can star an incident. Starring incidents enables you to narrow down the scope of incidents on the Incidents page and in the Incident management dashboard. Cortex XDR identifies starred incidents with a purple star.

You can star incidents manually, or create an incident starring configuration. An incident starring configuration automatically categorizes and stars incidents that contain alerts with specific attributes. In a starring configuration you define attributes or assets for alerts that you want to star. If an alert matches the attributes in the starring configuration, the alert and incident containing the alert are starred. You can manage all starring configurations under Incident ResponseIncident ConfigurationStarred Alerts.

Incident starring supports Scope-Based Access Control (SBAC). The following parameters are considered when editing a starring configuration:

  • If Scoped Sever Access is enabled and set to restrictive mode, you can edit a configuration if you are scoped to all tags in the configuration.

  • If Scoped Sever Access is enabled and set to permissive mode, you can edit a configuration if you are scoped to at least one tag listed in the configuration.

  • If a policy was added when set to restrictive mode, and then changed to permissive (or vice versa), you will only have view permissions.

You can manually star an incident during or after investigation:

  1. Select Incident ResponseIncidents.

  2. In the list of incidents, locate the incident you want to star.

  3. Select the star icon.

You can proactively star alerts and incidents containing alerts by creating a starring configuration:

  1. Select Incident ResponseIncident ConfigurationStarred Alerts.

  2. Select Add Starring Configuration.

  3. Under Configuration Name, enter a name to identify your starring configuration.

  4. (Optional) Under Comment, enter a descriptive comment.

  5. In the alert table, use the filters to define the alert attributes you want to include in the match criteria.

    You can also right-click a specific value in the alert to add it as match criteria.

  6. Click Create.