Understanding the Incidents page - Administrator Guide - Cortex XDR - Cortex - Security Operations

Use the Incidents page to review incident details and take remedial action.

The Incidents page is the first stop for investigating incidents. On the Incidents page you can see information about all incidents in your environment. You can track and manage your incidents, investigate incident details, and take remedial action.

By default, open incidents are displayed, but you can change the filters to browse through resolved incidents too. To make it easy for you to identify the most critical incidents, Cortex XDR provides color-coded icons that indicate severity, incident scores, and incident starring.

You can access the page from Incident Response > Incidents. The page is available in the following modes, and any changes that you make to the incident fields will persist between modes.

  • Detailed view (default)

    Displays incidents in a split-pane format that provides key details of each incident and makes it easy to prioritize the most urgent incidents.

  • Table view

    Displays incidents in a table format. For more information about the fields in the table view, see Incidents table view reference information.

From the Incidents page you can also access the Alerts Table to see a full list of alerts in the system.

Overview of the Incidents detailed view

The detailed view is a split-pane format consisting of the list pane and the details pane. The list pane consolidates key information for each incident based on filtering options. From the list you can identify the most critical attacks and start prioritizing your incidents. Click an incident in the list pane to see its full details in the details pane.

The details pane includes two views: Advanced view and Legacy view. Use the Legacy view to view incidents from earlier versions. To change the view, select Page View from the more options icon.

The details pane is split into the following sections and tabs:

Section or tab


Incident header

Displays detailed key information and provides administration actions for the incident, such as assigning an analyst and setting the status. Hover and click on a field for more information, and edit where required.


Displays the main incident information including the MITRE ATT&CK tactics and techniques identified in the incident, the number of alerts triggered, automation information about playbooks, and key artifacts and assets involved in the incident. You can click any of the widgets to start your investigation.

Key Assets & Artifacts

Displays the incident asset and artifact information of the key artifacts, hosts, and users associated with the incident. Hover over an icon for more information, or click the more options icon to see the available views and actions. For more information about investigating key assets and artifacts, see Investigate artifacts and assets.

Alerts & Insights

Displays a table of alerts and insights associated with the incident. Click on an alert or insight to see more information in the Details panel, or use the pivot menu to see the options for further investigation.


Displays a chronological representation of alerts and actions relating to the incident. Each timeline entry represents a type of action that was triggered in the alert.

Alerts that include the same artifacts are grouped into one timeline entry and display the common artifact in an interactive link. Click on an entry to view additional details in the Details panel. You can also filter the timeline by action type. Depending on the type of action, you can select the entry to further investigate and take action on the entry.


Displays the alert causality chains associated with the incident. On this tab you can investigate a causality chain and take actions on a host. For more information about investigating causality chains, see Causality view.


  • Select the pin icon next to a tab to set it as the default tab to open each time you investigate an incident.