Manage Incident Starring - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Prevent Administrator Guide


Create an incident starring configuration that categorizes and stars incidents when alerts contain attributes that you decide are important.

To help you focus on the incidents that matter most, you can star an incident. Cortex XDR identifies starred incidents with a purple star. You can star incidents in two ways: You can manually star an incident after reviewing it, or you can create an incident starring configuration that automatically categorizes and stars incidents when a related alert contains the specific attributes that you decide are important.

After you define an incident starring configuration, Cortex XDR adds a star indicator to any incidents that contain alerts that match the configuration.

You can then sort or filter the Incidents table for incidents containing starred alerts and similarly filter the Alerts table for starred alerts. In addition, you can also choose whether to display all incidents or only starred incidents on the Incidents Dashboard.

Incident Starring supports SBAC (scope-based access control). The following parameters are considered when editing a starring policy:

  • If Scoped Server Access is enabled and set to restrictive mode, you can edit a policy only if you are scoped to all tags in the policy.

  • If Scoped Server Access is enabled and set to permissive mode, you can edit a policy if you are scoped to at least one tag listed in the policy.

  • If a policy was added when set to restrictive mode, and then changed to permissive (or vice versa), you will only have view permissions.

Star a Specific Incident

To manually star an incident during or after investigation:

  1. Select Incident Response > Incidents.

  2. From the Incident List, locate the incident you want to star.

  3. Select the star icon.

Create a Starring Configuration

To proactively star alerts and incidents containing alerts, create a starring configuration.

  1. Select Incident Response > Incident Configuration > Starred Alerts.

  2. Select + Add Starring Configuration.

  3. Enter a Configuration Name to identify your starring configuration.

  4. Enter a descriptive Comment that identifies the reason or purpose of the starring configuration.

  5. Use the alert filters to build the match criteria for the policy.

    You can also right-click a specific value in the alert to add it as match criteria. The app refreshes to show you which alerts in the incident would be included.

  6. Create the policy and confirm the action.

    If you later need to make changes, you can view, modify, or delete the starring configuration from the Investigation > Incident Management > Starred Alerts page.
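The two rule sets on this page, the SBAC edit-permission checks listed above and the alert-attribute matching that stars an incident, written out as an added Python model for reference. This is constructed illustration, not Cortex XDR code or its API; the alert attribute names, tag names and the in-memory Incident/Alert types are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed model of the page's rules; not Cortex XDR's own API.


def can_edit_starring_policy(policy_tags: set[str], user_tags: set[str],
                             created_mode: str, current_mode: str) -> bool:
    """True if a user scoped to user_tags may edit a policy tagged policy_tags.

    created_mode is the Scoped Server Access mode when the policy was added,
    current_mode the mode now; both are "restrictive" or "permissive".
    """
    if created_mode != current_mode:
        # Mode changed since the policy was added: view permissions only.
        return False
    if current_mode == "restrictive":
        # Must be scoped to every tag on the policy (an untagged policy passes).
        return policy_tags <= user_tags
    if current_mode == "permissive":
        # Being scoped to at least one tag on the policy is enough.
        return bool(policy_tags & user_tags)
    raise ValueError(f"unknown Scoped Server Access mode: {current_mode}")


@dataclass
class Alert:
    attributes: dict[str, str]  # assumed attribute names, e.g. "severity"


@dataclass
class Incident:
    name: str
    alerts: list[Alert] = field(default_factory=list)
    starred: bool = False


def apply_starring_configuration(incidents: list[Incident],
                                 criteria: dict[str, set[str]]) -> list[str]:
    """Star every incident with at least one alert satisfying every criterion.

    criteria maps an alert attribute to the set of values that match.
    Returns the names of the incidents that were starred.
    """
    starred = []
    for inc in incidents:
        if any(all(a.attributes.get(k) in allowed for k, allowed in criteria.items())
               for a in inc.alerts):
            inc.starred = True
            starred.append(inc.name)
    return starred
```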