Triage Incidents - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Pro Administrator Guide

Product
Cortex XDR
License
Pro
Creation date
2023-10-31
Last date published
2024-03-18
Category
Administrator Guide
Abstract

Triage your incidents using the incident view tabs.

To help you triage and investigate your incidents, Cortex XDR displays your incidents in a split-pane view allowing you to easily investigate the entire scope and cause of an event, view all relevant assets, suspicious artifacts, and alerts within the incident details.

Navigate to Incident ResponseIncidents. The Incident split-pane view is divided into two main sections:

  • Incident List

  • Details Pane

Note

The Details pane includes two views, Legacy view and Advanced view. Legacy view allows you to view incidents from earlier versions.

The Incident List enables you to filter and sort according to the incident fields, such as status, score, severity, and timestamp. Each incident displays a summary of the incident severity, assignee, status, creation time, description, and assets. From the Incident List you can also review additional information.

The Details pane displays the information of the selected incident in the Incident List. The pane is made up of the following tabs that allow you to further investigate and manage each incident.

  • Overview—Made up of an Incident Header listing the incident details, the MITRE tactics and techniques, a summarized timeline, and widgets to visualize the number of alerts, the type of sources, hosts, and users associated with the incident. Select the pin icon next to the tab name to always display a specific tab first when you investigate incidents.

  • Key Assets & Artifacts—Displays the incident asset and artifact information of hosts, users, and key artifacts associated with the incident.

  • Alerts & Insights—Displays a table of the alerts and insights associated with the incident.

  • Timeline—A chronological representation of alerts and actions relating to the incident.

  • Executions—Displays the causality chains associated with the incident.