Cortex Xpanse provides an Incidents table that you can use to view all the incidents reported to and surfaced from your Cortex Xpanse instance.
An incident is a collection of alerts related to a single service, or to a single asset if no service is detected. Incidents contain all the contextual data and assets from the related alerts. The Incidents page displays all your incidents to help you prioritize, track, investigate, and take remedial action.
To access the Incidents page, navigate to → .
By default, the Incidents page is displayed in split-pane view, which is the recommended view for investigating and resolving incidents. The split-pane view shows your incidents side by side, with the Incident List in the left pane and the corresponding Incident Details pane on the right. You can also view incidents in table format.
To toggle between split-pane view and table view of the Incidents page, click the table view icon in the upper right corner.
Incident List
Each incident in the incident list displays a summary of the incident severity, assignee, status, risk score, creation time, description, the number and severity of related alerts, and other information.
Right-click an incident in the incident list to perform the following actions:
Update the incident assignee
Change incident status
Change incident severity
Star the incident
Get a link to the incident
Manage the risk score for the incident
View the incident in a new tab
To perform these actions on a batch of two or more incidents, select the checkboxes for the incidents to be updated, right-click, and select the desired action.
You can filter, sort, and search incidents in both split-pane view and table view. Refer to the following resources for additional information:
See Filter Page Results for information about filtering tables.
See Search Page Results for details about how to search within tables.
See Incidents Fields for descriptions of the fields in the Incidents list.
Incident Details
Select an incident in the incident list to display the incident details in the right pane. The incident details pane is organized into an incident summary at the top of the pane and six tabs. The following list provides an overview of the information displayed and the updates you can make on the incident summary and on each of the tabs.
Incident Summary (at the top of the details pane)
Displays a summary of the incident, including assignee, status, risk score, and tags.
Update the incident assignee and status. Click on the Risk Score to view the scoring information and set the risk score manually. Add a comment or note to the incident.
Overview tab
Displays the Severity, Alert Description, and Playbook Status of each alert related to the incident.
Update the severity of the alerts, change Alert Status, and Provide Input to the playbook for each alert.
Alerts tab
Displays detailed information about each alert, including the attack surface rule that triggered the alert, remediation guidance, and playbook details.
Update the severity and status of each alert and provide playbook input.
Assets tab
Displays Asset Attribution Evidence and additional details about the assets and services related to the incident.
Click the Know More About link next to an asset to pivot to the asset details in the Inventory.
Service/Website tab
Displays service or website classification details.
Risk tab
Displays details about the inferred CVEs and risk factors associated with alerts in the incident.
Click on the relevant links to learn more about the CVEs and risk factors.
Timeline tab
Displays a chronological list of the actions that impacted the alert, including playbook actions and manual updates.
Click on an action in the timeline to display additional details.