Incidents - User Guide - 2 - Cortex XPANSE - Cortex - Security Operations

Cortex Xpanse Expander User Guide

Creation date
Last date published
User Guide

Cortex Xpanse provides an Incidents table that you can use to view all the incidents reported to and surfaced from your Cortex Xpanse instance.

An incident is a collection of alerts related to a single service, or to a single asset if no service is detected. Incidents contain all the contextual data and assets from the related alerts. The Incidents page displays all your incidents to help you prioritize, track, investigate, and take remedial action.

To access the Incidents page, navigate to Incident ResponseIncidents .

By default, the Incidents page is displayed in split-pane view, which is the recommended view for investigating and resolving incidents. Incidents split-pane view displays a side-by-side view of your incidents, with the Incident List in the left pane and corresponding incident Details Pane on the right. You can also view Incidents in table format.

To toggle between split-pane view and table view of the Incidents page, click the table view icon table-view-icon.png in the upper right corner.

Incident List

Each incident in the incident list displays a summary of the incident severity, assignee, status, risk score, creation time, description, the number and severity of related alerts, and other information.

Right-click an incident in the incident list to perform the following actions:

  • Update the incident assignee

  • Change incident status

  • Change incident severity

  • Star the incident

  • Get a link to the incident

  • Manage the risk score for the incident

  • View the incident in a new tab

To perform these actions on a batch of two or more incidents, select the checkboxes for the incidents to be updated, right click, and select the desired action.

You can filter, sort, and search alerts in both split-pane view and table view. Refer to the following resources for additional information:

Incident Details

Select an incident in the incident list to display the incident details in the right pane. The incident details pane is organized into an incident summary at the top of the pane and six tabs. The following list provides an overview of the information displayed and the updates you can make on the incident summary and on each of the tabs.

  • Incident Summary (at the top of the details pane)

    Displays a summary of the incident, including assignee, status, risk score, and tags.

    Update the incident assignee and status. Click on the Risk Score to view the scoring information and set the risk score manually. Add a comment or note to the incident.

  • Overview tab

    Displays the Severity, Alert Description, and Playbook Status of each alert related to the incident.

    Update the severity of the alerts, change Alert Status, and Provide Input to the playbook for each alert.

  • Alerts tab

    Displays detailed information about each alert, including the attack surface rule that triggered the alert, remediation guidance, and playbook details.

    Update the severity and status of each alert and provide playbook input.

  • Assets tab

    Displays Asset Attribution Evidence and additional details about the assets and services related to the incident.

    Click the Know More about link next to the asset to pivot to the asset details in the Inventory.

  • Service/Website tab

    Displays service or website classification details.

  • Risk tab

    Displays details about the inferred CVEs and risk factors associated with alerts in the incident.

    Click on the relevant links to learn more about the CVEs and risk factors.

  • Timeline tab

    Displays a chronological list of the actions that impacted the alert, including playbook actions and manual updates.

    Click on an action in the timeline to display additional details.