Incidents Fields

Cortex Xpanse Expander User Guide


You can sort, filter, and configure the fields to display in the Incidents table.

The Incidents table displays incidents in a table format. Use the split-pane mode icon to toggle between the default split-pane view and table view. Any changes you make to the incident fields, such as description, resolution status, filters, and sort selections, persist when you toggle between the modes.

Right-click an incident to view the incident details, and investigate the related assets, artifacts, and alerts.

The following table describes both the default and additional optional fields that you can view in the Incidents table and lists the fields in alphabetical order.




Check box to select one or more incidents on which to perform the following actions.

Alert Categories

Type of alert categories triggered by the incident alerts.

Alert Source

Source of the alert, such as XDR Analytics BIOC, XDR BIOC, and Correlation.

Alerts Grouping Status

Displays whether Alert Grouping is currently enabled.

  • Enabled—The incident is open to accepting new related alerts.

  • Disabled—The grouping threshold is reached and the incident is closed to further alerts, or the incident reached the 1,000 alert limit. To view the exact reason for a Disabled status, hover over the status field.

Alerts Breakdown

The total number of alerts and number of alerts by severity.

ASM Rules

The attack surface rules that triggered the alerts for this incident.

Assignee Email

Email address associated with the assigned incident owner.

Assigned To

The user to which the incident is assigned. The assignee tracks which analyst is responsible for investigating the threat. Incidents that have not been assigned have a status of Unassigned.

Creation Time

Date and time when the incident was created.

Critical Severity Alerts

Number of critical severity alerts that are part of the incident.

High Severity Alerts

Number of high severity alerts that are part of the incident.


Displays the host names affected by the incident.

Incident Description

The description is generated from the alert name from the first alert added to the incident, the host and user affected, or number of users and hosts affected.

Incident ID

A unique number to identify the incident.

Incident Name

A user-defined incident name.

Incident Sources

List of sources that raised high and medium severity alerts in the incident.

Incident's Playbook statuses

A list of the current alert playbook statuses for all alerts in the incident.

Last Updated

The last time a user took an action or an alert was added to the incident.

Low Severity Alerts

Number of low severity alerts that are part of the incident.

Medium Severity Alerts

Number of medium severity alerts that are part of the incident.

Port Number

Number of the port the service is running on.

Resolve Comment

The user-added comment when the user changes the incident status to a Resolved status.

Resolved Timestamp

Displays the date and time when the incident was set with a resolved status.


The incident includes alerts that match your incident prioritization policy. Incidents that have alert matches include a star by the incident name in the Incident details view and a value of Yes in this field.


New indicates the incident was just created or reopened.

Under Investigation is set by the user when beginning to investigate the incident.

Resolved indicates that all alerts in the incident have been resolved.


Displays the tags associated with the related alerts.

Total Alerts

The total number of alerts in the incident.


Users affected by the alerts in the incident. If more than one user is affected, click on + <n> more to see the list of all users in the incident.

Xpanse First Observed

Date and time when the first alert for this incident was triggered.