Create case timers and SLAs

Cortex XSIAM 3.x Documentation

Product: Cortex XSIAM
Creation date: 2025-07-15
Last date published: 2026-06-11
Category: Administrator Guide

Abstract

You can set up case timers and SLAs to track KPIs and ensure that operational performance is in line with your objectives. By adding timer and SLA fields to the Cases table, you can track the progress of your case SLAs.

To help you to monitor and assess your key performance indicators (KPIs), you can create SLAs at the case level. Case SLAs provide the ability to track KPIs, obtain real-time insights into operational performance, and ensure alignment with established objectives.

Case SLAs are based on case timer fields. When a case matches the defined criteria, the timer starts running. If the timer field is linked to an SLA, Cortex XSIAM tracks the progress of the case in relation to the SLA.

To track your SLAs on the Cases page, add the timer and SLA fields to the table layout, or create a custom layout with SLA fields. Note that the timer field counts forward, and the SLA field counts backwards.

Prerequisite

Before you can create a case SLA, you must first create a timer field. A timer field can be associated with a single case SLA.

Take the following steps to create a case timer field:

  1. Go to Settings → Configurations → Object Setup → Case and open the Fields tab.

  2. Click New Field.

  3. Under Field Type, select Timer.

  4. Type a field name.

  5. Under Tooltip, enter a description that pops up when you hover over the field.

  6. Under Case Filter, click Set Filter and define the subset of cases for which the timer will be activated. For example, you can define timers for specific domains or case source types.

    Note

    If you edit this filter after creation, the timer and associated SLA will be removed from any case that no longer qualifies, even if the timer is already running.

  7. Under Conditions, add filters that define when the timer will start and end. To add a pause condition to the timer, click Pause and define the pause criteria.

  8. Under When case is reopened, select the action that you want Cortex XSIAM to take.

  9. Click Save.

Example 116. 

The following timer measures the amount of time a security case is waiting in New status before an analyst starts investigating.

| Field | Value |
|---|---|
| Field Type | Timer |
| Field Name | Security case response |
| Tooltip | Measure time from case opening to analyst response. |
| Cases Filter | Case Domain = Security |
| Start when | Status = New |
| End when | Status = Under Investigation |
| When case is reopened | Reset timer |


Take the following steps to create a case SLA. You can set up multiple goals for an SLA.

  1. Go to Settings → Configurations → Object Setup → Cases and open the Fields tab.

  2. Click New Field.

  3. Under Field Type, select SLA.

  4. Type a name to identify the SLA.

  5. Under Tooltip, enter a description that pops up when you hover over the field.

  6. Under Timer, select the timer field with which to associate the SLA.

  7. Under Goals, click Add SLA Goal.

    The default goal applies to all cases that meet the filter criteria specified in the timer field. You can set up additional goals that apply to subsets of the defined cases.

  8. In the SLA goal, type a goal name and set filter criteria.

  9. In the Days, Hours, or Minutes fields, define the time conditions for the SLA goal.

  10. Arrange the SLA goals by dragging them in order of goal priority.

  11. Click Save.

Example 117. 

The following SLA field sets goals for analyst response times for security cases with Critical and High severity. This SLA is based on the timer field created in the previous example. Because the timer field is set up with the filter Case Domain = Security, this SLA will apply to security cases only.

The first SLA goal applies to security cases with a severity level of Critical. The SLA specifies that an analyst must respond to critical severity cases within one hour.

The second SLA goal applies to security cases with a severity level of High. The SLA specifies that an analyst must respond to high severity cases within two hours.

| Field | Value |
|---|---|
| Field Type | SLA |
| Field Name | Security case response SLA |
| Tooltip | Measure time from case opening to analyst response. |
| Timer | Security case response |

Goals:

| Name | Minutes | Filter |
|---|---|---|
| Critical severity cases | 60 | severity = Critical |
| High severity cases | 120 | severity = High |


After creating new timer and SLA fields, you can add them to the Cases table layout and view them in the Cases detailed view:

  • In the Cases table view, add the timer and SLA fields to the Layout tab in the Table Setting Menu.

  • In the Cases detailed view, use the Sort By field to filter the cases list by the SLA field. Details of the SLA are shown in the list.

    In addition, you can create a custom case layout with a new tab displaying SLA fields. For more information, see Case layouts.

Example 118. 

This example is based on the fields created in the previous procedures:

  • The Security case response timer field displays the number of minutes since case creation. When the case status moves from New to Under Investigation, the timer stops.

  • The Security case response SLA field starts counting backwards to show the remaining time to meet the SLA. If the field is shown in red with a minus time, the SLA is breached.

    • For case 001, the critical severity case has been in New status for 5 minutes. An analyst must respond within the remaining 55 minutes.

    • For case 002, the high severity case has been in New status for 20 minutes. An analyst must respond within the remaining 1 hour and 40 minutes.

    • For case 003, an analyst did not respond within 60 minutes and therefore the SLA was breached. The Security case response SLA field displays a minus value and a red icon.

| Case ID | Severity | Security case response | Security case response SLA |
|---|---|---|---|
| 001 | Critical | 5m | 55m 25s |
| 002 | High | 20m | 1h 40m 30s |
| 003 | Critical | 65m | - 5m 23s |


Consider the following information when working with timer and SLA fields:

  • When a case is resolved, the timer calculation stops.

  • Updating timer logic affects open and new cases. Therefore, the timer and associated SLA will be removed from any case that no longer qualifies, even if the timer is already running.

  • If you delete a timer field, the SLA associated with the timer is also deleted.
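
The timer and SLA behavior from Examples 116 to 118, modeled offline as an added Python example; it is not Palo Alto Networks code and does not use any Cortex XSIAM API. The dictionary keys, the `Resolved` status name, first-match goal selection by priority order, and treating a return to New status as a reopen are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed model of Examples 116-118; not Cortex XSIAM code or an API.
TIMER = {"filter": {"domain": "Security"}, "start": "New",
         "end": "Under Investigation"}
# Goals in priority order. Assumption: the first goal whose filter matches applies.
GOALS = [("Critical severity cases", {"severity": "Critical"}, timedelta(minutes=60)),
         ("High severity cases", {"severity": "High"}, timedelta(minutes=120))]

def matches(case, flt):
    return all(case.get(k) == v for k, v in flt.items())

def timer_elapsed(case, history, now):
    """Forward-counting timer over a sorted list of (timestamp, status) events."""
    if not matches(case, TIMER["filter"]):
        return None                      # case filter excludes it: no timer
    started = stopped = None
    for ts, status in history:
        if status == TIMER["start"]:
            started, stopped = ts, None  # assumption: re-entering New models "Reset timer"
        elif status in (TIMER["end"], "Resolved") and started and not stopped:
            stopped = ts                 # end condition met, or case resolved
    return None if started is None else (stopped or now) - started

def evaluate(case, history, now):
    """Return timer value, matched goal, remaining SLA time and breach flag."""
    elapsed = timer_elapsed(case, history, now)
    if elapsed is None:
        return None
    for name, flt, limit in GOALS:
        if matches(case, flt):
            remaining = limit - elapsed  # SLA counts backwards; negative = breached
            return {"timer": elapsed, "goal": name, "remaining": remaining,
                    "breached": remaining < timedelta(0)}
    return {"timer": elapsed, "goal": None, "remaining": None, "breached": False}

NOW = datetime(2025, 1, 1, 12, 0)        # constructed evaluation time
def opened(minutes_ago):
    return [(NOW - timedelta(minutes=minutes_ago), "New")]

CASES = {  # constructed to mirror the rows of Example 118 (whole minutes only)
    "001": ({"domain": "Security", "severity": "Critical"}, opened(5)),
    "002": ({"domain": "Security", "severity": "High"}, opened(20)),
    "003": ({"domain": "Security", "severity": "Critical"}, opened(65)),
}

if __name__ == "__main__":
    for cid, (case, history) in CASES.items():
        print(cid, evaluate(case, history, NOW))
```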