Adding Custom Incident Statuses and Resolution Reasons - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Cortex XSIAM
Creation date
Last date published
Administrator Guide

Add custom incident status and resolutions to your workflow.


Before you add a custom status, please review the built-in options. For more information, see Resolution Reasons for Incidents and Alerts.

We recommend using the built-in statuses and resolution reasons where possible. Custom statuses and resolution reasons might not be supported by all content, and status syncing can take time.

In addition, custom statuses affect Cortex XSIAM’s ability to learn, correctly identify, and score future incidents.

You can create custom incident statuses and custom resolution reasons that are tailored to your workflow. Custom incident statuses and resolution reasons apply to incident and alert statuses, and can also be used in playbooks.

Adding custom incident statuses and resolution reasons requires a View/Edit RBAC permission for Incident Properties (under Object Setup).

How to create custom incident statuses
  1. Go to Configurations+Object Setup+Incidents+Properties.

    The existing statuses and resolution types are listed.

  2. In the Add another status field, type a new status and click Save.

  3. Click Edit to rearrange the order of the statuses. This order is presented when you set a status or select a resolution type.