Create an Incident - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Cortex XSIAM
Creation date
Last date published
Administrator Guide

You can manually create a new incident, assign it to a specific domain, and define custom fields for the incident.

You can create an incident in Cortex XSIAM directly from the user interface to manage all aspects of operations within a single location.


To create an incident manually, you must have the Create incident permission selected under SettingsAccess ManagementRolesComponentsIncident Response. To add a playbook to the manually created incident, you must have the Add Trigger Playbook permission selected.

In Incident ResponseIncidents, click New Incident and enter all relevant data. If required, you can also include custom fields. Consider the following information:

  • Assign the incident to an incident domain, or use the default domain (Security). Cortex XSIAM provides built-in domains, for more information see Incident and alert domains.


    You can assign an incident to a single domain only, and after incident creation you cannot change the assigned domain.

  • The severity of a manually generated incident cannot be low.

  • You can select multiple MITRE ATT&CK tactics and techniques.

  • Cortex XSIAM validates the Host IP, Local IP, and Remote IP fields.

  • You can select custom fields from Alerts fields.

    If you select Set fields as default for new Security Domain correlations, the custom alert fields that are configured for this incident are saved for all users. When a user next creates an incident for the same domain, these fields are automatically configured instead of the default field set.

    To reset the custom fields to the system default, click Restore Default Field Set.

  • By default, the Playbook is run Automatically by trigger as defined in the Incident Configuration.

  • Each incident creation generates one alert. The name, the severity, and the description of the generated alert mirrors the name, the severity, and the description of the incident.

  • You can't attach files to manually created incidents.