Create an incident domain

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-07-16
Last date published: 2024-12-11
Category: Administrator Guide
Abstract

You can create custom incident domains to help you differentiate between your work efforts and effectively manage and prioritize your workload.

Warning

Before you add a custom domain, please review the built-in options. For more information, see Incident and alert domains.

We recommend using the built-in domains where possible. Custom domains might not be supported by all content. In addition, custom domains affect Cortex XSIAM’s ability to learn, correctly identify, and score future incidents.

Alert grouping and Smartscore are supported only for the Security domain.

Custom domains help you to differentiate between your work efforts. You can create tailored workflows for each domain, so that you can effectively manage and prioritize your workload.

Note

  • Adding custom domains requires a View/Edit RBAC permission for Incident Properties (under Object Setup).

  • Once created, a custom incident domain cannot be deleted or renamed.

How to add an incident domain
  1. Go to Configurations → Object Setup → Incidents → Domains.

    The existing domains are listed.

  2. Click + New Domain.

  3. Assign a name and color to the domain, and an optional description.

  4. In the Status field, select one or more statuses that are relevant to the domain. These statuses will be available for selection in the incidents and alerts associated with this domain.

  5. In the Resolution Type field, select one or more resolution reasons that are relevant to the domain. These reasons will be available for selection in the incidents and alerts associated with this domain.

  6. Click Save.

  7. (Optional) Update SBAC permissions to enable access to the domain.

    Go to Configurations → Access Management → User Groups or Users and update the Scope to include the tag for the new domain.