Triage Incidents - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-18
Category
Administrator Guide
Abstract

Triage your incidents using the incident view tabs.

To help you triage and investigate your incidents, Cortex XSIAM displays them in a split-pane view. From this view you can investigate the full scope and cause of an event, and review all relevant assets, suspicious artifacts, and alerts within the incident details.

Navigate to Incident Response → Incidents. The Incident split-pane view is divided into two main sections:

  • Incident List

  • Details Pane

Note

The Details pane includes two views, Legacy view and Advanced view. Legacy view allows you to view incidents from earlier versions.

The Incident List enables you to filter and sort incidents by their fields, such as status, score, severity, and timestamp. Each incident displays a summary of its severity, assignee, status, creation time, description, and assets. From the Incident List you can also review additional information about an incident.

The Details pane displays the information of the incident currently selected in the Incident List. The pane is made up of the following tabs, which allow you to further investigate and manage each incident.

  • Overview—Made up of an Incident Header listing the incident details, the MITRE tactics and techniques, and widgets that present a breakdown of alerts by severity and sources, automation details, artifacts, hosts, and users associated with the incident. Select the pin icon next to the tab name to always display a specific tab first when you investigate incidents.

  • Key Assets & Artifacts—Displays the incident asset and artifact information of hosts, users, and key artifacts associated with the incident.

  • Alerts & Insights—Displays a table of the alerts and insights associated with the incident.

  • Timeline—A chronological representation of alerts and actions relating to the incident.

  • Incident War Room—Real-time investigation is facilitated through the Incident War Room, which is powered by ChatOps and helps analysts perform tasks related to their incident investigation using CLI commands. For example, analysts can run real-time security actions through the CLI without switching consoles, and run security playbooks, scripts, and commands.

  • Executions—Displays the causality chains associated with the incident.