Unified Incident View - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-07-16
Last date published: 2024-12-12
Category: Administrator Guide
Abstract

On the Unified Incident View, MSSP and multi-tenant administrators can see a consolidated view of all incidents across their distributed environment, and take actions on child tenants.

Danger

  • Requires an MSSP License.

  • Requires the following RBAC permissions:

    • Incident Response → Investigation

    • Incident Response → Automation

  • This view is available for the parent tenant only.

  • To take actions on a child tenant from a parent tenant, you must have the appropriate permissions for both tenants. If you do not have the correct permissions, you can view incidents in read-only mode.

For MSSP and multi-tenant administrators, the Unified Incident View provides a central location to view and perform actions on child tenants across your distributed environment. You can see a consolidated view of all incidents, easily visualize and triage the incidents in your environment, and collaborate with child users.

You can access the Unified Incident View from Incident Response → Incidents.

In the Tenant Name column, you can see the name of the parent and child tenants. Use this field to filter the table and see incidents from a specific child tenant. When you investigate an incident on a child tenant, Cortex XSIAM pivots into the child screen so that you can perform actions directly in the child incident and run commands in the War Room.

In addition, you can take bulk actions across multiple tenants, such as changing the status and severity, and running playbooks. When running a playbook on an alert, you can select from the playbooks that are available in the child tenant. The Tenant Name column is also displayed on the Alerts page, and enables pivoting to the child tenant.

Note

Custom incident layouts of child tenants are not visible in the parent tenant.