Create an incident - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-10
Category: Administrator Guide
Abstract

You can manually create a new incident, assign it to a specific domain, and define custom fields for the incident.

Notice

To create an incident manually, you must have the Create incident permission selected under Settings > Access Management > Roles > Components > Incident Response. In addition, to add a playbook to the manually created incident, you must have the Add Trigger Playbook permission selected.

You can create an incident in Cortex XSIAM directly from the user interface to manage all aspects of operations within a single location.

  1. On the Incidents page, click New Incident.

  2. Under Incident Details, specify a name, severity, and (Optional) description.

    The severity of a manually created incident cannot be set to Low.

  3. (Optional) Specify an incident domain. The default domain is (Security).

    Note

    You can assign an incident to a single domain only, and after incident creation you cannot change the assigned domain. For more information, see Incident and alert domains.

  4. (Optional) Select MITRE ATT&CK tactics and techniques to assign to the incident.

  5. (Optional) Select custom alert fields.

    Cortex XSIAM validates the Host IP, Local IP, and Remote IP fields.

    If you select Set fields as default for new <domain> domain incidents, the custom alert fields that are configured for this incident are saved for all users. When a user next creates an incident for the same domain, these fields are automatically configured instead of the default field set.

    To reset the custom fields to the system default, click Restore Default Field Set.

  6. (Optional) Under Playbook, specify playbook run settings. By default, a playbook is run Automatically by trigger.

  7. Click Create new Incident.

    Each incident creation generates one alert. The name, severity, and description of the generated alert mirror the name, severity, and description of the incident.

    Note

    You can't attach files to manually created incidents.
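The constraints listed in the procedure above (severity cannot be Low, the Host IP, Local IP and Remote IP fields are validated, the domain is fixed once the incident exists, and creation emits one alert mirroring the incident) are easy to get wrong when incidents are prepared in bulk by a script or a runbook before someone clicks through the UI. The following is an added example, not Cortex XSIAM code and not its API: a small local pre-check model of those rules. The class, function and field names (ManualIncident, validate_ip_field, host_ip and so on) and the severity ordering are assumptions made for the example.

```python
"""Local pre-submission checks for a manually created incident.

Added example modelling the rules stated on this page; it does not call
Cortex XSIAM and its names are assumptions, not the product's API.
"""
from dataclasses import dataclass, field
import ipaddress

# Assumed severity values; the page only states that Low is not allowed.
SEVERITIES = ("low", "medium", "high", "critical")
# Assumed keys for the three custom fields the page says are validated.
IP_FIELDS = ("host_ip", "local_ip", "remote_ip")


class IncidentValidationError(ValueError):
    """Raised when an incident would be rejected before creation."""


def validate_ip_field(name: str, value: str) -> str:
    """Accept a single IPv4 or IPv6 address; reject hostnames, CIDR ranges and blanks."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except (ValueError, AttributeError):
        raise IncidentValidationError(f"{name}: {value!r} is not a valid IP address")


@dataclass
class ManualIncident:
    name: str
    severity: str
    description: str = ""
    domain: str = "Security"  # page: default domain is Security
    custom_fields: dict = field(default_factory=dict)
    _created: bool = field(default=False, init=False, repr=False)

    def validate(self) -> bool:
        """Apply the page's rules; raise IncidentValidationError on the first failure."""
        if not self.name.strip():
            raise IncidentValidationError("name is required")
        sev = self.severity.strip().lower()
        if sev not in SEVERITIES:
            raise IncidentValidationError(f"unknown severity {self.severity!r}")
        if sev == "low":
            raise IncidentValidationError("severity of a manually created incident cannot be Low")
        self.severity = sev
        # Only the three IP fields are validated; other custom fields pass through.
        for key in IP_FIELDS:
            if key in self.custom_fields:
                self.custom_fields[key] = validate_ip_field(key, self.custom_fields[key])
        return True

    def set_domain(self, domain: str) -> None:
        """The domain can be chosen only before creation (page: cannot be changed afterwards)."""
        if self._created:
            raise IncidentValidationError("domain cannot be changed after incident creation")
        self.domain = domain

    def create(self) -> dict:
        """Simulate creation: lock the domain and return the single mirrored alert."""
        self.validate()
        self._created = True
        # Page: the generated alert mirrors the incident's name, severity and description.
        return {
            "name": self.name,
            "severity": self.severity,
            "description": self.description,
            "domain": self.domain,
        }


def is_rejected(incident: ManualIncident) -> bool:
    """True if the pre-check would refuse this incident."""
    try:
        incident.validate()
        return False
    except IncidentValidationError:
        return True


if __name__ == "__main__":
    # Constructed sample input, not data from the page.
    inc = ManualIncident("Suspicious login", "High",
                         custom_fields={"host_ip": "10.0.0.5 ", "remote_ip": "2001:db8::1"})
    print("alert:", inc.create())
    print("low severity rejected:", is_rejected(ManualIncident("x", "Low")))
    print("bad IP rejected:", is_rejected(
        ManualIncident("x", "High", custom_fields={"remote_ip": "evil.example"})))
```

Running the pre-check in a provisioning script means a bad IP value or a Low severity is caught with a clear message instead of a UI validation error after the fields have been filled in, and it makes the "domain is fixed after creation" rule explicit to anyone automating incident handover.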