Incident Investigation - Administrator Guide - 6.6 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide

Open an incident in Cortex SOAR and view incident details.

An incident investigation can be opened in the following ways:

  • Automatically: If associated with a playbook, incidents open automatically for investigation and run the associated playbook.

  • Manually: Open an incident manually by selecting the incident in the Incidents table.


    After an incident is created, it is assigned a Pending status in the incident table. When you start to investigate an incident the status changes automatically to Active, which starts the remediation process.

  • CLI: If you want to open an incident in the CLI, type /investigate id=<incidentID#>.

Incidents Page

When you open an incident, you see the following tabs, which assist you in the investigation:



Incident/Case Info

A summary of the incident, such as case details, work plan, evidence, and so on. Most of the fields are for information only, although you can add the following:

  • Evidence: A summary of data marked as evidence. You can add evidence in this tab or in the Evidence Board.

  • Notes: Displays any notes that have been entered. For example, understand specific actions taken by the analyst and the underlying reasons, see chats between analysts to highlight how they arrived at a certain decision, etc. You can also see the thought process behind identifying key evidence and learn about similar incidents in the future.

    You can also add notes in the War Room.

  • Tasks: View tasks to complete as part of an investigation. You can add tasks in this tab or Create a To-Do Task.

You can send a permalink to a specific Investigation Summary by copying its URL.


You can edit the fields by Incident Customization.


An overview of the information collected about the investigation, such as indicators, email information, URL screen shots and so on

War Room

A comprehensive collection of all investigation actions, artifacts, and collaboration. It is a chronological journal of the incident investigation. Each incident has a unique War Room.

Work Plan

A visual representation of the running playbook that is assigned to the incident.

Evidence Handling

View any entity which has been designated as evidence. The Evidence board stores key artifacts for current and future analysis. You can reconstruct attack chains and piece together key pieces of verification for root cause discovery.

Related Incidents

A visual representation of incidents that share similar characteristics, such as malicious indicators, or part of a phishing campaign.


Visually maps an incident, its elements, correlated investigation entities, and the progression path of the incident, combining analyst intelligence with machine learning.

The Related Incidents page is orientated towards exploration and searching for similar data. The Canvas maps incidents and indicators by enabling you to decide what you want to include in a layout of your choice.

You can Link Incidents, edit the incident, add a child incident, add tasks, notes, and so on. For more information, see incident actions.

Inline Value Fields

By default, when editing the following inline values in an incident, the changes are not saved until you confirm your changes (clicking the checkmark icon in the value field).

  • Dropdown values, such as Owner, Severity, etc.

  • Text values, such as Asset ID. (You can only edit when you click the pencil in the value field).

These icons are designed to let you have an additional level of security before you make changes to the fields in incidents, indicators, and threat intel reports.

To change the default behavior set the inline.edit.on.blur server configuration to true, which enables you to make changes to inline fields without clicking the checkmark. The changes are automatically saved when clicking anywhere on the page or when navigating to another page. For text values you can also click anywhere in the value field to edit.