Incident Management - Administrator Guide - EoL - 6.6 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide
End of Life > EoL

Open, investigate, and manage incidents in Cortex XSOAR.

Incidents are events that have been observed at a point in time and saved for analysis. Incidents can be ingested from third-party integrations, created manually through the user interface, or generated through the REST API.


To view the REST API documentation, select SettingsINTEGRATIONSAPI KeysView Cortex XSOAR API.

In the Incidents page, you can view all of the incidents in Cortex XSOAR:

  • You can view general information about each incident, such as the type, the severity, when it occurred, etc. The status of the incident is classified as follows:

    Active: The investigation has started. The War Room is activated and the Playbook starts, if assigned. Users can be assigned to this incident.

    Pending: The investigation has not started and no War Room has been activated. As soon as you open the incident, it becomes active.

    Closed: The investigation has been closed.

  • By default, the Incidents page displays all open incidents from the last seven days. You can update this by creating a new search query. You can also Create a Widget From an Incident, based on the search query and add it to a dashboard or report.

  • Incident type, severity, owner, etc. are displayed in bar charts. You can change these by selecting a different chart from the dropdown list at the top of each individual chart. You can also hide the chart panel.

You can limit access to investigations and restrict investigations according to your requirements, as described in Incident Access Control Configuration.

When you select an incident, you can do the following:

  • Investigate an incident: You can view a detailed summary, investigate, add evidence, see related incidents, etc.

  • Assign: You can assign incidents to any user that has been added to Cortex XSOAR, including those users who are marked as away.

  • Edit: You can edit the incident parameters and then rerun a playbook on the incident, which is useful while developing playbooks. You can process an incident multiple times during playbook development, without creating new incidents every time.

  • Mark as Duplicate.

  • Run Command.

  • Export to a CSV file. By default, the CSV file is generated in UTF8 format. You can change this to the UTF8-BOM format. To export an incident as a JSON file, run the !js script="return ${.}" command in the War Room,

  • Close the incident.

  • Delete the incident.

In addition, you can select multiple incidents and run a command across all of them. You can also delete or export batches of incidents or mark multiple incidents as duplicate.

You can create a new incident by clicking New Incident. You can also create a new incident in the REST API.

You can filter the incidents that are ingested into Cortex XSOAR by Manually De-Duplicate Incidents, setting up pre-process rules to perform certain actions, or automatically de-duplicate incidents. After you close an incident you may want to automate an additional action such as closing a Remedy ticket. For more information, see Post Processing for Incidents.

Incidents can be assigned a severity - either at incident creation, manually, through the CLI, or by running a playbook. Incident severity levels are: Unknown (0), Informational (0.5), Low (1), Medium (2), High (3), Critical (4).