Manage SLA and Timer Fields in an Incident

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.6
Creation date: 2022-09-29
Last date published: 2024-07-30
End_of_Life: EoL
Category: Administrator Guide
Abstract

Manage timers and SLA for a specific incident, such as decreasing the required response time for a high priority incident.

You can manage the timers and SLA for a specific incident. This enables you to manage SLAs on a global level within the SLA fields, and on a more granular level within specific incidents when the need arises. For example, the severity of an incident might dictate that you decrease the response time for that incident.

  1. SLA Fields

    To set the SLA for a specific SLA field in a specific incident, run the setIncident command and add the SLA field for which to set the time.

    If you do not enter a value for the slaField parameter, the time you enter is applied to the incident's Due Date.

    Example

    The following example shows you how to change the Time to Detection field to 30 minutes for the current incident:

    !setIncident sla=30 slaField=timetodetection

    Note

    When defining the values for the slaField and timer commands, all values must be lowercase and cannot contain spaces.

  2. Timer Fields

    Use the following commands to change the state of a timer for an incident:

    • startTimer - Starts the timer. This command should also be used to restart a paused timer.

      Note

      Timers are not started automatically when an incident is created.

    • pauseTimer - Pauses the timer.

    • stopTimer - Stops the timer. Once a timer is stopped, you can only reset a timer using the resetTimer command.

      Note

      Timers are automatically stopped when an incident is closed.

    • resetTimer - Resets a timer. This command should be used to enable a timer that was stopped.

    Example

    The following example shows you how to pause a timer for a specific field in the current incident:

    !pauseTimer timerField=timetodetection

    You can specify the incidentID to change the timer for a different incident.
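
The two steps above combined, as an added example (not part of the original guide and not Palo Alto Networks code): a Python helper that converts a field label to the required lowercase, no-space form, sets a tighter per-incident SLA, and then starts the timer. The severity numbers, the SLA minutes, the function names and the `execute` callable are assumptions; inside an XSOAR automation, `execute` would be `demisto.executeCommand`.

```python
from typing import Any, Callable, Dict, List, Tuple

# Constructed policy (assumption): incident severity -> SLA in minutes.
SLA_MINUTES_BY_SEVERITY: Dict[int, int] = {4: 15, 3: 30, 2: 120, 1: 480}

Command = Tuple[str, Dict[str, Any]]


def to_field_value(label: str) -> str:
    """Turn a label such as 'Time to Detection' into the form that the
    slaField and timerField arguments require: lowercase, no spaces."""
    value = "".join(label.split()).lower()
    if not value:
        raise ValueError("field label is empty")
    return value


def tighten_sla(execute: Callable[[str, Dict[str, Any]], Any],
                severity: int, field_label: str) -> List[Command]:
    """Apply the per-incident SLA for this severity and start its timer.

    Returns the commands that were issued, in order. A severity with no
    entry in the policy issues nothing, so the global SLA stays in force.
    """
    minutes = SLA_MINUTES_BY_SEVERITY.get(severity)
    if minutes is None:
        return []
    field = to_field_value(field_label)
    issued: List[Command] = [
        # Same as: !setIncident sla=<minutes> slaField=<field>
        ("setIncident", {"sla": minutes, "slaField": field}),
        # Timers are not started automatically when an incident is created.
        ("startTimer", {"timerField": field}),
    ]
    for name, args in issued:
        execute(name, args)
    return issued


if __name__ == "__main__":
    # Stand-in executor that prints each command the way it is typed in the CLI.
    def show(name: str, args: Dict[str, Any]) -> None:
        print("!" + name + " " + " ".join(f"{k}={v}" for k, v in args.items()))

    tighten_sla(show, 3, "Time to Detection")
```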