SLA Overview - Administrator Guide - 6.6 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide

SLA fields count down the time remaining. SLAs fields can be incorporated in cases. You can trigger actions in the event the SLA passes.

Cortex XSOAR supports specific fields for managing SLAs and timers.

SLAs are an important aspect of case management. You can incorporate SLA fields in your cases so you can view how much time is left before the SLA becomes past due, as well as configure actions to take in the event that the SLA does pass.

In addition, you can now view the number of cases that are at risk of passing the SLA, or are already late, using pre-configured widgets. The widgets present information based on the default threshold, which can be configured globally.

Present SLAs in Incident Summary Layouts

Once you have configured the SLA fields and timers, your incident summary screens will display information about the status of the SLA, if any of the SLAs are past due, and if so, by how much.


In the image above, for example, we see that the timers for several of the fields are in various states. Detection SLA is past due, while Remediation SLA has nearly 5 days remaining.

Customize CSV Reports for SLA Fields

You can add SLA specific information to your CSV reports. Edit the table columns field in the JSON report to include the SLA data that you want.

For example, assuming that you have an existing timer field named myslatimer, we can use the following options as csv columns:

  • myslatimer: displays a summary of the timer status and sla.

  • myslatimer.runStatus: displays a run status of the current timer.

  • myslatimer.totalElapsed: displays the total elapsed time, in seconds, of the current timer. If the timer has ended, it displays the total duration.