Create an Incident - Administrator Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.9
Creation date
2022-09-29
Last date published
2024-09-04
End_of_Life
EoL
Category
Administrator Guide
Abstract

Create a new incident in Cortex XSOAR, manually, through a feed, or by importing a JSON file.

Cortex XSOAR incidents can be created manually, from a JSON file, from the Cortex XSOAR RESTful API, or from an integration feed.

Note

The import JSON feature enables you to import event data from third-party software and use it to create new incidents in Cortex XSOAR. These incidents can be used to build and troubleshoot playbooks for integrations that have not yet been installed or configured.

  • Create an incident manually.

    Go to the Incidents page, click New Incident and enter relevant data, including custom fields if needed.

  • Create an incident from a JSON file.

    1. Go to SettingsOBJECTS SETUPIncidentsClassification & Mapping and click the mapper you want to use.

    2. From the Get Data drop-down, choose Upload JSON, click on the paper clip icon and upload the JSON file.

    3. Map the fields.

    4. From the market-gear.pngmenu, select Create Incident from JSON. Select the incident type and Create Incident.

    Note

    To export an incident to a JSON file, run the !js script="return ${.}" command in the War Room. You can then import the JSON file, for example, in a development environment for mapping and testing.

  • Create an incident via the API.

    To view the full REST API documentation, select SettingsINTEGRATIONSAPI KeysView Cortex XSOAR API. To create a single incident via the API, use the /incident route. If you create an incident via the API and do not set createInvestigation to true, the incident will be created but an investigation will not be opened and a playbook will not automatically run. To create multiple incidents, use /incident/batch. The minimum information required to create a single incident via the API is the incident name.

  • Fetch Incidents From an Integration Instance.