Analyst Flow

Cortex XSOAR 6.x Tutorials

Product: Cortex XSOAR
Version: 6.x
Creation date: 2022-10-13
Last date published: 2023-06-05
Category: Tutorials

Depending on how you design the incident life cycle, many actions are performed automatically before the analyst even sees an incident. For example, incidents may be closed as duplicates or false positives, their data may be enriched, and more.

For most incidents, the analyst will:

  1. Pick up an open incident.

  2. View enough data to make decisions, including what steps have already been taken (Incident Summary, Work Plan).

  3. Easily collect additional data by running commands on third-party tools.

  4. Collaborate with SOC team members in the War Room: ask questions, post comments, and more.

  5. Make an informed decision on how to handle the incident. A typical flow is to design the incident page to include a set of buttons that the analyst can select from (Escalate, Close, etc.).

  6. Activate one of several possible responses either within Cortex XSOAR or externally (e.g., open a ticket for IT).

  7. Close the incident and specify a close reason.