Analyze Data

Cortex XSOAR 6.x Tutorials

Product: Cortex XSOAR
Version: 6.x
Creation date: 2022-10-13
Last date published: 2023-06-05
Category: Tutorials

After events are fetched into Cortex XSOAR, the notable events appear as incidents in the Incidents page. All the information that is displayed in the respective tabs is determined by the layout you designed for the Splunk Notable Generic incident type.

The layout appearance, including which tabs appear, their order, and their names, is customizable.

The analyst can click on the ID of any incident to view additional incident data that you configured for the incident type.

Incident Info View

The Incident Info tab provides information about the incident itself, for example when the incident was opened and last updated, its severity, and where it originated. It also gives you easy access to all of the indicators extracted from the incident and to the current state of the incident.

For example, in the Work Plan section, you can see that the incident is currently on hold waiting for the analyst to manually investigate the incident.

(Screenshot: splunk-incident.png)

Notable Summary

The Notable Summary tab fetches the data from Splunk and presents it in a single tab in Cortex XSOAR. For example, you can see how many of the events associated with the notable event were fetched (the default is 50), along with the Splunk severity, status, and urgency.

(Screenshot: splunk-summary.png)

The view includes all of the network data that is available from Splunk.

Drilldown

The Drilldown tab shows detailed drilldown data enriched from the Splunk server, such as the error code, event code, and event ID.

(Screenshot: splunk-drilldown.png)

Assets

The Assets tab presents information about any critical assets that were involved in the event, whether they were targeted or tangentially related.

(Screenshot: splunk-assets.png)

Identities

The Identities tab shows enriched information about the identities involved in the event, such as the source email address and identity tag.

(Screenshot: splunk-ids.png)