Analyze Incident Data - Tutorials - 6.x - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR 6.x Tutorials

Product: Cortex XSOAR
Version: 6.x
Creation date: 2022-10-13
Last date published: 2023-06-05
Category: Tutorials

After events are fetched and the playbook executes, the events appear as incidents in the Incidents page. All of the information that is displayed in the respective tabs is determined by the layout you designed for the QRadar Generic incident type.

The layout appearance, including which tabs are shown, their order, their names, and more, is customizable. See Customize Incident Layouts.

The analyst can click on the ID of any incident to view additional incident data that you configured for the incident type.

Incident Info View

The Incident Info tab provides information about the incident itself: for example, when the incident was opened and last updated, what its severity is, and where it originated. It also gives you easy access to all of the indicators extracted from the incident, the current state of the incident, and more.

[Screenshot: tutorial-siem-incident-info.png]

For example, in the screenshot above, we see, in the Work Plan section of the page, that the incident is currently on hold waiting for the manual investigation to complete.

QRadar Offense View

The QRadar Offense tab brings the information that is available in QRadar into one screen within Cortex XSOAR. For example, you can see how many of the events associated with the offense were pulled (by default, 20) and the magnitude that was assigned to the offense in QRadar.

[Screenshot: tutorial-siem-offense-summary.png]

The view includes all of the network data that is available from QRadar, as well as a link to the incident in QRadar itself.

QRadar Events View

The QRadar Events tab presents a table with the events that were pulled when the offense was ingested. By default, to improve performance, only the last 20 events are pulled, but you can override this in the Maximum number of events per incident field in the integration settings.

QRadar Assets

The QRadar Assets tab presents information about any critical assets that were involved in the offense, whether they were targeted or tangentially related.