The layout should display the most relevant data for analysts. For example, analysts may need to see Cortex XDR information (such as ID, description, and severity), file information, indicators, and details about the incident. You may therefore need to add information that is not included in the out-of-the-box layout, for example by creating sections, adding buttons, or adding custom fields. Before making any changes, though, first familiarize yourself with the Malware Investigation and Response layout.
To view the layout, go to → → → → .
Incident Summary Tab
The Incident Summary tab includes the following sub tabs. For more information about each tab, see Incident Management.
Incident Info: Contains a summary of all the relevant information an analyst may require about the incident:
Case Details: includes incident type, severity, and playbook used
Endpoint Details: includes details of the device associated with the incident, such as IP and operating system
Source Details: includes the incident process path, process name, and file hash
Account Information: team members
Timeline Information: when the incident occurred, was created, or was updated
Work Plan Information: outstanding tasks
Investigation Summary: includes feedback on detected suspicious behaviors such as defense evasion, execution, or persistence mechanisms
Response Actions: including isolating the endpoint, killing the process, and tagging for deny or allow lists
Investigation: Contains an overview of the behaviors flagged by Cortex XSOAR, such as modified registry keys, files deleted after execution, and data encrypted, as well as indicator details such as attack patterns (with the MITRE integration).
Forensics: Provides forensic data, including running processes and open network connections at alert detection time.
Evidence Board: Includes reports such as WildFire reports generated from sandbox detonations. You can also search for individual techniques and tactics that were flagged, such as execution.
Related Incidents: Displays any incidents that are related or similar to the current incident.
New/Edit Form Tab
The New/Edit Form tab contains information about creating or editing a Malware Investigation and Response incident.
Close Form Tab
The Close Form tab contains information about closing a Malware Investigation and Response incident.
Incident Quick View Tab
The Incident Quick View tab contains summary information about the Malware Investigation and Response incident.
For more information about customizing incident types, see Incident Customization.