Create an incident summary report

Cortex XSOAR On-prem Documentation

Product
Cortex XSOAR
Version
8.5
Creation date
2024-03-10
Last date published
2024-11-13
Category
Administrator Guide
Solution
On-prem
Abstract

Create and generate a custom Incident Summary report in Cortex XSOAR, from the incident page. Save reports as templates.

In an incident investigation, you can generate an incident summary report in PDF format, which enables you to capture investigation-specific data and share it with team members.

When generating a report, you can do the following:

Action

Description

Select a tab to generate a report from

Apart from the War Room, Work Plan, and Evidence Board tabs, you can select which tab to generate a report from, including any custom tabs or tabs from a layout installed from a content pack. For example, the Phishing Campaign layout includes the Campaign Overview and Campaign Management tabs. You can select any of those tabs to generate a report.

When generating a report, you can decide what sections to include from the Case Info tab, by selecting Legacy Summary.

You can save the reports as templates. Templates cannot be edited after they are created.

Create a report from a template

The Investigation Summary report is included out-of-the-box. This report includes the following sections:

  • General information

  • Close notes

  • Custom data

  • Investigation Timeline

  • Indicators

  • War Room notes

  • Evidence timeline and detailed evidence

  • Skipped tasks

  • Team members

  • Linked incidents

Tip

If you want a less detailed report, we recommend downloading the CaseManagement-Generic content pack, which includes a Case Report. This report includes case details, investigation details, labels, closing information, indicators, team members, notes, and any War Room Chat.

The administrator can create a tab in your layout to include any information for reports. For more information about customizing layouts, see Incident layout customization.

After you create a template, it appears on the Reports page under Incident Reports.

How to create a summary report

Before you begin, enable popups in your browser.

  1. Open the incident for which you want to create a report.

  2. Select the tab that has the information you want to appear, and click Actions > Report.

  3. Select one of the following:

    • To generate a new report, choose Select a tab to generate report from.

      Add the required properties. We recommend the landscape orientation, so that all information is displayed in the report.

      If you choose Legacy Summary, select the required sections.

    • To use an existing template, choose the From Template tab and select the template.

  4. If you want to use the report settings as a template, select the Save report as template checkbox.

  5. Generate the report.

Note

You can also use the !GenerateSummaryReports command in the CLI to generate a report. If you want to automate the process, the administrator can use the Send Investigation Summary Reports Job playbook.