Incident management - Administrator Guide - 8.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR On-prem Documentation

Product: Cortex XSOAR
Version: 8.5
Creation date: 2024-03-10
Last date published: 2024-12-12
Category: Administrator Guide
Solution: On-prem
Abstract

View and manage incidents in Cortex XSOAR.

On the Incidents page, you can view all of the incidents in Cortex XSOAR and do the following:

Note

If you are unable to perform a specific action or view data, you may not have sufficient user role permissions. Contact your Cortex XSOAR administrator for more details.

Action

Description

Search for incidents

You can search for incidents by doing the following:

  • Search query: The Incidents page displays all open incidents from the last 7 days by default. For more information about search queries and to create a query and save it for future use, see Search for incidents.

  • Search incidents globally using the search box. For more information, see Use the search box.

Filter incidents using the Bar Charts

Bar charts display important incident information, such as the incident type, severity, and owner. You can change the criteria in each bar chart.

Note

Incidents sorted using an SLA/Timer field are sorted by the due date of the SLA field.

Create a new incident

Create an incident manually. For more information, see Create an incident.

Create a widget

Create a widget based on the search criteria and add it to a dashboard or report. For more information, see Create a widget from an incident.

Note

You can change how the top half of the Incidents page appears by hiding the chart panel and the query panel, and by switching to a detailed view.

Manage incidents from the incidents table

In the incidents table, view general information about each incident, such as the type, the severity, and when it occurred. The status of the incident is classified as follows:

  • Active: The investigation has started. The War Room is activated and the playbook starts, if assigned. Users can be assigned to this incident.

  • Pending: The investigation has not started and no War Room has been activated. As soon as you open the incident, it becomes active.

  • Closed: The investigation has been closed.

Incidents can be assigned a severity at creation, for example by the playbook that runs on them, or after creation through the CLI (for example, !setIncident severity=3) or in the incident layout. Incident severity levels are:

  • Critical (4)

  • High (3)

  • Medium (2)

  • Low (1)

  • Informational (0.5)

  • Unknown (0)
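The following Python script is an added example, not code from the Cortex XSOAR documentation. It does programmatically what the search query and the incidents table above do in the UI: it builds the filter body for the default view (open incidents from the last 7 days), sends it to the incidents search endpoint, and summarizes the returned incidents by status, severity and owner, using the severity values listed above. The endpoint path /xsoar/public/v1/incidents/search, the Authorization and x-xdr-auth-id header names, the numeric status codes, and the response layout are assumptions based on the public XSOAR REST API; the sample response is constructed.

```python
"""Programmatic counterpart of the Incidents page: build the search filter
the page describes (open incidents from the last N days), query the
Cortex XSOAR REST API, and summarize the result by status, severity and owner.

Added example; not part of the Cortex XSOAR documentation. The endpoint
path, header names, status codes and response layout are assumptions
based on the public XSOAR REST API and may need adjusting for your tenant.
"""
import json
import urllib.request
from collections import Counter

# Numeric status codes (assumption: the IncidentStatus constants used by XSOAR).
STATUS_NAMES = {0: "Pending", 1: "Active", 2: "Closed", 3: "Archived"}

# Severity values as listed on this page.
SEVERITY_NAMES = {0: "Unknown", 0.5: "Informational", 1: "Low",
                  2: "Medium", 3: "High", 4: "Critical"}


def build_search_body(query="-status:closed -category:job", days=7, size=100):
    """Filter body equivalent to the page's default view: open incidents
    from the last `days` days, newest first."""
    return {
        "filter": {
            "query": query,
            "period": {"by": "day", "fromValue": days},
            "page": 0,
            "size": size,
            "sort": [{"field": "occurred", "asc": False}],
        }
    }


def search_incidents(base_url, api_key, auth_id, body):
    """POST the filter to the incidents search endpoint (assumed path).
    XSOAR 8 expects the API key in Authorization and the key ID in
    x-xdr-auth-id (assumption). Returns the decoded JSON response."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/xsoar/public/v1/incidents/search",
        data=json.dumps(body).encode(),
        headers={
            "Authorization": api_key,
            "x-xdr-auth-id": str(auth_id),
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize(search_response):
    """Replicate the bar charts: counts by status, severity and owner,
    plus the IDs of unassigned, not-yet-closed incidents to pick up."""
    incidents = search_response.get("data") or []
    by_status = Counter(STATUS_NAMES.get(i.get("status"), "Unknown") for i in incidents)
    by_severity = Counter(SEVERITY_NAMES.get(i.get("severity"), "Unknown") for i in incidents)
    by_owner = Counter(i.get("owner") or "(unassigned)" for i in incidents)
    unassigned_open = sorted(
        (i["id"] for i in incidents if not i.get("owner") and i.get("status") != 2),
        key=int,
    )
    return {
        "total": search_response.get("total", len(incidents)),
        "by_status": dict(by_status),
        "by_severity": dict(by_severity),
        "by_owner": dict(by_owner),
        "unassigned_open": unassigned_open,
    }


# Constructed sample response (not real data) in the shape the API returns.
SAMPLE_RESPONSE = {
    "total": 4,
    "data": [
        {"id": "101", "name": "Phishing report", "type": "Phishing", "severity": 3,
         "status": 1, "owner": "analyst1", "occurred": "2024-12-10T09:12:00Z"},
        {"id": "102", "name": "Malware alert", "type": "Malware", "severity": 4,
         "status": 0, "owner": "", "occurred": "2024-12-11T14:03:00Z"},
        {"id": "103", "name": "Failed logins", "type": "Brute Force", "severity": 1,
         "status": 1, "owner": "", "occurred": "2024-12-11T16:40:00Z"},
        {"id": "104", "name": "Duplicate phishing", "type": "Phishing", "severity": 3,
         "status": 2, "owner": "analyst1", "closeReason": "Duplicate",
         "occurred": "2024-12-12T08:00:00Z"},
    ],
}

if __name__ == "__main__":
    # Offline run: print the filter body and the summary of the sample data.
    print(json.dumps(build_search_body(), indent=2))
    print(json.dumps(summarize(SAMPLE_RESPONSE), indent=2))
```

To run it against a live tenant, call search_incidents with your API URL, key and key ID and pass the result to summarize; the API key used should be a read-only one if the script only reports.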

You can do the following actions:

Action

Description

Investigate an incident

View, investigate, and take remedial action on the incident by clicking the incident ID hyperlink. For more information, see Investigate an incident.

Assign

Assign incidents to any user who has been added to Cortex XSOAR, including users who are marked as away. You can assign users to many incidents at one time.

Edit

Edit the incident parameters and then rerun a playbook on the incident, which is useful while developing playbooks. You can process an incident multiple times during playbook development, without creating new incidents every time.

Note

When batch editing multiple incidents, uploading files is currently not supported.

Mark as Duplicate

Close an incident as a duplicate of another. Closing duplicates lets you investigate one incident rather than several. When you select this option, enter the ID of the incident you want to retain. After validation, the selected incident is closed as a duplicate of the retained one and is removed from the table.

To link incidents, with or without closing them, use the !linkIncidents command. For more information, see Link incidents.

Run Command

You can select multiple incidents and run a command across all of them.

Export

Export incidents to an Excel or a CSV file. For more information, see Export incidents.

Close

You can select multiple incidents and close all of them. If required, add the close reason and details. The investigation will be closed.

When you close an incident, the close reason is set to whatever value you last entered. For example, when closing an incident, if you initially selected False Positive as the Close Reason, reopened, and closed it again, leaving the Close Reason empty, the empty Close Reason will overwrite the previous Close Reason. To keep the close reason that was entered previously on the incident, add the previous value in the Close Reason argument.

Note

Close reasons are customizable through server configuration. If you have administrator permission, you can change them. For more information, see Customize incident close reasons.

You can also close the incident when investigating the incident.

Delete

You can select multiple incidents and delete all of them.

You can also delete the incident when investigating the incident.

Star an incident

To help you focus on the most important incidents, you can mark an incident as a favorite. Starring incidents enables you to narrow down the scope of incidents on the Incidents page.

Tip

Any incidents assigned to yourself, starred incidents, and incidents you are participating in, can easily be accessed in the My Incidents section.

Further information

To see how to manage incidents, watch the following video in Live Community:

Working an Incident