View and manage incidents in Cortex XSOAR.
On the Incidents page, you can view all of the incidents in Cortex XSOAR and do the following:
Note
If you are unable to perform a specific action or view data, you may not have sufficient user role permissions. Contact your Cortex XSOAR administrator for more details.
Action | Description |
---|---|
Search for incidents | You can search for incidents by doing the following: |
Filter incidents using the Bar Charts | Bar charts display important incident information, such as the incident type, severity, and owner. You can change the criteria in each bar chart. Note: Incidents sorted using an SLA/Timer field are sorted by the due date of the SLA field. |
Create a new incident | Create an incident manually. For more information, see Create an incident. |
Create a widget | Create a widget based on the search criteria and add it to a dashboard or report. For more information, see Create a widget from an incident. |
Note
You can change how the top half of the Incidents page appears by hiding the chart panel and the query panel, and by switching to a detailed view.
Manage incidents from the incidents table
In the incidents table, view general information about each incident, such as the type, the severity, and when it occurred. The status of the incident is classified as follows:
Status | Description |
---|---|
Active | The investigation has started. The War Room is activated and the playbook starts, if assigned. Users can be assigned to this incident. |
Pending | The investigation has not started and no War Room has been activated. As soon as you open the incident, it becomes active. |
Closed | The investigation has been closed. |
Incidents can be assigned a severity at incident creation when running a playbook, or after creation through the CLI or in the incident layout. Incident severity levels are:
Critical (4)
High (3)
Medium (2)
Low (1)
Informational (0.5)
Unknown (0)
You can do the following actions:
Action | Description |
---|---|
Investigate an incident | View, investigate, and take remedial action on the incident by clicking the incident ID hyperlink. For more information, see Investigate an incident. |
Assign | Assign incidents to any user who has been added to Cortex XSOAR, including users who are marked as away. You can assign users to many incidents at one time. |
Edit | Edit the incident parameters and then rerun a playbook on the incident, which is useful while developing playbooks. You can process an incident multiple times during playbook development, without creating new incidents every time. Note: When batch editing multiple incidents, uploading files is currently not supported. |
Mark as Duplicate | Deduplicate an incident. Closing an incident as a duplicate enables you to investigate one incident rather than several. When selected, you need to add the ID of the incident you want to retain. After the ID is validated, the other incident is closed as a duplicate and removed from the table. If you want to link an incident with or without closing it, you can use the |
Run Command | You can select multiple incidents and run a command across all of them. |
Export | Export incidents to an Excel or a CSV file. For more information, see Export incidents. |
Close | You can select multiple incidents and close all of them. If required, add the close reason and details. The investigation will be closed. When you close an incident, the close reason is set to whatever value you last entered. For example, if you initially selected False Positive as the Close Reason, reopened the incident, and closed it again leaving the Close Reason empty, the empty Close Reason overwrites the previous one. To keep the close reason that was entered previously on the incident, add the previous value in the Close Reason argument. Note: The close reasons are customizable by server configurations. Provided you have administrator permission, you can change the reasons. For more information, see Customize incident close reasons. You can also close the incident when investigating the incident. |
Delete | You can select multiple incidents and delete all of them. You can also delete the incident when investigating the incident. |
Star an incident | To help you focus on the most important incidents, you can mark an incident as a favorite. Starring incidents enables you to narrow down the scope of incidents on the Incidents page. |
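The following is an added illustration, not Cortex XSOAR code or its API: a small Python model of the incident lifecycle described in the tables above (Pending/Active/Closed status, the numeric severity levels, the close-reason overwrite caveat from the Close row, and the retain-one-close-the-other behaviour of Mark as Duplicate). All class, field and function names in it are hypothetical and exist only to make those semantics concrete and checkable.

```python
"""Toy model of the incident lifecycle described on this page.

Hypothetical illustration only: none of the names below are part of
Cortex XSOAR; they model the documented behaviour so it can be exercised.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Severity labels and their numeric values, as listed on the page.
SEVERITY = {
    "Critical": 4,
    "High": 3,
    "Medium": 2,
    "Low": 1,
    "Informational": 0.5,
    "Unknown": 0,
}


@dataclass
class Incident:
    id: str
    severity: str = "Unknown"
    status: str = "Pending"            # Pending -> Active -> Closed
    close_reason: Optional[str] = None
    close_notes: Optional[str] = None
    duplicate_of: Optional[str] = None


def open_incident(inc: Incident) -> Incident:
    """Opening a Pending incident makes it Active (War Room / playbook start)."""
    if inc.status == "Pending":
        inc.status = "Active"
    return inc


def close_incident(inc: Incident, close_reason: Optional[str] = None,
                   close_notes: Optional[str] = None) -> Incident:
    """Close an incident. Mirrors the documented caveat: the close reason is
    set to whatever value is supplied on *this* close, so an empty value
    overwrites a reason recorded on an earlier close."""
    inc.status = "Closed"
    inc.close_reason = close_reason
    inc.close_notes = close_notes
    return inc


def reopen_incident(inc: Incident) -> Incident:
    """Reopening puts the incident back under investigation."""
    inc.status = "Active"
    return inc


def close_keeping_reason(inc: Incident, close_reason: Optional[str] = None,
                         close_notes: Optional[str] = None) -> Incident:
    """Defensive wrapper: when no reason is given, pass the previously
    recorded reason back in, which is what the page recommends."""
    return close_incident(inc, close_reason or inc.close_reason, close_notes)


def mark_duplicate(table: Dict[str, Incident], duplicate_id: str,
                   retained_id: str) -> Dict[str, Incident]:
    """Close `duplicate_id` as a duplicate of `retained_id` and remove it
    from the table view. Both IDs must exist (the validation step)."""
    if retained_id not in table or duplicate_id not in table:
        raise KeyError("both incident IDs must exist before deduplicating")
    if retained_id == duplicate_id:
        raise ValueError("an incident cannot be a duplicate of itself")
    dup = table[duplicate_id]
    close_incident(dup, close_reason="Duplicate")
    dup.duplicate_of = retained_id
    del table[duplicate_id]
    return table


def sort_by_severity(incidents: List[Incident]) -> List[Incident]:
    """Highest severity first, using the numeric values from the page."""
    return sorted(incidents, key=lambda i: SEVERITY[i.severity], reverse=True)


if __name__ == "__main__":
    # Constructed sample: demonstrate the overwrite caveat and its remedy.
    inc = open_incident(Incident("101", "High"))
    close_incident(inc, "False Positive")
    reopen_incident(inc)
    close_incident(inc)                      # empty reason overwrites
    print(inc.close_reason)                  # None
    reopen_incident(inc)
    close_keeping_reason(Incident("102", close_reason="Resolved"))
```

The `close_keeping_reason` wrapper is the point of the example: the platform behaviour described in the Close row is last-write-wins, so anything that automates closing (bulk close, a playbook task) should explicitly carry the prior reason forward rather than relying on it being preserved.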
Tip
Any incidents assigned to you, starred incidents, and incidents you are participating in can easily be accessed in the My Incidents section.
Further information
To see how to manage incidents, watch the following video in Live Community: