Investigate and take remediation steps in Cortex XSOAR.
You can open an incident investigation:
Automatically: If associated with a playbook, incidents open automatically for investigation and run the associated playbook.
Manually: Open an incident manually by selecting the incident in the Incidents table.
Note
If the incident ID hyperlink is unavailable, the incident was closed before the investigation started, usually through a preprocess rule, or it was already closed when fetched. To see the incident details, click the Switch to detailed view icon at the top of the incidents page.
After an incident is created, it is assigned a Pending status. When you start to investigate an incident, the status changes automatically to Active, which starts the remediation process.
In the CLI: If you want to open an incident in the CLI, type /investigate id=<incidentID#>.
You can limit access to investigations and restrict investigations according to your requirements, as described in Limit access to investigations using access control.
Note
If you cannot perform a specific action or view data, you may not have sufficient user role permissions. Contact your Cortex XSOAR administrator for more details.