Configure an SLA in an incident type - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide

Add SLA time/date to an incident type.

On the Incidents page, in the incident table, you can view the SLA (due date) by default. You can also search using the dueDate parameter, such as dueDate:>="now" to search for incidents that are either due now or overdue. If it has not been set, you need to configure the incident type.

  1. Go to SettingsSettings & InfoObject SetupIncidents.

  2. Select the incident type to add the SLA.

    Some out-of-the-box incident types have a default SLA date. To update out-of-the-box incident types, you need to either duplicate or detach them.

  3. In the SLA field, add the weeks, days, and hours required.

    Estimate how long the incident should take from being ingested into Cortex XSOAR until it is closed. For example, if you expect your incident type to be closed within 36 hours, select 1 day and 12 hours.

  4. (Optional) Set a reminder before the SLA expires.

    The owner of the incident will receive an email that the SLA expiration date is approaching.

  5. Save the incident type.

  6. (Optional) To test the SLA, go to the integration instance where you ingest incidents.


    Any previous incident types that were ingested will not have the SLA set. You need to ingest the incidents again.

    1. Open the instance settings and select Fetches incidents (if not already set).

    2. Save the instance.

      After the instance fetches incidents, you may want to turn off the fetched incidents setting.

    3. Go to the incidents page and search for the incident type.

      You should see the SLA date.