Create an Incident - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide

Create a new incident in , manually, through a feed, or by importing a JSON file.

Cortex XSOAR incidents can be created manually, from a JSON file, or from an integration feed.


The import JSON feature enables you to import event data from third-party software and use it to create new incidents in Cortex XSOAR. These incidents can be used to build and troubleshoot playbooks for integrations that have not yet been installed or configured.

  • Create an incident manually.

    Go to the Incidents page, click New Incident and enter relevant data, including custom fields if needed.

  • Create an incident from a JSON file.

    1. Go to Settings & InfoSettingsObject SetupIncidentsClassification & Mapping and click the mapper you want to use.

    2. From the Get Data drop-down, choose Upload JSON then click the paper clip icon and browse to and select the JSON file you want to upload.

    3. Map the fields.

    4. From the market-gear.png menu, select + Create Incident from JSON. Select the incident type and Create Incident.

  • Fetch Incidents From an Integration Instance.