Incident Actions - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 8
Creation date: 2024-09-18
Last date published: 2024-11-28
Category: Administrator Guide
Solution: Cloud
Retire_Doc: Retiring
Link_to_new_Doc: /r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation
Abstract

Incident actions - add child incidents, tasks, notes, create a report, edit, delete, and restrict an incident type in Cortex XSOAR.

In an incident, you can undertake a number of actions, such as editing the incident, adding a child incident, adding tasks or notes, and so on.

When viewing an incident, from the Actions dropdown, you can do the following:

Edit: Edit the incident as required.

Report: Create a report to capture investigation-specific data and share it with team members.

Add Child Incident: Add a child incident to the incident.

Child investigations are used to compartmentalize sensitive War Room activity. You can create child investigations to collaborate discreetly with a select group of people on a specific topic of investigation. Child investigations are also used in situations where a secondary investigation is needed and its content may add too much "noise" to the original investigation.

You can also create child investigations from the CLI using the /investigation_child_create command.

To turn the child investigation into a discrete investigation, select the Restricted checkbox.

Caution: Closing a parent investigation also closes all associated child investigations.

Restrict incident: Restrict an investigation to the incident owner and team.

Close Incident: Mark the incident as closed.

Retain Incident/Undo Retain Incident: Mark the incident for retention or disable retention for the incident.

Delete: Delete the incident.

When viewing an incident, from the Side panels dropdown, you can do the following:

Quick View: See a summary of the incident, timeline information, labels, and indicators.

Incident Tasks: Add tasks for users to complete as part of an investigation.

Team: Add team members to the incident.

Context Data: View context data. The context is a map (dictionary) that is created for each incident and is used to store structured results from integration commands and scripts. The context keys are strings and the values can be strings, numbers, objects, or arrays.

You can use context data to:

  • Pass data between playbook tasks.

  • Capture the important structured data from scripts and display the data in the incident summary.
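The following Python script is an added illustration of how incident context data is structured and passed between playbook tasks; it is not Cortex XSOAR product code. It models the context as a plain dictionary with string keys and string, number, object (dict) or array (list) values, and uses two simplified stand-ins for the product's own mechanisms: set_context, which merges a list of objects on a key field the way command outputs are merged, and get_context, which resolves a dotted path such as IP.Address through arrays. The IP addresses, ASNs and vendor name are constructed sample values.

```python
"""Toy model of Cortex XSOAR incident context data.

Added example, not product code: the context is a per-incident dictionary whose
keys are strings and whose values are strings, numbers, objects (dicts) or arrays
(lists).  Commands and scripts write structured results into it and later playbook
tasks read them back by dotted path.  set_context (merge lists of objects on a key
field) and get_context (dotted-path lookup that walks through arrays) are
simplified stand-ins for the product's own mechanisms, written for illustration;
the IP addresses, ASNs and vendor name are constructed sample values.
"""
from typing import Any, Dict, List, Optional


def set_context(ctx: Dict[str, Any], prefix: str, outputs: Any,
                key_field: Optional[str] = None) -> None:
    """Store `outputs` under the top-level key `prefix`.

    Without key_field the value is simply replaced.  With key_field, a list of
    objects is merged into whatever is already stored: an object whose key_field
    matches an existing one updates it in place, an unseen key is appended.
    """
    if key_field is None or not isinstance(outputs, list):
        ctx[prefix] = outputs
        return
    existing = ctx.get(prefix)
    if isinstance(existing, list):
        merged: List[Dict[str, Any]] = list(existing)
    elif isinstance(existing, dict):
        merged = [existing]
    else:
        merged = []
    for item in outputs:
        for current in merged:
            if current.get(key_field) == item.get(key_field):
                current.update(item)      # same key: enrich the existing object
                break
        else:
            merged.append(dict(item))     # unseen key: add a new object
    ctx[prefix] = merged


def get_context(ctx: Dict[str, Any], path: str) -> List[Any]:
    """Resolve a dotted path such as "IP.Address" against the context.

    Each path segment is applied to every node reached so far; arrays are walked
    element by element, so "IP.Address" over a list of IP objects yields every
    address.  The result is always a flat list (empty when the path is missing).
    """
    nodes: List[Any] = [ctx]
    for segment in path.split("."):
        reached: List[Any] = []
        for node in nodes:
            for item in (node if isinstance(node, list) else [node]):
                if isinstance(item, dict) and segment in item:
                    reached.append(item[segment])
        nodes = reached
    flat: List[Any] = []
    for node in nodes:
        flat.extend(node if isinstance(node, list) else [node])
    return flat


def run_playbook_demo() -> Dict[str, Any]:
    """Two playbook tasks writing to one incident context, a third reading it."""
    ctx: Dict[str, Any] = {}
    # Task 1: a reputation command returns one IP object (constructed sample data).
    set_context(ctx, "IP", [{"Address": "198.51.100.7",
                             "Malicious": {"Vendor": "ExampleVendor",
                                           "Description": "sample verdict"}}],
                key_field="Address")
    # Task 2: an enrichment script returns ASN data for the same IP plus a new one;
    # the first object is merged into the existing entry, the second is appended.
    set_context(ctx, "IP", [{"Address": "198.51.100.7", "ASN": "AS64496"},
                            {"Address": "203.0.113.9", "ASN": "AS64497"}],
                key_field="Address")
    # Task 3: a later task reads the addresses back and stores a plain number.
    set_context(ctx, "EnrichedIPCount", len(get_context(ctx, "IP.Address")))
    return ctx


if __name__ == "__main__":
    context = run_playbook_demo()
    print(get_context(context, "IP.Address"))           # ['198.51.100.7', '203.0.113.9']
    print(get_context(context, "IP.Malicious.Vendor"))  # ['ExampleVendor']
    print(get_context(context, "EnrichedIPCount"))      # [2]
```

The merge on a key field is what lets several tasks enrich the same indicator object without overwriting each other's fields, and the dotted-path getter is why a playbook condition or a layout field can refer to a value by name rather than by position in the array.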

You can also edit or add actions in the Case Info/Incident Info page.

The Search in Incidents field enables you to search for values. By default, it searches across all incidents. You can also toggle to search This incident only.

Note: The This incident only option searches only within the incident's War Room entries. If a value exists in the incident but is not a War Room entry, no results are returned.