Incident actions - add child incidents, tasks, notes, create a report, edit, delete, and restrict an incident type in Cortex XSOAR.
In an incident, you can undertake a number of actions, such as edit the incident, add a child incident, add tasks, notes, and so on.
When viewing an incident, from the Actions dropdown, you can do the following:
Edit the incident as required.
Create a report to capture investigation specific data and share it with team members.
Add Child Incident
Add a child incident to the incident.
Child investigations are used to compartmentalize sensitive War Room activity. You can create child investigations to collaborate discreetly with a select group of people on a specific topic of investigation. Child investigations are also used in situations where a secondary investigation is needed and its content may add too much "noise" in the original investigation.
You can also create child investigations from the CLI using the
To turn the child investigation into a discrete investigation, select the Restricted checkbox.
Closing a parent investigation also closes all associated child investigations.
Restrict an investigation to the incident owner and team.
Mark the incident as closed.
Mark the incident for retention or disable retention for the incident.
Delete the incident.
When viewing an incident, from the Side panels dropdown, you can do the following:
You can see a summary of the incident, timeline information, labels, and indicators.
Add tasks for users to complete as part of an investigation.
Add team members to the incident.
View context data. The context is a map (dictionary) that is created for each incident and is used to store structured results from the integration commands and scripts. The context keys are strings and the values can be strings, numbers, objects, and arrays.
You can use context data to:
You can also edit or add actions in the Case Info/Incident Info page.