Incident actions - add child incidents, tasks, notes, create a report, edit, delete, and restrict an incident type in Cortex XSOAR.
In an incident, you can undertake a number of actions, such as edit the incident, add a child incident, add tasks, notes, and so on.
When viewing an incident, from the Actions dropdown, you can do the following:
Action | Description |
---|---|
Edit | Edit the incident as required. |
Create a report to capture investigation specific data and share it with team members. | |
Add Child Incident | Add a child incident to the incident. Child investigations are used to compartmentalize sensitive War Room activity. You can create child investigations to collaborate discreetly with a select group of people on a specific topic of investigation. Child investigations are also used in situations where a secondary investigation is needed and its content may add too much "noise" in the original investigation. You can also create child investigations from the CLI using the To turn the child investigation into a discrete investigation, select the Restricted checkbox. CautionClosing a parent investigation also closes all associated child investigations. |
Restrict an investigation to the incident owner and team. | |
Close Incident | Mark the incident as closed. |
Mark the incident for retention or disable retention for the incident. | |
Delete | Delete the incident. |
When viewing an incident, from the Side panels dropdown, you can do the following:
Action | Description |
---|---|
Quick View | You can see a summary of the incident, timeline information, labels, and indicators. |
Add tasks for users to complete as part of an investigation. | |
Team | Add team members to the incident. |
View context data. The context is a map (dictionary) that is created for each incident and is used to store structured results from the integration commands and scripts. The context keys are strings and the values can be strings, numbers, objects, and arrays. You can use context data to:
|
You can also edit or add actions in the Case Info/Incident Info page.
The Search in Incidents field enables you to search for values. By default, it searches across all incidents. You can also toggle to search This incident only.
Note
This incident only searches only within the incident's War Room entries. If a value exists in the incident but is not a War Room entry, no results are returned.