Incident Investigation - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide

Open an incident in Cortex XSOAR and view incident details.

In the Incidents page, you can view all of the incidents in Cortex XSOAR:

  • View general information about each incident, such as the type, the severity, when it occurred, etc. The status of the incident is classified as follows:

    Active: The investigation has started. The War Room is activated and the playbook starts, if assigned. Users can be assigned to this incident.

    Pending: The investigation has not started and no War Room has been activated. As soon as you open the incident, it becomes active.

    Closed: The investigation has been closed.

  • By default, the Incidents page displays all open incidents from the last seven days. You can update this by creating a new search query. You can also Create a Widget From an Incident based on the search query and add it to a dashboard or report.

  • Incident type, severity, owner, etc. are displayed in bar charts. You can change these by selecting a different chart from the dropdown list at the top of each individual chart. You can also hide the chart panel.


Incidents sorted using an SLA/Timer field are sorted by the due date of the SLA field.

You can limit access to investigations and restrict investigations according to your requirements, as described in Incident Access Control Configuration.

Incident Navigation

You can navigate directly to a specific incident via the incident ID or incident name, using Ctrl+ K for Windows or Command-K for macOS.

When viewing an individual incident opened from My Incidents or the main Incidents page, you can navigate to the next/previous incident in the list from within the individual incident, without having to return to the original list. The navigation buttons are above the incident. The total number of incidents from the list is shown, as well as where you are in the list.

Only users with permissions to edit incidents can view the navigation buttons.

The navigation buttons are only available if the incident is opened from My Incidents or the Incidents page. If you navigate directly to an incident, without going through the Incidents page or My Incidents list, no navigation buttons appear.


In a multi-tenant environment, the incident navigation buttons are available when directly viewing a child tenant or if the child tenant is selected in the main account.

Incident Management

When you select an incident, you can do the following:

  • Investigate an Incident: View a detailed summary, investigate, add evidence, related incidents, etc.

  • Assign: You can assign incidents to any user who has been added to Cortex XSOAR, including users who are marked as away.

  • Edit: You can edit the incident parameters and then rerun a playbook on the incident, which is useful while developing playbooks. You can process an incident multiple times during playbook development, without creating new incidents every time.


    When batch editing multiple incidents, uploading files is currently not supported.

  • Mark as Duplicate.

  • Run Command.

  • Export to a CSV file. By default, the CSV file is generated in UTF8 format. To export an incident as a JSON file, run the !js script="return ${.}" command in the War Room,

  • Close the incident.

  • Delete the incident.

In addition, you can select multiple incidents and run a command across all of them. You can also delete or export batches of incidents or mark multiple incidents as duplicate.

You can filter the incidents that are ingested into Cortex XSOAR by manually de-duplicating incidents, setting up pre-process rules to perform certain actions, etc. After you close an incident you may want to automate an additional action such as closing a Remedy ticket. For more information, see Post Processing for Incidents.

Incidents can be assigned a severity, either at incident creation through the CLI, or by running a playbook. Incident severity levels are: Unknown (0), Informational (0.5), Low (1), Medium (2), High (3), Critical (4).

Investigate an Incident

An incident investigation can be opened in the following ways:

  • Automatically: If associated with a playbook, incidents open automatically for investigation and run the associated playbook.

  • Manually: Open an incident manually by selecting the incident in the Incidents table.


    After an incident is created, it is assigned a Pending status in the incident table. When you start to investigate an incident the status changes automatically to Active, which starts the remediation process.

  • CLI: If you want to open an incident in the CLI, type /investigate id=<incidentID#>.


In an investigation, images from external links will not appear, as they are restricted due to security issues. To use an image, either upload the image using base64 or upload it using markdown in the War Room.

You can link incidents, edit incidents, add a child incident, add tasks, notes, and so on. For more information, see incident actions.

When you open an incident, you see the following tabs, which assist you in the investigation.



Incident/Case Info

A summary of the incident, such as case details, work plan, evidence, etc. Most of the fields are for information only, although you can add the following:

  • Evidence: A summary of data marked as evidence. You can add evidence in this tab or in the Evidence Board.

  • Notes: Displays any notes that have been entered. For example, you can read notes to understand specific actions taken by the analyst and the underlying reasons, see chats between analysts to highlight how they arrived at a certain decision, etc. You can also see the thought process behind identifying key evidence and learn to identify similar incidents.

    You can also add notes in the War Room.

    Notes are searchable when using the Incidents search bar. You can use this to more easily locate incidents and leverage historical incident data.

  • Tasks: View tasks to complete as part of an investigation. You can add tasks in this tab or Create a To-Do Task.

You can send a permalink to a specific Investigation Summary by copying its URL.


You can edit the fields by customizing the incident layout.


A custom tab you can create that provides an overview of the information collected about the investigation, such as indicators, email information, URL screenshots, etc.

War Room

A comprehensive collection of all investigation actions, artifacts, and collaboration. It is a chronological journal of the incident investigation. Each incident has a unique War Room.

Work Plan

A visual representation of the running playbook that is assigned to the incident.

Evidence Board

View any entity that has been designated as evidence. The Evidence board stores key artifacts for current and future analysis. You can reconstruct attack chains and piece together key pieces of verification for root cause discovery.