Create an incident - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product: Cortex XSOAR
Version: 8
Creation date: 2024-03-07
Last date published: 2024-11-28
Category: Administrator Guide
Solution: Cloud
Abstract

Create a new incident manually, through the API, ingest incidents, or import a JSON file.

You can create incidents in Cortex XSOAR from:

  • The Incidents page

  • An indicator

  • A JSON file (primarily used for playbook testing)

  • The API

    To create a single incident using the API, use the /incident endpoint. If you create an incident via the API and do not set createInvestigation: true, the incident is created but no investigation is opened and no playbook runs automatically. For more information, see Create or update an incident.

    To view the full API documentation, go to Cortex XSOAR 8 API Reference guide.

  • Integration feeds

    Incidents can be created from an integration instance. For more information about how to fetch incidents, see Fetch incidents from an integration instance.
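As an added example (not code from the Cortex XSOAR documentation), the following Python script maps a constructed third-party event into an /incident request body with createInvestigation set, then posts it. The /incident path and the createInvestigation flag come from the text above; the header names, the base URL, the field and severity mappings and the sample event are assumptions made here.

```python
import json
import urllib.request

# Constructed third-party event to map (example data, not from the product).
SAMPLE_EVENT = {
    "alert_title": "Suspicious login from new device",
    "description": "3 failed MFA prompts followed by a success",
    "severity": "High",
}

# Third-party key -> XSOAR incident field (assumed; this is what a mapper does).
FIELD_MAP = {"alert_title": "name", "description": "details"}

# XSOAR severities are numeric: 0 unknown, 1 low, 2 medium, 3 high, 4 critical.
SEVERITY_MAP = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def build_incident(event, incident_type, create_investigation=True):
    """Map a raw event into an /incident request body.

    createInvestigation defaults to True: without it the incident is created
    but no investigation is opened and no playbook runs automatically.
    """
    body = {"type": incident_type, "createInvestigation": create_investigation}
    for src, dst in FIELD_MAP.items():
        if src in event:
            body[dst] = event[src]
    body["severity"] = SEVERITY_MAP.get(str(event.get("severity", "")).lower(), 0)
    body.setdefault("name", f"{incident_type} (unnamed event)")
    return body


def post_incident(base_url, api_key, auth_id, body, sender=None):
    """POST the body to <base_url>/incident and return the parsed response.

    Header names are assumptions for XSOAR 8 cloud API keys; `sender` lets a
    test replace the network call with a stub.
    """
    req = urllib.request.Request(
        base_url.rstrip("/") + "/incident",
        data=json.dumps(body).encode("utf-8"),
        headers={
            "Authorization": api_key,
            "x-xdr-auth-id": str(auth_id),
            "Content-Type": "application/json",
        },
        method="POST",
    )

    def _send(r):
        return json.load(urllib.request.urlopen(r))

    return (sender or _send)(req)
```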

Note

If you can't create an incident from any of these options, you may not have sufficient user role permissions. Contact your Cortex XSOAR administrator for more details.

To manually create an incident:

  1. Select Incidents > New Incident.

  2. Add the relevant data as required.

  3. Click Create new incident.

    The incident is added to the incidents table.

Note

If any fields are missing, these fields can be added when configuring a layout.

You need administrator permission to configure a layout. For more information, see Incident layout customization.

To create an incident from an indicator:

  1. In the Indicators tab, select the indicator.

  2. Click Create incident.

    The incident appears in the incidents table on the Incidents page.

The import JSON feature enables you to import event data from third-party software and use it to create new incidents in Cortex XSOAR. These incidents can be used to build and troubleshoot playbooks for integrations that have not yet been installed or configured.

To create an incident from a JSON file:

  1. Go to Settings & Info > Settings > Object Setup > Incidents > Classification & Mapping and click the mapper you want to use.

  2. From the Get Data drop-down, choose Upload JSON and then select the JSON file you want to upload.

  3. Map the fields as required. For more information, see Classification and mapping.

  4. Click the gear icon and select Create Incident from JSON.

  5. Select the incident type and click Create Incident.