Open an incident in Cortex XSOAR and take action on Child tenants
On the Main Tenant, you can create and make changes to content such as dashboards, incidents, and indicators, and propagate content to child tenants. You can view data from all your child tenants or pivot to each tenant to take certain actions.
On the Incidents page, you view and take action on incidents across all tenants. You can do the following:
Action | Description |
---|---|
Investigate an incident | When you click an incident, you pivot to the child tenant, where you take action on the incident. You can view a detailed summary, take action on the incident, add evidence and related incidents, and so on. For more information about these actions, see |
Edit an incident | Edit system fields such as name, owner, severity, and custom fields. When you save the changes they are propagated to the child tenant. |
Run a command | Sometimes you may need to run a command across all tenants. For more information, see |
Export an incident | You can export to a CSV file. By default, the CSV file is generated in UTF-8 format. |
Close/delete | Close or delete an incident. |
For more information about incident management generally in Cortex XSOAR, see Incident Management.
Note
You can't create incidents on the Main Tenant.
Although you can't investigate incidents directly, you can pivot to the incident on the child tenant by clicking the incident. You can also go to the child tenant's incident page by clicking Main Tenant (top left of the window) and selecting the relevant child tenant.
By default, the Incidents page displays open incidents (from all child tenants) in the last seven days. You can filter this by changing the date and selecting the relevant tenant.
Manage Main Tenant users in an investigation
Users can be added to the incident investigation in the child tenant from the Main Tenant or from the child tenant directly. When you view a list of users, the list is separated into users and child tenant users.
Note
You will see a list of users, separated according to USERS and MAIN TENANT USERS. If you access the child tenant directly and not via the Main Tenant, you are considered a child tenant user (under USERS).
You can add main and child tenant users to the investigation and in other places, which enables two-way communication between the main and child tenants. You can do the following:
Add team members to the investigation
Click Side panels and select Team.
Change the incident owner
Update tasks
You can change the assignee of a To-do task or change the owner when completing a task.
Change the owner in Quick View
Go to → → .
Update a task in the Work Plan
Add a user in the CLI
When you type the user's name you can see whether they are from the main or child tenant. The user receives a system email to investigate.
Add users in the War Room
When mentioning a user in the War Room, the user receives a system email regardless of whether they are a child or main tenant user.
In the Actions tab, you can copy the incident URL in the main/child tenant, so users can directly link to the main/child tenant. For example, when accessing the incident from the main tenant, you may want an end-user's input into the incident you are investigating. Copy the URL and send it to the user via email or Slack. The user opens the link and can start investigating.
For the full range of investigation options, see Investigate an incident.
Note
Depending on where the link is copied from, users access the link either in the child tenant directly or from the child tenant via the main tenant.