Open an incident in Cortex XSOAR and take action in Child tenants
In the main tenant, you can create and make changes to content such as dashboards, incidents, indicators, etc., and propagate content to child tenants. You can view data from all your child tenants or pivot to each tenant to take certain actions.
On the Incidents page, you can do the following:
Investigate an incident
When you click an incident, you pivot to the child tenant, where you take action on the incident. You can view a detailed summary, take action on the incident, add evidence, add related incidents, etc. For more information about these actions, see Incident Investigation.
Note
You can also pivot to a child tenant by clicking Main Tenant (top left of the window) and selecting the relevant child tenant.
Edit an incident
Edit system fields such as name, owner, severity, and custom fields. When you save the changes they are propagated to the child tenant.
Run a command
Sometimes you may need to run a command across all tenants. For more information, see Run a Command on Multiple Tenants.
Export an incident
You can export to a CSV or an Excel file. By default, the CSV file is generated in UTF-8 format.
Close or delete an incident
By default, the Incidents page displays open incidents (from all child tenants) from the last seven days. You can change this by creating a new search query, and you can create a widget from an incident based on that search query by adding it to a dashboard or report.
Incident types, severity, owner, etc. are displayed in bar charts. You can change these by selecting a different chart from the dropdown list at the top of each chart. You can also hide the chart panel.
Manage main tenant users in an investigation
Users can be added to the incident investigation in the child tenant via the main tenant or from the child tenant directly. When you view a list of users, the list is separated into users and child tenant users.
Note
If you access the child tenant directly and not via the main tenant, you see a list of users that is separated into users and main tenant users.
You can add main and child tenant users to the investigation and in other places, which gives a holistic bilateral communication experience between the main and child tenants. You can do the following:
Add team members to the investigation
Click Side panels and select Team.
Change the incident owner
Update tasks
You can change the assignee of To-do tasks or change the owner when completing a task.
Change the owner in Quick View
Go to → → .
Update a task in the Work Plan
Add a user in the CLI
When you type the user's name, you can see whether they are from the main or child tenant. The user receives a system email to investigate.
Add users in the War Room
When mentioning a user in the War Room, the user receives a system email regardless of whether they are a child or main tenant user.
In the Actions tab, you can copy the incident URL in the main/child tenant, so users can directly link to the main/child tenant. For example, when accessing the incident from the main tenant, you may want an end-user's input into the incident you are investigating. Copy the URL and send it to the user via email or Slack. The user opens the link and can start investigating.
Note
Depending on where the link is copied from, users access the link either in the child tenant directly or from the child tenant via the main tenant.