Incident Management in the Main tenant - Multi-Tenant Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Multi-Tenant Guide

Cortex XSOAR
Creation date
Last date published
Multi-Tenant Guide

Open an incident in Cortex XSOAR and take action in Child tenants

In the main tenant, you can create and make changes to content such as dashboards, incidents, indicators, etc., and propagate content to child tenants. You can view data from all your child tenants or pivot to each tenant to take certain actions.

On the Incidents page, you can do the following:

  • Investigate an incident

    When clicking on an incident you pivot to the child tenant where you take action on the incident. You can view a detailed summary, take action on the incident, add evidence, related incidents, etc. For more information about these actions, see Incident Investigation.


    You can also pivot to a child tenant by clicking Main Tenant (top left of the window) and selecting the relevant child tenant.

  • Edit an incident

    Edit system fields such as name, owner, severity, and custom fields. When you save the changes they are propagated to the child tenant.

  • Run a command

    Sometimes you may need to run a command across all tenants. For more information, see Run a Command on Multiple Tenants.

  • Export an incident

    You can export to a CSV or an Excel file. By default, the CSV file is generated in UTF8 format.

  • Close or delete an incident

By default, the Incidents page displays open incidents (from all child tenants) in the last seven days. You can update this by creating a new search query and creating a widget from an incident based on that search query by adding it to a dashboard or report.

Incident types, severity, owner, etc. are displayed in bar charts. You can change these by selecting a different chart from the dropdown list at the top of each chart. You can also hide the chart panel.

Manage main tenant users in an investigation

Users can be added to the incident investigation in the child tenant via the main tenant or from the child tenant directly. When viewing a list of users, they are separated according to users and child tenant users.


If you access the child tenant directly and not via the main tenant, you will see a list of users, which is separated according to users and main tenant users.

You can add main and child tenant users to the investigation and in other places, which gives a holistic bilateral communication experience between the main and child tenants. You can do the following:

  • Add team members to the investigation

    Click Side panels and select Team.

  • Change the incident owner

  • Update tasks

    You can change the To-do tasks assignee or change the owner when completing a task.

  • Change the owner in Quick View

    Go to Side panelsQuick ViewOwner.

  • Update a task in the Work Plan

  • Add a user in the CLI

    When you type the user's name you can see whether they are from the main or child tenant. The user receives a system email to investigate.

  • Add users in the War Room

    When mentioning a user in the War Room, the user receives a system email regardless of whether they are a child or main tenant user.

In the Actions tab, you can copy the incident URL in the main/child tenant, so users can directly link to the main/child tenant. For example, when accessing the incident from the main tenant, you may want an end-user's input into the incident you are investigating. Copy the URL and send it to the user via email or Slack. The user opens the link and can start investigating.


Depending on where the link is copied from, users access the link either in the child tenant directly or from the child tenant via the main tenant.