Incident Actions - Administrator Guide - 6.6 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.6
Creation date
2022-09-29
Last date published
2024-03-21
End_of_Life
EoL
Category
Administrator Guide
Abstract

Incident actions - add child incidents, tasks, notes, create a report, edit, delete, and restrict an incident type in Cortex XSOAR.

In an incident, you can undertake a number of actions, such as edit the incident, add a child incident, add tasks, notes, and so on.

When viewing an incident, from the Actions dropdown, you can do the following:

Action

Description

Edit

Edit the incident as required.

Report

Create a report to capture investigation specific data and share it with team members.

Add child incident

Add a child incident to the incident.

Child investigations are used to compartmentalize sensitive War Room activity. You can create child investigations to collaborate discreetly with a select group of people on a specific topic of investigation. Child investigations are also used in situations where a secondary investigation is needed and its content may add too much "noise" in the original investigation.

You can also create child investigations from the CLI using the /investigation_child_create command.

To turn the child investigation to a discrete investigation, select the Restricted checkbox.

Warning

Closing a parent investigation also closes all associated child investigations.

Restrict incident

Restrict an investigation to the incident owner and team.

Close incident

Mark the incident as closed.

Delete

Delete the incident.

When clicking i_icon.png you can undertake the following actions:

Action

Description

Quick View

You can see a summary of the incident, timeline information, labels, and indicators.

Incident Tasks

Add tasks for users to complete as part of an investigation.

Team

Add team members to the incident.

Context Data

View context data. The context is a map (dictionary) that is created for each incident and is used to store structured results from the integration commands and automation scripts. The context keys are strings and the values can be strings, numbers, objects, and arrays.

You can use context data to:

  • Pass data between playbook tasks.

  • Capture the important structured data from automations and display the data in the incident summary

You can also edit or add actions in the Case Info/Incident Info field.