Create an incident starring configuration that categorizes
and stars incidents when alerts contain attributes that you decide
To help you focus on the incidents that matter most, you can star an
incident. Cortex XDR identifies starred incidents with a purple
star. You can star incidents in two ways: You can manually star
an incident after reviewing it, or you can create an incident starring
configuration that automatically categorizes and stars incidents
when a related alert contains the specific attributes that you decide
After you define an incident starring configuration,
Cortex XDR adds a star indicator to any incidents that contain alerts
that match the configuration.
You can then sort or filter the Incidents table for incidents containing
starred alerts and similarly filter the Alerts table for starred
alerts. You can also choose whether to display all
incidents or only starred incidents on the Incidents Dashboard.
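The matching and star propagation described above, modelled offline as an added example (this is not Cortex XDR code or its API). The field names, operators, AND-combination of criteria and sample alerts are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed operators; the page does not list the ones the alert filters offer.
OPS = {
    "eq": lambda actual, want: actual == want,
    "in": lambda actual, want: actual in want,
    "contains": lambda actual, want: want.lower() in str(actual).lower(),
}

@dataclass
class StarringConfig:
    name: str
    comment: str
    criteria: list  # (field, operator, value); all must match (assumed AND)

    def matches(self, alert):
        # Empty criteria or a missing field never match, so a blank
        # configuration cannot star every incident by accident.
        return bool(self.criteria) and all(
            f in alert and OPS[op](alert[f], want) for f, op, want in self.criteria
        )

def apply_starring(alerts, configs, manually_starred=()):
    """Return (starred alert ids, starred incident ids)."""
    starred_alerts = {a["alert_id"] for a in alerts
                      if any(c.matches(a) for c in configs)}
    # An incident is starred when it contains at least one starred alert,
    # or when an analyst starred it by hand.
    starred_incidents = {a["incident_id"] for a in alerts
                         if a["alert_id"] in starred_alerts}
    return starred_alerts, starred_incidents | set(manually_starred)

def dashboard(alerts, starred_incidents, starred_only=False):
    """Incident ids shown: all of them, or only the starred ones."""
    ids = sorted({a["incident_id"] for a in alerts})
    return [i for i in ids if not starred_only or i in starred_incidents]

# Constructed sample alerts (hypothetical field names and values).
SAMPLE_ALERTS = [
    {"alert_id": 1, "incident_id": 100, "severity": "high", "host": "dc01.corp.example"},
    {"alert_id": 2, "incident_id": 100, "severity": "low", "host": "wks-17.corp.example"},
    {"alert_id": 3, "incident_id": 101, "severity": "medium", "host": "wks-17.corp.example"},
    {"alert_id": 4, "incident_id": 102, "severity": "high", "host": "wks-22.corp.example"},
    {"alert_id": 5, "incident_id": 103, "severity": "high"},  # no host field
]
DC_HIGH = StarringConfig("dc-high-severity", "High-severity alerts on domain controllers",
                         [("severity", "in", {"high", "critical"}), ("host", "contains", "dc0")])

if __name__ == "__main__":
    alerts_starred, incidents_starred = apply_starring(SAMPLE_ALERTS, [DC_HIGH], manually_starred=[102])
    print(alerts_starred, dashboard(SAMPLE_ALERTS, incidents_starred, starred_only=True))
```

Running the same criteria over an export of recent alerts before saving a configuration shows how many incidents it would star, which helps keep the starred view narrow enough to be useful.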
Star a Specific Incident
To manually star an incident during or after
From the Incident List, locate the incident you want
Select the star icon.
Create a Starring Configuration
To proactively star alerts and incidents containing
alerts, create a starring configuration.
+ Add Starring Configuration
identify your starring configuration.
Enter a descriptive
identifies the reason or purpose of the starring configuration.
Use the alert filters to build the match criteria for
You can also right-click a specific value in the alert
to add it as match criteria. The app refreshes to show you which
alerts in the incident would be included.
the policy and confirm
If you later need to make changes, you can view, modify,
or delete the exclusion policy from the