Create an incident starring configuration that categorizes
and stars incidents when alerts contain attributes that you decide
are important. To help you focus on the incidents that matter most, you can star an
incident. Cortex XDR identifies starred incidents with a purple
star. You can star incidents in two ways: You can manually star
an incident after reviewing it, or you can create an incident starring
configuration that automatically categorizes and stars incidents
when a related alert contains the specific attributes that you decide
are important. After you define an incident starring configuration,
Cortex XDR adds a star indicator to any incidents that contain alerts
that match the configuration.
You can then sort or filter the Incidents table for incidents containing
starred alerts and similarly filter the Alerts table for starred alerts.
In addition, you can choose whether to display all incidents
or only starred incidents on the Incidents Dashboard.
Star a Specific Incident
To manually star an incident during or after
To open an incident, right-click the incident row and
Click the star icon.
changes to a purple star. After you star the incident, it appears
in filters for starred incidents. For example, on the
you can sort or filter by
Create a Starring Configuration
To proactively star alerts and incidents containing
alerts, create a starring configuration.
+ Add Starring Configuration
identify your starring configuration.
Enter a descriptive
identifies the reason or purpose of the starring configuration.
Use the alert filters to build the match criteria for
You can also right-click a specific value in the alert
to add it as match criteria. The app refreshes to show you which
alerts in the incident would be included.
the policy and confirm
If you later need to make changes, you can view, modify,
or delete the exclusion policy from the