Manage Incident Starring

Create an incident starring configuration that categorizes and stars incidents when alerts contain attributes that you decide are important.
To help you focus on the incidents that matter most, you can star an incident. Cortex XDR marks starred incidents with a purple star. You can star incidents in two ways: manually, after reviewing an incident, or automatically, by creating an incident starring configuration that categorizes and stars incidents when a related alert contains the attributes you decide are important. After you define an incident starring configuration, Cortex XDR adds the star indicator to any incident that contains an alert matching the configuration.
You can then sort or filter the Incidents table for incidents that contain starred alerts, and filter the Alerts table for starred alerts. You can also choose whether the Incidents Dashboard displays all incidents or only starred incidents.

Star a Specific Incident

To manually star an incident during or after investigation:
  1. Select Investigation → Incidents.
  2. To open an incident, right-click the incident row and select View Incident.
  3. Click the star icon.
     The star turns purple. After you star the incident, it appears in filters for starred incidents. For example, on the Incidents page you can sort or filter by Starred status.

Create a Starring Configuration

To automatically star alerts, and with them the incidents that contain those alerts, create a starring configuration.
  1. Select Investigation → Incident Management → Starred Alerts.
  2. Click + Add Starring Configuration.
  3. Enter a Configuration Name to identify your starring configuration.
  4. Enter a descriptive Comment that identifies the reason or purpose of the starring configuration.
  5. Use the alert filters to build the match criteria for the configuration.
     You can also right-click a specific value in an alert to add it as match criteria. The app refreshes to show you which alerts in the incident would be included.
  6. Create the configuration and confirm the action.
     If you later need to make changes, you can view, modify, or delete the starring configuration from the Investigation → Incident Management → Starred Alerts page.
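The procedure above builds a configuration whose match criteria are evaluated per alert, and an incident picks up the star when any of its alerts matches. The following Python model is an added illustration of that propagation, not Cortex XDR code: the criterion shape (field, operator, value), the operator set, the AND semantics across criteria and the sample configurations and alerts are all assumptions chosen to mirror the page's description, and they are useful if you want to reproduce the same "star the incident when one of its alerts matches" logic in your own triage pipeline.

```python
"""Model of alert-driven incident starring.

Added illustration, not Cortex XDR code. Field names, operators and all
sample data below are assumptions that mirror the page's description:
an alert is starred when it matches a configuration, and an incident is
starred when any of its alerts is starred (or an analyst starred it by hand).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# A criterion is (field, operator, value). The operator names are assumed.
Criterion = Tuple[str, str, object]


@dataclass
class StarringConfiguration:
    name: str
    comment: str
    criteria: List[Criterion]  # every criterion must match (AND)


@dataclass
class Alert:
    alert_id: str
    incident_id: str
    attributes: Dict[str, object]


def _matches(criterion: Criterion, alert: Alert) -> bool:
    """Evaluate one criterion against one alert; a missing field never matches."""
    fld, op, value = criterion
    actual = alert.attributes.get(fld)
    if actual is None:
        return False
    if op == "eq":
        return actual == value
    if op == "neq":
        return actual != value
    if op == "contains":  # case-insensitive substring, as a UI filter would behave
        return str(value).lower() in str(actual).lower()
    if op == "in":
        return actual in value
    raise ValueError(f"unsupported operator {op!r}")


def starred_alerts(configs: Iterable[StarringConfiguration],
                   alerts: Iterable[Alert]) -> Dict[str, List[str]]:
    """Return {alert_id: [names of configurations that matched]} for matching alerts."""
    hits: Dict[str, List[str]] = {}
    for alert in alerts:
        for cfg in configs:
            if all(_matches(c, alert) for c in cfg.criteria):
                hits.setdefault(alert.alert_id, []).append(cfg.name)
    return hits


def starred_incidents(configs: Iterable[StarringConfiguration],
                      alerts: List[Alert],
                      manually_starred: Iterable[str] = ()) -> Dict[str, str]:
    """Return {incident_id: reason} for every incident that should carry the star.

    A manual star is recorded as "manual"; otherwise the reason names the first
    matching alert and the configuration(s) it matched, which is what the
    Starred Alerts view lets you trace back to.
    """
    result = {inc: "manual" for inc in manually_starred}
    hits = starred_alerts(configs, alerts)
    for alert in alerts:
        if alert.alert_id in hits:
            names = ", ".join(hits[alert.alert_id])
            result.setdefault(alert.incident_id,
                              f"alert {alert.alert_id} matched {names}")
    return result


# Constructed sample data (assumed field names; not real alerts).
CONFIGS = [
    StarringConfiguration(
        name="Domain controller alerts",
        comment="High or critical alerts on any domain controller",
        criteria=[("host_name", "contains", "dc0"),
                  ("severity", "in", {"high", "critical"})],
    ),
    StarringConfiguration(
        name="Credential dumping",
        comment="Alerts mapped to MITRE ATT&CK T1003",
        criteria=[("mitre_technique", "eq", "T1003")],
    ),
]

ALERTS = [
    Alert("a1", "inc-100", {"host_name": "DC01", "severity": "high", "mitre_technique": "T1078"}),
    Alert("a2", "inc-100", {"host_name": "ws-17", "severity": "low", "mitre_technique": "T1059"}),
    Alert("a3", "inc-200", {"host_name": "ws-22", "severity": "medium", "mitre_technique": "T1003"}),
    Alert("a4", "inc-300", {"host_name": "dc02", "severity": "low", "mitre_technique": "T1021"}),
]

if __name__ == "__main__":
    for inc, why in sorted(starred_incidents(CONFIGS, ALERTS, ["inc-400"]).items()):
        print(inc, "->", why)
```

Note that inc-300 is not starred even though alert a4 is on a domain controller: both criteria of a configuration have to hold for the alert, so a low-severity DC alert does not qualify. That AND-across-criteria behaviour is an assumption of this model; check it against the match preview the app shows in step 5 before relying on it.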
