End-of-Life (EoL)

Incidents Management

Describes how incidents are managed in Cortex XSOAR.
Incidents are events that have been observed at a point in time for analysis. Cortex XSOAR ingests incidents from an integration instance, from the REST API, or from an incident that you create manually.
To view the REST API documentation, select API Keys > View Cortex XSOAR API.
In the page, you can view the following:
  • All incidents in Cortex XSOAR.
    By default, the page displays all open incidents from the last seven days. You can update this by creating a new search query.
    You can create a widget from an incident, based on the search query, and add it to a dashboard or report.
  • Incident categories in a bar chart format. You can change these categories by selecting a different chart from the drop-down list in each individual chart. You can also hide the chart panel.
  • All incidents that are ingested into Cortex XSOAR, in a table format that is used to assign incidents and perform batch actions on multiple incidents. You can see general information about the incident such as the type, the severity, when it occurred, and so on. The status of the incident is classified as follows:
    : The investigation has started. The War Room is activated and the Playbook starts, if assigned. Users can be assigned to this incident.
    : The investigation has not started and no War Room has been activated. As soon as you open the incident, it becomes active.
    : The investigation has been closed.
You can limit access to investigations and restrict investigations according to your requirements, as described in Incident Access Control Configuration.
When selecting the incident, you can do the following:
  • Investigate an incident: You can view a detailed summary, investigate, add evidence, see related incidents and so on.
  • Assign: You can assign incidents to any user that has been added to Cortex XSOAR.
  • Edit: You can edit the incident parameters and then rerun the incident, which is useful while developing playbooks. You can process an incident multiple times for a playbook while it is being developed, without creating new incidents every time.
  • Mark as Duplicate
  • Run Command
  • Export to a CSV file
  • Close the incident
  • Delete the incident
You can create a new incident by clicking New Incident. You can also create a new incident in the REST API.
You can filter the incidents that are ingested into Cortex XSOAR by manually de-duplicating incidents, setting up pre-process rules to perform certain actions, or automatically de-duplicating incidents. After you close an incident, you may want to automate an additional action, such as closing a Remedy ticket. For more information, see Post Processing for Incidents.
