End-of-Life (EoL)

Incident Investigation

custom Describes how to investigate an incident in Cortex SOAR.
An incident investigation can be opened in the following ways:
  • Automatically
    : If associated with a playbook, incidents open automatically for investigation and run the associated playbook.
  • Manually
    : Open an incident manually by selecting the incident in the Incidents table.
    After an incident is created, it is assigned a
    Pending
    status in the incident table. When you start to investigate an incident the status changes automatically to
    Active
    , which starts the remediation process.
  • CLI
    : If you want to open a incident in the CLI, type
    /investigate id=
    <incidentID#>
    .
Incidents page
When opening an incident, you see the following tabs, which assist you in the investigating the incident:
Tab
Description
Incident/Case Info
A summary of the incident, such as case details, work plan, evidence, and so on. Most of the fields are for information only, although you can add the following:
  • Evidence
    : A summary of data marked as evidence. You can add evidence in this tab or in the Evidence Board.
  • Notes
    : Displays any notes that have been entered. For example, understand specific actions taken by the analyst and the underlying reasons, see chats between analysts to highlight how they arrived at a certain decision, etc. You can also see the thought process behind identifying key evidence and learn about similar incidents in the future.
    You can also add notes in the War Room.
  • Tasks
    : View tasks to complete as part of an investigation. You can add tasks in this tab or Create a To-Do Task.
You can send a permalink to a specific Investigation Summary by copying its URL.
You can edit the fields by Incident Customization.
Investigation
An overview of the information collected about the investigation, such as indicators, email information, URL screen shots and so on
A comprehensive collection of all investigation actions, artifacts, and collaboration. It is a chronological journal of the incident investigation. Each incident has a unique War Room.
A visual representation of the running playbook that is assigned to the incident.
View any entity which has been designated as evidence. The Evidence board stores key artifacts for current and future analysis. You can reconstruct attack chains and piece together key pieces of verification for root cause discovery.
A visual representation of incidents that share similar characteristics, such as malicious indicators, or part of a phishing campaign.
Visually maps an incident, its elements, correlated investigation entities, and the progression path of the incident, combining analyst intelligence with machine learning.
The
Related Incidents
page is orientated towards exploration and searching for similar data. The
Canvas
maps incidents and indicators by enabling you to decide what you want to include in a layout of your choice.
You can Link Incidents, edit the incident, add a child incident, add tasks, notes, and so on. For more information, see incident actions.

Recommended For You