Incident Management

Open, investigate, and manage incidents in Cortex XSOAR.
Incidents are events that have been observed at a point in time and saved for analysis. Incidents can be ingested from third party integrations, created manually through the user interface, or generated through the REST API.
To view the REST API documentation, select
Settings
INTEGRATIONS
API Keys
View Cortex XSOAR API
.
In the
Incidents
page, you can view all of the incidents in Cortex XSOAR:
  • You can view general information about each incident, such as the type, the severity, when it occurred, etc. The status of the incident is classified as follows:
    Active
    : The investigation has started. The War Room is activated and the Playbook starts, if assigned. Users can be assigned to this incident.
    Pending
    : The investigation has not started and no War Room has been activated. As soon as you open the incident, it becomes active.
    Closed
    : The investigation has been closed.
  • By default, the
    Incidents
    page displays all open incidents from the last seven days. You can update this by creating a new search query. You can also Create a Widget From an Incident, based on the search query and add it to a dashboard or report.
  • Incident type, severity, owner, etc. are displayed in bar charts. You can change these by selecting a different chart from the drop down list at the top of each individual chart. You can also hide the chart panel.
You can limit access to investigations and restrict investigations according to your requirements, as described in Incident Access Control Configuration.
When you select an incident, you can do the following:
  • Investigate an incident: You can view a detailed summary, investigate, add evidence, see related incidents, etc.
  • Assign
    : You can assign incidents to any user that has been added to Cortex XSOAR.
  • Edit
    : You can edit the incident parameters and then rerun the incident again, which is useful while developing playbooks. You can process an incident multiple times during playbook development, without creating new incidents every time.
  • Mark as Duplicate
    .
  • Run Command
    .
  • Export
    to a CSV file. By default, the CSV file is generated in UFT8 format. You can change this to the UTF8-BOM format.
  • Close
    the incident.
  • Delete
    the incident.
In addition, you can select multiple incidents and run a command across all of them. You can also delete or export batches of incidents or mark multiple incidents as duplicate.
You can create a new incident by clicking
New Incident
. You can also create a new incident in the REST API.
You can filter the incidents that are ingested into Cortex XSOAR by Manually De-Duplicate Incidents, setting up pre-process rules to perform certain actions, or automatically de-duplicate incidents. After you close an incident you may want to automate an additional action such as closing a Remedy ticket. For more information, see Post Processing for Incidents.
Incidents can be assigned a severity - either at incident creation, manually, through the CLI, or by running a playbook. Incident severity levels are: Unknown (0), Informational (0.5), Low (1), Medium (2), High (3), Critical (4).

Recommended For You