Incident Case Management

Accelerate incident response by unifying alerts, incidents and indicators from any source on a single platform for lightning-quick search, query and investigation.

WHY IT MATTERS

Ticketing needs a makeover

Traditional ticketing solutions were not designed for rapid security incident response and war room information sharing and investigations.

  • Siloed tools

    Security teams must coordinate across detection, threat intelligence, enforcement and collaboration tools during incident response.

  • Lack of visibility

    Multiple teams involved in incident response often don’t have the full picture or latest intel.

  • Lack of unified metrics

    Security teams lack the time, flexibility and centralized data to visualize relevant metrics and track SOC health.


The Cortex XSOAR Solution

Cortex XSOAR centralizes incident case management

Unlike traditional ticketing tools, our case management was designed for security incident responders. Incident views are specific to the incident type, so you get only the data relevant to your investigation. Each incident has its own war room where analysts can collaborate in real time.
  • Manage alerts with security-focused case management
  • Boost SecOps efficiency with real-time collaboration
  • Speed investigation with centralized access to incidents, indicators and threat intel
  • Virtual war room
  • Real-time ChatOps
  • Built-in ML assistance
  • Ticket mirroring

Our approach to security-focused case management

A war room for every incident

Each incident is associated with a war room where analysts can investigate and collaborate in real time. Significant incident artifacts can be tagged as evidence, and every action performed by a playbook or an analyst is documented automatically, giving you a complete timeline of the investigation.

  • Incident-specific layouts

    Get incident views and flows specific to incident type, so all relevant data is at your fingertips. Create custom tabs and layouts for any incident type with full role-based access control.

  • Centralized ticket repository

    Manage all your security incidents from one location. Full ticket mirroring with tools such as ServiceNow, Jira and Slack allows you to automate ticketing tasks and manage your tickets from one location, so status and comments stay in sync whichever system the update was made in.


Take the tedium out of reporting

Gain unparalleled visibility into SecOps metrics with fully customizable dashboards and reports. Use both out-of-the-box and user-created widgets to visualize any cross section of incident, indicator and analyst data.

  • Widget-driven dashboards and reports

    Flexible, widget-driven dashboards and reports can be fully customized to your operational needs.

  • Eliminate manual reporting

    Auto-documentation and playbooks take the tedium out of manual post-investigation rollups. Reports can be auto-generated and scheduled for delivery to stakeholders.


Integrated threat intelligence

Take control of your threat data. Aggregate disparate sources, customize and score feeds, match indicators against incidents in your environment and leverage playbook automation to drive instant action.

  • Automate your threat intel

    Automate a wide range of threat intel management tasks such as exclusion list administration, indicator prioritization and automated threat hunting.

  • Rich context for your incidents

    Gain confidence in identifying enterprise-relevant attacks. Run automated workflows against external intel data and internal alerts to surface critical threats.
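As an added example of the workflow this section describes (aggregating several feeds into one scored indicator, honouring an exclusion list, and matching the result against incident artifacts), the following is illustrative code, not Cortex XSOAR's own implementation. It is written in Python, the language most XSOAR automations use. The feed reliability weights, the exclusion list, the feed entries and the incidents are all constructed sample data, and the scoring rule (combining feeds as 1 - prod(1 - reliability * confidence)) is one reasonable choice rather than the product's.

```python
"""Indicator aggregation, scoring, exclusion and matching against incidents.

Illustrative example only; constructed data, not XSOAR's own scoring.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Reliability weight per feed source (constructed values; tune to your own feeds).
FEED_RELIABILITY = {
    "vendor_feed": 0.9,
    "osint_feed": 0.6,
    "internal_hunt": 0.8,
}

# Exclusion list: indicators that must never be scored as malicious (constructed).
EXCLUDED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
EXCLUDED_DOMAINS = {"update.example-corp.internal", "cdn.example-vendor.com"}


@dataclass
class Indicator:
    value: str
    itype: str                 # "ip", "domain" or "sha256"
    score: float = 0.0         # combined 0..1 score across all feeds that list it
    sources: list = field(default_factory=list)


def is_excluded(value: str, itype: str) -> bool:
    """True when the indicator sits on the exclusion list."""
    if itype == "ip":
        try:
            addr = ip_address(value)
        except ValueError:
            return False
        return any(addr in net for net in EXCLUDED_NETWORKS)
    if itype == "domain":
        return value.lower() in EXCLUDED_DOMAINS
    return False


def aggregate(feed_entries):
    """Merge entries from several feeds into one indicator per (type, value).

    Scores combine as 1 - prod(1 - reliability * confidence), so corroboration
    by a second feed raises the score without ever exceeding 1.
    """
    merged = {}
    for entry in feed_entries:
        if is_excluded(entry["value"], entry["type"]):
            continue  # exclusion list wins over every feed
        key = (entry["type"], entry["value"].lower())
        ind = merged.setdefault(key, Indicator(entry["value"].lower(), entry["type"]))
        weight = FEED_RELIABILITY.get(entry["source"], 0.3) * entry["confidence"]
        ind.score = 1 - (1 - ind.score) * (1 - weight)
        ind.sources.append(entry["source"])
    return merged


def match_incidents(indicators, incidents, threshold=0.7):
    """Return (incident_id, indicator_value, score) for every incident artifact
    that hits an indicator scoring at or above the threshold, highest first."""
    hits = []
    for inc in incidents:
        for itype, value in inc["artifacts"]:
            ind = indicators.get((itype, value.lower()))
            if ind and ind.score >= threshold:
                hits.append((inc["id"], ind.value, round(ind.score, 3)))
    return sorted(hits, key=lambda h: h[2], reverse=True)


# Constructed sample feed entries and incidents.
SAMPLE_FEEDS = [
    {"source": "vendor_feed", "type": "ip", "value": "203.0.113.7", "confidence": 0.8},
    {"source": "osint_feed", "type": "ip", "value": "203.0.113.7", "confidence": 0.5},
    {"source": "osint_feed", "type": "domain", "value": "Bad-Example.test", "confidence": 0.9},
    {"source": "internal_hunt", "type": "ip", "value": "10.1.2.3", "confidence": 1.0},  # internal range: excluded
    {"source": "osint_feed", "type": "domain", "value": "cdn.example-vendor.com", "confidence": 0.9},  # excluded
]
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "artifacts": [("ip", "203.0.113.7"), ("domain", "cdn.example-vendor.com")]},
    {"id": "INC-2", "artifacts": [("domain", "bad-example.test")]},
    {"id": "INC-3", "artifacts": [("ip", "10.1.2.3")]},
]

if __name__ == "__main__":
    inds = aggregate(SAMPLE_FEEDS)
    for hit in match_incidents(inds, SAMPLE_INCIDENTS):
        print(hit)
```

With the sample data, the IP corroborated by two feeds scores 0.804 and surfaces INC-1, while the single-source domain in INC-2 scores 0.54 and only appears if the threshold is lowered; INC-3 never matches because its artifact is on the exclusion list. In a real playbook the threshold is where you decide which hits trigger automatic action and which merely enrich the incident for an analyst.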


Use Case Example: Cloud Security Case Management

Automate the management of your cloud alerts, including distribution to all stakeholders in your organization.

Shift Management for Incident Responders

You can define multiple shifts within Cortex XSOAR. Each shift is assigned a user role, so you can place one or more analysts on each shift across the day or week. Incidents can be routed to analysts based on shift, current workload and machine learning recommendations, so that incoming incidents always land with someone who is on duty.
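To make the routing logic concrete, here is an added Python example of shift- and workload-based assignment. It is illustrative code written for this page, not Cortex XSOAR's own routing, and it models only the shift and workload criteria (the machine learning recommendation mentioned above is not modelled). The shift table, the analyst roster, the open-incident counts and the fallback "oncall-lead" are all constructed assumptions.

```python
"""Route incidents to on-shift analysts by workload.

Illustrative example with constructed shifts and roster; not XSOAR's own code.
"""
from datetime import datetime, time

# Constructed shift definitions. Weekdays: Monday=0 .. Sunday=6.
# A shift whose end time is not after its start time wraps past midnight.
SHIFTS = [
    {"name": "day",     "role": "tier1-day",     "days": {0, 1, 2, 3, 4}, "start": time(6),  "end": time(14)},
    {"name": "evening", "role": "tier1-evening", "days": {0, 1, 2, 3, 4}, "start": time(14), "end": time(22)},
    {"name": "night",   "role": "tier1-night",   "days": {0, 1, 2, 3, 4}, "start": time(22), "end": time(6)},
    {"name": "weekend", "role": "tier1-weekend", "days": {5, 6},          "start": time(8),  "end": time(20)},
]

# Constructed roster: which shift roles each analyst holds and how many
# incidents they already have open.
ROSTER = [
    {"name": "alice", "roles": {"tier1-day"},               "open": 2},
    {"name": "bob",   "roles": {"tier1-day"},               "open": 0},
    {"name": "carol", "roles": {"tier1-night"},             "open": 1},
    {"name": "dave",  "roles": {"tier1-weekend"},           "open": 0},
    {"name": "erin",  "roles": {"tier1-evening"},           "open": 4},
]


def shift_active(shift, now: datetime) -> bool:
    """True if the shift is on duty at the given local time, including shifts
    that started the previous day and run past midnight."""
    t = now.time()
    if shift["start"] < shift["end"]:
        return now.weekday() in shift["days"] and shift["start"] <= t < shift["end"]
    if t >= shift["start"]:                       # evening part, same day
        return now.weekday() in shift["days"]
    if t < shift["end"]:                          # early-morning part, started yesterday
        return (now.weekday() - 1) % 7 in shift["days"]
    return False


def route_incidents(incident_ids, now: datetime, roster, fallback="oncall-lead"):
    """Assign each incident to the least-loaded analyst whose role is on shift.

    Workload is tracked across the batch so consecutive incidents spread out.
    When nobody is on shift (a coverage gap), the incident goes to the fallback
    owner so it is never left unassigned.
    """
    active_roles = {s["role"] for s in SHIFTS if shift_active(s, now)}
    load = {a["name"]: a["open"] for a in roster}
    candidates = [a["name"] for a in roster if a["roles"] & active_roles]
    assignments = {}
    for inc_id in incident_ids:
        if not candidates:
            assignments[inc_id] = fallback
            continue
        owner = min(candidates, key=lambda n: (load[n], n))  # least loaded, name breaks ties
        load[owner] += 1
        assignments[inc_id] = owner
    return assignments


if __name__ == "__main__":
    print(route_incidents(["INC-1", "INC-2", "INC-3"], datetime(2024, 3, 5, 10, 30), ROSTER))
    print(route_incidents(["INC-4"], datetime(2024, 3, 6, 2, 0), ROSTER))    # night shift, past midnight
    print(route_incidents(["INC-5"], datetime(2024, 3, 10, 3, 0), ROSTER))   # Sunday 03:00: nobody on shift
```

The two details worth copying into any real rota logic are the midnight wrap (a night shift that started on Friday still covers Saturday 03:00, but a Sunday 03:00 incident falls into a gap) and the explicit fallback owner, which is how the coverage guarantee the section promises actually gets enforced.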