Incident Detail

The incident priority (color-coded based on incident priority score) and the current status that has been assigned to the incident are shown in the upper portion of the header for immediate visibility.

To change the incident status, click the Status drop-down menu and choose a new status.

Information: When the status of an incident from Cisco Secure Endpoint is closed in Cisco XDR Incidents, the compromise event in Secure Endpoint that is linked to the incident is set to Resolved. No other action is required in Secure Endpoint.

The incident Title and Short description are displayed prominently in the header to provide information about which product reported the incident and a timestamp for when it was reported. The AI-generated label is displayed at the end of the Short description if the description was generated by Cisco AI.

To view the full Short description, click the more link. To collapse the description, click less.

You can edit the incident title and short description by clicking the (Edit) icon. While editing the short description, If you navigate away from the text editor, the short description is automatically saved as a draft for the current browser tab only. The draft content is not available if the same session of Cisco XDR is opened in another browser tab. To restore the short description, return to the content and continue with your edits or click Undo or Use draft to remove or restore the draft content.

Note: The (Edit) icon is not available for AI generated incident title, short description, or long description.

You can also click the reporting product name to pivot to that product and view the compromised event(s) that generated the incident.

The View detailed description link is displayed just above the Short description in the header. The Detailed description provides a high-level description of the incident, including the source of the incident and the reason for promotion. The summary information varies depending on the reporting product. You can view and edit the Detailed description if the description was not generated by Cisco AI.

1. Click View detailed description in the header to open the Description dialog box.

Note: The AI-generated label is displayed at the bottom of the Description dialog box if the description was generated by Cisco AI.



Note: The Edit button is not available in the Description dialog box if the detailed description was generated by Cisco AI.

2. Click Edit to open the editor.



3. On the Write page, enter your changes in markdown format. You can also use the options available in the formatting toolbar.

   Note: If you navigate away from the text editor while editing, the description is automatically saved as a draft for the current browser tab only. The draft content is not available if the same session of Cisco XDR is opened in another browser tab. To restore the description, return to the text editor and continue with your edits or click Undo or Use draft to remove or restore the draft content.

4. Optionally, click the Preview tab to view the modified description.

5. Click Save to close the editor.

6. Click Close to exit the Description dialog box.

The number of linked incidents is displayed beneath the incident title. Click Linked Incidents to open the Linked Incidents drawer and view the other incidents that are linked to the selected incident.

The Linked Incidents drawer displays the total number and list of incidents that are linked to the selected incident along with the date it was linked. Click the linked incident name to open the incident and view it in a new tab.

To unlink an incident, click the (Ellipsis) icon next to the incident you want to unlink and choose Unlink from the drop-down menu. A message is displayed indicating the Incident was successfully unlinked and removes it from the drawer.

To close the drawer, click the (Close) icon in the upper right corner.

The MITRE TTP widget shows the MITRE ATT&CK® tactics impacting the incident based on the Financial Risk Score, which indicates the probability of financial impact if the MITRE ATT&CK® patterns are not mitigated—the higher the score, the higher the probability of impact.

Hover over the widget to view a popup showing a list of the specific MITRE tactics.

Click View Details in the popup to switch to the Tactics and Techniques details.

Click View all Tactics in the popup to switch back to the list view.

Click the View Investigation button to open the Investigate page and view a more in-depth graphical and tabular view of the events that were found from the automatic enrichment that was performed when the incident was created.

Note: The View Investigation button will only be displayed for higher priority incidents that have malicious or suspicious observables in the sightings.

When the incident detail for a new, unassigned incident is first viewed, the user who viewed the incident is automatically assigned to it and the incident status is changed to Open. You can assign or unassign users from the Assigned field in the header.

When the incident is assigned, an avatar with the user's initials is displayed and you can hover over the avatar to view the user's full name in a tooltip.

1. Click any of the avatars in the Assigned field in the header.

The list of users already assigned to incident are displayed in the list with the check box checked.



2. Begin entering the user's name in the Search Users field and then check the check box next to their name in the list that is displayed.

To remove an assignee, uncheck the check box next to their name.

3. Click outside the Assignee menu to apply your selection.

4. When an incident is assigned to another user, they will receive a notification in the (Notifications) icon in the Cisco XDR header and ribbon. For more information about this feature, see the Notifications help topic.

When an incident is selected, a URL is generated in the browser address bar that you can copy and share the incident with others. In addition, if you click a tab on the Incident Detail page, the tab name is appended to the URL.