Changed in 51.0.5.0

Click Incidents in the menu bar to display incidents. You can choose between the default table view or a kanban view of incidents. To view details for any particular incident, click the incident name or ID.

Reviewing the list of incidents

The Incidents page displays those incidents that you have permission to view. The page provides an overview of the incidents; however, you determine which information is shown.
  • By default, the preset is All Open Incidents. A preset is a set of filters and selected columns that are saved as a single configuration. A user can select a preset to view that specific list of incidents. For more information, see Applying filters and presets.
  • You can select which columns to display. Click the Customize columns icon in the header and check the columns to view. You can also drag the columns to reorganize the information. If you are a member of multiple workspaces, you can select Workspace as a column and then sort the incidents by workspace.
  • You can limit the information to a timeframe based on a column. Click Set timeframe, select a column in the Choose an option field, and select your time range. For more options, click Advanced options, where you can specify your exact dates and times.
  • You can toggle Auto refresh to dynamically update the list when changes occur to incidents that meet the list preset criteria. When incidents that meet the preset criteria are created, updated, or deleted, the list updates dynamically to reflect the changes.
    Some points about the Auto refresh feature:
    • If your SOAR organization has a lot of customizations, performance might be slower than if there are fewer customizations.
    • Some proxies can prevent Auto refresh from working and your administrator might need to configure the SOAR host server to enable the use of the Auto refresh feature. Contact your SOAR administrator if Auto refresh does not work as expected.
    • Incident list filters based on the Last Modified field do not work correctly when Auto refresh is enabled. If you filter on the Last Modified field after a specified time and date and enable Auto refresh, an incident that is created or updated after that time and date is not automatically updated in the list.
      Note: The Last Modified field is updated indirectly by other incident and task date-time fields, so it cannot be used to filter the list and is outside the scope of the Auto refresh feature. Other date-time fields, which are updated directly, can be used to filter the list.
You can change the layout from a table view to a kanban card view by clicking the Switch view icon next to the settings icon. Click the settings icon to change the columns shown on the card. You can also expand or collapse any lane and scroll down or across to see more incidents. Expand or collapse the Extra information section on an incident to view more details. From the actions menu, you can view which actions you can run on an incident. Use the Filters menu to filter the information in the page. Changes that you make to columns or filters apply to both the table and kanban card view.
Note: You cannot change to a kanban view if you enabled the Auto refresh option.

The following screen capture shows an example of an Incidents page in kanban view with the All Open Incidents preset.

Reviewing individual incidents

The Incident page in SOAR Platform shows both summary and detail information about the incident. Your administrator defines and customizes the tabs that appear on the Incident page. Some tabs might be conditional and appear only when one or more given conditions occur.

The Playbook progress link, when active, indicates when a related playbook has run or is running.

Using the date fields, you can put together a timeline for the incident.

| Date field | Description |
|---|---|
| Date Discovered | Date when the issue was first discovered, either by an analyst or by SOAR Platform. |
| Date Created | Date that the incident was created. The creation date might be similar to the discovery date. |
| Date Determined | Date when the incident was confirmed to be an issue, such as in a privacy use case. |
| Date Occurred | Date that the incident happened. The occurred date might be earlier than the discovery date. |
| Date Modified | Date when the incident was last updated, either by an analyst or automation. |

The following image shows an example of the Tasks tab on the Incident page.

Applying filters and presets

To reduce the number of incidents that appear on the Incidents page, use a filter to display only those incidents that match specific criteria. You can save a set of filters and the column layout as a preset that can be reused.

The default preset is All Open Incidents. The following graphic shows the filters and column settings for the All Open Incidents preset. You cannot modify this preset.

Figure 1. Default filter and column settings for the incident list view
Complete these steps to create a new preset by modifying an existing preset:
  1. On the SOAR Platform home page, click Incidents.
  2. Select a preset that you want to use as the starting point.

    You can use the All Open Incidents preset as the starting point for new presets, but you cannot save the modifications to it.

  3. Click Filters to see the current filter settings for the selected preset.
  4. To edit the selected filters, follow these steps:
    1. Click the edit icon to open the Edit filters page.
    2. Click the checkbox next to the filters that you want to include.
      The filters appear in the Selected filters list.
      Tip: You can remove a filter by selecting it in the Selected filters list and then clicking x.
    3. After all filters are selected, click Apply.
  5. To set the filter conditions, follow these steps:
    1. In the Filters list, click the caret symbol next to the filter name.
    2. If the condition that you want to use is available in the list, click the checkbox to use it.
    3. To add a condition for a filter, click the plus sign next to the filter name.
    4. To edit an existing filter condition, click the edit icon.
  6. To change the column display for the preset, follow these steps:
    1. Click the Customize columns icon in the header of the incident list.
    2. Click the checkbox next to the columns that you want to include.

      Alternatively, you can remove a column by selecting it in the Selected columns list and then clicking x.

      If you are a member of multiple workspaces, you can select Workspace as a column. Then, on the Incidents page, you can sort the incidents by workspace.

    3. To change the order of the columns, click the drag icon next to the column name to reorder the list.
    4. To change the sort order of a column, click the column name in the table header.
    5. When you are finished customizing the columns, click Apply.
  7. To save the preset, follow these steps:
    1. Click the overflow icon next to the preset name and select Save as.
      Presets that were modified but not saved appear in the list with an asterisk after the name.
    2. Type a name and description for the preset.
    3. To share the preset with other users, select Allow access for all users; otherwise, the preset is available to you only.
      Tip: You can share a preset with another user by sending them the URL link. For the URL link to be shareable, the preset must be set to allow access for all users.
    4. Click Create.

      The filter conditions are saved as a preset that you can use when you are viewing incidents.

To edit the preset name, description, and sharing permissions, click the ellipses in the preset list, and click Manage all. You cannot edit or remove the default preset.

To temporarily change the filter values of a preset without editing it, click the filter pill for the field that you want to change. This option is available for Boolean, select, and multi select fields only.