topic How to access incidents a user is participant of in Cortex XSOAR Discussions

How to access incidents a user is participant of

EnesOzdemir — Wed, 20 Sep 2023 07:11:17 GMT

Roles field is a good way to restrict access to incidents. but in my case I just want to assign a group of people to manage an incident and not restrict the incidents to other people. In order to do that I am adding users to the incident as a team member. Team member is used mainly because it can add team members by tagging '@'

Once these users are logged in to XSOAR, they want to see incidents they are participant of, how can they find these incidents in the main account?

Re: How to access incidents a user is participant of

MBeauchamp2 — Wed, 20 Sep 2023 14:45:08 GMT

The Team Members are stored in the investigation, can be accessed via investigation.users in the search screen.

For example, all open incidents, where they are a participant and not the owner:

-status:closed -category:job investigation.users:{me} and -owner:{me}

This is from the My Incidents Dashboard in the Case Management Generic Pack.

Re: How to access incidents a user is participant of

EnesOzdemir — Thu, 21 Sep 2023 14:54:58 GMT

@MBeauchamp2 Thank you, this answers my question and raises another question 🙂 what is the difference between an investigation and incident. incident apparently doesn't hold investigation field so it's something different like context I guess. I asked this question on the slack channel but I was told it could be the old naming convention. I am a little confused now.

I ran into a similar issue today, I created an incident and tried to execute some commands through the api on the new incident but I kept getting investigation not found error, so I had to make an api call to 'incident/investigate' to start the investigation. Incident exists but I am not allowed to run any commands because investigation hasn't started.

Re: How to access incidents a user is participant of

MBeauchamp2 — Thu, 21 Sep 2023 15:14:10 GMT

An investigation is created when the Incident is investigated, which happens automatically if a playbook is run automatically against it. It's not context, it's more metadata about it, and things like the users etc.

As you noted, you can't run commands against an Incident that doesn't have an investigation.