Unclassified incident management: incidents remain in active status

CMarletta Livi — Wed, 02 Jul 2025 09:44:56 GMT

Hi all,

in XSOAR 6.8 I created a custom incident type to automatically handle the closure of unclassified incidents. In 'Incidents Classification Editor' I set this type to 'Direct unclassified events to:'. The type is correctly associated with the unclassified incidents and also the playbook but the playbook is not automatically executed and the incident remains in Active state. Why? How can I solve it? The problem involves an overload of active workers and consequently the blocking of the management of all incidents.

Re: Unclassified incident management: incidents remain in active status

michaelsysec242 — Wed, 02 Jul 2025 11:50:50 GMT

Hello @CMarletta Livi ,

Firstly it is recommended to work with a more recent version of XSOAR, 6.8 is pretty legacy. In regards to your question;

On the Incident Type settings you can mark the "Run Playbook Automatically" checkbox and for all new incidents created the playbook will run automatically.

See the picture below for the checkbox. Ensure you have a playbook attached to this type and that the incidents are being opened as expected. If this setting is not checked the incidents are opened in a "pending" status (white/grey clickable incident ID on the Incidents Page). I didn't fully understand what you meant by "The problem involves an overload of active workers and consequently the blocking of the management of all incidents.". Perhaps you are creating too many incidents too quickly. There is an operational limit regarding this.

Let me know if this helps.

Many thanks,

MichaelSysec

topic Re: Unclassified incident management: incidents remain in active status in Cortex XSOAR Discussions

Unclassified incident management: incidents remain in active status

Re: Unclassified incident management: incidents remain in active status