Creating child incidents

Child incidents allow you to monitor the investigation progress and respond to incidents across different tenants. You can also create a child incident of another child incident. A parent incident can have up to 200 child incidents.

You must have one of the following XDR roles: Main administrator, Tenant administrator, Junior analyst, Tier 1 analyst, Tier 2 analyst, SOC manager, Interaction with NCIRCC, Approver, Interaction with child incidents.

To create a child incident:

  1. In the main menu, go to Monitoring & reportingIncidents.
  2. In the incident table, click the ID of the required incident.

    The Incident details window opens.

  3. In the Child incidents section, click the Create button.

    The Create child incident window opens.

  4. If necessary, in the Name field, change the name of the child incident.

    By default, the child incident name includes the [Child] tag and the parent incident name.

  5. In the Tenant drop-down list, select the tenant to assign the child incident to.
  6. In the Analyst drop-down list, start typing the analyst's name, and then select the analyst from the list.

    You can also select the Not assigned option.

  7. If necessary, in the Priority drop-down list, change the incident priority.

    By default, the child incident inherits the priority from the parent incident.

  8. If necessary, in the Description field, specify a description of the child incident.
  9. If you want to copy all the information from the parent incident, select the Copy information from the parent incident check box.

    If this check box is selected, all information, including observables, assets, and linked alerts, will be copied from the parent incident. The copied alerts will be assigned to the tenant of the child incident.

    If this check box is cleared, the child incident will not contain information about assets, observables, and linked alerts from the parent incident.

  10. Click the Create button.

The child incident is created and linked to the parent incident. You can find the child incident in the Child incidents section of the Incident details window.

If a child incident is assigned to a tenant that does not have the incident type that the parent incident belongs to, the child incident is assigned the default incident type and the default incident workflow. If necessary, you can change the incident type.

Page top