Automate incident updates and closures

  • Release version: Australia
  • Updated Mar 12, 2026
  • 1 min. read
  • Automate incident updates and closures based on the incident status. The Cortex XSIAM integration enables XSIAM incidents to create security incidents and also updates the XSIAM incidents after the security incidents are created or closed.

    Before you begin

    Role required: sn_si.admin, sn_si.ingestion_profile_admin

    Procedure

    1. If you are not continuing from the previous section of the Scheduling process, access the profile you are defining.
      1. Navigate to All > Palo Alto Networks XSIAM > XSIAM Profile.
      2. Select the profile you are continuing to define.
      3. Select Additional Options in the progress bar.
    2. On the form, fill in the fields.
      Table 1. Automating Incident Updates form

      | Category | Field | Description |
      |---|---|---|
      | Security Incident Creation Updates | Update incident status upon SIR Incident Creation | Option to use the automated incident update functionality. The Cortex XSIAM incident status is updated with the comments after the SIR incident is created in the ServiceNow AI Platform. |
      | Security Incident Creation Updates | Initial incident status update | Initial incident status that is updated in the Cortex XSIAM environment, either New or In Progress. |
      | Security Incident Creation Updates | Initial comments posted back to incident | Initial comments that are posted to the incident in the Cortex XSIAM environment. |
      | Security Incident Closure Updates | Close out XSIAM incidents upon SIR Incident Closure | Option to use the automated incident status update functionality. Incidents are closed in XSIAM with the given comments after the SIR incident is closed in the ServiceNow AI Platform. |
      | Security Incident Closure Updates | Closure Incident Status Update | Status update applied to the Cortex XSIAM incident when the security incident is closed in SIR. |
      | Security Incident Closure Updates | Closure Comments Posted back to XSIAM | Comments posted to the Cortex XSIAM incident when the security incident is closed in SIR. |
      | Priority Mapping | Update Priority | Option to sync ServiceNow incident priority to XSIAM incident severity. When enabled, changes to incident priority in ServiceNow update the corresponding XSIAM incident severity based on your mapping configuration. For example, ServiceNow Priority "1 - Critical" maps to XSIAM Severity "Critical". |
      | Pull Closed Incidents | Pull Closed Incidents | Option to fetch closed incidents during ongoing ingestion and one-time retrieval. Closed SIR incidents are not updated with new data from XSIAM. |
      | Sync Work Notes to XSIAM | Sync SIR work notes to XSIAM | Option to sync Security Incident work notes to XSIAM incident comments. Work notes added to Security Incidents in ServiceNow® appear as comments in the corresponding XSIAM incident. |


    3. Select Finish.
    4. Activate the profile.
      1. Select the Name section of the progress bar.
      2. Select the Active check box.
      3. Select Continue.