* [Blog](https://www2.paloaltonetworks.com/blog)
* [Security Operations](https://www2.paloaltonetworks.com/blog/security-operations/)
* [Playbook of the Week](https://www2.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/)
* Playbook of the Week: Inc...

# Playbook of the Week: Incident Case Management with Cortex XSOAR

[](https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fplaybook-of-the-week-incident-case-management-with-cortex-xsoar%2F)  
[](https://twitter.com/share?text=Playbook+of+the+Week%3A+Incident+Case+Management+with+Cortex+XSOAR&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fplaybook-of-the-week-incident-case-management-with-cortex-xsoar%2F)  
[](https://www.linkedin.com/shareArticle?mini=true&url=https%3A%2F%2Fwww2.paloaltonetworks.com%2Fblog%2Fsecurity-operations%2Fplaybook-of-the-week-incident-case-management-with-cortex-xsoar%2F&title=Playbook+of+the+Week%3A+Incident+Case+Management+with+Cortex+XSOAR&summary=&source=)  
[](https://www.paloaltonetworks.com//www.reddit.com/submit?url=https://www2.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-incident-case-management-with-cortex-xsoar/&ts=markdown)  
\[\](mailto:?subject=Playbook of the Week: Incident Case Management with Cortex XSOAR)  
Link copied  
By [Yvonne Le](https://www.paloaltonetworks.com/blog/author/yvonne-le/?ts=markdown "Posts by Yvonne Le")  
Jul 08, 2022  
3 minutes  
[Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)  
[Use-Cases](https://www.paloaltonetworks.com/blog/security-operations/category/use-cases/?ts=markdown)  
[Cortex XSOAR](https://www.paloaltonetworks.com/blog/tag/cortex-xsoar/?ts=markdown)  
[Incident Case Management](https://www.paloaltonetworks.com/blog/tag/incident-case-management/?ts=markdown)  
[playbook of the week](https://www.paloaltonetworks.com/blog/tag/playbook-of-the-week/?ts=markdown)  
[Security Orchestration Automation and Response](https://www.paloaltonetworks.com/blog/tag/security-orchestration-automation-and-response/?ts=markdown)  
[SOAR](https://www.paloaltonetworks.com/blog/tag/soar-2/?ts=markdown)  
[XSOAR playbook](https://www.paloaltonetworks.com/blog/tag/xsoar-playbook/?ts=markdown)

When it comes to incident case management, SOC teams are often challenged to find a balance between using a standardized incident response for high-volume attacks versus customized response for sophisticated one-off attacks. Additionally, the overwhelming amount of alerts and fires that security teams must attend to on a daily basis can distract from efforts to make continuous improvement to security resilience.

This is where Cortex XSOAR comes in. Using the [XSOAR Case Management Content Pack](https://xsoar.pan.dev/marketplace/details/CaseManagementGeneric), our full [incident case management capabilities](https://www.paloaltonetworks.com/cortex/incident-case-management) combined with our security orchestration and automation functionalities provide quicker triage, response, coordination and collaboration to combat rising attack numbers.

With incident case management you get:

* **Virtual War Rooms** where analysts are able to perform investigations and collaborate in real time using incident-specific data and layouts.
* **Customized Dashboards and Reports** that give full visibility and flexibility. Analysts are able to use both out-of-the-box and user-created widgets that meet their operational needs. It also allows users to tailor response to attack types, whether it's granular metrics and response workflows, or incident flows and fields.
* **Playbook Automation and Auto-Documentation** that eliminates the need for manual reporting and post-investigation rollups.
* **Real-time ChatOps** for maximum technical chat support and collaboration.
* **Built-in Machine Learning** insights that also prime users for continuous learning with suggestions for incident ownership, task assignment, related incidents, and commonly run commands.
* **Integrated Threat Intel Management** (TIM) that automates the ingestion, aggregation, and tuning of threat feed data for added context during investigations, using both external intel data and internal alerts to identify future critical threats.

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/07/fxXxeQ0AGpIkv3O4moGVxRF4Q_1DQ-uyRg_HtfLhl1jp3l8s19v8o9FK0fhpKjOYFdviehSPhBCEXO6xwblZOacp3kw6B_9Vu1VPuk8DI5rCkKUdoZ922_SoIwu.png)

The Case Management content pack provides high-level visibility through the incident overview dashboard which gives a summary of all incidents in the system, by type, severity, owner, etc., as well as detailed reports such as a Case Report, Incident Summary and Investigation Summary. It also includes a more analyst-focused dashboard for SOC teams to manage and work on incidents assigned specifically to them or collaborate on other incidents or War Room chats they may be participating or mentioned in.

*To learn more about the associated integrations, playbooks, scripts, commands, and automations, please refer to the* [*Palo Alto Networks Developer Doc*](https://xsoar.pan.dev/marketplace/details/CaseManagementGeneric)*.*

**Conclusion**

This content pack is seen as one of the core default functionalities of Cortex XSOAR. It is the foundation upon which SOC teams can customize their incident ingestion and case management with various integrations that suit their needs. This means no additional mapping and classification is required, as data from the incoming incident will be displayed in the labels section of the dashboard, allowing teams to quickly bring in alerts from various systems, and then further tune the data, layouts, and playbooks for future improvements. So, whether you're creating incidents manually in XSOAR or fetching from a SIEM, this pack provides helpful content for accelerating incident response by unifying alerts, incidents and indicators from any source on a single platform for lightning-quick search, query and investigation.

**To learn more about how you can automate security operations with Cortex XSOAR, check out our virtual self-guided [XSOAR Product Tour](https://www.paloaltonetworks.com/resources/infographics/xsoar-product-tour)**

**We also host virtual and in-person events, so check [here](https://www.paloaltonetworks.com/resources/cortex-events) for upcoming ones.**

**Please Suggest Other Ideas or Vote!**

If you like these ideas or would like to suggest other ideas, please collaborate with us through the Cortex XSOAR Aha page: [https://xsoar.ideas.aha.io/ideas](https://xsoar.ideas.aha.io/ideas).

[](https://xsoar.ideas.aha.io/ideas)  
[![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/07/IYXe46srDsBNlxc8S-4mDkaXyL64Oy8rInPcX-mHH46K5vpOmTtcvmy2TYEI1K0Jh-1yjhQoYKJKCU_eb8ozDcXhMv4S2OfD6obccCuqNh-9kVKLp_JjwR8X4Pd.png)](https://xsoar.ideas.aha.io/ideas)

*** ** * ** ***

## Related Blogs

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### An Automated Response to Malicious Pod Activity](https://www2.paloaltonetworks.com/blog/security-operations/an-automated-response-to-malicious-pod-activity/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### Rapid Response for Fighting Ursa Phishing Campaign](https://www2.paloaltonetworks.com/blog/security-operations/rapid-response-for-fighting-ursa-phishing-campaign/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)

[#### Playbook of the Week: Automating Response to Living-Off-the-Land (LOTL) Attacks](https://www2.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-automating-response-to-living-off-the-land-lotl-attacks/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### Playbook of the Week: Prisma Cloud Compute - Compliance Alert v2](https://www2.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-prisma-cloud-compute-compliance-alert-v2/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown)

[#### Playbook of the Week: Streamlining Suspicious Data Upload Alert Investigations](https://www2.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-streamlining-suspicious-data-upload-alert-investigations/)

### [Playbook of the Week](https://www.paloaltonetworks.com/blog/security-operations/category/playbook-of-the-week/?ts=markdown), [Uncategorized](https://www.paloaltonetworks.com/blog/category/uncategorized/?ts=markdown)

[#### Playbook of the Week: Automating Management of XDR Identity Analytics Alerts](https://www2.paloaltonetworks.com/blog/security-operations/playbook-of-the-week-automating-management-of-xdr-identity-analytics-alerts/)

### Subscribe to Security Operations Blogs!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.
![spinner](https://www2.paloaltonetworks.com/blog/wp-content/themes/panwblog2023/dist/images/ajax-loader.gif) Sign up  
Please enter a valid email.  
By submitting this form, you agree to our [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) and acknowledge our [Privacy Statement](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown). Please look for a confirmation email from us. If you don't receive it in the next 10 minutes, please check your spam folder.  
This site is protected by reCAPTCHA and the Google [Privacy Policy](https://policies.google.com/privacy) and [Terms of Service](https://policies.google.com/terms) apply.  
{#footer} {#footer}

## Products and Services

* [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown)

* [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown)

* [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown)

* [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown)

* [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown)

* [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown)

* [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown)

* [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown)

* [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown)

* [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown)

* [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown)

* [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown)

* [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown)

* [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown)

* [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown)

* [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown)

* [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown)

* [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown)

* [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown)

* [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown)

* [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown)

* [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown)

* [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown)

* [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown)

* [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown)

* [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown)

* [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown)

* [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown)

* [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown)

* [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown)

* [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown)

* [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown)

* [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown)

* [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown)

* [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown)

* [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown)

* [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown)

* [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown)

* [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown)

* [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown)

* [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown)

* [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown)

* [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown)

## Company

* [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown)
* [Careers](https://jobs.paloaltonetworks.com/en/)
* [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown)
* [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown)
* [Customers](https://www.paloaltonetworks.com/customers?ts=markdown)
* [Investor Relations](https://investors.paloaltonetworks.com/)
* [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown)
* [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown)

## Popular Links

* [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown)
* [Communities](https://www.paloaltonetworks.com/communities?ts=markdown)
* [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown)
* [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown)
* [Event Center](https://events.paloaltonetworks.com/)
* [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center)
* [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown)
* [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown)
* [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown)
* [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown)
* [Tech Docs](https://docs.paloaltonetworks.com/)
* [Unit 42](https://unit42.paloaltonetworks.com/)
* [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd)
  ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)
* [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown)
* [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown)
* [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown)
* [Documents](https://www.paloaltonetworks.com/legal?ts=markdown)

Copyright © 2026 Palo Alto Networks. All Rights Reserved

* [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks)
* [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown)
* [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/)
* [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks)
* [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks)
* EN  
  Select your language