Create a Custom Incident Field - Administrator Guide - 6.6 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.6
Creation date
2022-09-29
Last date published
2024-03-21
End_of_Life
EoL
Category
Administrator Guide
Abstract

Create custom incident fields in Cortex XSOAR.

You can define custom incident fields based on the information you want to display in your Incident Type layouts, as well as the information ingested from third-party integrations.

Note

If you try to create a new incident field with a name that already exists in the system, such as Account, you may receive a message similar to: [Could not create incidentfield with ID '' and name 'Account'. Field already exists as a builtin field (100709)]. If so, choose a different name, because that name is already reserved for system use.

Note

Do not create a custom field named reason, because reason is a reserved keyword in the server.

  1. Select Settings > OBJECTS SETUP > Incidents > Incident Fields.

  2. Click +New Field.

  3. Complete the following parameters. Depending on the field type, you can also set whether the field contents are case sensitive and whether the field is mandatory:

    Field

    Description

    Field type

    Determines the acceptable values for the field. For example:

    • Grid (table): Include an interactive, editable grid.

    • HTML: Create and view HTML content, which can be used in any incident type. By default, HTML fields do not use Cortex XSOAR theme styles, but they can be configured to use existing user themes. See Configure the HTML Field.

    • Long text: Long text is analyzed and tokenized, and entries are indexed as individual words, which enables advanced searches and wildcards. Long text fields cannot be sorted and cannot be used in graphical dashboard widgets. While editing a long text field, pressing Enter creates a new line. Long text is case insensitive.

    • Markdown: Add markdown-formatted text as a template that is displayed to users in the field after the incident is created. Markdown lets you add basic formatting to text for a better end-user experience. See How to Use Markdown.

    • Multi select / Array: Includes two options: (a) a multi select from a pre-filled list; (b) an empty array field in which the user adds one or more values as a comma-separated list.

    • Number: Can contain any number. The default is 0.

    • Role: The role assigned to the incident, which determines which users (by role) can view the incident.

    • Short text: Short text is treated as a single unit of text and is not indexed by word. Advanced search, including wildcards, is not supported. Short text fields are case sensitive by default, but can be changed to case insensitive when creating the field. While editing a short text field, pressing Enter saves and closes. The maximum length is 60,000 characters. The recommended use is single-word entries, for example a username or an email address.

    • User: A user in the system.

    Case sensitive

    If selected, the field is case sensitive, which affects how search results for this field are returned in Cortex XSOAR.

    Mandatory

    The Mandatory setting is enforced only when a form is used (such as when creating an incident in the UI) or when the incident creation API is called directly. If incidents are ingested from an integration, the setting is not enforced, so do not rely on it to guarantee that ingested incidents carry a value for the field.

    Field Name

    A descriptive name indicating the information that the field contains.

    Tooltip

    (Optional) Additional information you want to make available to users of this field.

  4. If relevant to the field type, add the Basic Settings.

    If adding a grid, see Create a Grid Field for an Incident Type.

  5. In the Attributes tab, add the attribute parameters.

  6. Click Save.

  7. To add the field to a system incident type:

    1. Go to Settings > OBJECTS SETUP > Incidents > Types.

    2. Select the checkbox for the incident type you want to edit.

    3. Click Duplicate. A copy of the incident type appears with the string _copy appended to the name of the incident type. If more than one copy of the incident type is created, a number is appended to the _copy string. The number is increased with each additional duplication.

    4. Click the name of the newly created incident type.

      You are presented with the current layout, which is populated with demo data so you can see how the fields fit.

  8. To add the field to a custom incident type:

    1. Go to Settings > OBJECTS SETUP > Incidents > Types.

    2. Select the incident type whose layout you want to edit and click Edit Layout.

      You are presented with the current layout, which is populated with demo data so you can see how the fields fit.

      Make sure you select an incident type where the Layout field is empty.

  9. In the Library dialog box, on the Cortex XSOAR Sections tab, drag and drop New Section onto the required tab.

  10. On the Incident field tab, drag and drop the field that you created into the New Section.
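The Mandatory setting described in step 3 is not enforced for incidents ingested from an integration, so an integration can create an incident whose mandatory custom fields are empty or malformed. The following is an added example, not Cortex XSOAR code: a pure-Python validator that encodes the field-type rules stated on this page (mandatory, number default 0, comma-separated arrays, multi select from a fixed list, short text length and case handling) so that the same checks can be applied to an ingested incident before it is accepted. The field definitions, the incident dictionary and the field machine names (sourceip, severityscore, affectedhosts, killchainphase) are constructed for this example and are not taken from any real integration.

```python
"""Validator for custom incident fields on ingested incidents.

Added example (not Cortex XSOAR code). Field definitions, the incident
dict and the machine names used here are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Any

SHORT_TEXT_MAX = 60_000  # maximum short text length stated on the page


@dataclass
class FieldDef:
    name: str                  # key under which the value is stored on the incident
    ftype: str                 # shorttext | longtext | number | multiselect | array
    mandatory: bool = False
    case_sensitive: bool = True              # short text is case sensitive by default
    options: list = field(default_factory=list)   # allowed values for multiselect


def normalize(fdef: FieldDef, value: Any) -> Any:
    """Coerce a raw ingested value into the canonical form for its field type.

    Raises ValueError when the value cannot be represented in that type.
    """
    if fdef.ftype == "number":
        if value in (None, ""):
            return 0                                  # number fields default to 0
        if isinstance(value, (int, float)):
            return value
        text = str(value).strip()
        return float(text) if "." in text else int(text)
    if fdef.ftype == "array":
        if isinstance(value, str):
            # array fields take one or more values as a comma-separated list
            return [v.strip() for v in value.split(",") if v.strip()]
        return list(value or [])
    if fdef.ftype == "multiselect":
        return [value] if isinstance(value, str) else list(value or [])
    if fdef.ftype == "shorttext":
        text = "" if value is None else str(value)
        return text if fdef.case_sensitive else text.lower()
    if fdef.ftype == "longtext":
        return "" if value is None else str(value).lower()   # long text is case insensitive
    raise ValueError(f"unsupported field type {fdef.ftype!r}")


def validate_incident(defs: list[FieldDef], incident: dict) -> list[str]:
    """Return the list of violations; an empty list means the incident passes."""
    problems = []
    for fdef in defs:
        raw = incident.get(fdef.name)
        # Mandatory is checked on the raw value so that a missing number is not
        # silently accepted as the default 0.
        if fdef.mandatory and raw in (None, "", []):
            problems.append(f"{fdef.name}: mandatory field is empty")
            continue
        try:
            value = normalize(fdef, raw)
        except ValueError:
            problems.append(f"{fdef.name}: {raw!r} is not a valid {fdef.ftype}")
            continue
        if fdef.ftype == "shorttext" and len(value) > SHORT_TEXT_MAX:
            problems.append(f"{fdef.name}: exceeds {SHORT_TEXT_MAX} characters")
        if fdef.ftype == "multiselect":
            bad = [v for v in value if v not in fdef.options]
            if bad:
                problems.append(f"{fdef.name}: values {bad} are not in the allowed options")
    return problems


# Constructed field definitions, mirroring what an administrator would create
# under Settings > OBJECTS SETUP > Incidents > Incident Fields.
FIELD_DEFS = [
    FieldDef("sourceip", "shorttext", mandatory=True, case_sensitive=False),
    FieldDef("severityscore", "number", mandatory=True),
    FieldDef("affectedhosts", "array"),
    FieldDef("killchainphase", "multiselect",
             options=["recon", "delivery", "exploitation"]),
]

# Constructed incident as an integration might ingest it. Because ingestion
# bypasses the form, mandatory and malformed fields arrive unchecked.
INGESTED_INCIDENT = {
    "name": "Suspicious login from new country",
    "severityscore": "high",                     # not a number
    "affectedhosts": "web-01, web-02,db-01",
    "killchainphase": ["delivery", "lateral-movement"],
}


def check_example() -> list[str]:
    """Run the validator over the constructed incident."""
    return validate_incident(FIELD_DEFS, INGESTED_INCIDENT)


if __name__ == "__main__":
    for problem in check_example():
        print(problem)
```

Running the block reports three violations for the constructed incident: the missing mandatory sourceip, the non-numeric severityscore, and the multi select value that is not in the allowed list; the comma-separated affectedhosts string is split into three values and passes. Wiring such a check to ingestion (for example from a pre-processing rule script that reads the incident and rejects or tags it) is assumed here and not shown.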