1. Home
    2. Security Operations
    3. Cortex XSOAR
    4. Cortex XSOAR Administrator’s Guide
    5. Incidents
    6. Incident Customization
    7. Customize Incident Layouts
    End-of-Life (EoL)

    Customize Incident Layouts

    incidents incident buttons
    It is important to build or customize the layout to ensure that you are seeing the information that is relevant to the incident type. For example, for a phishing incident you will want to see email headers, which would not be relevant for an access incident.
    While some information might be relevant for multiple incident types, its location in one incident type might require more prominence than in another incident type.
    Both system and custom incidents appear in the
    Incident Types
     page. The incident layout name appears in the
    Layout
     column.
    To customize the layout of a system incident, you need to duplicate and edit an incident layout, detach the incident type, and then edit the incident type to add the new layout.
    You can customize the following display information for existing incidents, and the fields in incident forms, by modifying the sections and fields for each view:
    • Incident Summary
      : Within the incident summary, you can see different tabs that appear for the incident type, some of which can be customized.
      You can customize almost every aspect of the layout, including which tabs appear, the order they appear, who has permissions and which information appears.
      You can add dynamic fields to a layout, such as a graph of the number of bad indicators, their source, and severity. Also, you can use queries to filter the information in the dynamic section to suit your exact needs.
      For the Mobile app, you can select which tabs to appear.
    • New/Edit Form
      : When creating or editing an incident you can add/delete sections, and fields as required.
    • Close Form
      : Add/delete sections and fields when closing an incident.
    • Incident Quick View
      : Add/delete sections and fields in the Incident Quick view section in the incident.
    There are several Cortex XSOAR system layout sections and fields that you cannot remove, but you can rearrange them in the layout and modify their queries and filters.
    1. (
      System Incident Type
      ) Create a copy of the incident layout.
      1. Go to
        Settings
        Advanced
        Layouts
        .
      2. Select the check box for the incident layout you want to edit.
      3. Click
        Duplicate
        .
        A copy of the incident layout appears with the string _copy appended to the name of the incident layout. If more than one copy of the incident layout is created, a number is appended to the _copy string. The number is increased with each additional duplication.
      4. Click the name of the newly created incident layout.
        You are presented with the current layout, which is populated with demo data so you can see how the fields fit.
    2. (
      Custom Incident Type
      ) Edit the incident type layout.
      1. Go to
        Settings
        Advanced
        Incident Types
        .
      2. Select the incident type whose layout you want to edit and click the
        Edit Layout
        .
        You are presented with the current layout, which is populated with demo data so you can see how the fields fit.
        Ensure you select an incident type where the
        Layout
         field is empty.
    3. In the
      Incident Summary
       tab, customize the tabs.
      1. Click and drag the tab to reorder the appearance of the tabs. For example, you can move the War Room tab so it appears after the Work Plan tab.
      2. Configure which tabs appear and for whom, as well as duplicate or remove tabs from the layout, by hovering over the tab that you want to configure.
      3. Click the gear icon.
      4. Click one of the following options:
        • Rename
        • Duplicate
        • Delete
        • Hide
        • Viewing Permissions: From the drop down list, add the roles who can view the tabs. Default is to allow all roles.
        Not all of the options are available for each tab.
    4. Add sections to the layout.
      1. From the Library section, in the Cortex XSOAR Sections drag and drop the required sections as follows:
        Section
        Description
        New Section
        After creating a new section, click the
        <Incident Type>
         Fields
         tab and drag and drop the fields as required.
        Cortex XSOAR out of the box sections
        Out of the box sections such as Attachments, Evidence, and so on.
        General Purpose Dynamic Section
        Enables you to assign a script to this section. For example, assign a script that calculates the total number of entries that exist for an incident, and it dynamically updates when new entries are added to the incident.
    5. Define section properties.
      You can determine how a section in the layout appears in the layout. For example, does the section include the section header or not. You can also configure the fields to appear in rows or as cards. For example, if you know that some of the field values will be very long, you are better off using rows. If you know that the field values are short, you might want to use cards so you can fit more fields in a section.
      1. Select the section, click and then click
        Edit section settings
        .
      2. Edit the section as required and click
        OK
        .
      3. Click the save button or
        Save Version
        .
    6. Remove or duplicate a section, by selecting the section, clicking and selecting the relevant option.
    7. Change the information that appears in dynamic sections (for example Bad or Suspicious Indicators).
      1. Select the section, click and select
        Edit section settings
        .
      2. Under Query, enter the parameters by which you want to filter the information that appears.
        For example, to see all indicators of type IP and with a reputation of Bad that were found by a specific source since March 1st 2020, enter
        Type:IP and reputation:Bad and firstseenbyfeed:>="2020-03-01T00:00:00 +0200"
      3. Click
        OK
        .
    8. Add fields and custom buttons.
      To add custom buttons, you need to create an automation and then add the buttons to the layout using the automation. These buttons can simplify and assist an analyst in carrying out various tasks. For example, add buttons for an analyst to self-assign an incident, link or unlink an incident, close an incident as a duplicate, generate a summary report, etc.
      In the following example, we will add a button to self assign an incident for an analyst. The automation is included in the
      Case Management - Generic
       Content Pack.
      1. Drag the
        +New Button
         and drop into the relevant section.
      2. Click to configure
        .
      3. Enter a descriptive name for the button, select a color, and select the script that you want to run when the button is clicked.
      4. Click
        Save
        .
        In the
        Incident Summary
         tab, when clicking on
        Assign To Me
        , the incident will be self-assigned.
    9. Add required sections and fields in the
      New/Edit Form
      ,
      Close Form
      , and
      Incident Quick View
       tabs.
    10. (
      System Incident Type
      ) Add the layout to the incident.
      1. Go to
        Incident Types
        .
      2. Select the incident type and click
        Edit
        .
      3. In the
        Layout
         field, from the drop down list, add the customized layout.
    11. (
      Optional
      ) For a customized system layout, you can contribute it to the Marketplace.
      1. In the
        Layouts
         page, click the new incident type you want to contribute to Marketplace.
      2. Complete the information in the Contribute form and click
        Contribute
        .

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo