1. Home
    2. Security Operations
    3. Cortex XSOAR
    4. Cortex XSOAR Administrator’s Guide
    5. Incidents
    6. Incident Management
    7. Incident Fields
    8. Create a Custom Incident Field
    End-of-Life (EoL)

    Create a Custom Incident Field

    Follow these instructions to create custom incident fields.
    You can define custom incident fields based on the information you want to display in your incident layout, including information ingested from third party integrations.
    If you try to create a new incident field with a name that already exists in the system such as
    Account
    , you may receive a message similar to this:
    [Could not create incidentfield with ID '' and name 'Account'. Field already exists as a builtin field (100709)]
    . If so, you should select a different name as the incident field is already reserved for system use.
    1. Select
      Settings
      ADVANCED
      Fields
      + New Field
      .
      Depending on the field type, you can determine if the field contents are case-sensitive, as well as if the field is mandatory.
    2. In the
      Field Type
       field, from the dropdown list select the Incident Field Types.
    3. Complete the following parameters:
      Field
      Description
      Field Name
      A descriptive name indicating the information that the field contains.
      Tooltip
      (
      Optional
      ) Additional information you want to make available to users of this field.
    4. If relevant to the field type, add the Basic Settings.
    5. In the
      Attributes
       tab, add the attribute parameters.
    6. Click
      Save
      .
    7. To add the field to a system incident type:
      1. Go to
        Settings
        Advanced
        Layouts
        .
      2. Select the check box for the incident type you want to edit.
      3. Click
        Duplicate
        . A copy of the incident type appears with the string _copy appended to the name of the incident type. If more than one copy of the incident type is created, a number is appended to the _copy string. The number is increased with each additional duplication.
      4. Click the name of the newly created incident type.
        You are presented with the current layout, which is populated with demo data so you can see how the fields fit.
    8. To add the field to a custom incident type:
      1. Go to
        Settings
        Advanced
        Incident Types
        .
      2. Select the incident type whose layout you want to edit and click the
        Edit Layout
        .
        You are presented with the current layout, which is populated with demo data so you can see how the fields fit.
        Make sure you select an incident type where the
        Layout
         field is empty.
    9. In the
      Library
       dialog box, in the
      Cortex XSOAR Sections
       tab, drag and drop
      + New Section
       on to the required tab.
    10. In the
      Incident
       field tab, drag and drop the field that you have created into the
      New Section
      .

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo