Follow these instructions to create a custom indicator field in the Fields tab.
Indicator fields are used to add specific indicator information to incidents. When you create an indicator field, you can associate the field with a specific indicator type or with all indicator types.
From the drop-down menu, select
Configure the basic settings.
Determines the acceptable values for the
field. You can add the following field types:
Grid (table): Include an interactive, editable grid.
HTML: Create and view HTML content, which can be used in any type of indicator. By default, HTML fields do not use Cortex XSOAR theme styles, but can be configured to use existing user themes.
Long text: Long text is analyzed and tokenized, and entries are indexed as individual words, enabling you to perform advanced searches and use wildcards. Long text fields cannot be sorted and cannot be used in graphical dashboard widgets.
While editing a long text field, pressing enter will create a newline. Case
contain any number. Default is 0.
Role: Role assigned to the indicator. Determines which users (by role) can view the indicator.
Short text: Short text is treated as a single unit of text and is not indexed by word. Advanced search, including wildcards, is not supported. Short text fields are case sensitive by default, but can be changed to case insensitive when creating the field. While editing a short text field, pressing Enter will save and close. Maximum length is 60,000 characters. Recommended use is one-word entries. Examples: username, email address, etc.
A user in the system.
If selected, the field is case sensitive, which
affects how the search results for this field are returned in Cortex
If selected, this field is mandatory when used
in a form.
A meaningful display name for the field. After you type a name, you will see below the field that the machine name is automatically populated. The field’s machine name is applicable for searching and the CLI.
An optional tooltip for the field.
Optional text to display in the field when
it is empty.
Configure the attributes.
Add to indicator types
By default, the
option is selected, which means this field will
be available to use in all incident types.
Clear the check box to associate this field with a subset of indicator types.
Make data available for search
The values for this field can be returned in