End-of-Life (EoL)
Incident Customization
This page describes how to create and edit incident types in Cortex XSOAR, how to attach and detach incident types and incident layouts, and how indicator extraction rules are defined per incident field.
Every incident ingested into Cortex XSOAR is assigned an incident type when it is classified.
After you classify the incident, you map the relevant fields of the incoming data to the incident.
If a suitable incident type does not exist, create one and classify the incident to it.
For example, an integration may come out of the box with Access and Authentication incident
types only; if it also ingests incidents that are neither access nor authentication events,
you need to create a separate incident type for those incidents and classify them to it.
Each incident type has its own set of data that is relevant to that type. It is important
to display the most relevant data to users at every stage of the incident life cycle.
You can create, import, export, and customize incident types by going to
Settings > ADVANCED > Incident Types.
Attach and Detach Incident Types
When incident types are installed from a Content Pack, they are attached by default,
which means they are not editable. To edit an incident type, you need to detach it.
While the incident type is detached you can change its layout, default playbook, SLA,
and so on. You can also choose whether indicators are extracted and from which fields;
extracting indicators from every field can significantly slow down your system.
While the incident type is detached, it is not updated by the Content Pack. This is
useful when you want to customize the incident type, for example its default playbook,
without Content Pack updates overwriting the customization. If you want the incident
type to receive Content Pack updates again, you need to reattach it; any changes you
made are then overridden by the Content Pack on the next update.
Regardless of whether the incident type is detached, you can detach the incident layout
on its own, which lets you change the layout without making a copy. If the incident
layout is detached and the incident type is attached, the incident type receives
updates but the layout does not. To receive content updates for the layout, the
incident layout needs to be attached.
(Multi-tenant) When content is pushed from the Main account to tenants, the incident
type arrives attached at the tenants. Tenants can detach both the incident type and the
incident layout without making copies.
If you upgrade to version 6.1, all out-of-the-box incident types (from a Content Pack)
are detached by default. To receive content updates for a detached incident type,
reattach it.
Indicator Extraction Rules
The Indicator Extraction feature extracts indicators from incident fields and enriches
them using the commands and scripts defined for each indicator type. You can view and
create indicator extraction rules per incident field, so that each field is scanned
only for the indicator types that belong in it.
When upgrading from version 6.0 or earlier, all Content Pack incident types are
detached by default and indicator extraction is enabled for all incident fields.
Because extraction from every field is the setting that can significantly slow down
your system, review the extraction rules after such an upgrade. To receive content
updates, reattach the incident type.
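As an added example (not code from this page or from Cortex XSOAR), the following Python models what a per-field extraction rule does and why scanning every field is costly: indicators are pulled only from the fields named in a rule set, using simplified stand-in regexes for a few indicator types and a constructed sample incident. The field names, regexes, the defanging forms handled, and the sample payload are assumptions for illustration; XSOAR's real per-type regexes and enrichment scripts are not reproduced here.

```python
import re

# Regexes for a few common indicator types, constructed for this example.
# Cortex XSOAR defines its own per-indicator-type regexes; these are stand-ins.
INDICATOR_PATTERNS = {
    "IP": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "Domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
    "URL": re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE),
    "File SHA256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
}


def refang(text: str) -> str:
    """Undo common defanging (hxxp, [.] and (.)) so pasted IOCs still match."""
    return (text.replace("hxxps://", "https://").replace("hxxp://", "http://")
                .replace("[.]", ".").replace("(.)", "."))


def extract_indicators(incident: dict, rules: dict) -> dict:
    """Extract indicators only from the fields named in `rules`.

    rules maps field name -> list of indicator types to look for in that field.
    Returns {indicator_type: set of values}. Fields not listed are never scanned,
    which is the point of per-field extraction rules.
    """
    found: dict = {}
    for field_name, types in rules.items():
        value = incident.get(field_name)
        if not isinstance(value, str):
            continue  # skip missing or non-text fields instead of stringifying blobs
        text = refang(value)
        for itype in types:
            for match in INDICATOR_PATTERNS[itype].findall(text):
                if itype != "URL":
                    match = match.lower()  # normalise domains and hashes for dedup
                found.setdefault(itype, set()).add(match)
    return found


def extract_from_all_fields(incident: dict, types) -> dict:
    """The 'extract everything' behaviour: scan every string field for every type.

    Simple to configure, but it scans raw source payloads too, so it costs more
    work per incident and pulls in noise such as internal hostnames and addresses.
    """
    rules = {name: list(types)
             for name, value in incident.items() if isinstance(value, str)}
    return extract_indicators(incident, rules)


# Constructed sample incident (not real data); rawJSON mimics a verbose source payload.
SAMPLE_INCIDENT = {
    "name": "Phishing report from user",
    "type": "Phishing",
    "details": "User clicked hxxp://login[.]evil-example[.]com/auth from 203.0.113.45",
    "attachmentsha256": "0f1e2d3c" * 8,
    "rawJSON": '{"host": "corp-mail-01.internal.example.com", "reporter_ip": "10.0.0.7"}',
}

# Per-field rules: only analyst-facing fields, each with the types that belong there.
# Field names are assumed for the example.
EXTRACTION_RULES = {
    "details": ["URL", "Domain", "IP"],
    "attachmentsha256": ["File SHA256"],
}

if __name__ == "__main__":
    scoped = extract_indicators(SAMPLE_INCIDENT, EXTRACTION_RULES)
    everything = extract_from_all_fields(SAMPLE_INCIDENT, INDICATOR_PATTERNS)
    for label, result in (("per-field rules", scoped), ("all fields", everything)):
        print(label)
        for itype, values in sorted(result.items()):
            print(f"  {itype}: {sorted(values)}")
```

Running the block shows the difference the rules make: with per-field rules the internal hostname and 10.0.0.7 in `rawJSON` are never touched, while the all-fields variant extracts them as indicators and would go on to enrich them.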
Customize Incident Layouts
You can customize incident layouts to ensure that you see the information that is
relevant to the incident type. You can do any of the following:
- Duplicate and edit an incident layout, detach the incident type, and then edit the incident type to add the new layout.
- Detach the layout and edit it.
- Create a new layout, detach the incident type, and then edit the incident type to add the new layout.