Customize Incident Layouts
Customize incident layouts in Cortex XSOAR to view relevant
information. incidents incident buttons
It is important to build or customize the
layout to ensure that you see the information that is relevant to
the incident type. For example, in a phishing incident you want
to see email headers, which would not be relevant for an access
incident.
While some information might be relevant for multiple
incident types, its location in one incident type might require
more prominence than in another incident type.
You can see
which incident type uses the incident layout in the
Incident
Types
page. The incident layout name appears in the Layout
column.Content
Pack Incident Layouts
Out-of-the-box content pack incident
layouts display a locked icon, which means to edit the layout, you
need to do one of the following:
- Duplicate an incident layout. To add the layout to the incident type, you need to detach the incident type and then add the layout.
- Detach the layout. When detached, the layout does not receive content pack updates until you reattach it. You do not need to edit incident type, as the layout name remains the same. If you detach a layout, make edits, and later want to receive content pack updates for that layout, we recommend you duplicate the incident layout before reattaching the original, to protect your changes from content pack updates.
Incident
Layout Builder
You can customize the following display
information for existing incidents, and the fields in incident forms,
by modifying the sections and fields for each view:
- Incident SummaryWithin the incident summary, you can see different tabs that appear for the incident type, some of which can be customized.You can customize almost every aspect of the layout, including which tabs appear, the order they appear, who has permissions and what type of information appears.You can add dynamic fields to a layout, such as a graph of the number of bad indicators, their source, and severity. Also, you can use queries to filter the information in the dynamic section to suit your exact needs.For the Mobile app, you can select which tabs to appear.
- New/Edit FormWhen creating or editing an incident you can add/delete sections, and fields as required.
- Close FormAdd/delete sections and fields when closing an incident.
- Incident Quick ViewAdd/delete sections and fields in the Incident Quick view section in the incident.
There
are several Cortex XSOAR system layout sections and fields that
you cannot remove, but you can rearrange them in the layout and
modify their queries and filters.
- Go to .
- (Content pack incident type layout) Detach the incident layout.
- Select the check box for the incident layout you want to detach.
- ClickDetach.When the layout is detached, you can also edit the layout in theIncident Typetab.
- Edit the incident type layout.
- Select the incident type whose layout you want to edit and click the layout.You are presented with the current layout, which is populated with sample data so you can see how the fields fit.
- In theIncident Summarytab, customize the tabs.
- Drag and drop the tab to reorder the tabs. For example, you can move the War Room tab so it appears after the Work Plan tab.
- Configure the tabs by clicking the settings cog wheel icon in the tab and then select one of the following options.
- Rename
- Duplicate
- Delete
- Hide
- Viewing PermissionsWhen clicking Viewing permissions, select which roles can view the tabs.You can also decide whether you want each tab to appear in the Mobile App, by selecting theShow this tab on Cortex XSOAR mobile App if role allowscheckbox. Only mobile supported tabs have this checkbox (for example,Work Planand theEvidencetabs do not have the checkbox and will not appear in the mobile app). By default, all mobile supported tabs have the checkbox selected.
Not all of the options are available for each tab.
- Add sections to the layout.
- From the Library section, in the Cortex XSOAR Sections drag and drop the required sections as follows:SectionDescriptionNew SectionAfter creating a new section, click thetab and drag and drop the fields as required.<Incident Type>FieldsCortex XSOAR out of the box sectionsOut of the box sections such as Attachments, Evidence, and so on.General Purpose Dynamic SectionEnables you to assign a script to this section. For example, assign a script that calculates the total number of entries that exist for an incident, and it dynamically updates when new entries are added to the incident.
- Define section properties.You can determine how a section in the layout appears in the layout. For example, does the section include the section header or not. You can also configure the fields to appear in rows or as cards. For example, if you know that some of the field values will be very long, you are better off using rows. If you know that the field values are short, you might want to use cards so you can fit more fields in a section.
- Select the section, click
and
then click Edit section settings. - Edit the section as required and clickOK.
- To remove or duplicate a section, select the section, click
and
select the relevant option
- If adding theBad or Suspicious Indicatorssection, you can change the information that appears, by click
, selecting Edit section settingsand then editing theQuery.For example, to see all indicators of type IP and with a reputation of Bad that were found by a specific source since March 1st 2020, enterType:IP and reputation:Bad and firstseenbysource:>="2020-03-01T00:00:00 +0200"
- Drag and drop fields, as required.
- Add fields and custom buttons.To add custom buttons, you need to create an automation and then add the buttons to the layout using the automation. These buttons can simplify and assist an analyst in carrying out various tasks. For example, add buttons for an analyst to self-assign an incident, link or unlink an incident, close an incident as a duplicate, generate a summary report, etc.The script that runs when an action button is clicked accepts only mandatory arguments through the pop up window and does not provide an option for any non-mandatory arguments to be filled in when the button is clicked. It is recommended to use a wrapper script to collect and validate arguments in scenarios where there can be a combination of mandatory and non-mandatory arguments for a button.In the following example, we will add a button to self assign an incident for an analyst. The automation is included in theCase Management - GenericContent Pack.
- Drag the+New Buttonand drop into the relevant section.
- Click to configure.
- Enter a descriptive name for the button, select a color, and select the script that you want to run when the button is clicked.
- ClickSave.In theIncident Summarytab, when clicking onAssign To Me, the incident will be self-assigned.
- Add required sections and fields in theNew/Edit Form,Close Form, andIncident Quick Viewtabs.
- If you have created a new or a duplicate of the layout, add the layout to the incident.
- Go to .
- (Content Pack Incident Types) Detach the incident type.
- Select the incident type and clickEdit.
- In theLayoutfield, from the drop down list, add the customized layout.
- ClickSave.
- Clickreattach.
- (Optional) For a customized layout, you can contribute it to the Marketplace.
- In theLayoutspage, select the new layout and then clickContribute.
- In the dialog box select eitherSave and submit your contributionorSave and download your contributionfor later use, which you can view in the Contributions tab in the Marketplace.If you selectSave and submit your contributionyour layout is validated and then you prompted to submit to review. You can also view your contribution in the Marketplace.
