Incident Customization

Create and edit incident types in Cortex XSOAR. Attach and detach incident types. Indicator extraction rules. incidents, detach, reattach incident types.
All incidents that are ingested into Cortex XSOAR are assigned an incident type when they are classified. After you classify the incident, you can then map the relevant fields to the incident.
If the incident type does not exist you can create an incident type and classify the incident according to this incident type. You can create, duplicate, import, export, and customize incident types, by going to
Settings
ADVANCED
Incident Types
. Each incident type has a unique set of data that is relevant to that specific incident type. When you duplicate an incident type, the duplicate is associated with the same set of incident fields that belonged to the original incident type. Incident layouts enable you to display the most relevant data for users at all stages of the incident life cycle.
Attach and Detach Incident Types
When installing incident types from a Content Pack, by default, the incident types are attached, which means that they are not editable. If you want to edit the incident type, you have the following options:
  • Duplicate the incident type: You can duplicate an incident type and the duplicate is editable. The original incident type continues to receive Content Pack updates, but the duplicate does not.
  • Detach the incident type: You can edit a detached incident. While an incident type is detached, it does not receive Content Pack updates. If you detach an incident type, make edits, and later want to receive Content Pack updates for that incident type, we recommend you duplicate the incident type before reattaching the original, to protect your changes from Content Pack upgrades.
Regardless of whether the incident type is detached, you can detach the incident layout, which enables you to make changes to the layout without making a copy. If the incident layout is detached and the incident type is attached, the incident type receives updates but the layout does not. To receive content updates for the layout, the incident layout needs to be attached.
(
Multi-tenant
) When content is pushed from the Main account to tenants, the incident type is attached when received by the tenants. The tenants can detach both the incident type and the incident layout, without making copies.
If upgrading from a version earlier than v6.1, by default, all out of the box incident types (from a Content Pack) are detached. To receive content updates for detached incident types, reattach the incident type.
Indicator Extraction Rules
The Indicator Extraction feature extracts indicators from incident fields and enriches them using commands and scripts defined for the indicator type. You can view and create indicator extraction rules according to incident fields.
When upgrading from v6.0 and below, by default, all incident types (Content Pack) are detached and Indicator Extraction is enabled for all incident fields. To receive content updates, reattach the incident type.
Customize Incident Layouts
You can Customize Incident Layouts to ensure that you see the information that is relevant to the incident type.
You can do the following:
  • Duplicate and edit an incident layout, detach the incident type, and then edit the incident type to add the new layout.
  • Detach the layout and edit it.
  • Create a new layout, detach the incident type, and then edit the incident type to add the new layout.

Recommended For You