Incident Customization
Create and edit incident types in Cortex XSOAR, attach and detach
incident types, and define indicator extraction rules.
All incidents that are ingested into Cortex XSOAR are
assigned an incident type when they are classified.
After you classify the incident, you can then map the
relevant fields to the incident.
If the incident type does not exist, you can create an incident
type and classify the incident according to it. You can create,
duplicate, import, export, and customize incident types by going to
Settings > OBJECTS SETUP > Incidents > Types. Each incident type has
a unique set of data that is relevant to that specific incident
type. When you duplicate an incident type, the duplicate is associated
with the same set of incident fields that belonged to the original
incident type. Incident layouts enable
you to display the most relevant data for users at all stages of
the incident life cycle.
Attach and Detach Incident Types
When installing incident types from a Content Pack, by default,
the incident types are attached, which means that they are not editable.
If you want to edit the incident type, you have the following options:
- Duplicate the incident type: You can duplicate an incident type and the duplicate is editable. The original incident type continues to receive Content Pack updates, but the duplicate does not.
- Detach the incident type: You can edit a detached incident type. While an incident type is detached, it does not receive Content Pack updates. If you detach an incident type, make edits, and later want to receive Content Pack updates for that incident type, we recommend you duplicate the incident type before reattaching the original, to protect your changes from Content Pack upgrades.
Regardless of whether the incident type is detached, you
can detach the incident layout, which enables you to make changes
to the layout without making a copy. If the incident layout is detached
and the incident type is attached, the incident type receives updates
but the layout does not. To receive content updates for the layout,
the incident layout needs to be attached.
(Multi-tenant) When content is pushed from the Main
account to tenants, the incident type is attached when received
by the tenants. The tenants can detach both the incident type and
the incident layout, without making copies.
If upgrading from a version earlier than v6.1, by default,
all out of the box incident types (from a Content Pack) are detached.
To receive content updates for detached incident types, reattach
the incident type.
Indicator Extraction Rules
The Indicator Extraction feature
extracts indicators from incident fields and enriches them using
commands and scripts defined for the indicator type. You can view
and create indicator extraction
rules according to incident fields.
When upgrading from v6.0 and below, by default, all incident types
(Content Pack) are detached and Indicator Extraction is enabled for
all incident fields. To receive content updates, reattach the incident type.
Customize Incident Layouts
You can Customize Incident Layouts to ensure
that you see the information that is relevant to the incident type.
You can do the following:
- Duplicate and edit an incident layout, detach the incident type, and then edit the incident type to add the new layout.
- Detach the layout and edit it.
- Create a new layout, detach the incident type, and then edit the incident type to add the new layout.