Add alerts fields for mapping, correlation rules, alert custom layouts and for display in the alerts table.
Cortex XSIAM includes out-of-the-box alert fields, alert fields from installed content packs, and user defined custom alert fields. Alert fields can be used for mapping, correlation rules, custom alert layouts, and for display in the Alerts table.
All system and custom alert fields are available in the Alerts table. New custom fields are hidden by default. To show custom alert fields in the Alerts table view, click the three dot vertical ellipses and select the column(s) from the list.
For Grid fields, HTML fields, and Markdown fields, the Alerts table shows Data Available instead of the values, if the field contains data. To view the data, open the alert and click Investigate to see the full alert layout. For multi-select fields, the first value is shown in the Alerts table and the number of additional values is stated, but the additional values are not shown. For example, if a multi-select field holds the values x, y, and z, the Alerts table shows x + 2 More.
Cortex XSIAM stores both the original value of the field and the current value of the field, if different. Any changes made between the original value and the current value are not stored. For example, if the original value of the field was x, the value was then changed to m, and then changed to y, only the x and y values are stored. To view the original value and the current value of changed fields, hover over the updated alert fields icon 
on the right side of the row in the Alerts table. To revert all of the fields in an alert to their original values, click Restore all fields to their original values, in the updated alert fields box. Restoring all fields to their original values also restores the original values in the alert context data. Once you restore fields to their original values, this action can not be undone.
Custom alert fields can be exported and imported. To export a single custom alert field, right-click on the field in the fields table, and select Export. To export all custom alert fields in a single JSON file, click the Export All button above the fields table. System alert fields cannot be exported or imported.
After a custom alert field is created, it can be edited, deleted, or exported by right-clicking on the row. The field name and field type cannot be changed after the field is created. System fields cannot be edited, deleted, or exported.
Warning
Deleting an alert field or uninstalling a content pack containing an alert field may affect detection and other capabilities based on the deleted field. For example, correlation, layouts, incident scoring, starring rules, and playbook triggers.