View system layouts or create custom layouts for your alert type.
Cortex XSIAM includes default alert layouts. Additional alert layouts can be added by installing content packs, duplicating system alert layouts for editing, or creating new custom alert layouts. Alert layouts are applied to incoming alerts based on alert layout rules.
When viewing an alert, click Investigate to see how alert information is displayed in a layout. To see which alert layout has been applied to the alert and which rule triggered the use of the layout, click the Layout Info button in the upper right corner of the layout. Empty layout fields are hidden by default, but are shown if you select Show empty fields.
The default alert layouts and any layouts that are added from content packs are locked by default and cannot be deleted, edited, or exported. To view a system layout, right-click the layout row and select View. If you want to edit a system layout, you can detach or duplicate the layout by right-clicking the layout row in the alert layout table and selecting Detach or Duplicate. If you detach a layout, the layout does not receive content updates until it is reattached. To reattach a system layout, right-click the layout row and select Attach. If you detach a layout and make changes, those changes may be overwritten if you later reattach the layout. If a layout is detached, you can edit or duplicate it, but you cannot delete or export it. If you instead duplicate the alert layout, the new duplicated layout can be edited, deleted, or exported, the same as a custom alert layout.
When viewing an alert, users with editing permissions can edit most alert fields inline. After editing a field inline, click the check mark to save your change. Some system fields, such as Source Instance, cannot be edited.
To modify an existing custom layout, right-click the layout in the layouts table, and select Edit, Duplicate, Delete, or Export.