Configure timer fields

Cortex XSIAM Administrator Guide

Product: Cortex XSIAM
Creation date: 2024-02-26
Last date published: 2024-04-25
Category: Administrator Guide
Abstract

Create timer fields and optionally add scripts to trigger when timers have been breached.

You can create timer fields that display in the alerts table and alert layouts. When you create a timer field, you have the option of providing a target for completion and also the option of triggering a script when the timer field has timed out (the target has passed). For more information about scripts, see Automate changes to alert fields using timer scripts.

If you set a target for a timer field, the Risk Threshold is automatically activated and displays when the timer is considered at risk. You can customize the timeframe for the Risk Threshold.

If you do not provide a target, the timer only counts up from when it was triggered.

Timers can be started, stopped, or paused from the CLI, from scripts, and from playbooks.

To create a timer alert field:

  1. Navigate to Settings → Configurations → Object Setup → Alerts → Fields → + New Field.

  2. Select Timer as the Field Type.

  3. Provide a Field Name.

  4. (Optional) Under Basic Settings, Timer, you have the option of setting a target for the timer field. By default, the timer field shows hours and minutes. You can change this to days and hours by clicking Hours. If you do not enter the number of hours and minutes, the timer only counts up from when it is triggered.

    If you set a target in the timer field, by default the Risk Threshold field is activated. You can edit the Risk Threshold value.

  5. (Optional) Under Run script on timeout, select the script to run when the target has timed out. For example, you could write a script that sends an email when the target has timed out. For more information, see Automate changes to incident fields using SLA scripts.

    Note

    Only scripts to which you have added the SLA tag appear in the list of scripts you can select. To add a tag to a script, create a new script or edit an existing script and enter the tag name in the script settings.

    When you hover over the machine name (below the Field Name), note the name, which is used in the command line or in scripts.

  6. Save the field.

  7. (Optional) Add the field to one or more alert layouts. By default, the timer field is available to view in the alerts table.
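
The email-on-timeout script mentioned in step 5 could look like the following. This is an added example, not code from the product documentation. It assumes script arguments named `timerField` (the timer's machine name) and `to`, which you would define yourself, and it assumes the alert exposes `id`, `name` and `CustomFields` keys.

```python
# Timeout script for a timer field (added example, not vendor code).
# Assumptions: the script arguments `timerField` and `to` are ones you define
# in the script settings; alert keys `id`, `name`, `CustomFields` are assumed.

def build_timeout_mail(alert, timer_field, recipient):
    """Return the argument dict for the send-mail command."""
    if not timer_field or not recipient:
        raise ValueError("timerField and to are both required")
    alert_id = str(alert.get("id", "unknown"))
    timer = (alert.get("CustomFields") or {}).get(timer_field) or {}
    lines = [
        f"Timer field '{timer_field}' on alert {alert_id} has passed its target.",
        # The alert name can carry externally supplied text, so it goes in
        # the body only and never into the subject header.
        f"Alert name: {alert.get('name', '')}",
    ]
    # Report whatever timer details are present without assuming key names.
    lines += [f"{key}: {timer[key]}" for key in sorted(timer)]
    return {
        "to": recipient,
        "subject": f"Timer '{timer_field}' timed out on alert {alert_id}",
        "body": "\n".join(lines),
    }


def main(demisto):
    """Entry point on the platform, where `demisto` is a predefined object."""
    args = demisto.args()
    mail = build_timeout_mail(demisto.incident(), args.get("timerField"), args.get("to"))
    demisto.results(demisto.executeCommand("send-mail", mail))


if __name__ in ("__main__", "__builtin__", "builtins"):
    try:
        main(demisto)  # noqa: F821 (injected by the script runtime)
    except NameError:
        # Outside the platform: run on a constructed sample alert instead.
        sample = {"id": "42", "name": "Constructed alert",
                  "CustomFields": {"triagetimer": {"runStatus": "ended"}}}
        print(build_timeout_mail(sample, "triagetimer", "soc@example.com"))
```

The `send-mail` command works only when a mail sender integration is configured, and the script must carry the SLA tag to appear under Run script on timeout.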