Create alert fields so you can map from incoming alerts, map the output of queries from correlation rules, and add them to custom alert layouts.
You can create custom alert fields to:
Map raw JSON fields from incoming alerts.
Display custom fields data in the Alerts table.
Create correlation rules that generate alerts from XQL queries and map the output of the queries to custom alert fields.
Design custom alert layouts that include custom alert fields.
Select → → → → → .
Choose a field type and enter a field name. For a description of available field types, see Alert Field Types. You can add an optional tooltip to provide users with information about the field.
If adding a grid, see Create a Grid Field.
Save your changes.
Custom alert fields can be exported and imported. To export a single custom alert field, right-click on the field in the fields table, and select Export. To export all custom alert fields in a single JSON file, click the Export All button above the fields table.
After a custom alert field is created, it can be edited, deleted, or exported by right-clicking on the row. The field name and field type cannot be changed after the field is created.