Create an alert layout to select the specific fields and buttons you require.
Custom alert layouts let you choose the specific fields and buttons that are displayed for different types of alerts. You can create custom alert layouts that include both custom and out-of-the-box alert fields.
The Alert Info tab and any new tabs you create can be renamed, hid, duplicated, or deleted. To make these changes, hover over the tab name, click the settings button, and select the relevant option. You can drag and drop tabs to change the order they appear. By default, empty fields within the tab are hidden in the alert layout. To show empty fields, hover over the tab name, click the settings button, and select Show empty fields.
You cannot edit the War Room and Work Plan tabs in the alert layout. You can hide these tabs from the layout by hovering over the tab name, clicking the settings button, and selecting Hide tab.
Custom alert layouts, as well as duplicates of system alert layouts, can be exported. To export a single alert layout, right-click on the layout in the layouts table, and select Export. To export all custom alert layouts and duplicates of system alert layouts in a single JSON file, click the Export All button above the layouts table.
You can import a custom alert layout by clicking Import and uploading the JSON file.
Select → → → → → .
Enter a name for the layout.
You can add sections and fields to the Alert Info tab or click +New tab .
To add a new section, in the Library dialog box Sections tab, drag and drop New Section into the Alert Info tab or your new custom tab.
By clicking on the pencil icon for a section, you can configure how a section appears, by hiding or showing the section header, as well as configuring the section fields to appear in rows or as cards.
Some sections have additional configuration options. If you add a Malicious or Suspicious Indicators section, for example, you can configure the indicator search query. If you add a War Room Entries section, you can filter by type of entry, such as chats, notes, files, etc.
The General Purpose Dynamic Section enables you to configure a section that displays the results of a script. Only scripts to which you have added the
dynamic-sectiontag appear in the dropdown list. You can use the General Purpose Dynamic Section to display custom or system widgets, text, markdown, or HTML.To add custom or out-of-the-box alert fields to the layout, drag the fields from the Fields and Buttons tab into existing sections or new sections that you added to the layout.
Tip
Limit the number of alert fields to 50 in each section. You can create additional sections as needed.
Custom buttons can simplify and assist an analyst in carrying out various tasks. For example, you can add a button to scan a host or kill a process.
For fields (script arguments) that are optional, you can define whether to show them to analysts when they click on buttons. To expose an optional field, select the Ask User checkbox next to the script argument(s) in the button settings page.
Note
The script that runs when an action button is clicked accepts only mandatory arguments through the pop up window and does not provide an option for any non-mandatory arguments to be filled in when the button is clicked. We recommend using a wrapper script to collect and validate arguments in scenarios where there can be a combination of mandatory and non-mandatory arguments for a button.
To add a button to a layout:
Drag the +New Button from the Fields and Buttons tab and drop into the relevant section.
Click to configure.
Enter a descriptive name for the button, select a color, and select the script that you want to run when the button is clicked.
Click Save.
Save the layout.
(Optional) To modify an existing layout, right-click the layout in the layout table and select Edit, Duplicate, Delete, or Export.