Add rules to assign a custom alert layout based on the alert source,
Alert layouts are applied to alerts according to layout rules. For example, using a layout rule, you can assign a custom alert layout based on the alert source, such as a specific layout for alerts generated from a correlation rule.
You can create multiple rules. If the first rule does not apply to the incoming alert, the next rule is checked, and so on. If a content pack is installed and it contains a layout rule, the layout rule is placed at the top of the rules list, by default. You can change the order of the rules by dragging and dropping the rules in the list. You can filter the rule list by name, description, rule, layout, and source. If no layout rules apply to the alert, a default alert layout is used.
To edit or delete existing rules, right-click on the rule in the list and select Edit or Delete.
Note
Layout rules support SBAC (scoped based access control). The following parameters are considered for editing access.
If Scoped Server Access is enabled and set to restrictive mode, you can edit a rule if you are scoped to all tags in the rule.
If Scoped Server Access is enabled and set to permissive mode, you can edit a rule if you are scoped to at least one tag listed in the rule.
As a scoped user who has editing permissions to a rule, you can change the order among other rules that are locked.
If a rule was added when set to restrictive mode, and then changed to permissive (or vice versa), you will only have view permissions.
Select → → → → → .
Enter a Rule Name, select the custom or out-of-the-box Layout to Display if the rule is met, and provide a Description.
Search for alert(s) that match the criteria you want to use for the layout rule. For example, you can search for alerts from a specific alert source.
Create the rule.
Repeat as needed to create multiple rules.
Save the rules you have created.