Incident field types - Administrator Guide - Cortex XSIAM - Cortex - Security Operations


When creating incident fields, you can select field types, such as boolean, date picker, and grid (table).

You can create the following types of incident fields.




True or False

  • Incoming values 0, false, and False are treated as False.

  • Incoming values true, True, or any number besides 0 are treated as True.

  • Other values are treated as null.

Date picker

Adds the date to the field.

Supported time formats for validation are ISO 8601 and Epoch. Other values are treated as null.


You cannot set filters, starring rules, playbook triggers, layout rules, or alert exclusions based on the values in custom timestamp fields.
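As an added example (not part of this guide or of the Cortex XSIAM product), the following Python applies the Boolean and Date picker coercion rules documented above to an incoming record and reports the fields whose non-empty values would become null, which is the check to run when reviewing a field mapping. Assumptions: numeric strings count as numbers, epoch values are in seconds, and the field names and sample incident are constructed.

```python
from datetime import datetime, timezone
def coerce_boolean(value):
    # Boolean field rules: 0/false/False -> False, true/True/non-zero -> True, else null.
    if isinstance(value, (int, float)):
        return value != 0
    if isinstance(value, str):
        s = value.strip()
        if s in ("false", "False"):
            return False
        if s in ("true", "True"):
            return True
        try:  # assumption: numeric strings such as "1" count as numbers
            return float(s) != 0
        except ValueError:
            return None  # "FALSE", "yes", "" and similar fall through to null
    return None

def coerce_date(value):
    # Date picker rules: ISO 8601 or epoch (assumed seconds, returned as UTC), else null.
    if isinstance(value, str):
        try:
            value = float(value)  # numeric string -> epoch seconds
        except ValueError:
            try:
                return datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
            except ValueError:
                return None
    if isinstance(value, (int, float)) and not isinstance(value, bool):
        try:
            return datetime.fromtimestamp(value, tz=timezone.utc)
        except (OverflowError, OSError, ValueError):
            return None
    return None

def normalize_incident(raw, schema):
    # Coerce each field by type; 'dropped' lists non-empty inputs that became null.
    coercers = {"boolean": coerce_boolean, "date": coerce_date}
    values, dropped = {}, []
    for name, ftype in schema.items():
        src = raw.get(name)
        values[name] = coercers[ftype](src) if src is not None else None
        if values[name] is None and src not in (None, ""):
            dropped.append(name)
    return values, dropped

# Constructed sample incident, as an integration might deliver it (not real data).
SAMPLE = {"isolated": "FALSE", "confirmed": "1", "detected": "2024-03-05T10:15:00Z",
          "closed": 1709636400, "reported": "yesterday"}
SCHEMA = {"isolated": "boolean", "confirmed": "boolean", "detected": "date",
          "closed": "date", "reported": "date"}
```

Running `normalize_incident(SAMPLE, SCHEMA)` returns `['isolated', 'reported']` as dropped: the upper-case `"FALSE"` is not one of the documented spellings and `"yesterday"` is neither ISO 8601 nor epoch, so both would be stored as null.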

Grid (table)

Include an interactive, editable grid as a field. For details, see Create a Grid Field.


When a grid field is shown in the Incident table, any values in the field are not displayed in the Incident table. Instead, the column shows Data Available.

HTML

Create and view HTML content.


When an HTML field is shown in the Alerts table, if there is a value in the field, it does not display in the Incident table. Instead, the column shows Data Available.

Long text

  • Long text is analyzed and tokenized, and entries are indexed as individual words, enabling you to perform advanced searches and use wildcards.

  • Long text fields cannot be sorted and cannot be used in graphical dashboard widgets.

  • While editing a long text field, pressing Enter creates a new line. Long text fields are case insensitive.

Markdown

Add markdown-formatted text as a Template which is displayed to users in the field. Markdown lets you add basic formatting to text to provide a better end-user experience.


When a Markdown field is shown in the Incident table, if there is a value in the field, it does not display in the Incident table. Instead, the column shows Data Available.

Multi select / Array

Includes two options:

  • Multi select from a pre-filled list.

  • An empty array field for the user to add one or more values as a comma-separated list.

In the Basic Settings section, enter a comma-separated list of values.

Number

Can contain any number. Default is 0.

Short Text

  • Short text is treated as a single unit of text, and is not indexed by word. Advanced search, including wildcards, is not supported.

  • Short text fields are case insensitive.

  • While editing a short text field, pressing Enter saves and closes the field.

  • Recommended for single-word entries, such as a username or email address.

Single select

Select one from a list of options. Add a list of comma-separated values. By default, the first value is used, unless the checkbox for Use first as default is cleared.

SLA

SLA fields can be used to trigger a notification when the status affecting the SLA of an incident changes. In this example, if the SLA is breached, an email is sent to the owner's supervisor.

For more information on SLAs, see Create incident timers and SLAs.

Timer

Timer fields enable you to view how much time has passed since the timer was started and how much time remains until the timer times out. You can also configure a script to run when a timer times out.

URL

Contains a URL.


If you make changes to incident fields, you can update the context data by running a playbook, script, or command. For more information, see Update Incident Fields From an Alert.

To update dynamic custom incident fields, such as SLA and Timer fields, see Update timer and SLA fields.