Alert layouts

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-13
Category: Administrator Guide
Abstract: View system layouts or create custom layouts for your alert type.

Cortex XSIAM includes default alert layouts. You can add additional alert layouts by installing content packs, duplicating system alert layouts, or creating new custom alert layouts. Alert layouts are applied to incoming alerts based on alert layout rules.

Alert layouts control the information displayed in the Investigate panel. To see which alert layout has been applied, click the Layout Info button in the upper-right corner of the Investigate panel. Empty layout fields are hidden by default, but are shown if you select Show empty fields.

The default alert layouts, and any layouts added from content packs, are locked by default and cannot be deleted, edited, or exported. To view a system layout, right-click the layout row and select View. To edit a system layout, first detach or duplicate it: right-click the layout row in the alert layout table and select Detach or Duplicate.

If you detach a layout, it does not receive content updates until it is reattached. To reattach a system layout, right-click the layout row and select Attach. If you detach a layout and make changes, those changes may be overwritten if you later reattach the layout. A detached layout can be edited or duplicated, but it cannot be deleted or exported.

If you duplicate the alert layout instead, the duplicate can be edited, deleted, or exported, the same as a custom alert layout.

When viewing an alert, users with editing permissions can edit most alert fields inline. After editing a field inline, click the check mark to save your change. Some system fields, such as Source Instance, cannot be edited.

To modify an existing custom layout, go to Settings → Configurations → Object Setup → Alerts → Layouts, right-click the layout in the layouts table, and select Edit, Duplicate, Delete, or Export.