Create a featured alert field - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-10
Category
Administrator Guide
Abstract

You can label specific alert attributes as featured alert fields.

You can highlight alerts that are significant to you by labeling specific alert attributes as featured alert fields. Featured alert fields help you track alerts that involve specific host names, user names, and IP addresses.

How to create a featured alert field
  1. Go to Incident Response → Incident Configuration → Featured Fields and select a type of featured field.

  2. In the field type table, select Add featured <field-type> to define a list of alert fields that you want to flag in the Alerts table. You can either create a new featured alert field from scratch or upload field values from a CSV file; select one of those two options.

  3. (Optional) Manage your featured alert field list.

    • Locate the alert field you want to edit or delete.

    • Right-click and Edit to modify the field definition, or Delete to remove the featured flag.

  4. Investigate alerts that contain the featured alert fields.

    • In the Alerts table, use the following filters:

      • Contains Featured Host

      • Contains Featured User

      • Contains Featured IP Address

    • In the Alert Name field, Cortex XSIAM marks alerts that contain a matching featured field value with a featured alert field flag icon.

      Note

      Featured Active Directory values are displayed in the User and Host fields accordingly.

    • (Optional) Create an incident scoring rule using the Contains Featured fields to further highlight and prioritize alerts containing the Host, User, and IP address attributes. For more information, see Set up incident scoring.
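The following script is an added example and is not part of the Cortex XSIAM documentation or product code. It shows the two halves of the procedure above in plain code: preparing a clean list of featured host, user and IP values for upload, and checking which of the Contains Featured Host / User / IP Address filters an alert would satisfy. The CSV layout (a single `value` column with a header row), the alert field names (`host`, `user`, `ip`) and the rule that dotted names are hosts are assumptions, since the page does not specify them; the sample CSV and alerts are constructed.

```python
"""Prepare featured-field values and evaluate alerts against them.

Added example, not Cortex XSIAM code. Assumptions (not on the page):
- the upload CSV has one header row and a single 'value' column;
- alerts are dicts carrying 'host', 'user' and 'ip' keys;
- a value containing a dot that is not an IP address is a host name.
"""
import csv
import io
import ipaddress
import re

# Constructed sample upload CSV: mixed case, duplicates and one malformed IP.
SAMPLE_CSV = """value
dc01.corp.example
10.0.0.5
jsmith
DC01.corp.example
10.0.0.5
300.1.1.1
"""

# Constructed sample alerts as they might appear in the Alerts table.
SAMPLE_ALERTS = [
    {"name": "Suspicious logon", "host": "WS-042", "user": "JSmith", "ip": "10.0.0.5"},
    {"name": "Port scan", "host": "dc01.CORP.example", "user": "svc_backup", "ip": "192.168.1.9"},
    {"name": "Benign activity", "host": "ws-099", "user": "alice", "ip": "172.16.0.1"},
]


def classify(value):
    """Return 'ip', 'host' or 'user' for a candidate value, or None to drop it."""
    v = value.strip()
    if not v:
        return None
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        # Looks like an IPv4 address but is not valid (e.g. 300.1.1.1): drop it
        # rather than silently turning a typo into a featured host name.
        if re.fullmatch(r"[0-9.]+", v):
            return None
    if "." in v:  # assumption: dotted, non-IP values are host names
        return "host"
    return "user"


def load_featured(csv_text):
    """Parse the CSV into normalised, de-duplicated value sets per field type."""
    featured = {"host": set(), "user": set(), "ip": set()}
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = row.get("value", "")
        kind = classify(raw)
        if kind is None:
            continue
        v = raw.strip()
        # Canonicalise so the same entity is stored once: IPs in their
        # normalised text form, names lower-cased for case-insensitive matching.
        v = str(ipaddress.ip_address(v)) if kind == "ip" else v.lower()
        featured[kind].add(v)
    return featured


def featured_flags(alert, featured):
    """Return the names of the 'Contains Featured ...' filters the alert matches."""
    flags = []
    if alert.get("host", "").lower() in featured["host"]:
        flags.append("Contains Featured Host")
    if alert.get("user", "").lower() in featured["user"]:
        flags.append("Contains Featured User")
    ip = alert.get("ip", "")
    try:
        if ip and str(ipaddress.ip_address(ip)) in featured["ip"]:
            flags.append("Contains Featured IP Address")
    except ValueError:
        pass  # malformed IP in the alert never matches a featured IP
    return flags


if __name__ == "__main__":
    lists = load_featured(SAMPLE_CSV)
    for kind, values in lists.items():
        print(f"featured {kind}: {sorted(values)}")
    for alert in SAMPLE_ALERTS:
        print(alert["name"], "->", featured_flags(alert, lists) or "no featured match")
```

Normalising before upload matters because a single entity that appears as `DC01.corp.example` and `dc01.corp.example` should be one featured host, and an invalid address such as `300.1.1.1` should be rejected up front rather than becoming a featured value that can never match an alert.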