Create custom alert fields - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2025-02-09
Category: Administrator Guide
Abstract

Create alert fields so you can map from incoming alerts, map the output of queries from correlation rules, and add them to custom alert layouts.

You can create custom alert fields to:

  • Map raw JSON fields from incoming alerts.

  • Display custom fields data in the Alerts table.

  • Create correlation rules that generate alerts from XQL queries and map the output of the queries to custom alert fields.

  • Design custom alert layouts that include custom alert fields.

How to create a custom alert field:
  1. Select Settings → Configurations → Object Setup → Alerts → Fields → New Field.

  2. Choose a field type and enter a field name. For a description of available field types, see Alert field types. You can add an optional tooltip to provide users with information about the field.

    If adding a grid, see Create a grid field.

  3. Click Save.

Custom alert fields can be exported and imported. To export a single custom alert field, right-click on the field in the fields table, and select Export. To export all custom alert fields in a single JSON file, click the Export All button above the fields table.

After a custom alert field is created, it can be edited, deleted, or exported by right-clicking on the row. The field name and field type cannot be changed after the field is created.

You can also update the custom field values by running the Set command in the CLI, a script, or a playbook. For more information, see Update alert fields.