Create custom incident fields - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-13
Category
Administrator Guide
Abstract

Create incident fields so you can add them to custom incident layouts.


You can create custom incident fields to:

  • Map raw JSON fields from incoming alerts.

  • Display custom field data in the Incidents table.

  • Create correlation rules that generate alerts from XQL queries and map the output of the queries to custom incident fields.

  • Design custom incident layouts that include custom incident fields.

How to create a new custom incident field:
  1. Select Settings → Configurations → Object Setup → Incidents → Fields → New Field.

  2. Choose a field type and enter a field name. You can add an optional tooltip to provide users with information about the field.

    If adding a grid, see Create a grid field for an incident.

  3. Save your changes.

Custom incident fields can be exported and imported. To export a single custom incident field, right-click on the field in the fields table, and select Export. To export all custom incident fields in a single JSON file, click the Export All button above the fields table.

After a custom incident field is created, it can be edited, deleted, or exported by right-clicking on the row. The field name and field type cannot be changed after the field is created.
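Because a field's name and type are fixed once the field exists, a bulk import that silently carries a changed type (for example, a field exported from a development tenant after someone recreated it with a different type) is worth catching before it reaches production. The script below is an added example, not part of this guide or of Cortex XSIAM; it compares an "Export All" JSON against a candidate import and reports new fields, unchanged fields, and conflicts. The JSON key names `name` and `type`, the type values, and all sample data are constructed assumptions for illustration and should be checked against a real export from your tenant.

```python
import json

# Constructed sample data, not a real XSIAM export. The key names "name" and
# "type" and the type values are assumptions for this example; check them
# against a real export before relying on this check.
CURRENT_FIELDS_JSON = json.dumps([
    {"name": "Source Hostname", "type": "shortText"},
    {"name": "Analyst Notes", "type": "longText"},
])

CANDIDATE_IMPORT_JSON = json.dumps([
    {"name": "Source Hostname", "type": "longText"},   # type changed: must be rejected
    {"name": "Analyst Notes", "type": "longText"},     # unchanged: fine
    {"name": "Ticket URL", "type": "shortText"},       # new field: fine
    {"name": "Ticket URL", "type": "url"},             # duplicate name within the import
])


def check_field_import(current_json: str, candidate_json: str) -> dict:
    """Compare a candidate field import against the fields that already exist.

    Returns a dict with three lists:
      new       - names that do not exist yet and would be created
      unchanged - names that already exist with the same type
      conflicts - reasons the import should not proceed as-is
    """
    current = {f["name"]: f["type"] for f in json.loads(current_json)}
    candidate = json.loads(candidate_json)

    result = {"new": [], "unchanged": [], "conflicts": []}
    seen = set()
    for field in candidate:
        name, ftype = field["name"], field["type"]
        # A name may appear only once per import; the second occurrence is ambiguous.
        if name in seen:
            result["conflicts"].append(f"duplicate field name in import: {name!r}")
            continue
        seen.add(name)
        if name not in current:
            result["new"].append(name)
        elif current[name] == ftype:
            result["unchanged"].append(name)
        else:
            # Name and type cannot be changed after creation, so this cannot be applied.
            result["conflicts"].append(
                f"{name!r}: existing type {current[name]!r} cannot be changed to {ftype!r}"
            )
    return result


if __name__ == "__main__":
    report = check_field_import(CURRENT_FIELDS_JSON, CANDIDATE_IMPORT_JSON)
    for section, items in report.items():
        print(section)
        for item in items:
            print("   ", item)
```

Run it against the JSON produced by Export All on the target tenant and the file you intend to import; anything listed under `conflicts` has to be resolved by hand (a new field under a different name, or dropping the entry), since the platform will not change an existing field's name or type.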