Create rules for alert layouts - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Add rules to assign a custom alert layout based on the alert source.

Alert layouts are applied to alerts according to layout rules. Using a layout rule, you can assign a custom alert layout based on the alert source, such as a specific layout for alerts generated from a correlation rule.

You can create multiple rules. If the first rule does not apply to the incoming alert, the next rule is checked, and so on. If a content pack is installed and it contains a layout rule, by default the layout rule is placed at the top of the rules list. You can change the order of the rules by dragging and dropping the rules in the list. You can filter the rule list by name, description, rule, layout, and source. If no layout rules apply to the alert, a default alert layout is used.

To edit or delete existing rules, right-click on the rule in the list and select Edit or Delete.

How to create layout rules
  1. Go to Settings → Configurations → Object Setup → Alerts → Layout Rules → New Rule.

  2. Enter a rule name, select the layout to use if the rule is met, and provide a description.

  3. Search for alerts that match the criteria you want to use for the layout rule. For example, you can search for alerts from a specific alert source.

  4. Click Create.

  5. Repeat as needed to create multiple rules.

  6. Click Save.

SBAC considerations

Layout rules support SBAC (scope-based access control). The following conditions determine editing access.

  • If Scoped Server Access is enabled and set to restrictive mode, you can edit a rule if you are scoped to all tags in the rule.

  • If Scoped Server Access is enabled and set to permissive mode, you can edit a rule if you are scoped to at least one tag listed in the rule.

  • As a scoped user who has editing permissions for a rule, you can change its order among other rules, including rules that are locked for you.

  • If a rule was added while Scoped Server Access was set to restrictive mode and the mode was later changed to permissive (or vice versa), you will have view permissions only for that rule.
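The following Python model is an added illustration, not Cortex XSIAM code or its API. It shows the ordered first-match evaluation of layout rules described above and the SBAC editing checks in this section; the rule fields, tag names and the `created_mode` attribute are assumptions made for the model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class LayoutRule:
    name: str
    layout: str            # layout applied when the rule matches
    source: str            # alert source selected by the rule's search criteria
    tags: frozenset        # SBAC scope tags carried by the rule (assumed field)
    created_mode: str      # Scoped Server Access mode when the rule was added (assumed)

DEFAULT_LAYOUT = "Default alert layout"

# Constructed sample rule list; a content-pack rule sits at the top by default.
SAMPLE_RULES = [
    LayoutRule("Pack: correlation alerts", "Correlation layout", "Correlation",
               frozenset({"soc"}), "restrictive"),
    LayoutRule("Agent alerts", "Agent layout", "XDR Agent",
               frozenset({"soc", "endpoint"}), "restrictive"),
]

def resolve_layout(rules, alert):
    """Check rules top to bottom; the first rule whose source criterion matches
    the alert supplies the layout, otherwise the default layout is used."""
    for rule in rules:
        if rule.source == alert.get("source"):
            return rule.layout
    return DEFAULT_LAYOUT

def can_edit(rule, user_tags, mode):
    """Editing access for a scoped user under Scoped Server Access.
    Rules without any scope tag are not modelled here."""
    user_tags = frozenset(user_tags)
    # A rule added under the other mode is view-only after the mode change.
    if rule.created_mode != mode:
        return False
    if mode == "restrictive":        # user must be scoped to every tag on the rule
        return rule.tags <= user_tags
    if mode == "permissive":         # one shared tag is enough
        return bool(rule.tags & user_tags)
    raise ValueError(f"unknown Scoped Server Access mode: {mode!r}")

if __name__ == "__main__":
    for src in ("Correlation", "XDR Agent", "Cloud Audit"):
        print(src, "->", resolve_layout(SAMPLE_RULES, {"source": src}))
    # A user scoped only to "soc" cannot edit the two-tag rule in restrictive mode.
    print(can_edit(SAMPLE_RULES[1], {"soc"}, "restrictive"))
```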