Incident fields

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-10
Category: Administrator Guide

Abstract: Add incident fields for custom incident layouts and for display in the incident table.

Cortex XSIAM includes out-of-the-box incident fields, incident fields from installed content packs, and user-defined custom incident fields. Incident fields can be used in custom incident layouts and displayed in the Incident table.

Custom incident fields can be exported and imported. To export a single custom incident field, right-click on the field in the fields table, and select Export. To export all custom incident fields in a single JSON file, click the Export All button above the fields table. System incident fields cannot be exported or imported.

After a custom incident field is created, it can be edited, deleted, or exported by right-clicking on the row. The field name and field type cannot be changed after the field is created. System fields cannot be edited, deleted, or exported.

Warning

Deleting an incident field or uninstalling a content pack containing an incident field may affect capabilities based on the deleted field, such as layouts and incident scoring.