View system layouts or create custom layouts for your incident type.
Cortex XSIAM includes default incident layouts. Additional incident layouts can be added by installing content packs, duplicating system incident layouts for editing, or creating new custom incident layouts.
To see which incident layout has been applied to the layout and which rule triggered the use of the layout, click the Layout Info button in the upper right corner of the layout. Empty layout fields are hidden by default, but are shown if you select Show empty fields.
The default incident layouts and any layouts that are added from content packs, are locked by default and cannot be deleted, edited, or exported. To view a system layout, right-click the layout row and select View. If you want to edit a system layout, you can detach or duplicate the layout by right-clicking the layout row in the alert layout table and selecting Detach or Duplicate. If you detach a layout, the layout does not receive content updates until it is reattached. To reattach a system layout, right-click the layout row and select Attach. If you detach a layout and make changes, those changes may be overwritten if you later reattach the layout. If a layout is detached, you can edit or duplicate it, but you cannot delete or export it. If you instead duplicate the alert layout, the new duplicated layout can be edited, deleted, or exported, the same as a custom alert layout.
When viewing an incident, most incident fields can be edited inline, by users with editing permissions. . After editing a field inline, click the check mark to save your change. Some system fields, such as Source Instance, cannot be edited.
To modify an existing custom layout, go to Edit, Duplicate, Delete, or Export.
→ → → → , right-click the layout in the layouts table, and select