Timer fields count up from when a specific event begins and can also count down to a deadline. You can trigger actions in the event the timer field is breached.
By default, timer fields are disabled in Cortex XSIAM. To enable timer fields, go to → → → → and Enable Timer Field.
Timer alert fields provide you with the ability to track reaction time and help you measure alert-level metrics. Timers can measure multiple aspects of an alert. You can, for example, have a timer track how long since the first playbook ran, and have another timer track how long you've been waiting for a user's response. Timers display in the alerts table and in alert layouts.
Timer fields can be started, stopped, or paused in a playbook, script, or manually in the CLI.
Timer fields count up from when a specific action or task began and also (optionally) count down from a target. The Risk Threshold tells you when a timer is considered at risk and you can customize the time period for the Risk Threshold.
Timer fields always show the total duration while they are still running. If they are at risk, they show the at risk status. After a timer field has timed out (passed the target), the timer shows both the total duration and how long past the target.
Timer fields do not automatically trigger actions when timers time out. You can configure a script to run when a timer times out.
You can run scripts to act on timeouts, such as sending an email when a timeout occurs. You can also make specific changes to an alert field or a parent incident alert, such changing the incident owner. Cortex XSIAM includes out-of-the-box scripts or you can create your own scripts. Scripts must have the SLA
tag to be used for timer fields. For more information, see Automate changes to alert fields using timer scripts.
If you want to set or change timers for an alert you can use the setAlert
command in the CLI. You can also use commands such as startTimer
, stopTimer
, and pauseTimer
. For more information, see Use timer field commands manually in the CLI.