Add a Cortex XSOAR server configuration to change the name of security incidents from ‘incident’ to another term - cases, issues, etc.
In Cortex XSOAR, the default term used for a security incident is incident
. You can change the term that is used for security incidents from a predefined list of options. This term displays in reports, menus, tables, and commands (local and server) in Cortex XSOAR.
When you change the display name of a security incident, the following commands are deprecated and are replaced with commands with the new name:
associateIndicatorstoIncident
associateIndicatortoIncident
createNewIncidents
linkIncidents
relatedIncidents
setIncident
unAssociateIndicatorstoIncident
unAssociateIndicatortoIncident
For example, if you change the security incident name to Cases
, the setIncident
command appears as setIncident (Deprecated)
and the setCase
command replaces it. You can still use the deprecated command but we recommend replacing the command for clarity.
The term you select does not change the display name for content-related items, such as playbooks, integrations, scripts, dashboards, or the API.
Note
(Multi-Tenant) When changing the display name of security incidents, the URL link which contains /incident
may not work properly. For example, when changing the incident to case, sometimes the links are formed with the/incident
URL and not with the /case
URL. This can usually be corrected by clearing the browser cache and reloading the page.
Navigate to
→ → .In the Server Configuration section, click Add Server Configuration.
In the Key field type
UI.term.incident
.In the Value field enter the value for the term. In the following table, the Command column displays the correct command to use.
Value
Term
Command
0
Incidents (default)
setIncident
1
Cases
setCase
2
Alerts
setAlert
3
Events
setEvent
4
Plays
setPlay
5
Tickets
setTicket
6
Issues
setIssue
Restart the server.