Incident types are used to classify the events that are ingested into the Cortex XSOAR system. Each incident type can be configured to work with a dedicated playbook, which can either run automatically when an event is ingested, or can be triggered separately at a later point. In addition, you can configure dedicated SLA parameters for each incident type, as well run specific post-processing scripts for the given incident type.
All incidents that are ingested into Cortex XSOAR are assigned an incident type when they are classified. After you classify the incident, you can then map the relevant fields to the incident. Only events that are ingested through integrations or the REST API are processed through the classification engine and automatically assigned an incident type. Incidents that you create manually, or are created through a playbook, are not processed through the classification engine and should be assigned an incident type.
If the incident type does not exist you can create an incident type and classify the incident according to this incident type. You can create, duplicate, import, export, and customize incident types, by going to → → → . Each incident type has a unique set of data that is relevant to that specific incident type. When you duplicate an incident type, the duplicate is associated with the same set of incident fields that belonged to the original incident type. Incident layouts enable you to display the most relevant data for users at all stages of the incident life cycle.
Attach and Detach Incident Types
When installing incident types from a Content Pack, by default, the incident types are attached, which means that they are not editable. If you want to edit the incident type, you have the following options:
Duplicate the incident type: You can duplicate an incident type and the duplicate is editable. The original incident type continues to receive Content Pack updates, but the duplicate does not.
Detach the incident type: You can edit a detached incident. While an incident type is detached, it does not receive Content Pack updates. If you detach an incident type, make edits, and later want to receive Content Pack updates for that incident type, we recommend you duplicate the incident type before reattaching the original, to protect your changes from Content Pack upgrades.
Regardless of whether the incident type is detached, you can detach the incident layout, which enables you to make changes to the layout without making a copy. If the incident layout is detached and the incident type is attached, the incident type receives updates but the layout does not. To receive content updates for the layout, the incident layout needs to be attached.
(Multi-tenant) When content is pushed from the Main account to tenants, the incident type is attached when received by the tenants. The tenants can detach both the incident type and the incident layout, without making copies.
If upgrading from a version earlier than v6.1, by default, all out of the box incident types (from a Content Pack) are detached. To receive content updates for detached incident types, reattach the incident type.
Indicator Extraction Rules
The Indicator Extraction feature extracts indicators from incident fields and enriches them using commands and scripts defined for the indicator type. You can view and create indicator extraction rules according to incident fields.
When upgrading from v6.0 and below, by default, all incident types (Content Pack) are detached and Indicator Extraction is enabled for all incident fields. To receive content updates, reattach the incident type.
Customize Incident Layouts
You can Customize Incident Layouts to ensure that you see the information that is relevant to the incident type.
You can do the following:
Duplicate and edit an incident layout, detach the incident type, and then edit the incident type to add the new layout.
Detach the layout and edit it.
Create a new layout, detach the incident type, and then edit the incident type to add the new layout.