The maximum number of suggestions for malicious suggestions in the investigation canvas. For more information, see Edit Dbot Incident and Indicator Suggestions.
The maximum number of suggestions for common indicators between incidents in the investigation canvas. For more information, see Edit Dbot Incident and Indicator Suggestions.
The maximum number of suggestions for indicators in the investigation canvas. For more information, see Edit Dbot Incident and Indicator Suggestions.
Whether any fetching limits are imposed.
The period of time (hours) within which to limit incidents that can be fetched.
The maximum number of incidents that can be fetched within the time period defined in the
Customizes incident close reasons in a comma separated list. For example,
When attempting to close an incident as duplicate, if the incident has mandatory fields that must be populated before closing, the close action fails by default. With this server configuration, you can change the default from
Configures the HTML field, if missing HTML styles. Add the following settings to the allowed list the attributes used in your HTML code. Supports the following styles:
Configures an ignored list for which incident fields to use for related incidents. A comma-separated list. For more information, see Configure Incident Fields for Related Incidents.
Configures an allowed list for which incident fields to use for related incidents. A comma-separated list. For more information, see Configure Incident Fields for Related Incidents.
Prevents modifying closed reasons for an incident.
Prevents the default administrator from viewing restricted incidents.
This is required in order to use
In addition, if you set the configuration for this, you MUST NOT set
Indicates whether to save the raw JSON for fetched incidents (fetched from SIEM) in ALL incidents. Values:
In some cases, it is useful to record the raw JSON for debugging issues with fetched incidents.
By default, this feature is not enabled. Enabling this feature might drastically impact disk size due to data duplication. We recommend that you only enable this feature when creating playbooks in Cortex XSOAR development instances.
By default, when editing the following inline values in an incident/indicator/threat intel reports, the changes are not saved until you confirm your changes (clicking the checkmark icon in the value field).
These icons are designed to let you have an additional level of security before you make changes to the fields in incidents/indicators.
Set this configuration to true, to enable you to make changes to the inline fields without clicking the checkmark. The changes are automatically saved when clicking anywhere on the page or when navigating to another page. For text values you can also click anywhere in the value field to edit
Whether to add chats and notes to closed investigation (set to
Whether to index all the tasks or a subset of them. Indexing all can take a lot of memory and affect performance.
Default is the total sum of the above values:
Add a new label field so that it is available at all times, when creating an incident. Use comma separated labels for multiple values.
Sets the number of times to retry linking an incident upon failure. When dealing with linking hundreds of incidents, start with a value of 100 and go up if there are still some failures.
Whether to ignore failed fetched incidents. For more information, see Receive Notification on an Incident Fetch Error.
The maximum number of incidents in the Quick View window. For more information, see Edit Dbot Incident and Indicator Suggestions.
List of names in CSV format to receive notifications when an integration experiences a fetch error. For more information, see Receive Notification on an Incident Fetch Error.
The interval in minutes, for fetching incidents. Set by the following configuration:
Increases the number of incidents per page.
Changes the display name of security incidents. For a list of values, see Change the Display Name of Security Incidents.