Create an Evidence Field - Create custom evidence fields in Cortex XSOAR. - Administrator Guide - 6.14 - Cortex XSOAR - Cortex

Create an Evidence Field - Create custom evidence fields in Cortex XSOAR. - Administrator Guide - 6.14 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product

Cortex XSOAR

Version

6.14

Creation date

2024-10-09

Last date published

2026-06-01

Field types

You can create the following field types:

Field Type	Description
Boolean	Checkbox
Date picker	Adds the date to the field.
Long text	Long text is analyzed and tokenized, and entries are indexed as individual words, enabling you to perform advanced searches and use wildcards. Long text fields can't be sorted and used in graphical dashboard widgets. While editing a long text field, pressing Enter will create a new line (case is insensitive). Add a placeholder, if required.
Markdown	Add markdown-formatted text as a template that will be displayed to users in the field after the indicator has been created. Markdown lets you add basic formatting to text to provide a better end-user experience.
Multi select / Array	Select the following options: Multi-select from a (static) pre-filled list. An empty array field for the user to add one or more values as a comma-separated list. Add a placeholder, if required.
Number	Can contain any number. Default is 0.
Role	Role assigned to the evidence. Determines which users (by role) can view the evidence.
Short Text	Short text is treated as a single unit of text and is not indexed by word. Advanced search, including wildcards, is not supported. Short text fields are case-sensitive by default, but can be changed to case-insensitive when creating the field. While editing a short text field, pressing Enter will save and close. Maximum length 60,000 characters. Recommended use is one-word entries. Examples: username, email address, etc.
Single select	Select a value from a list of options. Add comma-separated values.
URL	Add a URL when completing the field.
User	A user in Cortex XSOAR.

Go to Settings → Objects Setup → Incidents → Evidence Fields → New Field.
To edit an existing custom evidence field, select the box next to the name and click Edit.
Select the relevant field type.

Add the following information:

Parameter	Description
Field Name	A meaningful display name for the field. After you type a name, you will see below the field that the Machine name is automatically populated. The field’s machine name is applicable for searching and the CLI. The field name must be unique, start with a letter, and contain only ASCII characters.
Case sensitive	Select this checkbox if the field should be case sensitive. This option is available for multi select/array, role, short text, single select, and user field types.
Mandatory	Select this checkbox if the field must be completed.
Tooltip	An optional tooltip for the field.

(Optional) In the Basic Settings tab, define the values according to the select field type.

Parameter	Description
Placeholder	Optional text to display in the field when it is empty. Placeholder text can be provided for short text, long text, and multi-select/ array field types.
Values	A comma-separated list of values that are valid for the field. Available for multi select/array and single select field types.
Template	Available for markdown fields.

In the Attributes tab, configure the indexing. By default, data in the field is available for search. If you do not want to include this field in search results, clear the checkbox for Make data available for search.
Click Save to create the field.