Incident Fields - Administrator Guide - 6.6 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide

Incident fields in Cortex XSOAR, including incident field types, fields common to all incident fields, timer/sla fields. Troubleshoot custom incident fields.

Use Incident Fields to accept or populate incident data coming from incidents. You create fields for information that arrives from third-party integrations in which you want to insert information. The fields are added to Incident Type layouts and are mapped using the Classification and Mapping feature.

Incident Fields can be populated by the incident team members during an investigation, at the beginning of the investigation, or prior to closing the investigation.


Creating Incident Fields is an iterative process in which you continue to create fields as you gain a better understanding of your needs and the information available in the third-party integrations that you use.

You can set and update all system incident fields using the setIncident command, of which each field is a command argument.

Incident Field Types

You can add the following field types, when adding a new field.

  • Attachments : enables adding an attachment, such as .doc, malicious files, reports, images of an incident, etc.

  • Boolean (checkbox)

  • Date picker

  • Grid (table): include an interactive, editable grid as a field type for selected incident types or all incident types.

  • HTML : you can Configure the HTML Field by applying your own theme.

  • Long text:

    • Long text is analyzed and tokenized.

    • Long text field entries are indexed as individual words, enabling you to perform advanced searches and use wildcards.

    • Case insensitive.

    • Long text fields cannot be sorted and cannot be used in graphical dashboard widgets.

    • While editing a long text field, pressing enter will create a newline.

  • Markdown: Add markdown-formatted text as a Template which will be displayed to users in the field after the indicator is created. Markdown lets you add basic formatting to text to provide a better end-user experience.

  • Multi select / Array: Includes two options a) Multi select from a pre-filled list b) An empty array field for the user to add one or more values as a comma-separated list.

  • Number: can contain any number. The default number is 0. Any quantity can be used.

  • Role: roles assigned to the incident determine which users (by the role to which they are assigned) can view the incident.

  • Short text:

    • Treated as a single unit of text, not indexed by word. Advanced search, including wildcards, is not supported.

    • Case sensitive by default, but can be changed to case insensitive when creating the field.

    • While editing a short text field, pressing enter will save and close.

    • Maximum length 60,000 characters.

    • Recommended use is one word entries. Examples: username, email address, etc.

  • Single select

  • Tags: accepts a single tag or a comma-separated list, not case sensitive.

  • Timer/SLA: view how much time is left before an SLA becomes past due, as well as configure actions to take in the event that the SLA does pass.

  • URL

  • User : a user in the system to state a manager or fallback.

Basic Settings

The following table lists the fields that appear in the Basic Settings page, and their descriptions. The Basic Settings page is available for the following field types:

  • Long text

  • Multi select

  • Short text

  • Single select

  • Tags




Optional text to display in the field when it is empty. This text will appear in the layout, but not in the created indicator. Available for Short text, Long text, Multi select / Array, Tags.


A comma-separated list of values that are valid values for the field.

Timer/SLA Fields

The following table lists the fields specific to Timer/SLA fields, and their descriptions.




Determine the amount of time in which this item needs to be resolved. If no value is entered, the field serves as a counter.

Risk Threshold

Determine the point in time at which an item is considered at risk of not meeting the SLA. By default, the threshold is 3 days, which is defined in the global system parameter.

Run on SLA Breach

In the Run on SLA Breach field, select the script to run when the SLA time has passed. For example, email the supervisor or change the assignee.


Only scripts to which you have added the SLA tag appear in list of scripts that you can select.

Attributes Parameters for Incident Fields

The following tables list the fields that are common to all Incident Fields.



Script to run when field value changes

The script that dynamically changes the field value when script conditions are met. For a script to be available, it must have the field-change-triggered tag, when defining an automation. For more information, see Incident Field Trigger Scripts.

Run triggered script after Incident is modified

Leave unchecked for the script to execute before the incident is stored in the database, so the script can modify the incident field value. Useful in most cases including performing validations and starting and stopping Timer/SLA fields.

When checked, the script executes after the incident is stored in the database, so that the script cannot modify the incident unless through CLI or API calls.

Field display script

Determines which fields display in forms, as well as the values that are available for single-select and multi-select fields. For more information, see Create Dynamic Fields in Incident Forms.

Add to all incident types

Determines for which incident types this field is available. By default, fields are available to all incident types. To change this, clear the Associate to all checkbox and select the specific incident types to which the field is available.

Default display on

Determines at which point the field is available. For more information, see Incident Field Examples.

Edit Permissions

Determines whether only the owner of the incident can edit this field.

Make data available for search

Determines if the values in these fields are available when searching.


In most cases, Cortex XSOAR recommends that you select this checkbox so values in the field are available for indexing and querying. However, in some cases, to avoid adverse affects on performance, you should clear this checkbox. For example, if you are ingesting an email to an email body field, we recommend that you not index the field.

Incident Field Examples

The following section shows several examples of common fields that are used in real-life incidents.

False Positive

Below is an example of a mandatory Incident field "False Positive" to be filled at time of Incident Close. The Field can have a value YES or NO and the SOC admin should be able to query or run report based on this field. After this field is added, all incidents will need to have this filled in before an incident can be marked closed.


SLA Fields

The following SLA field can be used to trigger a notification when the status effecting the SLA of an incident changes. If the SLA is breached, we have configured the field such that an email is sent to the owner's supervisor.

Troubleshooting Conflicts with Custom Incident Fields

When trying to download a content update, you receive the following message:

Warning: content update has encountered some conflicts

This occurs when a content update has an incident field with the same name as a custom incident field that already exists in Cortex XSOAR.


Click Install Content to force the update and retain your custom incident field. The content update will install without the system version of the incident field.

Create a Custom Incident Field

Create custom incident fields in Cortex XSOAR.

You can define custom incident fields based on the information you want to display in your Incident Type layouts, as well as the information ingested from third-party integrations.


If you try to create a new incident field with a name that already exists in the system such as Account, you may receive a message similar to this: [Could not create incidentfield with ID '' and name 'Account'. Field already exists as a builtin field (100709)]. If so, you should select a different name as the incident field is already reserved for system use.

  1. Select SettingsOBJECTS SETUPIncidentsIncident Fields.

    Depending on the field type, you can determine if the field contents are case-sensitive, as well as if the field is mandatory.

  2. Click +New Field.

  3. Complete the following parameters:



    Field Name

    A descriptive name indicating the information that the field contains.


    (Optional) Additional information you want to make available to users of this field.

  4. If relevant to the field type, add the Basic Settings.

    If adding a grid, see Create a Grid Field for an Incident Type.

  5. In the Attributes tab, add the attribute parameters.

  6. Click Save.

  7. To add the field to a system incident type:

    1. Go to SettingsOBJECTS SETUPIncidentsTypes.

    2. Select the checkbox for the incident type you want to edit.

    3. Click Duplicate. A copy of the incident type appears with the string _copy appended to the name of the incident type. If more than one copy of the incident type is created, a number is appended to the _copy string. The number is increased with each additional duplication.

    4. Click the name of the newly created incident type.

      You are presented with the current layout, which is populated with demo data so you can see how the fields fit.

  8. To add the field to a custom incident type:

    1. Go to SettingsOBJECTS SETUPIncidentsTypes.

    2. Select the incident type whose layout you want to edit and click the Edit Layout.

      You are presented with the current layout, which is populated with demo data so you can see how the fields fit.

      Make sure you select an incident type where the Layout field is empty.

  9. In the Library dialog box, in the Cortex XSOAR Sections tab, drag and drop New Section on to the required tab.

  10. In the Incident field tab, drag and drop the field that you have created into the New Section.