Create a Custom Incident Field - Administrator Guide - 6.8 - Cortex XSOAR - Cortex - Security Operations

Select Settings → OBJECTS SETUP → Incidents → Incident Fields.

Depending on the field type, you can determine if the field contents are case-sensitive, as well as if the field is mandatory.

Click +New Field.

Complete the following parameters:

If relevant to the field type, add the Basic Settings.

If adding a grid, see Create a Grid Field for an Incident Type.

In the Attributes tab, add the attribute parameters.

Click Save.

To add the field to a system incident type:

1. Go to Settings → OBJECTS SETUP → Incidents → Types.

2. Select the checkbox for the incident type you want to edit.

3. Click Duplicate. A copy of the incident type appears with the string _copy appended to the name of the incident type. If more than one copy of the incident type is created, a number is appended to the _copy string. The number is increased with each additional duplication.

4. Click the name of the newly created incident type.

   You are presented with the current layout, which is populated with demo data so you can see how the fields fit.

To add the field to a custom incident type:

1. Go to Settings → OBJECTS SETUP → Incidents → Types.

2. Select the incident type whose layout you want to edit and click the Edit Layout.

   You are presented with the current layout, which is populated with demo data so you can see how the fields fit.

   Make sure you select an incident type where the Layout field is empty.

In the Library dialog box, in the Cortex XSOAR Sections tab, drag and drop + New Section on to the required tab.

In the Incident field tab, drag and drop the field that you have created into the New Section.