Incident Server Configurations - Administrator Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.9
Creation date: 2022-09-29
Last date published: 2024-12-04
End of Life: EoL
Category: Administrator Guide

Abstract: Server configurations for incidents.

Each entry below lists the configuration key, its description, and its default value (N/a where the key has no default).

canvas.suggestions.IncidentIndicatorSuggestions.max

The maximum number of malicious indicator suggestions displayed in the investigation canvas. For more information, see Edit Dbot Incident and Indicator Suggestions.

5

canvas.suggestions.IncidentMutualIndicatorSuggestions.max

The maximum number of suggestions for common indicators between incidents in the investigation canvas. For more information, see Edit Dbot Incident and Indicator Suggestions.

5

canvas.suggestions.IndicatorIndicatorSuggestions.max

The maximum number of suggestions for indicators in the investigation canvas. For more information, see Edit Dbot Incident and Indicator Suggestions.

5

create.incidents.limit.by.time.range

Whether to limit the number of incidents that can be fetched within a time range (see the two related keys that follow).

false

create.incidents.limit.by.time.range.hours

The period of time (hours) within which to limit incidents that can be fetched.

24

create.incidents.limit.by.time.range.max.allowed

The maximum number of incidents that can be fetched within the time period defined in the create.incidents.limit.by.time.range.hours server configuration.

1000
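The three keys above together describe a time-window cap on incident creation, which protects the server from an integration that suddenly returns far more incidents than expected. The following Python model is an added example, not Cortex XSOAR code; it assumes the cap counts incidents created in the trailing window of `hours` before the current time (the page does not say how the window is anchored) and uses epoch-second timestamps so that it runs stand-alone.

```python
# Constructed settings mirroring the three server configuration keys above.
SETTINGS = {
    "create.incidents.limit.by.time.range": True,
    "create.incidents.limit.by.time.range.hours": 24,
    "create.incidents.limit.by.time.range.max.allowed": 1000,
}


def fetch_allowed(created_at, now, settings=SETTINGS):
    """Decide whether one more incident may be created at time `now`.

    created_at: epoch-second timestamps of incidents already created.
    Returns (allowed, remaining); remaining is None when the limit is disabled.
    Assumption (not stated on the page): the limit counts incidents created in
    the trailing window of `hours` before `now`, so older ones stop counting.
    """
    if not settings["create.incidents.limit.by.time.range"]:
        return True, None
    window = settings["create.incidents.limit.by.time.range.hours"] * 3600
    cap = settings["create.incidents.limit.by.time.range.max.allowed"]
    in_window = sum(1 for t in created_at if now - window < t <= now)
    return in_window < cap, max(cap - in_window, 0)


def simulate_burst(count, now, settings=SETTINGS):
    """Feed `count` incidents arriving at the same instant through the limit
    and report (accepted, dropped), as a misbehaving integration would see it."""
    created = []
    accepted = dropped = 0
    for _ in range(count):
        allowed, _ = fetch_allowed(created, now, settings)
        if allowed:
            created.append(now)
            accepted += 1
        else:
            dropped += 1
    return accepted, dropped


if __name__ == "__main__":
    small = {**SETTINGS, "create.incidents.limit.by.time.range.max.allowed": 3}
    print(simulate_burst(5, now=100_000.0, settings=small))  # (3, 2)
```

When sizing `max.allowed`, note that incidents created before the window no longer count, so a steady feed just under the cap per window is never throttled, while a burst exceeding the cap is cut off until the window advances.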

Export.utf8bom

Whether to export incidents to CSV with a UTF-8 byte order mark (BOM).

true

incident.closereasons

Customizes the incident close reasons as a comma-separated list. For example: false positive, resolved, duplicate, low priority, invalid, other.

false positive, resolved, duplicate, other

incident.batch.close.fields

When an incident is closed as a duplicate but has mandatory fields that are not populated, the close action fails by default. This server configuration changes that behavior from fail to allow or populate. allow closes the duplicate incident with the fields still empty. populate fills the missing mandatory fields with the values from the original incident that this incident duplicates, and then closes it.

fail

incident.html.style.attributes

Configures the allowed list of CSS style attributes for HTML fields. If styles used in your HTML code are missing from the rendered field, add the attributes you use to this list as a comma-separated value. The following attributes are supported:

text-align,font-size,font-family,font-weight,color,line-height,border-style,border,page-break-inside,tablelayout,padding,background-size,display,padding-top,padding-right,padding-bottom,padding-left,text-size-adjust,break-inside,word-break,width,height,-ms-text-size-adjust,-webkit-text-size-adjust

N/a

incident.metadata.ignore.list

A comma-separated list of incident fields to ignore when determining related incidents. For more information, see Configure Incident Fields for Related Incidents.

N/a

incident.metadata.whitelist

A comma-separated list of incident fields to use (an allowed list) when determining related incidents. For more information, see Configure Incident Fields for Related Incidents.

N/a

incident.prevent.modify.closed

Prevents the close reason of a closed incident from being modified.

false

incident.restrict.default.admin

Prevents the default administrator from viewing restricted incidents.

false

incident.stuck.notification.status

Required in order to use playbook.stuck.notification.users. To send only error emails, set:

incident.stuck.notification.status = error

If you set this configuration, you MUST NOT also set message.ignore.incidentstatuschanged = true, or you will receive no notifications.

N/a

ingestion.samples.save-mapped

Whether to save the raw JSON of fetched incidents (for example, incidents fetched from a SIEM) on ALL incidents. Values: true/false.

In some cases, it is useful to record the raw JSON for debugging issues with fetched incidents.

Caution

This feature is disabled by default. Enabling it can significantly increase disk usage because the data is duplicated. We recommend enabling it only when developing playbooks on Cortex XSOAR development instances.

false

inline.edit.on.blur

By default, when editing the following inline values in incidents, indicators, and threat intel reports, the changes are not saved until you confirm them (by clicking the checkmark icon in the value field).

  • Dropdown values, such as Owner, Severity, etc.

  • Text values, such as Asset ID. (You can only edit when you click the pencil in the value field).

These icons give you an additional level of security before you change fields in incidents or indicators.

Set this configuration to true to change inline fields without clicking the checkmark. Changes are saved automatically when you click anywhere on the page or navigate to another page. For text values, you can also click anywhere in the value field to edit it.

false

investigation.prevent.modify.closed

Whether to prevent adding chats and notes to a closed investigation (set to false to allow them).

true

investigation.task.partial.index

Whether to index all the tasks or a subset of them. Indexing all can take a lot of memory and affect performance.

Values:

  • 1: Manual tasks

  • 2: Tasks that have an assignee

  • 4: Tasks that have a due date

  • 8: Tasks that are in an error state

  • 16: Oversized tasks

Default is the total sum of the above values: 31.

31
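The value of this key is a bitmask: each category contributes one bit, and the default 31 is all five bits set. The following Python helpers are an added example, not Cortex XSOAR code, for decoding a configured value into category names, building a value from the categories you want indexed, and rejecting bits the page does not define. The `should_index` rule (a task is indexed when it falls into at least one enabled category) is this example's assumption; the page does not spell out how multiple categories combine.

```python
# Bit values exactly as listed for investigation.task.partial.index.
TASK_INDEX_FLAGS = {
    "manual": 1,       # Manual tasks
    "assignee": 2,     # Tasks that have an assignee
    "due_date": 4,     # Tasks that have a due date
    "error": 8,        # Tasks that are in an error state
    "oversized": 16,   # Oversized tasks
}
ALL_FLAGS = sum(TASK_INDEX_FLAGS.values())  # 31, the documented default


def decode_index_mask(value):
    """Return the sorted category names enabled by `value`.
    Raises ValueError for negative values or bits the page does not define."""
    if value < 0 or value & ~ALL_FLAGS:
        raise ValueError(f"undefined bits in investigation.task.partial.index: {value}")
    return sorted(name for name, bit in TASK_INDEX_FLAGS.items() if value & bit)


def encode_index_mask(categories):
    """Build the configuration value from category names (KeyError on unknown names)."""
    mask = 0
    for category in categories:
        mask |= TASK_INDEX_FLAGS[category]
    return mask


def should_index(task, mask):
    """Assumption (not stated on the page): a task is indexed if it belongs to at
    least one enabled category. `task` maps category names to booleans."""
    return any(task.get(name, False) for name, bit in TASK_INDEX_FLAGS.items() if mask & bit)


if __name__ == "__main__":
    print(decode_index_mask(31))                  # all five categories
    print(encode_index_mask(["manual", "error"]))  # 9
    print(should_index({"manual": True}, 10))      # False: 10 enables assignee and error only
```

Validating the mask before saving it (as `decode_index_mask` does) catches the common mistake of entering a category number rather than a bit value, for example 3 meaning "the third category" rather than manual plus assignee.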

labels.type.user

Adds a label field that is always available when creating an incident. Use comma-separated labels for multiple values.

N/a

linked.inc.retry.limit

Sets the number of times to retry linking an incident after a failure. When linking hundreds of incidents, start with a value of 100 and increase it if failures remain.

100

message.ignore.failedFetchIncidents

Whether to ignore failed incident fetches (no notification is sent). For more information, see Receive Notification on an Incident Fetch Error.

false

ml.suggestions.canvas.leftpane.incidents.limit

The maximum number of incidents in the Quick View window. For more information, see Edit Dbot Incident and Indicator Suggestions.

10

module.health.notification.users

Comma-separated list of user names that receive notifications when an integration experiences a fetch error. For more information, see Receive Notification on an Incident Fetch Error.

N/a

serverSiemIncidents.schedule

The interval, in minutes, for fetching incidents. Set by the following configuration:

recent.integration.siem.fetch.incidents.delay

1

ui.incidents.page.size

The number of incidents displayed per page.

50

(Multi-tenant) 200 for the Main Account

UI.term.incident

Changes the display name of security incidents. For a list of values, see Change the Display Name of Security Incidents.

N/a