Create an incident field

Cortex XSOAR On-prem Documentation

Product: Cortex XSOAR
Version: 8.5
Creation date: 2024-03-10
Last date published: 2024-11-28
Category: Administrator Guide
Solution: On-prem
Abstract

Create custom incident fields in Cortex XSOAR.

Incident fields accept and hold the data that belongs to an incident. They are added to incident layouts and are populated through classification and mapping.

Creating incident fields is an ongoing process. You can create fields from information ingested from third-party integrations. As you learn more about your needs and the capabilities of your third-party integrations, you can continually add new fields to capture the most relevant information.

When investigating an incident, an analyst can easily add relevant information to the fields in the layout. Incident team members can populate incident fields at the beginning of an investigation, during it, or before closing it.

Note

In the CLI, you can set and update all system incident fields using the setIncident command; each field is an argument of that command.

You can create the following field types:

Field Type

Description

Attachments

Lets the user add an attachment, such as a .doc file, a malicious file sample, a report, or an incident image.

Boolean

Checkbox

Date picker

Lets the user pick a date for the field.

Grid (table)

Include an interactive, editable grid as a field type for selected incident types or all incident types. To see how to create a grid field and to use a script, see Use scripts with a grid field.

When you select Grid (table) you can format the table and determine if the user can add rows.

HTML

Create and view HTML content, which can be used in any incident type.

Long text

  • Long text is analyzed and tokenized, and entries are indexed as individual words, enabling you to perform advanced searches and use wildcards.

  • Long text fields can't be sorted or used in graphical dashboard widgets.

  • While editing a long text field, pressing Enter creates a new line. Long text fields are not case-sensitive.

Add a placeholder, if required.

Markdown

Add Markdown-formatted text as a template that is displayed to users in the field after the indicator has been created. Markdown lets you add basic formatting to text for a better end-user experience.

Multi select / Array

Select one of the following options:

  • Multi-select from a (static) pre-filled list.

  • An empty array field for the user to add one or more values as a comma-separated list.

Add a placeholder, if required.

Number

Can contain any number. Default is 0.

Role

Role assigned to the incident. Determines which users (by role) can view the incident.

Short Text

  • Short text is treated as a single unit of text and is not indexed by word. Advanced search, including wildcards, is not supported.

  • Short text fields are case-sensitive by default but can be changed to case-insensitive when creating the field.

  • While editing a short text field, pressing Enter saves and closes the field.

  • Maximum length is 60,000 characters.

  • Recommended use is one-word entries. Examples: username, email address, etc.

Single select

Select a value from a list of options. Add comma-separated values.

Tags

Accepts a single tag or a comma-separated list of tags; tags are not case-sensitive.

Add a placeholder, if required.

Timer/SLA

Shows how much time is left before an SLA is past due, and lets you configure actions to take if the SLA is breached.

Note

Incidents sorted using an SLA/Timer field are sorted by the due date of the SLA field.

URL

Add a URL when completing the field.

User

A user in Cortex XSOAR.

  1. Select Settings & Info > Settings > Object Setup > Incidents > Incident Fields > New Field.

    To edit an existing incident field, right-click the field name and select Edit.

  2. Select the relevant field type.

  3. Add the following information:

    Parameter

    Description

    Mandatory

    If selected, this field is mandatory when used in a form.

    Field Name

    A meaningful display name for the field. After you type a name, the Machine name shown below the field is populated automatically. The machine name is the name used in searches and in the CLI.

    Note

    If you try to create a new incident field with a name that already exists in the system such as Account, you may receive a message like this:

    [Could not create incidentfield with ID '' and name 'Account'.Field already exists as a builtin field (100709)].

    If so, choose a different name, because that field name is reserved for system use.

    Do not create a custom field named reason, as it is a reserved keyword in the tenant.

    Tooltip

    An optional tooltip for the field.

  4. In the Basic Settings tab, define the values according to the selected field type.

    Parameter

    Description

    Placeholder

    Optional text to display in the field when it is empty. This text will appear in the layout, but not in the created incident. Available for Short text, Long text, Multi select / Array, and Tags.

    Values

    A comma-separated list of the valid values for the field.

  5. If selecting a Timer/SLA field, define the following:

    Parameter

    Description

    SLA

    Determine the amount of time in which this item needs to be resolved. If no value is entered, the field serves as a counter.

    Risk Threshold

    Determine the point in time at which an item is considered at risk of not meeting the SLA. By default, the threshold is 3 days, which is defined in the global system parameter.

    Run on SLA Breach

    In the Run on SLA Breach field, select the script to run when the SLA time has passed. For example, email the supervisor or change the assignee.

    Note

    Only scripts to which you have added the SLA tag appear in the list of scripts that you can select.

  6. If you are creating a Grid (table) field, in the Grid tab, define the following values.

    • To enable users to add/remove rows in the grid, select the User can add rows field. If selected, the user can add rows but not columns.

    • Manage rows and columns. You can move the columns and add/delete rows and columns (using the + and - signs). How you design the grid determines how it appears to users.

    • Configure each column by clicking the settings button in each column. Add the column name, select whether the column is mandatory, and the field type. If you select Lock, the value for that field is static (not editable). If you do not select the Lock checkbox (default), users can perform inline editing.

  7. In the Attributes tab, define the following:

    Field

    Description

    Script to run when field value changes

    The script dynamically changes the field value when the script's conditions are met. To be available here, the script must have been given the field-change-triggered-indicator tag when it was defined.

    For more information, see .

    Run the field triggered script after the new field value is saved

    Leave unchecked to run the script before the incident is stored in the database, so that the script can modify the incident field value. This is the right choice in most cases, including performing validations and starting or stopping Timer/SLA fields.

    When checked, the script runs after the incident is stored in the database, so the script cannot modify the incident except through CLI or API calls.

    For example, add the emailFieldTriggered script, which runs after the Incident Updates tag is stored in the database (unchecked).

    Field display script

    Determines which fields display in forms, as well as the values that are available for single-select and multi-select fields. For more information, see Create Dynamic Fields in Incident Forms.

    Add to all incident types

    Determines for which incident types this field is available. By default, fields are available to all incident types. To change this, clear the Add to all Incident types checkbox and select the specific incident types to which the field is available. For example, you may want to limit the field to Access, Malware and Network incident types.

    Default display on

    Determines at which point the field is available. For more information, see Incident Field Examples.

    Edit Permissions

    Determines whether only the owner of the incident can edit this field.

    Indexing (Make data available for search)

    Determines if the values in these fields are available when searching.

    Note

    In most cases, Cortex XSOAR recommends that you select this checkbox so values in the field are available for indexing and querying. However, in some cases, to avoid adverse effects on performance, you should clear this checkbox. For example, if you are ingesting an email to an email body field, we recommend that you not index the field.

  8. Save the field.

    If you subsequently edit the field, you can select Don't show in the incidents layout. If selected, the incident field does not appear in the layout, but its data is displayed in the context data.

  9. Add the field to an incident layout.

  10. (Optional) In the incident type, map the incident field, so the incident field is automatically updated, without the analyst having to change it.

The following section shows several examples of common fields used in real-life incidents.

False positive

Below is an example of a mandatory False Positive field, which is completed when the incident is closed. The field can have the value Yes or No. The administrator can query or run a report based on this field. After this field is added, it must be completed before an incident can be marked closed.

[Screenshots: new-incident-field-basic.png (Basic Settings tab), new-incident-field-attributes.png (Attributes tab)]

SLA fields

The following SLA field can be used to trigger a notification when the status affecting the SLA of an incident changes. In this example, if the SLA is breached an email is sent to the owner's supervisor.

[Screenshot: sla-field.png]
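As an added illustration that is not part of the Cortex XSOAR documentation or product code, the following Python models the Timer/SLA parameters from step 5 (the SLA, the 3-day default risk threshold, and counter mode when no SLA is entered), the note that incidents sorted on a Timer/SLA field are ordered by due date, and the supervisor notification from the SLA example above. The incident dictionary keys, the supervisor address, the field names and all times are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

DEFAULT_RISK_THRESHOLD = timedelta(days=3)  # page: the default risk threshold is 3 days
NOW = datetime(2024, 3, 10, 12, 0, tzinfo=timezone.utc)  # constructed "current time"

@dataclass
class TimerField:  # constructed model of a Timer/SLA field
    name: str
    start: datetime
    sla: Optional[timedelta] = None  # no SLA entered: the field is only a counter
    risk_threshold: timedelta = DEFAULT_RISK_THRESHOLD
    def due(self) -> Optional[datetime]:
        return None if self.sla is None else self.start + self.sla

    def status(self, now: datetime) -> str:
        """'counter', 'ok', 'at_risk' (due within the risk threshold) or 'breached'."""
        if self.sla is None:
            return "counter"
        if now >= self.due():
            return "breached"
        return "at_risk" if now >= self.due() - self.risk_threshold else "ok"

def on_sla_breach(incident: dict, now: datetime) -> Optional[dict]:
    """Stand-in for a 'Run on SLA Breach' script: notify the owner's supervisor, as in the
    page's SLA example. The 'supervisor' key is an assumption of this example."""
    timer = incident["timer"]
    if timer.status(now) != "breached":
        return None
    overdue = int((now - timer.due()).total_seconds() // 60)
    return {"to": incident["supervisor"], "incident": incident["id"],
            "subject": f"SLA '{timer.name}' breached by {overdue} minutes"}

def sort_by_due(incidents: list) -> list:
    # Page: sorting on an SLA/Timer field sorts by the SLA due date; plain counters go last.
    return sorted(incidents, key=lambda i: (i["timer"].due() is None,
                                            i["timer"].due() or i["timer"].start))

def demo(now: datetime = NOW) -> dict:
    # Evaluate four constructed incidents and return what a dashboard would show.
    def inc(iid, name, started_days_ago, sla_days=None):
        sla = None if sla_days is None else timedelta(days=sla_days)
        timer = TimerField(name, now - timedelta(days=started_days_ago), sla)
        return {"id": iid, "supervisor": "soc-lead@example.invalid", "timer": timer}
    incidents = [inc("INC-1", "Remediation SLA", 5, 4), inc("INC-2", "Remediation SLA", 1, 3),
                 inc("INC-3", "Remediation SLA", 0, 10), inc("INC-4", "Time in triage", 2)]
    return {"status": {i["id"]: i["timer"].status(now) for i in incidents},
            "order": [i["id"] for i in sort_by_due(incidents)],
            "notices": [n for n in (on_sla_breach(i, now) for i in incidents) if n]}
```

In the product, the breach action is whatever script carries the SLA tag; here on_sla_breach only builds the notification payload so the logic can be checked offline.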