Create an incident type - Administrator Guide - 8.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR On-prem Documentation

Product: Cortex XSOAR
Version: 8.5
Creation date: 2024-03-10
Last date published: 2024-11-28
Category: Administrator Guide
Solution: On-prem
Abstract

Create and edit incident types in Cortex XSOAR.

If the incident type you need does not exist, you can create it and then classify incidents according to that type. Each incident type has a unique set of data relevant to that specific incident type. When you duplicate an incident type, the duplicate is associated with the same set of incident fields that belonged to the original incident type.

By default, when installing incident types from a content pack, incident types are attached, which means they are not editable. If you want to edit the incident type, such as changing the layout or the default playbook, you have the following options:

  • Duplicate the incident type

    The duplicate type is editable and the original incident type continues to receive content pack updates, but the duplicate does not.

  • Detach the incident type

    While an incident type is detached, it does not receive content pack updates. If you detach an incident type and make changes, any changes made while it was detached are overwritten by the default values from the content pack. If you want to keep the changes and protect your changes from content pack upgrades, duplicate the incident type before reattaching the original.

  1. Select Settings & Info > Settings > Object Setup > Incidents > Types > New Incident Type.

  2. In the Settings tab, add the following parameters, as required:

    Field: Description

    Name: Enter a descriptive name for the type. Try to make the name informative, so users know what the type does before viewing the type details.

    Default playbook: Select the default playbook that is associated with the incident type.

    Run playbook automatically: Determines whether the playbook runs automatically when the incident is ingested.

    Layout: Select the incident layout for the incident type.

    Post Process using: After incidents have been investigated, select the post-process script to run on these incident types. For more information, see Use post-processing scripts in an incident.

    SLA: Determines the SLA for this incident type in any combination of Weeks, Days, and Hours. For more information, see Configure an SLA in an incident type.

    Set Reminder at: Optionally configure a reminder for the SLA in any combination of Weeks, Days, and Hours.

  3. In the Indicators Extraction Rules tab, add the required rules.

    Indicator extraction rules extract indicators from incident fields and enrich them using commands and scripts. You can view and create indicator extraction rules according to incident fields. For more information, see Create indicator extraction rules for an incident type.

  4. Save the incident type.
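Custom incident types are often kept in version control and exported as JSON, so the settings above can be linted before the type is pushed to a server. The following is an added example and is not Cortex XSOAR code or part of this guide. The key names it reads (name, playbookId, autorun, layout, closureScript, weeks/days/hours for the SLA, weeksR/daysR/hoursR for the reminder, detached) follow the incident type JSON format as I understand it and should be treated as an assumption; the sample definition is constructed for illustration.

```python
"""Lint an exported Cortex XSOAR incident type definition (added example).

Checks the settings from the procedure above: a default playbook is present
when the playbook is set to run automatically, a layout is selected, the SLA
and reminder combinations of Weeks/Days/Hours are consistent, and detached
types are flagged because they no longer receive content pack updates.
Key names are an assumption about the exported JSON format, not verified here.
"""
import json

HOURS_PER_DAY = 24
HOURS_PER_WEEK = 7 * HOURS_PER_DAY


def sla_hours(itype: dict, reminder: bool = False) -> int:
    """Collapse a Weeks/Days/Hours combination into one hour count.

    With reminder=True the 'R'-suffixed keys (Set Reminder at) are read
    instead of the SLA keys. Missing keys count as zero.
    """
    suffix = "R" if reminder else ""
    return (itype.get("weeks" + suffix, 0) * HOURS_PER_WEEK
            + itype.get("days" + suffix, 0) * HOURS_PER_DAY
            + itype.get("hours" + suffix, 0))


def lint_incident_type(itype: dict) -> list:
    """Return a list of findings; an empty list means the type passes."""
    findings = []
    if not itype.get("name"):
        findings.append("name: missing or empty")
    if itype.get("autorun") and not itype.get("playbookId"):
        findings.append("run playbook automatically is set but no default playbook is selected")
    if not itype.get("layout"):
        findings.append("layout: none selected")
    sla = sla_hours(itype)
    reminder = sla_hours(itype, reminder=True)
    if reminder and not sla:
        findings.append("reminder configured without an SLA")
    if sla and reminder > sla:
        findings.append(f"reminder interval ({reminder}h) exceeds the SLA ({sla}h)")
    if itype.get("detached"):
        findings.append("type is detached: it will not receive content pack updates")
    return findings


# Constructed sample of a duplicated, editable incident type (not real content).
SAMPLE_TYPE = json.loads("""{
  "id": "Custom Phishing Copy",
  "name": "Custom Phishing Copy",
  "playbookId": "Phishing - Generic v3",
  "autorun": true,
  "layout": "Phishing",
  "closureScript": "",
  "weeks": 0, "days": 1, "hours": 12,
  "weeksR": 0, "daysR": 1, "hoursR": 0,
  "detached": false
}""")


def lint_file(path: str) -> list:
    """Lint an incident type JSON file on disk (hypothetical path supplied by caller)."""
    with open(path, encoding="utf-8") as fh:
        return lint_incident_type(json.load(fh))


if __name__ == "__main__":
    for finding in lint_incident_type(SAMPLE_TYPE) or ["OK: no findings"]:
        print(finding)
```

Run the linter over every exported incident type file before committing custom content; a detached type reported here is the case the note above warns about, where local edits are overwritten on the next content pack update unless the type is duplicated first.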