Incident Customization - Administrator Guide - 8.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR On-prem Documentation

Product
Cortex XSOAR
Version
8.5
Creation date
2024-03-10
Last date published
2024-11-28
Category
Administrator Guide
Solution
On-prem
Abstract

Create and edit incident types, fields, and layouts in Cortex XSOAR.

Several content packs, such as Cortex XDR by Palo Alto Networks, include out-of-the-box integrations, incident types, fields, and layouts. You may need to customize incident types, fields, and layouts to suit your needs or create new ones to investigate and respond to potential security threats specific to your organization.

You can customize the following:

Option

Description

Incident types

You can create a new incident type or customize the incident type, such as setting the default playbook, adding the layout, and any post-process and indicator extraction rules. You can create, duplicate, import, export, and customize incident types. For more information about creating an incident type, see Create an incident type.

Incident fields

Custom incident fields add specific details or attributes to incidents, helping analysts to investigate and understand potential security threats. You can edit or create an incident field. For more information, see Create an incident field.

After creating an incident field, map the field to the relevant context data. You can then add the field to an incident type and display it in an incident layout.

Incident layouts

Custom incident layouts enable you to organize and display specific details about potential threats in a way that makes sense for your organization, making it easier to quickly understand and respond to security issues. You can view, customize, import, and export incident layouts and add a custom layout to an incident type. For more information, see Incident layout customization.

This is an iterative process. After you initially create your types, fields, and layouts, you can start the process of ingesting information by installing and configuring an integration to fetch incidents.

When you configure an integration instance, you can define a classifier and a mapper for the integration. When an incident is ingested into Cortex XSOAR, the classifier assigns the incident type and the mapper maps the event data into incident fields. For example, when defining the EWS O365 integration instance, setting the classifier to EWS - Classifier classifies all incoming incidents from the O365 integration as the Phishing incident type.

Consider the following:

  • When an incident is ingested, one of the first entries in the War Room is the list of fields and values returned by the integration. You may want some of this information to appear on the Incident Info/Summary page when an analyst starts investigating.

  • Review the context data (from Side panels). Context data is a map (dictionary) that stores the structured results of commands, playbooks, and scripts. If there is information in the context data that you don't see in the incident, map it into incident fields and display it in the layout. For more information, see Use incident context data.
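The classifier and mapper described above, and the mapping of nested context data into incident fields, as an added example that is not part of this documentation or of Cortex XSOAR's own code. The rule format, the sample events, the incident field names, and the severity scale are all constructed here for illustration and are not XSOAR's classifier/mapper JSON; the block only models the concept: a classifier picks the incident type from the raw event, a mapper copies values from dotted paths in the event (the same shape as a context path) into incident fields, and anything not mapped stays available in the raw event.

```python
"""Added example (not from the Cortex XSOAR documentation or product code).

Models what a classifier and a mapper do when an integration fetches events:
the classifier assigns an incident type, the mapper copies event data into
incident fields. Rule format, sample events and field names are constructed
for this example only.
"""
from typing import Any

# Constructed sample events, shaped like what an integration fetch might return.
SAMPLE_EVENTS = [
    {"source": "ews", "subject": "Invoice attached", "sender": "billing@example.test",
     "headers": {"X-Spam-Flag": "YES"}, "severity": "high"},
    {"source": "xdr", "alert": {"name": "Malware detected", "host": "WS-0042"},
     "severity": "medium"},
    {"source": "xdr", "alert": {"name": "Unusual login", "host": "SRV-01"}},
]

# Constructed classifier: the first rule whose dotted path equals the given
# value wins; an event matching no rule falls through to the default type.
CLASSIFIER = {
    "rules": [
        {"path": "source", "equals": "ews", "type": "Phishing"},
        {"path": "alert.name", "equals": "Malware detected", "type": "Malware"},
    ],
    "default": "Unclassified",
}

# Constructed mapper: incident type -> {incident field: dotted path into the event}.
MAPPER = {
    "Phishing": {"emailsubject": "subject", "emailfrom": "sender", "severity": "severity"},
    "Malware": {"hostname": "alert.host", "severity": "severity"},
    "Unclassified": {"details": "alert.name"},
}

# Numeric severity scale used by this example (0 means unknown/unmapped).
SEVERITY_SCALE = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def get_path(data: dict, path: str, default: Any = None) -> Any:
    """Walk a dotted path such as 'alert.host' through nested dicts, like a context path."""
    cur: Any = data
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return default
        cur = cur[part]
    return cur


def classify(event: dict, classifier: dict = CLASSIFIER) -> str:
    """Return the incident type for an event: first matching rule, else the default."""
    for rule in classifier["rules"]:
        if get_path(event, rule["path"]) == rule["equals"]:
            return rule["type"]
    return classifier["default"]


def map_fields(event: dict, incident_type: str, mapper: dict = MAPPER) -> dict:
    """Copy event values into incident fields according to the mapper for this type."""
    fields: dict = {}
    for field, path in mapper.get(incident_type, {}).items():
        value = get_path(event, path)
        if value is None:
            # Missing data is simply not mapped; it is not invented for the field.
            continue
        if field == "severity":
            value = SEVERITY_SCALE.get(str(value).lower(), 0)
        fields[field] = value
    return fields


def ingest(event: dict) -> dict:
    """Classify an event, map its fields, and keep the full raw event alongside."""
    incident_type = classify(event)
    incident = {"type": incident_type, **map_fields(event, incident_type)}
    incident["rawJSON"] = event  # everything not mapped remains reachable here
    return incident


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ingest(ev))
```

The third sample event matches no classifier rule and carries no severity, so it lands in the default type with only the fields its mapper could fill; that is the situation the second bullet above addresses, where data visible in the raw event or context is absent from the incident until you map it.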

See this video about creating incident types and fields.