Set and update incident fields - Administrator Guide - 8.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR On-prem Documentation

Product: Cortex XSOAR
Version: 8.5
Creation date: 2024-03-10
Last date published: 2024-11-28
Category: Administrator Guide
Solution: On-prem
Abstract

Use the setIncident script to set and update all system incident fields.

Using a playbook to create incident fields offers a structured and automated approach to defining and populating fields with relevant data during incident handling. This ensures consistency in data collection, enhances the organization of incident information, and facilitates streamlined analysis and response processes.

Creating incident fields is essential for structuring and storing specific information related to security incidents. These fields enable efficient organization and retrieval of incident data, enhancing analysis, decision-making, and automated response actions. It is an iterative process in which you create fields as you better understand your needs and the information available in the third-party integrations you use. You initially define incident fields after the planning stage, with mapping and classification for how the incidents will be ingested from third-party integrations into Cortex XSOAR.

During the investigation, you can then use the setIncident script in a playbook task to set and update incident fields.

[Figure: the setIncident script configured as a playbook task]

Note

  • The setIncident script includes all available input fields. Click + Add input and use the scroll bar to see all the fields.

  • The name field has a limit of 600 characters. If the value is longer than 600 characters, shorten the name to under 600 characters and put the full information in a long text field such as the description field.

  • There are many fields already available as part of the Common Type content pack. Before creating a new incident field, check if there is an existing field that matches your needs.
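The following is an added example, not code from the Cortex XSOAR documentation or the Common Type content pack. It shows how an automation could prepare the arguments for the setIncident script while honoring the 600-character limit on the name field described above: an over-long name is shortened and the full text is carried in the description field instead. The argument keys (name, description, severity), the "Full name:" prefix, and the truncation marker are assumptions for illustration; inside a playbook automation the returned dictionary would be passed to demisto.executeCommand("setIncident", args), which is injected here as a callable so the code also runs outside the platform.

```python
# Added example (not from the Cortex XSOAR documentation): build setIncident
# arguments that respect the 600-character name limit noted in the guide.
# Field keys, prefix text and sample values below are assumptions.

NAME_LIMIT = 600          # character limit on the incident name field (from the guide)
TRUNCATION_MARK = "..."   # assumed marker appended to a shortened name


def build_set_incident_args(name, description="", **fields):
    """Return the argument dictionary to hand to the setIncident script.

    If ``name`` exceeds NAME_LIMIT it is shortened to fewer than NAME_LIMIT
    characters and the full original name is prepended to the long-text
    ``description`` field, so nothing is lost (the approach the guide suggests).
    Any extra keyword arguments are passed through as further incident fields.
    """
    args = dict(fields)
    if len(name) > NAME_LIMIT:
        keep = NAME_LIMIT - 1 - len(TRUNCATION_MARK)   # strictly under the limit
        args["name"] = name[:keep] + TRUNCATION_MARK
        full_detail = "Full name: " + name
        description = full_detail + ("\n\n" + description if description else "")
    else:
        args["name"] = name
    if description:
        args["description"] = description
    return args


def apply_to_incident(args, execute=None):
    """Run setIncident through ``execute`` (demisto.executeCommand inside an
    XSOAR automation). When no executor is supplied, e.g. when run outside the
    platform, the prepared arguments are returned unchanged for inspection."""
    if execute is None:
        return args
    return execute("setIncident", args)


if __name__ == "__main__":
    # Constructed sample: a name well over the limit plus an existing description.
    long_name = "Suspicious login burst from " + ", ".join(
        "host-%03d" % i for i in range(120)
    )
    prepared = build_set_incident_args(long_name, description="Ticket 42", severity=2)
    print(len(prepared["name"]), prepared["name"][-10:])
    print(prepared["description"][:60])
    # In an automation: apply_to_incident(prepared, execute=demisto.executeCommand)
```

In an automation the executor would be the platform's demisto.executeCommand; the fallback return value makes the preparation logic testable in an ordinary Python interpreter.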

For more information on creating custom incident types and fields, see this video.