Create a Custom Incident Field - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
8
Creation date
2023-11-02
Last date published
2024-03-28
Category
Administrator Guide
Solution
Cloud
Abstract

Create custom incident fields in Cortex XSOAR.

You can define custom incident fields based on the information you want to display in your incident type layouts, as well as the information ingested from third-party integrations.

Creating incident fields is an iterative process in which you continue to create fields as you gain a better understanding of your needs and the information available in the third-party integrations that you use.

To edit an existing incident field, right-click the field name in the Fields table and select Edit.

Note

If you try to create a new incident field with a name that already exists in the system such as Account, you may receive a message similar to this: [Could not create incidentfield with ID '' and name 'Account'. Field already exists as a builtin field (100709)]. If so, you should select a different name as the incident field is already reserved for system use.

Note

You should not create a custom field named reason as it is a saved keyword in the tenant.

  1. Create a new field.

    Depending on the field type, you can define whether the field contents are case-sensitive or if the field is mandatory.

    1. Select Settings & InfoSettingsObject SetupIncidentsIncident FieldsNew.

    2. Complete the Incident Field Parameters.

    3. If adding a grid, see Create a Grid Field for an Incident Type.

    4. Save your changes.

  2. Add the field to a custom incident type layout.

    1. Go to Settings & InfoSettingsObject SetupIncidentsTypes.

    2. Select the incident type whose layout you want to edit and click Edit Layouts.

      Note

      If the layout is installed from a content pack you need to duplicate or detach the layout. If the layout is detached it does not receive content pack updates.

      You are presented with the current layout, which is populated with demo data so you can see how the fields fit.

      Ensure you select an incident type where the Layout field is empty.

    3. In the Library dialog box Sections tab, drag and drop New Section onto the required tab.

      library-section-xsiam.png
    4. From the Fields and Buttons tab, drag and drop the custom field that you created into the New Section.

    5. Save the layout.

  3. Add the layout to the incident type:

    1. Go to Settings & InfoSettingsObject SetupIncidentsTypes.

    2. Select the checkbox for the incident type you want to edit.

      Note

      If the incident types is installed from a content pack you need to duplicate or detach the incident type. If the incident type is detached it does not receive content pack updates.

    3. In the layout section, add the layout you created in step 2.

    4. Save your changes.