Create custom incident fields in Cortex XSOAR.
You can define custom incident fields based on the information you want to display in your incident type layouts, as well as the information ingested from third-party integrations.
Creating incident fields is an iterative process in which you continue to create fields as you gain a better understanding of your needs and the information available in the third-party integrations that you use.
To edit an existing incident field, right-click the field name in the Fields table and select Edit.
If you try to create a new incident field with a name that already exists in the system, such as Account, you may receive a message similar to this: [Could not create incidentfield with ID '' and name 'Account'. Field already exists as a builtin field (100709)]. If so, select a different name, because that name is already reserved for system use.
You should not create a custom field named reason as it is a saved keyword in the tenant.
1. Create a new field.
   Depending on the field type, you can define whether the field contents are case-sensitive or if the field is mandatory.
2. Add the field to a custom incident type layout.
   a. Go to→ → → → .
   b. Select the incident type whose layout you want to edit and click Edit Layouts.
      If the layout is installed from a content pack, you need to duplicate or detach the layout. If the layout is detached, it does not receive content pack updates.
      You are presented with the current layout, which is populated with demo data so you can see how the fields fit.
      Ensure you select an incident type where the Layout field is empty.
   c. In the Library dialog box Sections tab, drag and drop New Section onto the required tab.
   d. From the Fields and Buttons tab, drag and drop the custom field that you created into the New Section.
   e. Save the layout.
3. Add the layout to the incident type:
   a. Go to→ → → → .
   b. Select the checkbox for the incident type you want to edit.
      If the incident type is installed from a content pack, you need to duplicate or detach the incident type. If the incident type is detached, it does not receive content pack updates.
   c. In the layout section, add the layout you created in step 2.
   d. Save your changes.