Create a custom indicator field in the Fields tab in Cortex XSOAR. Add specific indicator information to incidents.
Indicator fields are used to add specific indicator information to incidents. When you create an indicator field, you can associate the field to a specific indicator type or to all indicator types.
Select→ → → → .
Click New Field.
In the Basic Settings tab, add the following:
Determines the acceptable values for the field. You can add the following field types:
Grid (table): Includes an interactive, editable grid.
HTML: Create and view HTML content, which can be used in any type of indicator.
Long text: Long text is analyzed and tokenized, and entries are indexed as individual words, enabling you to perform advanced searches and use wildcards. Long text fields cannot be sorted and cannot be used in graphical dashboard widgets. While editing a long text field, pressing enter will create a new line. Case is insensitive.
Markdown: Add markdown formatted text as a Template which will be displayed to users in the field after the indicator is created. Markdown lets you add basic formatting to text to provide a better end-user experience.
Multi select / Array: Includes two options a) Multi select from a pre-filled list b) An empty array field for the user to add one or more values as a comma-separated list.
Number: Can contain any number. Default is 0.
Role: Role assigned to the indicator. Determines which users (by role) can view the indicator.
Short text: Short text is treated as a single unit of text, and is not indexed by word. Advanced search, including wildcards, is not supported. Short text fields are case sensitive by default, but can be changed to case insensitive when creating the field. While editing a short text field, pressing enter will save the change. Maximum length 60,000 characters. Recommended use is one word entries. Examples: username, email address, etc.
User: A user in the system.
If selected, the field is case sensitive, which affects how the search results for this field are returned in Cortex XSOAR.
If selected, this field is mandatory when used in a form.
A meaningful display name for the field. After you type a name, you will see below the field that the Machine name is automatically populated. The field’s machine name is applicable for searching and the CLI.
An optional tooltip for the field.
(Basic Settings) Optional text to display in the field when it is empty. This text will appear in the layout, but not in the created indicator. Available for Short text, Long text, Multi select / Array, Tags.
In the Attributes tab configure the following:
Script to run when field value changes
The script that dynamically changes the field value when script conditions are met. For a script to be available, it must have the
field-change-triggered-indicatortag, when defining a script. For more information, see Indicator Field Trigger Scripts.
Add to indicator types
This option is selected by default, which means this field is available to use in all incident types.
Clear the checkbox to associate this field to a subset of indicator types.
Make data available for search
The values for this field can be returned in searches.
(Optional) Select Don't show in the indicators layout.
If selecting this option, the field does not appear in the layout, but the data is displayed in the context data,
Save the changes.
If you did not select Don't show in the indicators layout, in some layouts, the field automatically appears in the layout. If it does not appear in the layout you need to add it to the layout.
(Optional) Map Custom Indicator Fields.
Mapping a field enables you to automatically update the indicator without the analyst having to change it.