Customize incident layouts in Cortex XSOAR to view relevant information.
It is important to build or customize the layout to ensure that you see the information that is relevant to the incident type. For example, in a phishing incident you want to see email headers, which would not be relevant for an access incident.
While some information might be relevant for multiple incident types, its location in one incident type might require more prominence than in another incident type.
You can see which incident type uses the incident layout in the Types tab ( → → → ). The incident layout name appears in the Layout column. You can edit the layouts in the Layouts tab, which shows both out-of-the-box content pack and custom layouts.
Content Pack Incident Layouts
Content pack incident layouts display a locked icon, which means to edit the layout, you need to do one of the following:
Duplicate an incident layout. To add the layout to the incident type, you need to detach the incident type and then add the layout. To duplicate an incident layout, right-click the layout name in the layouts table, and select Duplicate.
Detach the layout. When detached, the layout does not receive content pack updates until you reattach it. You do not need to edit incident type, as the layout name remains the same. If you detach a layout, make edits, and later want to receive content pack updates for that layout, we recommend you duplicate the incident layout before reattaching the original, to protect your changes from content pack updates. To detach or reattach an incident layout, right-click the layout name in the layouts table, and select Detach or Attach.
Incident Layout Builder
You can customize the display information including fields for existing incidents, by modifying the sections and fields for the following views:
Within the incident summary, you can see different tabs that appear for the incident type, some of which can be customized.
You can customize almost every aspect of the layout, including which tabs appear, the order they appear, who has permissions and what type of information appears. In each field or tab you can add filters by clicking on the eye icon, which enables you to add conditions that show specific fields or tabs. For example, if an analyst decides that a Cortex XDR Malware incident is a Ransomware subtype, they may only want fields to appear that show data about the encryption method and not to show information if the Malware subtype is adware.
You may also want to limit specific tabs to certain scenarios. For example, if a user clicks a phishing link, the new tab can contain the relevant fields and action buttons for this scenario.
You can add dynamic fields to a layout, such as a graph of the number of bad indicators, their source, and severity. Also, you can use queries to filter the information in the dynamic section to suit your exact needs.
When creating or editing an incident you can add, edit, delete sections, fields, and filters, as required.
Add, edit, or delete sections, fields, filters, when closing an incident.
Incident Quick View
Add, edit, delete sections, fields, and filters in the Incident Quick view section in the incident.
There are several out-of-the-box layout sections and fields that you cannot remove, but you can rearrange them in the layout and modify their queries and filters. These layouts need to be duplicated or detached to make changes.
Go to→ → → → .
If the incident layout is from a content pack and is attached, detach the layout by right-clicking the layout name and selecting Detach.
When the layout is detached, you can also edit the layout in the Incident Type tab.
Right-click the layout name and select Edit.
You are presented with the current layout, which is populated with sample data so you can see how the fields fit.
In the Incident Summary tab, customize the tabs.
Drag and drop the tab to reorder the tab. For example, you can move the War Room tab so it appears after the Work Plan tab.
Configure the tabs by clicking the settings cog wheel icon in the tab and then select one of the following options.
Show Empty Fields
The setting that you configure in the layout becomes the default value seen in the incident for the specific tab, which can then be overridden. You can also set a global default value using the
UI.summary.page.hide.empty.fieldsserver configuration, which can also be overridden for a specific tab.
Format for exporting
Build your layout based on A4 proportions to match the format used for exporting. Selecting this option hides the tab by default, but the tab will remain available for export.
When clicking Viewing permissions, select which roles can view the tabs.
Display Filter: Enables you to add or view any filter applied to the tab. If the filters apply, the specific fields or tabs are shown in the layout. If the mandatory field is not shown in the layout, the user is not obliged to complete it.
Not all of the options are available for each tab.
Add sections to the layout.
From the Library section, in the Cortex XSOAR Sections drag and drop the following required sections:
After creating a new section, click the Incident type Fields tab and drag and drop the fields as required.
Cortex XSOAR out-of-the-box sections
Out-of-the-box sections such as Attachments, Evidence, and so on.
General Purpose Dynamic Section
Enables you to assign a script to this section. For example, assign a script that calculates the total number of entries that exist for an incident, and it dynamically updates when new entries are added to the incident.
Define section properties.
You can determine how a section in the layout appears in the layout. For example, does the section include the section header or not. You can also configure the fields to appear in rows or as cards. For example, if you know that some of the field values will be very long, you are better off using rows. If you know that the field values are short, you might want to use cards so you can fit more fields in a section. If a field label is very long, you can select to wrap the label so that you can see the full name of the field.
Select the section, click and then click Edit section settings.
Edit the section as required and click OK.
To remove or duplicate a section, select the section, click and then select Duplicate or Remove.
If adding the Malicious or Suspicious Indicators section, you can change the information that appears, by clicking , selecting Edit section settings and then editing the Query.
For example, to see all indicators of type IP and with a reputation of Bad that were found by a specific source since January 2nd 2022, enter
Type:IP and reputation:Bad and firstseenbysource:>="2021-01-02T00:00:00 +0200"
Drag and drop fields and add any filters, as required.
Limit the number of incident fields to 50 in each section. You can create additional sections as needed.
Add any custom buttons.
To add custom buttons, you need to create a script and then add the buttons to the layout using the script. These buttons can simplify and assist an analyst in carrying out various tasks. For example, add buttons for an analyst to self-assign an incident, link or unlink an incident, close an incident as a duplicate, generate a summary report, etc.
For fields (script arguments) that are optional, you can define whether to show them to analysts when they click on buttons. To expose an optional field, select the Ask User checkbox next to the script argument/s in the button settings page.
The script that runs when an action button is clicked accepts only mandatory arguments through the pop up window and does not provide an option for any non-mandatory arguments to be filled in when the button is clicked. It is recommended to use a wrapper script to collect and validate arguments in scenarios where there can be a combination of mandatory and non-mandatory arguments for a button.
In the following example, we will add a button to self assign an incident for an analyst. The script is included in the Case Management - Generic Content Pack.
Drag the +New Button and drop into the relevant section.
Click to configure.
Enter a descriptive name for the button, select a color, and choose the script that you want to run when the button is clicked.
In the Incident Summary tab, when clicking on Assign To Me, the incident will be self-assigned.
Add required sections and fields in the New/Edit Form, Close Form, and Incident Quick View tabs.
If you have created a new or a duplicate of the layout, add the layout to the incident.
Go to→ → → → .
(Content Pack Incident Types) Detach or duplicate the incident type.
Select the incident type and click Edit.
In the Layout field, from the dropdown list, add the customized layout.
Create or ingest an incident to test the new layout and verify fields are populated.
(Optional) For a customize layout, contribute it to the Marketplace.
In the Layouts page, right-click the new layout and select Contribute.
In the dialog box, select either Save and submit your contribution or Save and download your contribution for later use, which you can view in the Contributions tab in the Marketplace.
If you select Save and submit your contribution your layout is validated and then you prompted to submit to review. You can also view your contribution in the Marketplace.