Incident Customization - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 8
Creation date: 2024-02-14
Last date published: 2024-04-21
Category: Administrator Guide
Solution: Cloud
Abstract

Create and edit incident types in Cortex XSOAR. Attach and detach incident types. Configure indicator extraction.

All incidents that are ingested into Cortex XSOAR are assigned an incident type when they are classified. After you classify the incident, you can then map the relevant fields to the incident.

If the incident type does not exist, you can create one and classify the incident according to it. You can create, duplicate, import, export, and customize incident types by going to Settings & Info > Settings > Object Setup > Incidents > Types. Each incident type has its own set of fields relevant to that type. When you duplicate an incident type, the duplicate is associated with the same set of incident fields as the original. Incident layouts enable you to display the most relevant data for users at all stages of the incident life cycle.

Attach and Detach Incident Types

By default, incident types installed from a content pack are attached, which means they are not editable. If you want to edit an incident type, you have the following options:

  • Duplicate the incident type: You can duplicate an incident type and the duplicate is editable. The original incident type continues to receive content pack updates, but the duplicate does not.

  • Detach the incident type: You can edit a detached incident type. While an incident type is detached, it does not receive content pack updates. If you detach an incident type, make edits, and later want to receive content pack updates for that incident type again, we recommend you duplicate the incident type before reattaching the original, so that your changes are not overwritten by content pack upgrades.

Note

Regardless of whether the incident type is detached, you can detach the incident layout, which enables you to make changes to the layout without making a copy. To detach an incident layout, right-click the incident layout name in the layouts table and select Detach. If the incident layout is detached and the incident type is attached, the incident type receives updates but the layout does not. To receive content updates for the layout, the incident layout needs to be attached. To attach an incident layout, right-click the incident layout name in the layouts table and select Attach.

(Multi-tenant) When content is pushed from the Main Account to child tenants, the incident type is attached when received by the child tenants. Child tenants can detach the incident type and the incident layout as well as duplicate the incident type and layout.

Indicator Extraction Rules

The indicator extraction feature extracts indicators from incident fields and enriches them using the commands and scripts defined for each indicator type. You can view and create indicator extraction rules per incident type, specifying which incident fields are scanned for indicators.
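The rule semantics described above, as an added example in illustrative Python (not Cortex XSOAR's own code): a rule set for one incident type names which fields are scanned and whether extracted indicators are enriched immediately ("inline"), queued for later ("out-of-band"), or not extracted at all ("none"). The incident type name, field names, regexes, enrichment functions and the sample incident are all assumptions constructed for the example; the product ships its own indicator-type patterns and enrichment commands.

```python
"""Constructed model of per-incident-type indicator extraction rules.

Added example, not Cortex XSOAR code. The patterns, rules and the sample
incident are assumptions chosen to show how a field-level rule decides
whether a field is scanned and whether hits are enriched right away.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed, simplified patterns per indicator type (the product ships its own).
INDICATOR_PATTERNS = {
    "URL": re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE),
    "IP": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "File SHA256": re.compile(r"\b[0-9a-fA-F]{64}\b"),
    "Domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE),
}

# Assumed extraction rules for one incident type: field name -> mode.
RULES = {
    "Phishing": {
        "details": "inline",
        "emailbody": "out-of-band",
        "attachmenthash": "inline",
        "analystnotes": "none",
    }
}

# Constructed sample incident; 10.0.0.5 and the example.* names are placeholders.
SAMPLE_INCIDENT = {
    "type": "Phishing",
    "details": "Workstation 10[.]0[.]0[.]5 opened hxxp://login-update[.]example[.]com/verify",
    "emailbody": "Second-stage loader " + "d" * 64 + " is served from files[.]example[.]net",
    "attachmenthash": "",
    "analystnotes": "Blocked evil.example.com and 203.0.113.7 at the proxy",
}


def refang(text: str) -> str:
    """Undo common analyst defanging so the patterns see the real indicator."""
    text = re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)
    for bad, good in (("[.]", "."), ("(.)", "."), ("[:]", ":"), ("[//]", "//")):
        text = text.replace(bad, good)
    return text


def find_indicators(text: str) -> list[tuple[str, str]]:
    """Return (indicator_type, value) pairs. Types are tried in dictionary
    order and each hit is blanked out, so a URL's host is not also reported
    as a Domain and an IP inside a URL is not reported twice."""
    found = []
    remaining = refang(text)
    for itype, pattern in INDICATOR_PATTERNS.items():
        for m in pattern.finditer(remaining):
            found.append((itype, m.group(0)))
        remaining = pattern.sub(lambda m: " " * len(m.group(0)), remaining)
    return found


def enrich(itype: str, value: str) -> dict:
    """Assumed stand-in for the per-type enrichment command or script."""
    if itype == "IP":
        try:
            ip = ipaddress.ip_address(value)
        except ValueError:  # regex allows octets > 255; reject them here
            return {"valid": False}
        return {"valid": True, "private": ip.is_private}
    if itype == "URL":
        return {"host": urlsplit(value).hostname}
    if itype == "Domain":
        return {"tld": value.rsplit(".", 1)[-1].lower()}
    if itype == "File SHA256":
        return {"hash": value.lower()}
    return {}


def apply_rules(incident: dict, rules: dict) -> dict:
    """Scan the incident's fields according to the rules for its type."""
    result = {"inline": [], "out-of-band": [], "skipped": []}
    for field, mode in rules.get(incident["type"], {}).items():
        if mode not in ("inline", "out-of-band", "none"):
            raise ValueError(f"unknown extraction mode {mode!r} for {field}")
        if mode == "none":
            result["skipped"].append(field)
            continue
        text = incident.get(field)
        if not text:
            continue  # empty field: nothing to extract
        for ind_type, value in find_indicators(str(text)):
            record = {"field": field, "type": ind_type, "value": value}
            if mode == "inline":
                record["enrichment"] = enrich(ind_type, value)
            result[mode].append(record)
    return result


if __name__ == "__main__":
    for bucket, records in apply_rules(SAMPLE_INCIDENT, RULES).items():
        print(bucket, records)
```

The point to take from the model is that the rule, not the field content, decides what happens: the analyst notes contain a domain and an IP but are skipped because their mode is "none", while the email body's hash and domain are extracted without enrichment because that field is out-of-band. The Domain pattern is deliberately loose and would also match file names such as "payload.exe"; a production rule set needs a TLD check or a tighter pattern.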

Customize Incident Layouts

You can customize incident layouts to ensure you see the information relevant to the incident type.

You can do the following:

  • Duplicate and edit an incident layout, detach the incident type, and then edit the incident type to add the new layout.

  • Detach the layout and edit it.

  • Create a new layout, detach the incident type, and then edit the incident type to add the new layout.

Configure Inline Value Fields

By default, when you edit the following inline values in an incident, the changes are not saved until you confirm them by clicking the check mark icon in the value field:

  • Dropdown values, such as Owner, Severity, etc.

  • Text values, such as Asset ID (you can edit these only after clicking the pencil icon in the value field).

These icons add a confirmation step before changes to fields in incidents, indicators, and threat intel reports are saved. If you want to allow users to save changes to inline fields without clicking the check mark, add the following server configuration.

  1. Select Settings & Info > Settings > System > Server Settings > Server Configuration > Add Server Configuration.

  2. Add the following server configuration.

     Key: inline.edit.on.blur
     Value: true

     Setting this key to true lets users change inline fields without clicking the check mark. Changes are saved automatically when the user clicks anywhere else on the page or navigates to another page. For text values, the user can also click anywhere in the value field to edit it. Because this removes the confirmation step, an accidental edit is saved as soon as the field loses focus.