Incident Field Parameters - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
8
Creation date
2023-11-02
Last date published
2024-02-21
Category
Administrator Guide
Abstract

Describes the available incident field types and attribute parameters.

All fields must have a field name. You have the option of adding a tooltip to display additional information to the user.

Note

Some fields can be made mandatory. The mandatory field is only enforced when using a form (such as creating an incident) or when directly calling the Incident creation API. If incidents are ingested from an integration, the field is not enforced.

Field Type

Description

Attachments

Enables adding an attachment, such as .doc, malicious files, reports, incident images, etc.

Boolean

Checkbox

Date picker

Adds the date to the field.

Grid (table)

Include an interactive, editable grid as a field type for selected incident types or all incident types. To see how to create a grid field and to use a script, see Create a Grid Field for an Incident Type.

HTML

Create and view HTML content, which can be used in any type of indicator.

Long text

  • Long text is analyzed and tokenized, and entries are indexed as individual words, enabling you to perform advanced searches and use wildcards.

  • Long text fields cannot be sorted and cannot be used in graphical dashboard widgets.

  • While editing a long text field, pressing enter will create a new line. Case is insensitive.

Markdown

Add markdown-formatted text as a Template which will be displayed to users in the field after the indicator is created. Markdown lets you add basic formatting to text to provide a better end-user experience.

Multi select / Array

Includes two options:

  • Multi select from a pre-filled list.

  • An empty array field for the user to add one or more values as a comma-separated list.

Number

Can contain any number. Default is 0.

Role

Role assigned to the incident, determines which users (by role) can view the incident.

Short Text

  • Short text is treated as a single unit of text, and is not indexed by word. Advanced search, including wildcards, is not supported.

  • Short text fields are case sensitive by default, but can be changed to case insensitive when creating the field.

  • While editing a short text field, pressing enter will save and close.

  • Maximum length 60,000 characters.

  • Recommended use is one word entries. Examples: username, email address, etc.

Single select

Select for a one from a list of options. Add comma separated values.

Tags

Accepts a single tag or a comma-separated list, not case sensitive.

Timer/SLA

View how much time is left before an SLA becomes past due, as well as configure actions to take in the event that the SLA does pass.

URL

Add a URL when completing the field.

User

A user in the system

Basic Settings

The following table lists the fields that appear in the Basic Settings page, and their descriptions. The Basic Settings page is available for some fields, such as long text, multi-select, short text, single select and tags.

Name

Description

Placeholder

Optional text to display in the field when it is empty. This text will appear in the layout, but not in the created indicator. Available for Short text, Long text, Multi select / Array, Tags.

Values

A comma separated list of values that are valid values for the field.

Timer/SLA Fields

The following table lists the fields specific to Timer/SLA fields, and their descriptions.

Name

Description

SLA

Determine the amount of time in which this item needs to be resolved. If no value is entered, the field serves as a counter.

Risk Threshold

Determine the point in time at which an item is considered at risk of not meeting the SLA. By default, the threshold is 3 days, which is defined in the global system parameter.

Run on SLA Breach

In the Run on SLA Breach field, select the script to run when the SLA time has passed. For example, email the supervisor or change the assignee.

Note

Only scripts to which you have added the SLA tag appear in list of scripts that you can select.

Attribute Parameters for Incident Fields

The following table list the fields that are common to all Incident Fields.

Name

Description

Script to run when field value changes

The script that dynamically changes the field value when script conditions are met. For a script to be available, it must have the field-change-triggered tag, when defining a script. For more information, see Incident Field Trigger Scripts.

Run the field triggered script after the new value is saved.

Leave unchecked for the script to execute before the incident is stored in the database, so the script can modify the incident field value. Useful in most cases including performing validations and starting and stopping Timer/SLA fields.

When checked, the script executes after the incident is stored in the database, so that the script cannot modify the incident unless through CLI or API calls.

Field display script

Determines which fields display in forms, as well as the values that are available for single-select and multi-select fields. For more information, see Create Dynamic Fields in Incident Forms.

Add to all Incident types

Determines for which incident types this field is available. By default, fields are available to all incident types. To change this, clear the Add to all Incident types checkbox and select the specific incident types to which the field is available.

Default display on

Determines at which point the field is available. For more information, see Incident Field Examples.

Edit Permissions

Determines whether only the owner of the incident can edit this field.

Make data available for search

Determines if the values in these fields are available when searching.

Note

In most cases, Cortex XSOAR recommends that you select this checkbox so values in the field are available for indexing and querying. However, in some cases, to avoid adverse affects on performance, you should clear this checkbox. For example, if you are ingesting an email to an email body field, we recommend that you not index the field.