Describes the available incident field types and attribute parameters.
All fields must have a field name. You have the option of adding a tooltip to display additional information to the user.
Some fields can be made mandatory. The mandatory field is only enforced when using a form (such as creating an incident) or when directly calling the Incident creation API. If incidents are ingested from an integration, the field is not enforced.
Enables adding an attachment, such as .doc, malicious files, reports, incident images, etc.
Adds the date to the field.
Include an interactive, editable grid as a field type for selected incident types or all incident types. To see how to create a grid field and to use a script, see Create a Grid Field for an Incident Type.
Create and view HTML content, which can be used in any type of indicator.
Add markdown-formatted text as a Template which will be displayed to users in the field after the indicator is created. Markdown lets you add basic formatting to text to provide a better end-user experience.
Multi select / Array
Includes two options:
Can contain any number. Default is 0.
Role assigned to the incident, determines which users (by role) can view the incident.
Select for a one from a list of options. Add comma separated values.
Accepts a single tag or a comma-separated list, not case sensitive.
View how much time is left before an SLA becomes past due, as well as configure actions to take in the event that the SLA does pass.
Add a URL when completing the field.
A user in the system
The following table lists the fields that appear in the Basic Settings page, and their descriptions. The Basic Settings page is available for some fields, such as long text, multi-select, short text, single select and tags.
Optional text to display in the field when it is empty. This text will appear in the layout, but not in the created indicator. Available for Short text, Long text, Multi select / Array, Tags.
A comma separated list of values that are valid values for the field.
The following table lists the fields specific to Timer/SLA fields, and their descriptions.
Determine the amount of time in which this item needs to be resolved. If no value is entered, the field serves as a counter.
Determine the point in time at which an item is considered at risk of not meeting the SLA. By default, the threshold is 3 days, which is defined in the global system parameter.
Run on SLA Breach
In the Run on SLA Breach field, select the script to run when the SLA time has passed. For example, email the supervisor or change the assignee.
Only scripts to which you have added the SLA tag appear in list of scripts that you can select.
Attribute Parameters for Incident Fields
The following table list the fields that are common to all Incident Fields.
Script to run when field value changes
The script that dynamically changes the field value when script conditions are met. For a script to be available, it must have the
Run the field triggered script after the new value is saved.
Leave unchecked for the script to execute before the incident is stored in the database, so the script can modify the incident field value. Useful in most cases including performing validations and starting and stopping Timer/SLA fields.
When checked, the script executes after the incident is stored in the database, so that the script cannot modify the incident unless through CLI or API calls.
Field display script
Determines which fields display in forms, as well as the values that are available for single-select and multi-select fields. For more information, see Create Dynamic Fields in Incident Forms.
Add to all Incident types
Determines for which incident types this field is available. By default, fields are available to all incident types. To change this, clear the Add to all Incident types checkbox and select the specific incident types to which the field is available.
Default display on
Determines at which point the field is available. For more information, see Incident Field Examples.
Determines whether only the owner of the incident can edit this field.
Make data available for search
Determines if the values in these fields are available when searching.
In most cases, Cortex XSOAR recommends that you select this checkbox so values in the field are available for indexing and querying. However, in some cases, to avoid adverse affects on performance, you should clear this checkbox. For example, if you are ingesting an email to an email body field, we recommend that you not index the field.