Incident Field Parameters - Administrator Guide - 8 - Cortex XSOAR - Cortex

Incident Field Parameters - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product

Cortex XSOAR

Version

Creation date

2024-02-14

Last date published

2024-04-25

Note

Some fields can be made mandatory. The mandatory field is only enforced when using a form (such as creating an incident) or when directly calling the Incident creation API. If incidents are ingested from an integration, the field is not enforced.

Field Type	Description
Attachments	Enables adding an attachment, such as .doc, malicious files, reports, incident images, etc.
Boolean	Checkbox
Date picker	Adds the date to the field.
Grid (table)	Include an interactive, editable grid as a field type for selected incident types or all incident types. To see how to create a grid field and to use a script, see Create a Grid Field for an Incident Type.
HTML	Create and view HTML content, which can be used in any type of indicator.
Long text	Long text is analyzed and tokenized, and entries are indexed as individual words, enabling you to perform advanced searches and use wildcards. Long text fields cannot be sorted and cannot be used in graphical dashboard widgets. While editing a long text field, pressing enter will create a new line. Case is insensitive.
Markdown	Add markdown-formatted text as a Template which will be displayed to users in the field after the indicator is created. Markdown lets you add basic formatting to text to provide a better end-user experience.How to use markdown in Cortex XSOAR
Multi select / Array	Includes two options: Multi select from a pre-filled list. An empty array field for the user to add one or more values as a comma-separated list.
Number	Can contain any number. Default is 0.
Role	Role assigned to the incident, determines which users (by role) can view the incident.
Short Text	Short text is treated as a single unit of text, and is not indexed by word. Advanced search, including wildcards, is not supported. Short text fields are case sensitive by default, but can be changed to case insensitive when creating the field. While editing a short text field, pressing enter will save and close. Maximum length 60,000 characters. Recommended use is one word entries. Examples: username, email address, etc.
Single select	Select for a one from a list of options. Add comma separated values.
Tags	Accepts a single tag or a comma-separated list, not case sensitive.
Timer/SLA	View how much time is left before an SLA becomes past due, as well as configure actions to take in the event that the SLA does pass.
URL	Add a URL when completing the field.
User	A user in the system

Basic Settings

The following table lists the fields that appear in the Basic Settings page, and their descriptions. The Basic Settings page is available for some fields, such as long text, multi-select, short text, single select and tags.

Name	Description
Placeholder	Optional text to display in the field when it is empty. This text will appear in the layout, but not in the created indicator. Available for Short text, Long text, Multi select / Array, Tags.
Values	A comma-separated list of values that are valid values for the field.

Timer/SLA Fields

The following table lists the fields specific to Timer/SLA fields, and their descriptions.

Name	Description
SLA	Determine the amount of time in which this item needs to be resolved. If no value is entered, the field serves as a counter.
Risk Threshold	Determine the point in time at which an item is considered at risk of not meeting the SLA. By default, the threshold is 3 days, which is defined in the global system parameter.
Run on SLA Breach	In the Run on SLA Breach field, select the script to run when the SLA time has passed. For example, email the supervisor or change the assignee. Note Only scripts to which you have added the SLA tag appear in list of scripts that you can select.

Attribute Parameters for Incident Fields

The following table list the fields that are common to all Incident Fields.

Name	Description
Script to run when field value changes	The script that dynamically changes the field value when script conditions are met. For a script to be available, it must have the `field-change-triggered` tag, when defining a script. For more information, see Incident Field Trigger Scripts.
Run the field triggered script after the new value is saved.	Leave unchecked for the script to execute before the incident is stored in the database, so the script can modify the incident field value. Useful in most cases including performing validations and starting and stopping Timer/SLA fields. When checked, the script executes after the incident is stored in the database, so that the script cannot modify the incident unless through CLI or API calls.
Field display script	Determines which fields display in forms, as well as the values that are available for single-select and multi-select fields. For more information, see Create Dynamic Fields in Incident Forms.
Add to all Incident types	Determines for which incident types this field is available. By default, fields are available to all incident types. To change this, clear the Add to all Incident types checkbox and select the specific incident types to which the field is available.
Default display on	Determines at which point the field is available. For more information, see Incident Field Examples.
Edit Permissions	Determines whether only the owner of the incident can edit this field.
Make data available for search	Determines if the values in these fields are available when searching. Note In most cases, Cortex XSOAR recommends that you select this checkbox so values in the field are available for indexing and querying. However, in some cases, to avoid adverse affects on performance, you should clear this checkbox. For example, if you are ingesting an email to an email body field, we recommend that you not index the field.