Incident Field Parameters - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide

Describes the available incident field types and attribute parameters.

All fields must have a field name. You have the option of adding a tooltip to display additional information to the user.


Some fields can be made mandatory. The mandatory field is only enforced when using a form (such as creating an incident) or when directly calling the Incident creation API. If incidents are ingested from an integration, the field is not enforced.

Field Type



Enables adding an attachment, such as .doc, malicious files, reports, incident images, etc.



Date picker

Adds the date to the field.

Grid (table)

Include an interactive, editable grid as a field type for selected incident types or all incident types. To see how to create a grid field and to use a script, see Create a Grid Field for an Incident Type.


Create and view HTML content, which can be used in any type of indicator.

Long text

  • Long text is analyzed and tokenized, and entries are indexed as individual words, enabling you to perform advanced searches and use wildcards.

  • Long text fields cannot be sorted and cannot be used in graphical dashboard widgets.

  • While editing a long text field, pressing enter will create a new line. Case is insensitive.


Add markdown-formatted text as a Template which will be displayed to users in the field after the indicator is created. Markdown lets you add basic formatting to text to provide a better end-user experience.How to use markdown in Cortex XSOAR

Multi select / Array

Includes two options:

  • Multi select from a pre-filled list.

  • An empty array field for the user to add one or more values as a comma-separated list.


Can contain any number. Default is 0.


Role assigned to the incident, determines which users (by role) can view the incident.

Short Text

  • Short text is treated as a single unit of text, and is not indexed by word. Advanced search, including wildcards, is not supported.

  • Short text fields are case sensitive by default, but can be changed to case insensitive when creating the field.

  • While editing a short text field, pressing enter will save and close.

  • Maximum length 60,000 characters.

  • Recommended use is one word entries. Examples: username, email address, etc.

Single select

Select for a one from a list of options. Add comma separated values.


Accepts a single tag or a comma-separated list, not case sensitive.


View how much time is left before an SLA becomes past due, as well as configure actions to take in the event that the SLA does pass.


Add a URL when completing the field.


A user in the system

Basic Settings

The following table lists the fields that appear in the Basic Settings page, and their descriptions. The Basic Settings page is available for some fields, such as long text, multi-select, short text, single select and tags.




Optional text to display in the field when it is empty. This text will appear in the layout, but not in the created indicator. Available for Short text, Long text, Multi select / Array, Tags.


A comma-separated list of values that are valid values for the field.

Timer/SLA Fields

The following table lists the fields specific to Timer/SLA fields, and their descriptions.




Determine the amount of time in which this item needs to be resolved. If no value is entered, the field serves as a counter.

Risk Threshold

Determine the point in time at which an item is considered at risk of not meeting the SLA. By default, the threshold is 3 days, which is defined in the global system parameter.

Run on SLA Breach

In the Run on SLA Breach field, select the script to run when the SLA time has passed. For example, email the supervisor or change the assignee.


Only scripts to which you have added the SLA tag appear in list of scripts that you can select.

Attribute Parameters for Incident Fields

The following table list the fields that are common to all Incident Fields.



Script to run when field value changes

The script that dynamically changes the field value when script conditions are met. For a script to be available, it must have the field-change-triggered tag, when defining a script. For more information, see Incident Field Trigger Scripts.

Run the field triggered script after the new value is saved.

Leave unchecked for the script to execute before the incident is stored in the database, so the script can modify the incident field value. Useful in most cases including performing validations and starting and stopping Timer/SLA fields.

When checked, the script executes after the incident is stored in the database, so that the script cannot modify the incident unless through CLI or API calls.

Field display script

Determines which fields display in forms, as well as the values that are available for single-select and multi-select fields. For more information, see Create Dynamic Fields in Incident Forms.

Add to all Incident types

Determines for which incident types this field is available. By default, fields are available to all incident types. To change this, clear the Add to all Incident types checkbox and select the specific incident types to which the field is available.

Default display on

Determines at which point the field is available. For more information, see Incident Field Examples.

Edit Permissions

Determines whether only the owner of the incident can edit this field.

Make data available for search

Determines if the values in these fields are available when searching.


In most cases, Cortex XSOAR recommends that you select this checkbox so values in the field are available for indexing and querying. However, in some cases, to avoid adverse affects on performance, you should clear this checkbox. For example, if you are ingesting an email to an email body field, we recommend that you not index the field.