Incident Fields - Cortex XSOAR Administrator Guide

Incident fields in Cortex XSOAR, including incident field types, settings common to all incident fields, timer/SLA fields, and troubleshooting.

Use incident fields to accept or populate data that arrives with incidents. You create fields for information coming from third-party integrations that you want to store on the incident. The fields are added to incident type layouts and are mapped using the Classification and Mapping feature.

Incident fields can be populated by the incident team members during an investigation, at the beginning of the investigation, or prior to closing the investigation.

You can set and update all system incident fields using the setIncident command, where each field is a command argument. To create incident fields, see Create a Custom Incident Field.

Incident Field Examples

The following section shows several examples of common fields that are used in real-life incidents.

False Positive

Below is an example of a mandatory incident field, "False Positive", that must be filled in when an incident is closed. The field can have the value YES or NO, and the SOC admin can query or run reports based on it. After this field is added, every incident must have it filled in before the incident can be marked closed.


SLA Fields

The following SLA field can be used to trigger a notification when the status affecting the SLA of an incident changes. In this example, if the SLA is breached an email is sent to the owner's supervisor.
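The two examples above, the mandatory False Positive field checked at close and the SLA breach that notifies the owner's supervisor, as an added example in plain Python (not code from the Cortex XSOAR guide or product). It assumes the custom field's CLI name is `falsepositive`, the timer field is `timetorespond`, the timer value carries `runStatus` and `dueDate` keys, and supervisors are looked up from a dict; the returned dict is the argument set you would pass to setIncident.

```python
# Added example, not Cortex XSOAR's own code. Assumed names: the False Positive
# field's CLI name is "falsepositive", the timer field is "timetorespond", and
# a timer value has "runStatus" ("running"/"ended") and an ISO 8601 "dueDate".
from datetime import datetime, timezone
from typing import Optional

ALLOWED = {"YES", "NO"}  # the only values the False Positive field may hold


def false_positive_args(incident: dict) -> dict:
    """Return the setIncident arguments that persist the False Positive value.
    Raises ValueError when the field is empty or not YES/NO, which is how a
    pre-close automation would refuse to close the incident."""
    raw = str(incident.get("CustomFields", {}).get("falsepositive", ""))
    value = raw.strip().upper()
    if value not in ALLOWED:
        raise ValueError("False Positive must be set to YES or NO before close")
    return {"id": incident["id"], "falsepositive": value}


def sla_breached(timer: dict, now: datetime) -> bool:
    """True when a running timer field has passed its due date."""
    if timer.get("runStatus") != "running":
        return False  # ended or never-started timers cannot breach
    due = datetime.fromisoformat(timer["dueDate"].replace("Z", "+00:00"))
    return now >= due


def breach_notification(incident: dict, supervisors: dict,
                        now: datetime) -> Optional[dict]:
    """Build the email that goes to the owner's supervisor on SLA breach."""
    timer = incident.get("CustomFields", {}).get("timetorespond", {})
    if not sla_breached(timer, now):
        return None
    to = supervisors.get(incident.get("owner", ""))
    if to is None:
        return None  # no supervisor on record, nothing to send
    return {"to": to, "subject": f"SLA breached on incident {incident['id']}"}


# Constructed sample incident and lookup table (not real data).
SAMPLE = {"id": "1234", "owner": "analyst1", "CustomFields": {
    "falsepositive": "no",
    "timetorespond": {"runStatus": "running", "dueDate": "2024-01-01T10:00:00Z"}}}
SUPERVISORS = {"analyst1": "soc-lead@example.com"}
BEFORE_DUE = datetime(2024, 1, 1, 9, 55, tzinfo=timezone.utc)
AFTER_DUE = datetime(2024, 1, 1, 10, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(false_positive_args(SAMPLE))
    print(breach_notification(SAMPLE, SUPERVISORS, AFTER_DUE))
```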

Troubleshooting Conflicts with Custom Incident Fields

When trying to download a content update, you may receive the following message:

Warning: content update has encountered some conflicts

This occurs when a content update has an incident field with the same name as a custom incident field that already exists in Cortex XSOAR.


Click Install Content to force the update and retain your custom incident field. The content update will install without the system version of the incident field.