Incident fields in Cortex XSOAR, including incident field types, fields common to all incident fields, timer/sla fields, and troubleshooting.
Use incident fields to accept or populate incident data coming from incidents. You create fields for information that arrives from third-party integrations in which you want to insert information. The fields are added to incident type layouts and are mapped using the Classification and Mapping feature.
Incident fields can be populated by the incident team members during an investigation, at the beginning of the investigation, or prior to closing the investigation.
You can set and update all system incident fields using the setIncident
command, of which each field is a command argument. To create incident fields, see Create a Custom Incident Field.
Incident Field Examples
The following section shows several examples of common fields that are used in real-life incidents.
False Positive
Below is an example of a mandatory Incident field "False Positive" to be filled at time of Incident Close. The Field can have a value YES or NO and the SOC admin should be able to query or run report based on this field. After this field is added, all incidents will need to have this filled in before an incident can be marked closed.
SLA Fields
The following SLA field can be used to trigger a notification when the status affecting the SLA of an incident changes. In this example, if the SLA is breached an email is sent to the owner's supervisor.
Troubleshooting Conflicts with Custom Incident Fields
When trying to download a content update, you may receive the following message:
Warning: content update has encountered some conflicts
This occurs when a content update has an incident field with the same name as a custom incident field that already exists in Cortex XSOAR.
Solution
Click Install Content to force the update and retain your custom incident field. The content update will install without the system version of the incident field.