Incident Fields - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
8
Creation date
2023-11-02
Last date published
2024-04-11
Category
Administrator Guide
Solution
Cloud
Abstract

Incident fields in Cortex XSOAR, including incident field types, fields common to all incident fields, timer/sla fields, and troubleshooting.

Use incident fields to accept or populate incident data coming from incidents. You create fields for information that arrives from third-party integrations in which you want to insert information. The fields are added to incident type layouts and are mapped using the Classification and Mapping feature.

Incident fields can be populated by the incident team members during an investigation, at the beginning of the investigation, or prior to closing the investigation.

You can set and update all system incident fields using the setIncident command, of which each field is a command argument. To create incident fields, see Create a Custom Incident Field.

Incident Field Examples

The following section shows several examples of common fields that are used in real-life incidents.

False Positive

Below is an example of a mandatory Incident field "False Positive" to be filled at time of Incident Close. The Field can have a value YES or NO and the SOC admin should be able to query or run report based on this field. After this field is added, all incidents will need to have this filled in before an incident can be marked closed.

incident-single-select-false-positive-2.png

SLA Fields

The following SLA field can be used to trigger a notification when the status affecting the SLA of an incident changes. In this example, if the SLA is breached an email is sent to the owner's supervisor.

incident-field-sla.png
Troubleshooting Conflicts with Custom Incident Fields

When trying to download a content update, you may receive the following message:

Warning: content update has encountered some conflicts

This occurs when a content update has an incident field with the same name as a custom incident field that already exists in Cortex XSOAR.

Solution

Click Install Content to force the update and retain your custom incident field. The content update will install without the system version of the incident field.