Create a Threat Intel Report and add it to a report layout.
Add/create Threat Intel Report fields to populate a report layout with relevant data.
Field Type | Description |
---|---|
Boolean | Checkbox |
Date picker | Adds the date to the field |
Grid (table) | Include an interactive, editable grid as a field type for selected report types or all report types. To see how to create a grid field and to use a script, see Create a grid field for an incident type. When you select Grid (table) you can format the table and determine if the user can add rows, |
HTML | HTML: Create and view HTML content, which can be used in any type of report. |
Long text |
Add a placeholder if required. |
Markdown | Add markdown-formatted text as a Template which will be displayed to users in the field after the indicator is created. Markdown lets you add basic formatting to text to provide a better end-user experience. |
Multi select/Array | Select the following options:
Add a placeholder if required. |
Number | Can contain any number. Default is 0. |
Role | The role assigned to the Threat Intel Report determines which users (by role) can view the report. |
Short Text |
Recommended use is one-word entries, such as username and email address. Select a placeholder, if required. |
Single select | Select a value from a list of options. Add comma-separated values. |
Tags | Accepts a single tag or a comma-separated list, not case-sensitive. Add a placeholder if required. |
Timer/SLA | Set up when an SLA is due, the risk threshold, and configure actions to take if the SLA does pass. |
URL | Add a URL when completing the field. |
User | A user in Cortex XSOAR. |
Select Settings & Info → Settings → Object Setup → Threat Intel Reports → Fields → New Field.
Select the relevant field type.
Complete the following fields:
Parameter
Description
Mandatory
If selected, this field is mandatory when used in a form.
Field Name
A meaningful display name for the field. After you type a name, you will see below the field that the Machine name is automatically populated. The field’s machine name is applicable for searching and the CLI.
Tooltip
An optional tooltip for the field.
Configure the attributes:
Name
Description
Script to run when field value changes
The script dynamically changes the field value when script conditions are met. For a script to be available, it must have the
field-change-triggered-ThreatIntelReport
tag, which is added when defining a script.Run the field triggered script after the new field value is saved
By default, the script executes before the threat intel report is stored in the database. If you select this option, the script instead executes after the threat intel report is modified, so that the script cannot make changes to the threat intel report.
Add to all Threat Intel Report types
Determines which threat intel report types have this field available. By default, fields are available to all types. To change this, clear the checkbox and select the specific threat intel report types.
Make data available for search
Determines if the values in these fields are available when searching. Enabled by default.
(Multi-tenant only) In the Propagation tab, add or select Propagation labels. You can also view any dependencies.