Create a Threat Intel Report field - Threat Intel Management Guide - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product
Cortex XSOAR
Version
8
Creation date
2024-03-07
Last date published
2024-12-10
Category
Administrator Guide
Solution
Cloud
Abstract

Create a Threat Intel Report and add it to a report layout.

Add/create Threat Intel Report fields to populate a report layout with relevant data.

Field Type

Description

Boolean

Checkbox

Date picker

Adds the date to the field

Grid (table)

Include an interactive, editable grid as a field type for selected report types or all report types. To see how to create a grid field and to use a script, see Create a grid field for an incident type.

When you select Grid (table) you can format the table and determine if the user can add rows,

HTML

HTML: Create and view HTML content, which can be used in any type of report.

Long text

  • Long text is analyzed and tokenized, and entries are indexed as individual words, enabling you to perform advanced searches and use wildcards.

  • Long text fields cannot be sorted and cannot be used in graphical dashboard widgets.

  • While editing a long text field, pressing enter will create a new line. Case insensitive.

Add a placeholder if required.

Markdown

Add markdown-formatted text as a Template which will be displayed to users in the field after the indicator is created. Markdown lets you add basic formatting to text to provide a better end-user experience.

Multi select/Array

Select the following options:

  • Multi-select from a prefilled (static) list.

  • An empty array field for the user to add one or more values as a comma-separated list.

Add a placeholder if required.

Number

Can contain any number. Default is 0.

Role

The role assigned to the Threat Intel Report determines which users (by role) can view the report.

Short Text

  • Short text is treated as a single unit of text and is not indexed by word. Advanced search, including wildcards, is not supported.

  • Short text fields are case-sensitive by default but can be changed to case-insensitive when creating the field.

  • While editing a short text field, pressing enter will save and close.

  • Maximum length 60,000 characters.

Recommended use is one-word entries, such as username and email address.

Select a placeholder, if required.

Single select

Select a value from a list of options. Add comma-separated values.

Tags

Accepts a single tag or a comma-separated list, not case-sensitive.

Add a placeholder if required.

Timer/SLA

Set up when an SLA is due, the risk threshold, and configure actions to take if the SLA does pass.

URL

Add a URL when completing the field.

User

A user in Cortex XSOAR.

  1. Select Settings & InfoSettingsObject SetupThreat Intel ReportsFieldsNew Field.

  2. Select the relevant field type.

  3. Complete the following fields:

    Parameter

    Description

    Mandatory

    If selected, this field is mandatory when used in a form.

    Field Name

    A meaningful display name for the field. After you type a name, you will see below the field that the Machine name is automatically populated. The field’s machine name is applicable for searching and the CLI.

    Tooltip

    An optional tooltip for the field.

  4. Configure the attributes:

    Name

    Description

    Script to run when field value changes

    The script dynamically changes the field value when script conditions are met. For a script to be available, it must have the field-change-triggered-ThreatIntelReport tag, which is added when defining a script.

    Run the field triggered script after the new field value is saved

    By default, the script executes before the threat intel report is stored in the database. If you select this option, the script instead executes after the threat intel report is modified, so that the script cannot make changes to the threat intel report.

    Add to all Threat Intel Report types

    Determines which threat intel report types have this field available. By default, fields are available to all types. To change this, clear the checkbox and select the specific threat intel report types.

    Make data available for search

    Determines if the values in these fields are available when searching. Enabled by default.

  5. (Multi-tenant only) In the Propagation tab, add or select Propagation labels. You can also view any dependencies.