Customize incident layouts in Cortex XSOAR to view relevant information.
Each incident type has a unique set of data relevant to that specific incident type, including layouts. It is important to display the most appropriate data for users. Each out-of-the-box incident comes with a layout. You can customize almost every aspect of the layout, including which tabs appear, in which order they appear, who has permission to view the tabs, what information appears, and how it is displayed.
It's important to build or customize the layout so that you see the information that is relevant to the incident type. For example, in a phishing incident, you may want to see email headers, but not in an access incident. While some information might be appropriate for multiple incident types, its location in one incident may require more prominence than in another incident.
You can see which incident type uses the incident layout in the Types tab under → → → . The incident layout name appears in the Layout column. You can edit the layouts in the Layouts tab.
You can customize the displayed information, including fields, for existing incidents by modifying the sections and fields for the following views:
Section | Description |
---|---|
Incident Summary | The Incident Summary tab displays the information necessary to investigate an incident. You can customize almost every aspect of the layout, including which tabs appear, the order they appear, and who has permission. In each field or tab, you can add filters by clicking on the eye icon, which enables you to add conditions that show specific fields or tabs. For example, if an analyst decides that a Cortex XDR Malware incident is a Ransomware subtype, they may only want fields to appear that show data about the encryption method and not to show information if the Malware subtype is adware. You may also want to limit specific tabs to certain scenarios. For example, if a user clicks a phishing link, the new tab can contain relevant fields and action buttons for this scenario. You can also add dynamic fields, such as a graph of several bad indicators, their source, and severity. For more information, see Create dynamic fields. Also, you can use queries to filter the information in the dynamic section to suit your exact needs. |
New/Edit form | Add, edit, and delete fields and buttons to be displayed when creating or editing an incident. |
Close Form | Add, edit, or delete sections, fields, and filters when closing an incident. |
Incident Quick View | Add, edit, and delete sections, fields, and filters in the Incident Quick View section in the incident. |
Note
There are several out-of-the-box layout sections and fields that you cannot remove, but you can rearrange them in the layout and modify their queries and filters. These layouts need to be duplicated or detached to make changes.
We recommend copying an existing out-of-the-box incident layout so you don't miss any important information.