Create Threat Intel Report Fields

Cortex XSOAR Threat Intel Management Guide

Product: Cortex XSOAR
Version: 8
Creation date: 2023-11-02
Last date published: 2024-03-25
Category: Threat Intel Management Guide
Solution: Cloud

Abstract: Configure threat intel report fields.

Use fields to populate a report with relevant data. Fields are included with, and can be added to, report layouts.

Note

Out-of-the-box fields that have been installed from a content pack, such as the Threat Intel Reports (BETA) content pack, are automatically added to the relevant layout. To remove the field from the layout, you need to duplicate or detach the layout. You cannot edit these fields, apart from selecting whether to add the field to Threat Intel types and whether the field is mandatory.

  1. Select Settings & Info → Settings → Object Setup → Threat Intel Reports → Fields → New.

  2. Complete the following parameters.

    Field Name: A meaningful display name for the field. After you type a name, the Machine name shown below the field is populated automatically. The field’s machine name is used for searching and in the CLI.

    Tooltip: An optional tooltip for the field.

    Field Type: Determines the acceptable values for the field. You can add the following field types:

        Boolean (checkbox)

        Date picker

        Grid (table): Include an interactive, editable grid.

        HTML: Create and view HTML content, which can be used in any type of indicator. HTML fields do not use Cortex XSOAR theme styles.

        Long text: Long text is analyzed and tokenized, and entries are indexed as individual words, enabling you to perform advanced searches and use wildcards. Long text fields cannot be sorted and cannot be used in graphical dashboard widgets. While editing a long text field, pressing Enter creates a new line. Case insensitive.

        Markdown: Add markdown-formatted text as a Template, which is displayed to users in the field after the report is created. Markdown lets you add basic formatting to text to provide a better end-user experience. A user-friendly Markdown Editor is available when you inline edit the field, which lets you easily apply styles.

        Multi select / Array: Includes two options: a) multi select from a pre-filled list; b) an empty array field for the user to add one or more values as a comma-separated list.

        Number: Can contain any number. Default is 0.

        Role: The role assigned to the threat intel report, which determines which users (by role) can view the report.

        Short text: Short text is treated as a single unit of text and is not indexed by word. Advanced search, including wildcards, is not supported. Short text fields are case sensitive by default, but can be changed to case insensitive when creating the field. While editing a short text field, pressing Enter saves and closes the field. Maximum length is 60,000 characters. Recommended use is one-word entries. Examples: username, email address, etc.

        Single select

        Tags

        Timer/SLA

        URL

        User: A user in the system.

    Case Sensitive: If selected, the field is case sensitive, which affects how the search results for this field are returned in Cortex XSOAR.

    Mandatory: If selected, this field is mandatory when used in a form.

    Placeholder: Optional text to display in the field when it is empty. This text will appear in the layout, but not in the created report. Available for Short text, Long text, Multi select / Array, Tags.

  3. Configure the attributes.

    Script to run when field value changes: The script that dynamically changes the field value when script conditions are met. For a script to be available for use here, it must have the field-change-triggered-ThreatIntelReport tag, which is added when defining a script.

    Run the field triggered script after the new field value is saved: By default, the script executes before the threat intel report is stored in the database. If you select this option, the script instead executes after the threat intel report is modified, so that the script cannot make changes to the threat intel report.

    Add to all Threat Intel Report types: Determines which threat intel report types have this field available. By default, fields are available to all types. To change this, clear the checkbox and select the specific threat intel report types.

    Make data available for search: Determines if the values in these fields are available when searching. Enabled by default.