Configuring incident layouts
Use the Incident Layouts feature to visually present the incident, and define the wizard to help users create incidents.
Use the Layouts tab to determine the type of information to show for each incident. Specifically, you can control the information and layout, hide tabs on the incident page, make tabs visible only when the incident meets one or more conditions, and create your own custom tabs. You can also customize the summary information that is shown in the incident page.
You can also determine the information that is prompted by the new incident wizard, and the text that displays to the user when the user closes an incident.
New Incident Wizard
The New Incident Wizard is the set of steps that prompts users for information when they create a new incident. You can rearrange and modify the steps, add custom fields, and create steps.
The New Incident Wizard page shows each step as a block and in order. In the example, steps 1, 2, and 3 are Describe the Incident, Date and Location, and Implications.
Use the up and down arrows in each step to reorder the steps.
Use the wrench icon to name the step and to set conditions. When you set a condition, the wizard displays that step only when the incident meets the condition. Using this feature, you can configure the wizard to show only some steps when certain conditions occur, such as when a particular field value is selected in previous steps. The wizard always displays the first step regardless of any conditions.
You can add fields, views, and blocks to each step in the wizard, as described later.
Use Add Step to create a new step then drag the appropriate fields, views, and blocks from the right-side column into the step. Afterward, click the Wrench icon to name the step and set any conditions. When done, move the step to its correct position by using the down arrow.
If you are using workspaces in your configuration, you can add the Workspace field to the new incident wizard so that the user can determine where to assign the incident.
When done, click Save to implement your changes.
Configuring incident tabs
Each incident page has a number of tabs. You can modify the standard tabs, add your own custom tabs, and hide default tabs. You can also set conditions that determine when to display a tab.
In addition, each incident page has a navigation area that provides additional information, which you can customize.
To view the list of tabs available for each incident page, click Incident Tabs then Manage Tabs, as shown in the following example.
- Manage Tabs
Use this area to determine which tabs are available to users when they view incidents. You can add, reorder, rename, make conditional, and hide tabs.
The icons in each tab represent visibility, conditional, and user created. In the following example, all tabs are visible except News Feed and Email. Email, Affect, and Stats are user-created tabs. Stats is also conditional.
To set a condition on a tab, click the tab and select Conditional then select Add Condition. You can then select a field and determine the condition that allows the tab to be shown. You can have multiple conditions, where all conditions must be satisfied before the tab is shown.
To add a custom tab, click Add Tab in the navigation area or the plus icon at the right then enter a name and select its visibility. You can then add fields, views, data tables, blocks, or any combination to the incident. These items are described later.
To delete a custom tab, click the delete icon, which is next to the visibility icon. In the previous example, Affect is a custom tab. You can delete custom tabs only. You can rename or hide the default tabs, but not delete them.
To reorder the tabs, click and drag the tab or use the left and right arrows in each tab.
Note: Data in tabs that are configured as not visible is not included in reports; however, data in tabs that might be hidden by a condition is always included in reports. You can create a tab to gather data for reports but never have it visible to users. Create a condition that can never occur, then configure the tab to be visible only when that condition is true.
- Summary Section
Each incident page has a summary section on the left side that contains useful information. The section displays on the incident page regardless of the tab selected.
You can customize the summary section by dragging the components from the column on the right into the areas on the left. To display groups of fields only under certain conditions, add a Section (under Blocks) to the layout and then drag the corresponding fields into the section. You can then configure the conditions necessary for that section to be displayed by clicking the wrench icon in the upper right area of the section.
When you add multiple conditions, the section displays only when all of the individual conditions are met (conditions are AND’ed together). For a single condition with a multi-select field, the condition is met when any value that is selected in the condition is also selected in a specific incident (values are OR’ed).
To modify the order in which fields appear, drag the various components. You can modify or remove certain fields by using the “pencil” icon or the small “x” found near the field name. When finished, click Save.
You can add new fields, views, data tables, and blocks to the incident. These items are described later.
To remove customization and return to the default view, click Restore to Default at the end of the page.
- Various tabs
Click a tab name in the left navigation area to display its content and format.
You can customize the tab by dragging the components from the column on the right into the areas on the left. To display groups of fields only under certain conditions, add a Section (under Blocks) to the layout and then drag the corresponding fields into the section. You can then configure the conditions necessary for that section to display by clicking the wrench in the upper right area of the section.
When you add multiple conditions, the section displays only when all of the individual conditions are met (conditions are AND’ed together). For a single condition with a multi-select field, the condition is met if any value that is selected in the condition is also selected in a specific incident (values are OR’ed).
To modify the order in which fields appear, drag the various components. You can modify or remove certain fields by using the “pencil” icon or the small “x” found near the field name. When finished, click Save.
You can add new fields, views, data tables, and blocks to the incident. These items are described later.
To remove customization and return to the default view, click Restore to Default at the end of the page.
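The condition rules for tabs and sections, together with the note on report inclusion under Manage Tabs, can be modeled in a few lines. This is an added example, not SOAR Platform code: the dictionary layout, the function names, and the simplification that a condition is a field plus a set of accepted values are all assumptions made for illustration.

```python
# Added illustration of the layout condition rules described on this page.
# Every name below is hypothetical; none of it is a SOAR Platform API.

def condition_met(incident, field, wanted):
    """Evaluate one condition; `wanted` is the set of values chosen in it.

    For a multi-select field the incident holds several values, and the
    condition is met when ANY chosen value is also selected (OR).
    """
    actual = incident.get(field)
    if actual is None:
        return False
    if isinstance(actual, (list, set, tuple)):
        return bool(set(actual) & set(wanted))
    return actual in wanted


def is_displayed(item, incident):
    """A tab or section is shown only when ALL of its conditions are met (AND)."""
    if not item.get("visible", True):
        return False
    return all(condition_met(incident, f, w)
               for f, w in item.get("conditions", []))


def in_reports(item):
    """Tabs configured as not visible are left out of reports; tabs that are
    only hidden by a condition are always included."""
    return item.get("visible", True)


# Constructed sample data.
INCIDENT = {"severity": "High", "data_types": ["PII", "Financial"],
            "phase": "Respond"}
STATS_TAB = {"name": "Stats", "visible": True,
             "conditions": [("severity", {"High", "Critical"}),
                            ("data_types", {"PII", "PHI"})]}
# Report-only tab: marked visible, gated on a condition that can never occur.
REPORT_ONLY_TAB = {"name": "Report data", "visible": True,
                   "conditions": [("phase", {"__never__"})]}
HIDDEN_TAB = {"name": "News Feed", "visible": False, "conditions": []}

if __name__ == "__main__":
    for tab in (STATS_TAB, REPORT_ONLY_TAB, HIDDEN_TAB):
        print(tab["name"], is_displayed(tab, INCIDENT), in_reports(tab))
```

The report-only tab is the case to review when auditing a layout: its fields never appear to users on the incident page, yet they are still included in reports.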
Close incident
The Close Incident view determines whether a dialog is presented when a user closes an incident.
You can determine the layout of the Close incident dialog and prompt users for additional information, which is not mandatory on close.
Regardless of the Close Incident view, a dialog always displays when a user closes an incident that has mandatory fields that have not been filled.
Fields in wizards and incidents
The Fields section lists all the possible fields available for the wizard or incidents.
The SOAR Platform provides a number of fields. Most fields are self-explanatory. The following list provides a description of some fields.
- Department. You can specify a custom internal department name within your organization that might be involved in a data exposure.
- Exposure Source/Vendor. You can specify a custom name for a vendor or other third party to your organization that might be involved in a data exposure.
- Last Modified. Tracks the time of the last change to an incident. It is a read-only field that can be used in filters and layouts, and displayed in the incident list. It cannot be used in rules or other conditions.
- Source of Data. You can specify a custom source of data loss, such as a specific name of a database or business application. This information becomes useful when you analyze trends.
- Sequence Code. The field includes a prefix and index that increments for each new incident that is created within the organization. The sequence code is included in reports and the audit log. Unlike other fields, users cannot edit the field value in an incident. The prefix can be modified in the Administrator Settings.
You can edit each field to customize it to your own needs. To use a field in your incident, drag it to a location in the Incident column.
In addition, you can create new data fields for tracking, reporting, and documentation purposes.
- If the Label for the field is more than 80 characters, an Abbreviated label property is shown. It allows designers to provide a long name or instructions for users but a shorter name for designers and programmers. The API name is then derived from the Abbreviated label instead of the label for the field. By default, the abbreviated label is the first 80 characters of the field label. The text in the Abbreviated label is not shown to users.
- If the user does not have to complete the field, mark it as Optional.
- Use Always to make it a mandatory field when opening an incident. When a user creates a new incident, fields marked as Always show up with an asterisk in the user interface, which indicates that they are mandatory.
- Use On Close to make it mandatory when closing an incident. When a user closes an incident, the system prompts the user with a dialog that displays any fields that are marked On Close but have not yet been set.
When creating a field of the type Select, you can set a default value. The value is shown only if it exists in the new incident wizard or anywhere else in the layout.
Changed in 51.0.0.1: When creating a field of the type JSON, you can set an optional JSON schema value.
When creating a field of the type Multiselect, you can set a default value; however, the default value is relevant only for the new incident wizard. When the field is used in other places, the default value is not shown.
You cannot delete a value in an existing Select or Multiselect field if it is used in a running playbook, rule, or workflow. However, playbooks, rules, and workflows that were created before V43 and not saved since then are not checked.
When you create or edit a field of the type Select or Boolean, you can track the duration that the field spends on each value by selecting Track change times. You can use the tracking information in custom graphs or in an incident tab where the Timers Widget view is added. For more information, see the Creating custom incident graphs topic of the User Guide, or Displaying time tracking information in a tab.
Views in incidents
Views are pre-built modules that combine multiple fields and provide more logic.
Views are not editable. To use a view in your incident, drag the view to the appropriate location.
Data tables
You can organize information in a tabular format with rows and columns. Incident response users can then add information to this table.
To create a data table, click Add Table in the Data Tables section. When you choose to add a table, a wizard walks you through the following process.
- Table Definition. You add a label, which is a descriptive name for the table. The API Access Name is, by default, the same as the label with underscores instead of spaces.
- Define Layout. Determine the number of columns you need and enter a title for each column. If you add a column but do not enter a title, the column is not created. You can reorder the columns by dragging them as needed.
- Configure Table Fields. Each column has its own page where you define the field for that column. Choosing Always as a Requirement requires the user to complete this column whenever the user adds a row.
- Preview & Confirm. Review the table. You can resize the columns. Use Reset Column Widths to resize the columns so that they are approximately equal width. Use Back to make any changes or Save to save the table.
As an example, you can create a data table to list all users impacted by the incident. In this example, all the columns are of type text.
Specific apps can create data tables and populate them with data from the program. You can determine where to place these data tables in your layout.
Blocks in incidents
Blocks are special components that you can use to further design your incident.
- Header. Adds header text in the incident.
- HTML. Adds custom HTML code.
- Section. Organizes fields. Drag it to the Incident column and then drag the fields into the section. You can edit the section to make it visible only upon a specific condition. Section is not applicable to the Close Incident view.
<h1>, <h2>, <p>, <ul>, <ol>, <li>, <br>, <hr>, <b>, <i>, and <s> are supported. The following tags are supported: <p>, <h1>, <h2>, <h3>, <h4>, <h5>, <h6>, <b>, <strong>, <i>, <em>, <mark>, <table>, <tr>, <th>, <ul>, <ol>, and <li>.
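Content intended for an HTML block can be checked against the supported-tag lists above before it is pasted into a layout. The following is an added example, not part of the product: the function and constant names are hypothetical, and because this page does not say which of the two lists applies to a given block, the caller chooses and the default is an assumption.

```python
from html.parser import HTMLParser

# Tag lists copied from this page. Which list applies to a given block is not
# stated here, so the caller chooses; the default below is an assumption.
SHORT_LIST = {"h1", "h2", "p", "ul", "ol", "li", "br", "hr", "b", "i", "s"}
LONG_LIST = {"p", "h1", "h2", "h3", "h4", "h5", "h6", "b", "strong", "i",
             "em", "mark", "table", "tr", "th", "ul", "ol", "li"}


class _TagAudit(HTMLParser):
    """Records every start tag that is not in the allowed set."""

    def __init__(self, allowed):
        super().__init__(convert_charrefs=True)
        self.allowed = allowed
        self.findings = []  # (line, column, tag)

    def handle_starttag(self, tag, attrs):
        # Also reached for self-closing tags such as <br/>.
        if tag not in self.allowed:
            line, col = self.getpos()
            self.findings.append((line, col, tag))


def unsupported_tags(html, allowed=LONG_LIST):
    """Return (line, column, tag) for each start tag outside `allowed`."""
    audit = _TagAudit(allowed)
    audit.feed(html)
    audit.close()
    return audit.findings


# Constructed sample content for an HTML block.
SAMPLE = """<h2>Escalation contacts</h2>
<ul><li><b>SOC lead</b></li></ul>
<hr>
<script>console.log("x")</script>
<a href="https://intranet.example/runbook">Runbook</a>"""

if __name__ == "__main__":
    for line, col, tag in unsupported_tags(SAMPLE):
        print(f"line {line}, column {col}: <{tag}> is not in the supported list")
```

This only reports tags outside the chosen list; it does not rewrite the content and does not examine attributes.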
Displaying time tracking information in a tab
You can display time tracking data for an incident.
As described in Fields in wizards and incidents, you can create a field that tracks the duration that each incident spends on each value for that field. To display the time in a tabular format within an incident tab, use the Timers Widget View with the field. The View displays data for the current incident in a tabular format within the tab.
The following example shows the Time tracking data tab in an incident. The Phase field is configured to track time. In this example, the incident was in the Initial Phase for 21 days, 4 hours, 32 minutes, and 51 seconds. It has now been in the Respond Phase for 2 days, 0 hours, 59 minutes, and 8 seconds.