Create custom fields
Administrators can create custom fields to add specific information to cases and alerts. These custom fields can be added to a Custom Fields Form widget, which defines the default views for cases and alerts. Analysts can enter information in the Custom Fields Form widget directly within cases and alerts, depending on the custom field's scope. This widget is available in the Overview tab of cases and alerts.
Create a custom field
The Admin can create a maximum of 1000 different custom fields. The "Scope", "Type", and "Name" of a custom field can't be modified after the custom field is saved. To create a custom field, do the following:
- Go to SOAR Settings > Case Data > Custom Fields.
- Click Add to create a new custom field.
- Select Scope and then select Case, Alert, or All (both). The Scope field is required and can't be changed after the custom field is created.
- Select Name. The Name field is required and can't be changed after the custom field is created.
- Select a custom field Type from the list:
  - Free Text: Allows any text input with a limit of 1,024 characters.
  - Radio Button: A radio button with two options.
  - Single Select: A list with a single selected option. Supports a maximum of 1024 characters, with each option name limited to 255 characters.
  - Multi Select: A list with multiple selected options. Supports a maximum of 1024 characters, with each option name limited to 255 characters.
  - Calendar: A date and time field.
- Select Save.
Use case: use custom fields to enhance phishing resistance
This use case outlines the steps for defining three custom fields: a radio button, a single-select drop-down list, and a calendar, and adding them to the Custom Field Form widget to enrich the default alert view with additional information related to phishing alerts.
- Go to SOAR Settings > Case Data > Custom Fields.
- Select Add to create a new custom field.
- Under Scope, select Alert.
- In the Name field, enter False Positive.
- From the Type drop-down list, select Radio Button.
- In the Options field, type True Positive for the first radio button, then press Enter. Enter False Positive for the second radio button, and press Enter again.
- Select Save.
- Select Add to create a new custom field.
- Under Scope, select Alert.
- In the Name field, enter the name User Action.
- From the Type drop-down list, select Single Select.
- In the Options field, type Clicked, press Enter, type Reported, press Enter; then type Ignored, and press Enter.
- Select Save.
- Select Add to create a new custom field.
- Under Scope, select Alert.
- In the Name field, enter Report Time.
- From the Type drop-down list, select Calendar.
- Select Save.
Add the custom fields to the custom field widget (alert level)
After defining custom fields, you can add them to the custom field widget. Each widget can hold up to 50 custom fields. Building on the earlier example, the following steps outline how to add the three custom fields created in the previous section to the Custom Field Form widget.
- Go to SOAR Settings > Case Data > Views > Default Alert View. The Default Alert View dialog opens, showing the widgets appearing in the Default Alert View.
- In the General tab, drag the Custom Fields Form widget to the Default Alert View pane.
- Select Configuration on the Custom Fields Form; the Custom Fields Form widget configuration window opens.
- In the Widget Title field, enter True or False Positive Alert.
- Select Manage Custom Fields.
- Select the False Positive, User Action and Report Time checkboxes, and then click Save. The custom fields are added to the Custom Field Form widget.
- Turn on the Mandatory toggle.
- Select Save to save the configuration and close the window.
- Click Save View.
Use the Custom Fields widget
Once custom fields are added to the Custom Field Form widget, it appears in the Overview tab of cases and alerts, where analysts can enter the required information. Based on the previous example, do the following:
- In the Alert Overview tab, select the Custom Fields widget, and then click Edit.
- Fill in the appropriate information for the three custom fields:
  - In the False Positive custom field, select the appropriate radio button to indicate whether the alert is a true positive or a false positive.
  - In the User Action custom field, select the appropriate user action from the drop-down list: Clicked, Reported, or Ignored.
  - In the Report Time custom field, select the date the alert was reported.
- Click Save.
Use custom fields in playbooks
You can use the custom fields you define on this page as part of playbook actions and placeholders. For more information on playbook actions, see Marketplace Integrations Siemplify.
Placeholders for custom fields
Custom Fields are available under the "Custom Fields" placeholder category. The format for these placeholders is as follows:
- [AlertCustom.{custom field name}]
- [CaseCustom.{custom field name}]
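The following added example (not part of the product or its documentation) lints playbook text offline for custom field placeholders that would not resolve, using the three phishing fields defined earlier. The field inventory, the sample text, exact-name matching, and the rule that a placeholder category only accepts fields scoped to that entity or to All are assumptions made for illustration.

```python
import re

# Placeholder format from the page: [AlertCustom.{name}] / [CaseCustom.{name}]
PLACEHOLDER = re.compile(r"\[(AlertCustom|CaseCustom)\.([^\[\]]+)\]")

# Constructed inventory mirroring the phishing use case: field name -> scope.
DEFINED_FIELDS = {
    "False Positive": "Alert",
    "User Action": "Alert",
    "Report Time": "Alert",
}

# Assumption (not stated on the page): a placeholder category resolves only
# fields whose scope is that entity or All.
ALLOWED_SCOPES = {"AlertCustom": {"Alert", "All"}, "CaseCustom": {"Case", "All"}}


def lint_placeholders(text, fields=DEFINED_FIELDS):
    """Return (placeholder, problem) pairs for references that cannot resolve."""
    problems = []
    for match in PLACEHOLDER.finditer(text):
        category, name = match.group(1), match.group(2)
        scope = fields.get(name)
        if scope is None:
            # Assumption: names must match exactly as saved, so a case or
            # spacing difference is reported with the closest saved name.
            hint = [n for n in fields if n.lower() == name.strip().lower()]
            problem = f"unknown field; did you mean {hint[0]!r}?" if hint else "unknown field"
        elif scope not in ALLOWED_SCOPES[category]:
            problem = f"field scope is {scope}, not usable as {category}"
        else:
            continue
        problems.append((match.group(0), problem))
    return problems


# Constructed playbook message text containing three faulty references.
SAMPLE = (
    "Verdict: [AlertCustom.False Positive]; user [AlertCustom.user action] "
    "at [AlertCustom.Report Time]. Case note: [CaseCustom.User Action] "
    "[AlertCustom.Severity Override]"
)

if __name__ == "__main__":
    for placeholder, problem in lint_placeholders(SAMPLE):
        print(f"{placeholder}: {problem}")
```

Because Scope and Name can't be changed after a field is saved, checking references this way before a playbook is published catches mismatches that would otherwise require creating a new field.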
What's next
- Define Default View for Cases (Admin)
- Define Default View for Alerts (Admin)
- View Case Overview tab
- View Alert Overview tab