XDR add more values to incident classification


L4 Transporter

 

Hi everyone,

When I close each incident, I need to add the CSIRT taxonomy flags (from the ENISA Reference Incident Classification Taxonomy: https://www.enisa.europa.eu/publications/reference-incident-classification-taxonomy) to the Cortex XDR case.

Does anyone know if that is possible?




If this post answers your question, please mark it as the solution.




Best regards
Tiago Marques
1 accepted solution

Accepted Solutions

L4 Transporter

Hello @tlmarques,

 

Greetings for the day.

 

Based on the provided internal documentation and technical cases, the ability to add custom taxonomy flags (such as a CSIRT taxonomy) depends on whether you are using Cortex XDR (Standard/Pro) or Cortex XSIAM.


1. Cortex XDR (Standard/Pro):

In the standard version of Cortex XDR, there is currently no native support for creating user-defined custom fields or custom incident statuses specifically for taxonomies.

 

Workarounds for XDR

Resolution Comments:
When closing an incident, you can change the status to Resolved and manually add the CSIRT taxonomy flags into the Resolution Comment field.

 

Resolution Reason:
You can select from the predefined resolution reasons (e.g., True Positive, False Positive, Security Testing), but these cannot currently be customized to match ENISA or CSIRT taxonomies.

 

Public API:
You can use the update_incident API to programmatically add comments or update incident details. A sample request body:

{
  "request_data": {
    "incident_id": "1001",
    "update_data": {
      "status": "resolved_true_positive",
      "resolve_comment": "ENISA Taxonomy: [CSIRT-FLAG-HERE]",
      "comment": {
        "comment_action": "add",
        "value": "Added CSIRT Taxonomy flags for closure."
      }
    }
  }
}

 

This approach allows structured tagging via comments, but it does not create searchable, normalized taxonomy fields.


2. Cortex XSIAM:

If your organization uses Cortex XSIAM, the capability to add these flags is natively supported through Editable Incident Layouts and Custom Incident Fields.

Custom Incident Fields:

You can create dedicated fields such as:

  • CSIRT Taxonomy

  • Incident Classification

  • ENISA Category

Path:
Settings > Configurations > Object Setup > Incidents

These fields can be text, dropdown, multi-select, or other structured types.

Editable Layouts:

You can modify the incident page layout to:

  • Display the custom taxonomy fields

  • Make them mandatory

  • Organize them under a dedicated classification section

This ensures analysts consistently apply the taxonomy during investigation or closure. You can also enforce population of these fields via playbooks.


Summary Comparison:

Feature                | Cortex XDR                                        | Cortex XSIAM
-----------------------|---------------------------------------------------|---------------------------
Custom Incident Fields | No                                                | Yes
Custom Statuses        | No                                                | Yes
Editable Layouts       | No                                                | Yes
Recommended Approach   | Use Resolution Comments or external orchestration | Use Custom Incident Fields

Recommendation:

  • If you are using Cortex XDR and require formal structured taxonomy fields, the only current options are comment-based tagging, API-driven enrichment, or external orchestration (e.g., via XSOAR).

  • If you are using Cortex XSIAM, implement Custom Incident Fields and enforce taxonomy usage through layout configuration and playbooks.

  • If structured taxonomy support is required in Cortex XDR, submit a Feature Request through your Sales Engineer or Account Team.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

 

Thanks & Regards,
S. Subashkar Sekar
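
The comment-based workaround above works best when the tag format is fixed so the flags can be recovered later. The following is an added example, not code from the reply or from Palo Alto Networks: it builds the update_incident body with the ENISA flags in an assumed "[Classification/Type]" bracket convention, parses them back out of a resolve comment, and returns the headers for a Standard API key. The incident id, the taxonomy values and the closure note are constructed sample data.

```python
import json
import re

# Resolution statuses the update_incident API accepts (documented Cortex XDR values).
RESOLVED_STATUSES = {
    "resolved_true_positive", "resolved_false_positive", "resolved_security_testing",
    "resolved_known_issue", "resolved_duplicate", "resolved_other",
}
# Comment convention assumed here: "ENISA Taxonomy: [Classification/Type] ...".
TAG_RE = re.compile(r"\[([^\]/]+)/([^\]]+)\]")


def format_taxonomy_comment(flags):
    """Render (classification, type) pairs in the bracket convention above."""
    return "ENISA Taxonomy: " + " ".join(f"[{cls}/{typ}]" for cls, typ in flags)


def parse_taxonomy_flags(comment):
    """Recover the pairs from a resolve comment. XDR does not index them as fields,
    so this is how a report or export gets the taxonomy back out."""
    if not comment or not comment.startswith("ENISA Taxonomy:"):
        return []
    return [(c.strip(), t.strip()) for c, t in TAG_RE.findall(comment)]


def build_update_incident_body(incident_id, status, flags, note):
    """Request body for POST /public_api/v1/incidents/update_incident/."""
    if status not in RESOLVED_STATUSES:
        raise ValueError(f"not a resolved status: {status}")
    if not flags:
        raise ValueError("closure without a taxonomy flag is rejected")
    return {"request_data": {"incident_id": str(incident_id), "update_data": {
        "status": status,
        "resolve_comment": format_taxonomy_comment(flags),
        "comment": {"comment_action": "add", "value": note},
    }}}


def api_headers(api_key_id, api_key):
    """Headers for a Standard (not Advanced) Cortex XDR API key."""
    return {"x-xdr-auth-id": str(api_key_id), "Authorization": api_key,
            "Content-Type": "application/json"}


if __name__ == "__main__":
    # Constructed sample closure: incident 1001 tagged with one ENISA pair.
    body = build_update_incident_body(
        1001, "resolved_true_positive",
        [("Intrusions", "Privileged Account Compromise")], "Closed with ENISA flags.")
    print(json.dumps(body, indent=2))
```

Refusing to close without a flag is the closest XDR gets to the mandatory field XSIAM offers; the enforcement lives in the script, not the console.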


4 REPLIES 4

L4 Transporter

@susekar 

If I have Cortex XDR integrated with Cortex XSOAR (whether on-prem or cloud) for incident resolution through XSOAR, then I can perform the classification there. However, I only retrieve the data via XSOA


Do you know if this also works with XSOAR Cloud? I know it works in the on-prem version because I already have playbooks configured for that.

I assume the cloud version behaves the same way.

If this post answers your question, please mark it as the solution.




Best regards
Tiago Marques

L4 Transporter

@susekar 

Another question, if you happen to know: is it possible to export all incidents to an external platform?

For example, can I export incident data to a SQL database, including fields such as IncidentID, Description, and CloseReason?

I need to perform a more granular classification of incidents — not just a true/false categorization — but also include additional flags aligned with European Union Agency for Cybersecurity (ENISA) taxonomy.

I'll use only Cortex XDR.

If this post answers your question, please mark it as the solution.




Best regards
Tiago Marques

Hello @tlmarques,

 

Thank you for the response.

 

Yes, it is possible to export incident data from Cortex XDR to an external platform like a SQL database, though the method depends on whether you require a manual one-time export or a programmatic, automated integration.

1. Export Methods for Incidents:

To move data to an external SQL database, you have two primary options:

  • Public API (Recommended for Automation):
    You can use the Cortex XDR Public API to programmatically retrieve incident data. The get_incidents and get_incident_extra_data endpoints provide structured JSON responses that include the fields you requested.

    • IncidentID: Available as incident_id.
    • Description: Available as description.
    • CloseReason: Available via fields such as resolution_status and resolution_comment.

    To implement this, you would write a script (e.g., in Python) to call the API and then insert that data into your SQL database. You will need to generate an API Key and API Key ID in the Cortex XDR console under Settings → Configurations → API Keys.

  • Manual Export (UI):
    For manual analysis, you can export incidents directly from the console as a Tab-Separated Values (TSV) file, which can then be imported into a SQL database.

    1. Navigate to Incident Response → Incidents.
    2. Switch to Table View or Detail View (Mailbox View).
    3. Apply desired filters and timeframes (within the 180-day retention limit).
    4. Click the Export to file icon.
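
The API route above ends with "write a script to call the API and insert the data into SQL". The block below is an added example, not code from the reply or from Palo Alto Networks: it takes a constructed get_incidents-shaped reply, maps incident_id, description, close reason and close comment onto a SQLite table, and pulls the ENISA classification out of the comment into its own column so it can be queried. The key names of the sample reply and the "[Classification/Type]" comment format are assumptions; the sample incidents are constructed.

```python
import json
import re
import sqlite3

# Constructed sample in the shape of a get_incidents reply. Key names are an
# assumption; only incident_id, description, status and the resolve comment are used.
SAMPLE_REPLY = json.dumps({"reply": {"total_count": 2, "result_count": 2, "incidents": [
    {"incident_id": "1001", "description": "'Credential Dumping' generated by XDR Agent",
     "status": "resolved_true_positive",
     "resolve_comment": "ENISA Taxonomy: [Intrusions/Privileged Account Compromise]"},
    {"incident_id": "1002", "description": "Suspicious mail reported by user",
     "status": "resolved_false_positive", "resolve_comment": None},
]}})

SCHEMA = """CREATE TABLE IF NOT EXISTS incidents (
    incident_id TEXT PRIMARY KEY, description TEXT, close_reason TEXT,
    close_comment TEXT, enisa_classification TEXT, enisa_type TEXT)"""

def taxonomy_from_comment(comment):
    """First '[Classification/Type]' tag in a closure comment, else (None, None)."""
    m = re.search(r"\[([^\]/]+)/([^\]]+)\]", comment or "")
    return (m.group(1).strip(), m.group(2).strip()) if m else (None, None)

def rows_from_reply(raw_json):
    """Map one get_incidents page onto the table columns."""
    rows = []
    for inc in json.loads(raw_json)["reply"]["incidents"]:
        # Accept both spellings: the reply above names resolution_status/resolution_comment.
        reason = inc.get("status") or inc.get("resolution_status")
        comment = inc.get("resolve_comment") or inc.get("resolution_comment")
        cls, typ = taxonomy_from_comment(comment)
        rows.append((str(inc["incident_id"]), inc.get("description"), reason, comment, cls, typ))
    return rows

def export_to_sqlite(raw_json, db_path=":memory:"):
    """Upsert a page of incidents; re-running a pull is idempotent by incident_id."""
    conn = sqlite3.connect(db_path)
    conn.execute(SCHEMA)
    conn.executemany("INSERT OR REPLACE INTO incidents VALUES (?, ?, ?, ?, ?, ?)",
                     rows_from_reply(raw_json))
    conn.commit()
    return conn

def count_by_classification(conn):
    """The granular breakdown the comment-only workaround cannot give inside XDR."""
    sql = ("SELECT COALESCE(enisa_classification, '(untagged)'), COUNT(*) "
           "FROM incidents GROUP BY 1")
    return dict(conn.execute(sql).fetchall())
```

Parameterised inserts keep attacker-controlled incident descriptions from reaching the SQL text, and INSERT OR REPLACE lets a scheduled pull re-read the same 180-day window without duplicating rows.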

 
