12-21-2025 12:35 AM
Hello Livecomm,
I am working on the XSIAM platform and I want to provide a default layout for cases that are manually opened. The classic fields that contain this info such as _product and tags cannot be filtered on.
Does anyone have a solution for this?
Many thanks,
MSysec
02-11-2026 06:15 AM
Hello @michaelsysec242 ,
Greetings for the day.
In Cortex XSIAM, you can provide a default or specific layout for manually opened cases by utilizing Incident Layout Rules in conjunction with Custom Incident Fields. Since certain system fields like tags or _product may have filtering limitations in the layout rule engine or exhibit known UI issues, the most reliable solution is to create a dedicated custom field to trigger your desired layout.
To apply a specific layout to manual cases when system filters are not working as expected, follow these steps:
Create a field that will act as the trigger for your manual case layout.
Navigate to:
Cases & Issues → Case Configuration → Incident Fields
Create a new field (for example, Manual_Case_Type) with a type such as:
Short Text, or
Single Select
This field will be used in your layout rule condition.
Design the layout you want to display for manually created cases.
Navigate to:
Cases & Issues → Case Configuration → Incident Layouts
Create a new layout.
Add the sections, tabs (such as Key Assets, Alerts & Insights), and fields you want to display.
You can hide or reorder default tabs such as the Incident War Room or Timeline if needed.
Create the rule that applies your layout based on your custom field.
Navigate to:
Cases & Issues → Case Configuration → Incident Layout Rules
Create a new rule.
Set the condition to use your custom field (for example, Manual_Case_Type equals Manual).
Select your custom layout as the layout to apply.
Important:
Layout rules are evaluated from top to bottom. The system applies the first matching rule, so ensure your new rule is ordered correctly in the list.
When manually opening a case, make sure the trigger field is populated.
If the custom field is included in the default case creation form:
Set it to the value defined in your rule (for example, Manual).
The correct layout will be applied immediately upon case creation.
Tags / Data Source: Data source information is often stored as tags, which may not be consistently supported for filtering in certain configuration engines or datasets.
Filtering Issues: There are known UI issues in some versions where tag-based filtering may not populate correctly or return expected results.
Incident Name Field: Although layout rules can be based on Incident Name, some versions have exhibited inconsistent behavior with this field, making custom fields a more stable and predictable option.
If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".
Thanks & Regards,
S. Subashkar Sekar
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
