End-of-Life (EoL)

Create Dynamic Fields in Incident Forms

incidents automation
Dynamic fields can display different data depending on the field value. You can control which fields display in an incident form, and which values display for single-select and multi-select fields. You need to create an automation script in the
Automation
page and then add the automation to a field. Scripts support JavaScript, Python, and PowerShell.
Dynamic fields are useful in the following scenarios:
  • You want specific values to appear in a field when the value of another field is different. For example, if the value in the
    Owner
    field is
    Admin
    , the values in the assignee field should be
    Jane
    ,
    Joe
    , or
    Bob
    . If the value in the
    Owner
    field is anything else, the values in the assignee field should be
    Mark
    ,
    Jack
    , or
    Christine
    .
  • You want a field to be available in a form only in certain conditions. For example, if the value in the
    Severity
    field is
    High
    or
    Critical
    , the
    Escalate
    field should be available with values of
    Yes
    or
    No
    . If the value in the Severity field is
    Low
    or
    Informational
    , the
    Escalate
    field should not appear.
  • You want to see only relevant data according to the user’s role, when assigning an incident to a user.
  1. Create an automation script.
    1. Go to the
      Automation
      page and select
      New Automation
      .
    2. Give the script a descriptive name.
    3. Enter a useful description.
    4. Under
      Tags
      , from the dropdown list, select
      field-display
      .
      This tag must be applied for the script to be available to be used on the field.
    5. Write the automation script.
      The
      Custom Scripts
      Content Pack comes out of the box with the
      hideFieldsOnNewIncident
      automation, which hides the incident field for new incidents, but appears when editing an incident. For examples, such as changing the owner field dynamically, see the examples below.
      The field script contains the following.
      Name
      Description
      demisto.incidents
      The incident in which this script is running.
      field
      The field attributes. Add metadata to the field, such as
      cliName
      ,
      type
      ,
      select values
      , etc. For example,
      [‘field’] [‘cliName’]
      is the machine learning name of the field.
      formType
      Enables Cortex XSOAR to process the script in the
      new
      ,
      edit
      ,
      close
      incident forms. For example, you may want the field to appear in the close form and not in the edit form.
      incident.get (‘
      field’)
      The field within the incident. For example,
      incident.get.(‘owner’)
      retrieves the
      owner
      field. If you create a custom field, you need to change this to
      CustomFields
      . For example, for the
      incidentclassification
      custom field, type:
      if incident.get('CustomFields').get('incidentclassification')
      .
      demisto.results
      The results to return.
      currentUser
      Specifies the current user. For example, if you want the script to check on a role assigned to user and display the appropriate output, type the following:
      demisto.executeCommand("getUserByUsername", {"username": demisto.args()["currentUser"] })
      Add the information that you want to display according to the user roles.
  2. Create a new field.
    1. Select
      Settings
      Advanced
      Fields
      +New Field
      .
      If you want to add the script to an existing field, select the field and click
      Edit
      .
    2. Under
      Field Type
      , select the field type. For example, Single select.
    3. Under
      Field Name
      , enter a descriptive name.
    4. Under the
      Attributes
      tab, in the
      Field display script
      field, select the script you created in step 1.
    5. Complete the remaining field-definitions and click
      Save
      .
Example - Change Field Values Dynamically
The following example shows how you would create a script for the Assignee field, which shows different values depending on the values in the
Owner
field. If the Owner is defined as ‘admin’, the list of available assignees will include one group of people. If the Owner is defined as anything else, the list of available assignees will include a different group of people.
  1. In the
    Automations
    page, we copy the
    hideFieldsOnNewIncident
    and name it
    changeAsigneesPerOwner
    .
  2. In the
    Description
    field, we enter the following:
    Changes values available in the Assignees field based on the person defined as the owner.
  3. Under
    Tags
    , let’s add the
    field-display
    tag.
  4. For the automation, type the following script:
    incident = demisto.incidents()[0] field = demisto.args()['field']['cliName'] if incident.get('owner') == 'admin': demisto.results({'hidden': False, 'options': ['jane','joe', 'bob']}) else: demisto.results({'hidden': False, 'options': ['mark','jack', 'christine']})
    where
    • demisto.incidents
      is the incident in which the script is running.
    • incident.get(‘owner’)
      is the field within the incident.
    • demisto.results
      tells us whether to hide the field or not, and which values should appear in the field. When the
      owner
      field is
      Admin
      , the values are
      Jane, Joe, Bob
      . When the
      owner
      owner is anyone else, the values are
      Mark, Jack, Christine
      .
  5. Select
    Settings
    Advanced
    Fields
    +New Field
    .
    • Name the field
      Assign To:
      .
      The
      Values
      field in the
      Basic Settings
      tab has been left blank because we hard-coded the values in our script.
    • Under the
      Attributes
      tab, in the
      Field display script
      field, select the
      changeAsigneesPerOwner
      script we created above.
    • Fill in the rest of the field definitions as desired and click
      Save
      .
  6. Add the field to an incident layout. In this example, add the field to the Authentication incident type.
  7. Create an incident to see what happens when the
    Owner
    is set to
    Admin
    and when the
    Owner
    is set to anything else.
Example - Hide Field based on Context
In this example, we want to hide a field for a new incident form, but display the field when editing the form. We also set field values for a multi-select field in the case of an existing incident.
In this example, use the
hideFieldsOnNewIncident
out of the box automation.
incident = demisto.incidents()[0] field = demisto.args()['field'] formType = demisto.args()['formType'] if incident["id"] == "": # This is a new incident, hide the field demisto.results({"hidden": True, "options": []}) else: # This is an existing incident, we want to show the field, to know which values to display options = [] # The field type includes the word select, such as Single select or Multi select if "Select" in demisto.get(field, "type"): # take the options from the field definition options = demisto.get(field, "selectValues") demisto.results({"hidden": False, "options": options})
  1. Go to
    Settings
    Advanced
    Fields
    .
  2. Select the
    Malicious Cause
    field and click
    Edit
    .
  3. Under the
    Field display script
    field, select the
    hideFieldsOnNewIncident
    script and click
    Save
    .
  4. Go to the
    Incidents
    page and click
    New Incident
    .
  5. Under the
    Type
    field, select
    GDPR DataBreach.
    Scroll down and note that under
    Mandatory Information
    , there is no
    Malicious Cause
    field.
  6. Click
    Create New Incident
    to save the incident.
  7. Select the incident you just created and click
    Edit
    .
    Scroll down to the
    Mandatory Information
    section and note that the
    Malicious Cause
    field appears and the options for the field are retrieved from the initial field definition.

Recommended For You