Create Dynamic Fields in Incident Forms
incidents automation
Dynamic fields can display different data
depending on the field value. You can control which fields display
in an incident form, and which values display for single-select
and multi-select fields. You need to create an automation script
in the
Automation
page and then add the automation
to a field. Scripts support JavaScript, Python, and PowerShell.Dynamic
fields are useful in the following scenarios:
- You want specific values to appear in a field when the value of another field is different. For example, if the value in theOwnerfield isAdmin, the values in the assignee field should beJane,Joe, orBob. If the value in theOwnerfield is anything else, the values in the assignee field should beMark,Jack, orChristine.
- You want a field to be available in a form only in certain conditions. For example, if the value in theSeverityfield isHighorCritical, theEscalatefield should be available with values ofYesorNo. If the value in the Severity field isLoworInformational, theEscalatefield should not appear.
- You want to see only relevant data according to the user’s role, when assigning an incident to a user.
- Create an automation script.
- Go to theAutomationpage and selectNew Automation.
- Give the script a descriptive name.
- Enter a useful description.
- UnderTags, from the dropdown list, selectfield-display.This tag must be applied for the script to be available to be used on the field.
- Write the automation script.TheCustom ScriptsContent Pack comes out of the box with thehideFieldsOnNewIncidentautomation, which hides the incident field for new incidents, but appears when editing an incident. For examples, such as changing the owner field dynamically, see the examples below.The field script contains the following.NameDescriptiondemisto.incidentsThe incident in which this script is running.fieldThe field attributes. Add metadata to the field, such ascliName,type,select values, etc. For example,[‘field’] [‘cliName’]is the machine learning name of the field.formTypeEnables Cortex XSOAR to process the script in thenew,edit,closeincident forms. For example, you may want the field to appear in the close form and not in the edit form.incident.get (‘field’)The field within the incident. For example,incident.get.(‘owner’)retrieves theownerfield. If you create a custom field, you need to change this toCustomFields. For example, for theincidentclassificationcustom field, type:if incident.get('CustomFields').get('incidentclassification').demisto.resultsThe results to return.currentUserSpecifies the current user. For example, if you want the script to check on a role assigned to user and display the appropriate output, type the following:demisto.executeCommand("getUserByUsername", {"username": demisto.args()["currentUser"] })Add the information that you want to display according to the user roles.
- Create a new field.
- Select .If you want to add the script to an existing field, select the field and clickEdit.
- UnderField Type, select the field type. For example, Single select.
- UnderField Name, enter a descriptive name.
- Under theAttributestab, in theField display scriptfield, select the script you created in step 1.
- Complete the remaining field-definitions and clickSave.
Example
- Change Field Values Dynamically
The following example
shows how you would create a script for the Assignee field, which
shows different values depending on the values in the
Owner
field.
If the Owner is defined as ‘admin’, the list of available assignees
will include one group of people. If the Owner is defined as anything else,
the list of available assignees will include a different group of
people. - In theAutomationspage, we copy thehideFieldsOnNewIncidentand name itchangeAsigneesPerOwner.
- In theDescriptionfield, we enter the following:Changes values available in the Assignees field based on the person defined as the owner.
- UnderTags, let’s add thefield-displaytag.
- For the automation, type the following script:incident = demisto.incidents()[0] field = demisto.args()['field']['cliName'] if incident.get('owner') == 'admin': demisto.results({'hidden': False, 'options': ['jane','joe', 'bob']}) else: demisto.results({'hidden': False, 'options': ['mark','jack', 'christine']})where
- demisto.incidentsis the incident in which the script is running.
- incident.get(‘owner’)is the field within the incident.
- demisto.resultstells us whether to hide the field or not, and which values should appear in the field. When theownerfield isAdmin, the values areJane, Joe, Bob. When theownerowner is anyone else, the values areMark, Jack, Christine.
- Select .
- Name the fieldAssign To:.TheValuesfield in theBasic Settingstab has been left blank because we hard-coded the values in our script.
- Under theAttributestab, in theField display scriptfield, select thechangeAsigneesPerOwnerscript we created above.
- Fill in the rest of the field definitions as desired and clickSave.
- Add the field to an incident layout. In this example, add the field to the Authentication incident type.
- Create an incident to see what happens when theOwneris set toAdminand when theOwneris set to anything else.
Example
- Hide Field based on Context
In this example, we want
to hide a field for a new incident form, but display the field when
editing the form. We also set field values for a multi-select field
in the case of an existing incident.
In this example, use
the
hideFieldsOnNewIncident
out of the box
automation. incident = demisto.incidents()[0] field = demisto.args()['field'] formType = demisto.args()['formType'] if incident["id"] == "": # This is a new incident, hide the field demisto.results({"hidden": True, "options": []}) else: # This is an existing incident, we want to show the field, to know which values to display options = [] # The field type includes the word select, such as Single select or Multi select if "Select" in demisto.get(field, "type"): # take the options from the field definition options = demisto.get(field, "selectValues") demisto.results({"hidden": False, "options": options})
- Go to .
- Select theMalicious Causefield and clickEdit.
- Under theField display scriptfield, select thehideFieldsOnNewIncidentscript and clickSave.
- Go to theIncidentspage and clickNew Incident.
- Under theTypefield, selectGDPR DataBreach.Scroll down and note that underMandatory Information, there is noMalicious Causefield.
- ClickCreate New Incidentto save the incident.
- Select the incident you just created and clickEdit.Scroll down to theMandatory Informationsection and note that theMalicious Causefield appears and the options for the field are retrieved from the initial field definition.
