End-of-Life (EoL)

Customize an Indicator Type Layout

Follow these instructions to customize Indicator layouts for each Indicator type.
Each out-of-the-box indicator comes with its own layout, but there might be times where customization is needed. You can customize almost every aspect of the layout, including, but not limited to:
You can customize almost every aspect of the layout, including, but not limited to:
  • which tabs appear
  • in which order they appear
  • who has permissions to view the tabs
  • which information appears and how it is displayed
System and custom indicators appear in the
Indicator Types
page. The name of the out-of-the-box layout for the system indicator appears in the
column. To customize the layout of a system indicator, you need to create a copy of the indicator in the
page and then customize the copy. If you want to add the customized system layout to an existing indicator type, you need to add the layout to the indicator type.
  1. (
    System Indicator Type
    ) Create a copy of the indicator layout.
    1. Go to
    2. Select the check box for the indicator layout you want to edit.
    3. Click
      . A copy of the indicator layout appears with the string _copy appended to the name of the indicator type. If more than one copy of the indicator layout is created, a number is appended to the _copy string. The number is increased with each additional duplication.
    4. Click the name of the newly created indicator layout.
      You are presented with the current layout, which is populated with demo data so you can see how the fields fit.
  2. (
    Custom Indicator Type
    ) Edit the indicator type layout.
    1. Go to
      Indicator Types
    2. Select the indicator type whose layout you want to edit and click the
      Edit Layout
      You are presented with the current layout, which is populated with demo data so you can see how the fields fit.
  3. Customize the tabs.
    1. Click and drag the tab to reorder the appearance of the tabs.
    2. Configure which tabs appear and for whom, as well as duplicate or remove tabs from the layout.
    3. Click the gear icon.
    4. Click one of the following options:
      • Rename
      • Duplicate
      • Delete
      • Hide
      • Viewing Permissions
  4. Add sections to the layout.
    1. From the Library section, in the Cortex XSOAR Sections drag and drop the required sections as follows:
      New Section
      After creating a new section, click the
      <Indicator Type>
      tab and drag and drop the fields as required.
      Cortex XSOAR out of the box sections
      Out of the box sections such as Expiration Status, Reputation, and so on.
      General Purpose Dynamic Section
      Enables you to Add a Script in the Indicator Layout. For example, assign a script that determines and displays the Geo location of an IP address on a map.
  5. Define the section properties.
    You can determine how a section in the layout appears in the layout. For example, does the section include the section header or not. You can also configure the fields to appear in rows or as cards. For example, if you know that some of the field values will be very long, you are better off using rows. If you know that the field values are short, you might want to use cards so you can fit more fields in a section.
    1. Select the section, click and then click
      Edit section settings
    2. Edit the section as required and click
    3. Click the save button or
      Save Version
  6. Remove or duplicate a section, select the section, click and select the relevant option.
  7. Add fields and custom buttons.
    To add a custom button, you need to create an automation and then add the buttons to the layout using the automation. These buttons can simplify and assist an analyst in carrying out various tasks. For example, create a button to run an enrichment script on an identified indicator. After indicators are identified, click the Actions button and run an enhancement script directly on an indicator.
    In the following example we want to create a button, which adds the indicator to a Hunt incident type, so the Threat Intel team can review it.
    1. Select
      New Automation
      and add the following script:
      commonfields: id: d3716514-4c2b-453c-8072-4fd4807bca0a version: 30 vcShouldKeepItemLegacyProdMachine: false name: newIncidentFromIndicator script: |+ from pprint import pformat args = demisto.args() fields = {} fields['type'] = args['type'] fields['details'] = args['indicator']['value'] fields['name'] = args['type'] + " for " + args['indicator']['value'] res = demisto.executeCommand('createNewIncident', fields) newID = res[0]['EntryContext']['CreatedIncidentID'] demisto.executeCommand("associateIndicatorsToIncident", {"indicatorsValues": args['indicator']['value'], "incidentId":int(newID)}) type: python tags: - indicator-action-button enabled: true args: - name: type required: true description: Incident Type scripttarget: 0 subtype: python3 pswd: "" runonce: false dockerimage: demisto/python3: runas: DBotWeakRole
    2. From
      Incident Layout Builder
      Fields and Buttons
      tab, drag the
      +New Button
      and drop into the relevant section.
    3. Click to configure
    4. Enter a descriptive name for the button, select a color, and select the script we added above.
    5. In the
      field, add
    6. Click
      In the Summary tab of the Indicator page, you can see the new button:
      When you click the button, an incident is created with the Hunt incident type.
  8. (
    System Indicator Type
    ) Add the layout to the indicator.
    1. Go to the
      Indicator Types
    2. Select the indicator type and click
    3. In the
      field, from the drop down list, add the customized layout.
  9. If the layout you created was for a new indicator type that was based on a system indicator type, you can contribute it to Marketplace.
    1. In the
      page, click the new indicator type you want to contribute to Marketplace.
    2. Complete the information in the Contribute form and click

Recommended For You