1. Home
    2. Security Operations
    3. Cortex XSOAR
    4. Cortex XSOAR Threat Intel Management Guide
    5. Manage Indicators
    6. Understand Indicators
    7. Customize Indicator View Layouts
    8. Customize an Indicator Type Layout
    End-of-Life (EoL)

    Customize an Indicator Type Layout

    Customize Indicator layouts for each Indicator type in Cortex XSOAR.
    Each out-of-the-box indicator comes with its own layout, but there might be times where customization is needed. You can customize almost every aspect of the layout, including which tabs appear, in which order they appear, who has permissions to view the tabs, and which information appears and how it is displayed.
    System and custom indicators appear in the
    Indicator Types
     page. The name of the out-of-the-box layout for the system indicator appears in the
    Layout
     column. To customize the layout of a system indicator, you can do the following:
    • Duplicate and edit an indicator layout and then edit the indicator type to add the new layout
    • Detach and edit the layout.
      While an indicator layout is detached, it does not receive Content Pack updates. If you detach an indicator type layout, make edits, and later want to receive Content Pack updates for that layout, we recommend you duplicate the indicator layout before reattaching the original, to protect your changes from Content Pack updates.
    Indicator Layout Builder
    You can customize the display information including fields for existing indicators, by modifying the sections and fields for the following views:
    • Indicator Summary
      You can customize almost every aspect of the layout, including which tabs appear, the order they appear, who has permissions, hide tabs, etc. In each field or tab you can add filters by clicking on the eye icon, which enables you to add conditions that show specific fields or tabs relevant for the indicator.
      You can add an Add a Script in the Indicator Layout, such as a mapping script, which determines where an IP address originates and displays it on a map.
    • Quick View
      Add, edit, delete sections, fields, and filters in the Quick view section in the incident.
    1. Go to
      Settings
      ADVANCED
      Layouts
      .
    2. (
      System Indicator Type Layout
      ) Detach the indicator layout.
      1. Select the check box for the indicator layout you want to detach.
      2. Click
        Detach
        .
        When the layout is detached, you can also edit the layout in the Indicator Type tab.
    3. Edit the indicator type layout.
      1. Select the indicator type whose layout you want to edit and click the layout.
        You are presented with the current layout, which is populated with demo data so you can see how the fields fit.
    4. In the
      Indicator Summary
       tab, customize the tabs.
      1. Drag and drop the tab to reorder the tabs.
      2. Configure the tabs by clicking the settings cog wheel icon in the tab and then select one of the following options.
        • Rename
        • Duplicate
        • Delete
        • Hide
        • Viewing Permissions
          When clicking Viewing permissions, select which roles can view the tabs.
          You can also decide whether you want each tab to appear in the Mobile App, by selecting the
          Show this tab on Cortex XSOAR mobile App if role allows
           checkbox. If selected, you can
          Hide this tab on Cortex XSOAR web
          .
    5. Add sections to the layout.
      1. From the Library section, in the Cortex XSOAR Sections drag and drop the required sections as follows:
        Section
        Description
        New Section
        After creating a new section, click the
        <Indicator Type>
         Fields
         tab and drag and drop the fields as required.
        Cortex XSOAR out of the box sections
        Out of the box sections such as Expiration Status, Reputation, and so on.
        General Purpose Dynamic Section
        Enables you to Add a Script in the Indicator Layout. For example, assign a script that determines and displays the Geo location of an IP address on a map. You can Set up Google Maps in Cortex XSOAR to use map automations.
      2. Define the section properties by clicking and then
        Edit section settings
        .
        You can determine how a section in the layout appears in the layout. For example, does the section include the section header or not. You can also configure the fields to appear in rows or as cards. For example, if you know that some of the field values will be very long, you are better off using rows. If you know that the field values are short, you might want to use cards so you can fit more fields in a section.
      3. To remove or duplicate a section, select the section, click and select the relevant option.
    6. Drag and drop fields, as required.
    7. Add fields and custom buttons.
      To add a custom button, you need to create an automation and then add the buttons to the layout using the automation. These buttons can simplify and assist an analyst in carrying out various tasks. For example, create a button to run an enrichment script on an identified indicator. After indicators are identified, click the Actions button and run an enhancement script directly on an indicator.
      In the following example we want to create a button, which adds the indicator to a Hunt incident type, so the Threat Intel team can review it.
      1. Select
        Automation
        New Automation
         and add the following script:
        commonfields:
  id: d3716514-4c2b-453c-8072-4fd4807bca0a
  version: 30
vcShouldKeepItemLegacyProdMachine: false
name: newIncidentFromIndicator
script: |+
  from pprint import pformat

  args = demisto.args()

  fields = {}
  fields['type'] = args['type']
  fields['details'] = args['indicator']['value']
  fields['name'] = args['type'] + " for " + args['indicator']['value']

  res = demisto.executeCommand('createNewIncident', fields)



  newID = res[0]['EntryContext']['CreatedIncidentID']

  demisto.executeCommand("associateIndicatorsToIncident", {"indicatorsValues": args['indicator']['value'], "incidentId":int(newID)})


type: python
tags:
- indicator-action-button
enabled: true
args:
- name: type
  required: true
  description: Incident Type
scripttarget: 0
subtype: python3
pswd: ""
runonce: false
dockerimage: demisto/python3:3.8.5.11789
runas: DBotWeakRole
      2. From
        Incident Layout Builder
        Fields and Buttons
         tab, drag the
        +New Button
         and drop into the relevant section.
      3. Click to configure
        .
      4. Enter a descriptive name for the button, select a color, and select the script we added above.
      5. In the
        type
         field, add
        Hunt
        .
      6. Click
        Save
        .
        In the Summary tab of the Indicator page, you can see the new button:
        When you click the button, an incident is created with the Hunt incident type.
    8. Add required sections and fields in the
      Quick View
       tab.
    9. Add the layout to the indicator.
      1. Go to the
        Indicator Types
         tab.
      2. Select the indicator type and click
        Edit
        .
      3. In the
        Layout
         field, from the drop down list, add the customized layout.
    10. (
      Optional
      ) For a customized layout, you can contribute it to the Marketplace.
      1. In the
        Layouts
         page, select the layout and then click
        Contribute to Marketplace
        .
      2. In the dialog box select either
        Save and submit your contribution
         or
        Save and download your contribution
         for later use, which you can view in the
        Contributions
         tab in the Marketplace.
        If you select
        Save and submit your contribution
         your layout is validated and then you prompted to submit to review. You can also view your contribution in the Marketplace.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo