Create Dynamic Fields in Incident Forms - Administrator Guide - 6.6 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.6
Creation date: 2022-09-29
Last date published: 2024-03-21
End of Life: EoL
Category: Administrator Guide
Abstract

Create dynamic incident fields using an automation script.

Dynamic fields can display different data depending on the field value. You can control which fields display in an incident form, and which values display for single-select and multi-select fields. You need to create an automation script in the Automation page and then add the automation to a field. Scripts support JavaScript, Python, and PowerShell.

Dynamic fields are useful in the following scenarios:

  • You want specific values to appear in a field when the value of another field is different. For example, if the value in the Owner field is Admin, the values in the assignee field should be Jane, Joe, or Bob. If the value in the Owner field is anything else, the values in the assignee field should be Mark, Jack, or Christine.

  • You can use display scripts to change the value displayed in single select or multi select fields in the layout. The form then displays a list of labels, but when you select one of the labels, the field is set to a value that is not necessarily the same as the label displayed.

    For example, you need to select an incident to relate to the current incident. You select one from the list of incident names. The field is populated with the incident ID (not the name) of the related incident.

  • You want to see only relevant data according to the user’s role, when assigning an incident to a user.

  1. Create an automation script.

    1. Go to the Automation page and select New Automation.

    2. Give the script a descriptive name.

    3. Enter a useful description.

    4. Under Tags, from the dropdown list, select field-display.

      This tag must be applied for the script to be available to be used on the field.

    5. Write the automation script.

      The Custom Scripts Content Pack comes out of the box with the hideFieldsOnNewIncident automation, which hides a field on the new-incident form but shows it when editing an existing incident. For examples, such as changing the values of a field based on the Owner field, see the examples below.

      A field display script uses the following arguments and calls.

      demisto.incidents()
        The incident in which this script is running.

      field
        The field attributes. Add metadata to the field, such as cliName, type, select values, etc. For example, demisto.args()['field']['cliName'] is the machine name (CLI name) of the field.

      formType
        Identifies which incident form (new, edit, or close) the script is running in, so the script can behave differently for each form. For example, you may want the field to appear in the close form and not in the edit form.

      incident.get('field')
        The field within the incident. For example, incident.get('owner') retrieves the Owner field. If you create a custom field, you need to read it from CustomFields instead. For example, for the incidentclassification custom field, type: if incident.get('CustomFields').get('incidentclassification'):

      demisto.results
        The results to return.

      currentUser
        Specifies the current user. For example, if you want the script to check the role assigned to the user and display the appropriate output, type the following:

        demisto.executeCommand("getUserByUsername", {"username": demisto.args()["currentUser"] })

        Then add the information that you want to display according to the user's roles.

  2. Create a new field.

    1. Select Settings → Advanced → Fields → +New Field.

      If you want to add the script to an existing field, select the field and click Edit.

    2. Under Field Type, select the field type. For example, Single select.

    3. Under Field Name, enter a descriptive name.

    4. Under the Attributes tab, in the Field display script field, select the script you created in Step 1.

    5. Complete the remaining field-definitions and click Save.
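The following field display script is an added example, not code from the Cortex XSOAR documentation; it puts the field, formType and currentUser arguments described in Step 1 to use in one script. It assumes formType arrives as the strings "new", "edit" or "close", that getUserByUsername returns the role list in the shape shown in the extract_roles docstring, and the option labels and the "Administrator" role name are constructed sample values.

```python
# Added example, not code from the Cortex XSOAR documentation. Assumptions:
# formType is "new", "edit" or "close"; the getUserByUsername result shape is
# the one in extract_roles; RESTRICTED_OPTIONS are constructed sample values.
RESTRICTED_OPTIONS = {"escalate", "reassign"}


def extract_roles(user_result):
    """Pull role names out of a getUserByUsername result.
    Assumed shape: [{"Contents": {"roles": {"demisto": ["Administrator", ...]}}}].
    Anything unexpected yields no roles, so the caller shows the restricted view."""
    try:
        return list(user_result[0]["Contents"]["roles"]["demisto"])
    except (IndexError, KeyError, TypeError):
        return []


def field_display(incident, field, form_type, roles):
    """Return the dict a field display script hands to demisto.results()."""
    options = list(field.get("selectValues") or [])
    # New form (no incident id yet): hide the field entirely.
    if form_type == "new" or not incident.get("id"):
        return {"hidden": True, "options": []}
    # Close form: offer every value defined on the field.
    if form_type == "close":
        return {"hidden": False, "options": options}
    # Edit form: only Administrators may choose the restricted values.
    if "Administrator" not in roles:
        options = [o for o in options if o not in RESTRICTED_OPTIONS]
    return {"hidden": False, "options": options}


def main():
    try:
        demisto  # noqa: F821  injected by Cortex XSOAR; NameError when run locally
    except NameError:
        return
    args = demisto.args()
    incident = demisto.incidents()[0]
    user = demisto.executeCommand("getUserByUsername", {"username": args["currentUser"]})
    demisto.results(field_display(incident, args["field"], args["formType"],
                                  extract_roles(user)))


if __name__ in ("__main__", "__builtin__", "builtins"):
    main()
```

Tag the script field-display and select it in the Field display script attribute of a single select field; users without the Administrator role never see the restricted values in the edit form.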

Example - Change Field Values Dynamically

The following example shows how you would create a script for the Assignee field, which shows different values depending on the values in the Owner field. If the Owner is defined as ‘admin’, the list of available assignees will include one group of people. If the Owner is defined as anything else, the list of available assignees will include a different group of people.

  1. In the Automations page, we copy the hideFieldsOnNewIncident and name it changeAsigneesPerOwner.

  2. In the Description field, we enter the following:

    Changes values available in the Assignees field based on the person defined as the owner.

  3. Under Tags, let’s add the field-display tag.

  4. For the automation, type the following script:

    # The incident the form belongs to
    incident = demisto.incidents()[0]
    # CLI name of the field this script is attached to (not used further here)
    field = demisto.args()['field']['cliName']
    if incident.get('owner') == 'admin':
        # Owner is admin: offer the first group of assignees
        demisto.results({'hidden': False, 'options': ['jane', 'joe', 'bob']})
    else:
        # Any other owner: offer the second group of assignees
        demisto.results({'hidden': False, 'options': ['mark', 'jack', 'christine']})

    where

    • demisto.incidents() returns the incident in which the script is running.

    • incident.get('owner') retrieves the Owner field from the incident.

    • demisto.results tells Cortex XSOAR whether to hide the field and which values should appear in it. When the Owner field is admin, the values are jane, joe, bob. When the owner is anyone else, the values are mark, jack, christine.

  5. Select Settings → Advanced → Fields → +New Field.

    • Name the field Assign To:.

      The Values field in the Basic Settings tab has been left blank because we hard-coded the values in our script.

    • Under the Attributes tab, in the Field display script field, select the changeAsigneesPerOwner script we created above.

    • Fill in the rest of the field definitions as desired and click Save.

      [Figure: Create-Dynamic-Fields.png]

  6. Add the field to an incident layout. In this example, add the field to the Authentication incident type.

  7. Create an incident to see what happens when the Owner is set to Admin and when the Owner is set to anything else.

    [Figure: Dynamic-Field-Values.png]

Example - Hide Field based on Context

In this example, we want to hide a field for a new incident form, but display the field when editing the form. We also set field values for a multi-select field in the case of an existing incident.

In this example, use the hideFieldsOnNewIncident out-of-the-box automation.

incident = demisto.incidents()[0]
field = demisto.args()['field']
formType = demisto.args()['formType']
if incident["id"] == "":
    # This is a new incident: hide the field
    demisto.results({"hidden": True, "options": []})
else:
    # This is an existing incident: show the field and decide which values to display
    options = []
    # The field type includes the word select, such as Single select or Multi select
    if "Select" in demisto.get(field, "type"):
        # take the options from the field definition
        options = demisto.get(field, "selectValues")
    demisto.results({"hidden": False, "options": options})

  1. Go to Settings → Advanced → Fields.

  2. Select the Malicious Cause field and click Edit.

  3. Under the Field display script field, select the hideFieldsOnNewIncident script and click Save.

  4. Go to the Incidents page and click New Incident.

  5. Under the Type field, select GDPR DataBreach.

    Scroll down and note that under Mandatory Information, there is no Malicious Cause field.

  6. Click Create New Incident to save the incident.

  7. Select the incident you just created and click Edit.

    Scroll down to the Mandatory Information section and note that the Malicious Cause field appears and the options for the field are retrieved from the initial field definition.

    [Figure: Dynamic-Hide-Fields.png]

Example - Field-change-triggered with Single Select or Multi Select

  1. Go to Settings → OBJECTS SETUP → Incident Fields.

  2. Click the New Field and create a new Incident field of one of the following types:

    • Single select

    • Multi select

  3. Click Basic Settings and in the Values section set the values you want to see in the incident layout dropdown list for this field.

    [Figure: new-incident-field.png]

  4. Click Attributes and in Script to run when field value changes, select the automation you wrote for this script.

    For example:

    The following is an example of a single select automation script.

    # The custom mapping made for the field
    mapping_dict = {
        'instance1_id': '123456',
        'instance2_id': '12340987',
        'instance3_id': '79874534',
        'instance4_id': '90927834',
        'instance5_id': '4543452',
    }

    # When the script is triggered, 'new' holds the new value chosen by the user
    val = demisto.args()['new']
    # Look the value up in the map; an unmapped value is stored unchanged
    mapped_val = mapping_dict.get(val, val)
    # Set the mapped value on the incident's custom field
    execute_command('setIncident', {'customFields': {'Single_select_field_example': mapped_val}})

    The following is an example of a multi select automation script.

    mapping_dict = {
        'low': '1',
        'medium': '2',
        'high': '3',
        'critical': '4',
    }

    # The new value(s) from the user, normalised to a list
    vals = argToList(demisto.args()['new'])
    # Map each selected value; unmapped values are stored unchanged
    mapped_list = [mapping_dict.get(v, v) for v in vals]
    execute_command('setIncident', {'customFields': {'multi_select_field_example': mapped_list}})

    Note: When creating the script, in the Tags section, type field-change-triggered.

    Note: Replace 'Single_select_field_example' or 'multi_select_field_example' in the examples above with the names of your own custom fields.

  5. Go to Settings → OBJECTS SETUP → Layouts and add the new incident field to an existing layout or create a new layout.

  6. On the incident layout edit page, click Fields and Buttons and drag the new incident field you created to the layout.

  7. Save the version.

    In the layout display, you will see the values you set in step 3.

    [Figure: new-section.png]

  8. Select one of the values. The layout will update with the mapped value as set on the automation related to the incident field.
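The following field-change-triggered script is an added example, not code from the Cortex XSOAR documentation; it applies the procedure above to the related-incident scenario described at the top of this page, where the user picks an incident name and the field stores the incident ID. The CLI name "relatedincidents" is a placeholder and the incident list is a constructed sample standing in for a real lookup.

```python
# Added example, not code from the Cortex XSOAR documentation. Field-change-triggered
# script for the related-incident scenario: the user picks an incident name in a
# select field and the stored value becomes the incident id. "relatedincidents"
# is a placeholder CLI name; the incident list is a constructed sample.
SAMPLE_INCIDENTS = [  # stands in for a real incident lookup
    {"id": "101", "name": "Phishing - finance"},
    {"id": "102", "name": "Malware on WS-12"},
    {"id": "103", "name": "Phishing - finance"},  # duplicate name: ambiguous
]


def build_name_to_id(incidents):
    """Map name -> id, leaving out names shared by several incidents so an
    ambiguous label is stored as-is instead of as a guessed id."""
    counts = {}
    for inc in incidents:
        counts[inc["name"]] = counts.get(inc["name"], 0) + 1
    return {inc["name"]: inc["id"] for inc in incidents if counts[inc["name"]] == 1}


def to_list(value):
    """Normalise like argToList: list stays, comma string splits, empty -> []."""
    if value is None or value == "":
        return []
    if isinstance(value, list):
        return value
    return [v.strip() for v in str(value).split(",") if v.strip()]


def map_new_value(new_value, mapping, multi):
    """Translate the user's choice(s) into what setIncident should store."""
    mapped = [mapping.get(v, v) for v in to_list(new_value)]
    return mapped if multi else (mapped[0] if mapped else "")


def main():
    try:
        demisto  # noqa: F821  injected by Cortex XSOAR; NameError when run locally
    except NameError:
        return
    value = map_new_value(demisto.args()["new"], build_name_to_id(SAMPLE_INCIDENTS), multi=True)
    execute_command("setIncident", {"customFields": {"relatedincidents": value}})  # noqa: F821


if __name__ in ("__main__", "__builtin__", "builtins"):
    main()
```

Set multi=False for a single select field; either way a label that is not uniquely mapped is written back unchanged, so the layout makes the mismatch visible instead of silently storing the wrong ID.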