Indicator Field Trigger Scripts

Associate Cortex XSOAR indicator fields with scripts that are triggered when the field changes.
You can associate indicator fields with trigger automation scripts that check for field changes, and then take actions based on them. These scripts can perform any action when the conditions are met. Indicator field trigger scripts allow indicators to become a proactive force within Cortex XSOAR. For example, you can:
  • Define a script that will run when the
    Verdict
    field of an indicator has changed. For example, the script will fetch all incidents related to that indicator, and take any action that is configured (reopen, change severity, etc.).
  • Define a script that will run when the
    Expiration Status
    field has changed. For example, you can define a script that will immediately update the relevant allow/block list (and not wait for the next iteration) as seen in the following script example:
    indicators = demisto.args().get('indicators') new_value = demisto.args().get('new') indicator_values = [] for indicator in indicators: current_value = indicator.get('value') indicator_values.append(current_value) if new_value == "Expired": # update allow/block list regarding expired indicators else: # update allow/block list regarding active indicators
Automations can be created in Python, PowerShell, or JavaScript in the Automation page. To use a field trigger automation, you need to add the
field-change-triggered-indicator
tag when creating the automation. You can then add the automation in the Attributes tab, when you edit or Create a Custom Indicator Field. If you did not add the tag when creating the automation, the automation will not be available for use.
Automation Arguments - Related Information
When an automation is triggered on a field, it has the following triggered field information available as arguments (args):
Argument
Description
associatedToAll
If the field is associated to all or some incidents. Value:
true
or
false
.
associatedTypes
An array of the incident types, with which the field is associated.
cliName
The name of the field when called from the command line.
description
The description of the field.
indicators
A list of indicators that had the current change.
isReadOnly
Specifies whether the field is non editable. Value:
true
or
false
.
name
The name of the field.
new
The new value of the field.
old
The old value of the field.
ownerOnly
Specifies that only the creator of the field can edit. Value:
true
or
false
.
placeholder
The placeholder text.
required
Specifies whether this is a mandatory field. Value:
true
or
false
.
selectValues
If this is a multi select type field, these are the values the field can take.
system
Whether it is a Cortex XSOAR defined field.
type
The field type.
user
The username of the user who triggered the script.
Script Limitations and Best Practices
  • Indicator field trigger scripts can be configured on:
    Verdict
    ,
    Related Incidents
    ,
    Expiration Status
    ,
    Indicator Type
    , and all custom indicator fields in the system.
  • Indicator field trigger scripts work in all TIM (Threat Intelligence Management) scenarios and workflows, except for feed ingestion.
  • Fields that may hold a list (related incidents, multi-select/tag/role type custom fields) will provide an array of the delta. For example, if a multi-select field value has changed from ["a"] to ["a", "b"], the new argument of the script will get a value of ["b"].
  • Indicator field trigger scripts run as a batch. This means that if multiple indicators were changed in the same way and are set to trigger the same action, it will happen in one batch. For example:
    1. There's a configured indicator field trigger script named
      myTriggerScript
      on the
      Verdict
      indicator field.
    2. The Threat Intel Library has two existing Malicious indicators: 1.1.1.1, 2.2.2.2.
    3. The user runs the following command
      !setIndicators indicatorsValues="1.1.1.1,2.2.2.2" verdict=Benign
      .
    4. The
      myTriggerScript
      script will run just once, with the following parameters:
      • new - "Benign"
      • old - "Malicious"
      • indicators - "[{<indicator_1.1.1.1>},{<indicator_2.2.2.2}]"
  • When writing indicator field trigger scripts, it's crucial to avoid scenarios that will call the scripts endlessly (for example, a change in field A triggers script X, which changes field B's value, which in turn calls script Y, which changes field A's value).

Recommended For You