Configure Threat Intel Report Layouts

How to configure threat intel report layouts. Add automation script based content to an indicator in Cortex XSOAR. Add a script in the layout.
Each out-of-the-box threat intel type comes with its own associated layout, but there might be times where customization is needed. You can customize almost every aspect of the layout, including which tabs appear, in which order they appear, who has permissions to view the tabs, and which information appears and how it is displayed.
Out-of-the-box and custom report types appear in the Threat Intel Reports > Types tab. The name of the layout for the out-of-the-box reports appears in the Threat Intel Reports > Layouts tab.
To customize the layout of an out-of-the-box report, you can do any of the following:
  • Duplicate and edit the report layout, and then edit the report type to add the new layout.
  • Detach the layout and edit it.
    While a report layout is detached, it does not receive Content Pack updates. If you detach a report type layout, make edits, and later want to receive Content Pack updates for that layout, we recommend you duplicate the report layout before reattaching the original, to protect your changes from Content Pack updates.
  • Create a new layout, detach the report type, and then edit the report type to add the new layout.

Create a New Report Layout

The following procedure describes how to create a new layout, but you can follow similar steps to customize an existing layout (using the guidelines mentioned above).
  1. Go to Settings > OBJECTS SETUP > Threat Intel Reports > Layouts.
  2. Click to add a New Layout.
  3. Customize the tabs.
    1. If relevant, create a New tab.
    2. Edit a tab’s name by clicking the tab.
    3. Click and drag a tab to reorder the tabs.
    4. Click the cog wheel icon and then configure any of the following options:
      • Rename
      • Duplicate
      • Delete
      • Hide Empty Fields
        The setting that you configure in the layout becomes the default value seen in the report for the specific tab, which can then be overridden. You can also set a global default value using the UI.summary.page.hide.empty.fields server configuration, which can also be overridden for a specific tab.
      • Hide Tab
      • Format for exporting
        Build your layout based on A4 proportions to match the format used for exporting. Selecting this option hides the tab by default, but the tab will remain available for export.
      • Viewing Permissions
        When clicking Viewing permissions, select which roles can view the tabs.
      • Display Filter
        Enables you to add or view a filter applied to the tab. If the filters apply, the specific fields or tabs are shown in the layout. If the mandatory field is not shown in the layout, the user is not obliged to complete it.
  4. Add sections to the layout.
    1. From the Library section, under Cortex XSOAR Sections, drag and drop the required sections as follows:
      • New Section: After creating a new section, click the Fields and Buttons tab and drag and drop the fields as required.
      • General Purpose Dynamic Section
      • Relationships: Enables you to manually create a relationship between the report and an indicator.
  5. Define the section properties.
    You can determine how a section appears in the layout. For example, does the section include the section header? You can also configure the fields to appear in rows or as cards. For example, if you know that some of the field values will be very long, you are better off using rows. If you know that the field values are short, you might want to use cards so you can fit more fields in a section.
    1. Select the section, click and then click Edit section settings.
    2. Edit the section as required and click OK.
    3. Click the save button or Save Version.
  6. To remove or duplicate a section, select the section, click and select the relevant option.
  7. Add the layout to the report type.
    1. Go to Settings > OBJECTS SETUP > Threat Intel Reports > Types.
    2. Select the report type and click Edit.
    3. In the Layout field, from the drop down list, add the customized layout.
  8. If the layout you created was for a new report type that was based on an out-of-the-box threat intel report type, you can contribute it to Marketplace.
    1. In the Layouts page, click the new report type you want to contribute to Marketplace.
    2. Complete the information in the Contribute form and click Contribute.

Add a Script in the Threat Intel Report Layout

You can add content to threat intel report layouts, based on an automation script. To do so, add the General Purpose Dynamic Section when editing layouts.
The General Purpose Dynamic Section allows you to configure a section in a layout tab from an automation script. The automation can return simple text, Markdown, or HTML, and the results appear in the General Purpose Dynamic Section. You can add any required information from an automation. Before you begin, you need to create an automation script.
The following is an example of a script that can be added. This script can be used to add a button to the layout that sets a threat intel report as published.
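    from datetime import datetime, timezone

    # demisto and execute_command are provided by the Cortex XSOAR script runtime.


    def publish():
        now_utc = datetime.now(timezone.utc)
        # demisto.args() takes no parameters; the report is passed in the 'object' argument.
        report = demisto.args().get('object') or {}
        report_id = report.get('id')
        # Fetch the role names that are written to the report as read-only roles.
        roles = execute_command('getRoles', {})
        execute_command(
            'setThreatIntelReport',
            {
                'id': report_id,
                'xsoarReadOnlyRoles': demisto.dt(roles, 'DemistoRoles.name'),
                'reportstatus': 'Published',
                'published': now_utc.isoformat(),
            },
        )
        demisto.results('ok')


    if __name__ in ('__main__', '__builtin__', 'builtins'):
        publish()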
  1. Edit the relevant threat intel report layout.
  2. Drag and drop the General Purpose Dynamic Section onto the page.
  3. Select the General Purpose Dynamic Section, click and then Edit section settings.
  4. In the Name and Description fields, add a meaningful name and a description for the dynamic section that explains what the script displays.
  5. In the Automation script field, from the drop down list, select the script that returns data for the dynamic section.
    Only automations to which you have added the general-dynamic-section tag appear in the drop down list.
  6. Click OK.
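The following added example (not part of the original page or the product's own content) is a companion script for the General Purpose Dynamic Section: it returns Markdown showing the publication state that the publish script above writes, and escapes report-supplied text so field values cannot alter the rendered section. It assumes that report fields are top-level keys of the 'object' argument or sit under 'CustomFields'; the helper names md_escape, field and render_status are hypothetical, and SAMPLE_REPORT is constructed sample data.

```python
# Dynamic-section script: show a report's publication state as Markdown.
try:
    demisto  # injected by the Cortex XSOAR runtime
except NameError:
    demisto = None  # running offline; only the rendering helpers are usable

MD_SPECIALS = '\\`*_[]()<>|'  # characters that could alter a table cell

# Constructed sample of the 'object' argument, for offline runs only.
SAMPLE_REPORT = {'id': '7', 'reportstatus': 'Published',
                 'published': '2024-05-01T10:00:00+00:00',
                 'xsoarReadOnlyRoles': ['Analyst', 'Read_Only']}


def md_escape(value):
    """Neutralise Markdown/HTML control characters in report-supplied text."""
    text = str(value).replace('\r', ' ').replace('\n', ' ')
    return ''.join('\\' + ch if ch in MD_SPECIALS else ch for ch in text)


def field(report, name):
    """Assumption: a field is a top-level key or sits under 'CustomFields'."""
    custom = report.get('CustomFields') or {}
    return report.get(name) or custom.get(name)


def render_status(report):
    """Build the Markdown for the General Purpose Dynamic Section."""
    roles = field(report, 'xsoarReadOnlyRoles') or []
    if isinstance(roles, str):
        roles = [roles]
    rows = [
        ('Status', md_escape(field(report, 'reportstatus') or 'Not set')),
        ('Published (UTC)', md_escape(field(report, 'published') or 'Not published')),
        ('Read-only roles', ', '.join(md_escape(r) for r in roles) or 'None'),
    ]
    lines = ['### Publication status', '| Field | Value |', '|---|---|']
    lines += ['| {} | {} |'.format(name, value) for name, value in rows]
    return '\n'.join(lines)


def main():
    report = demisto.args().get('object') or {}
    # Type 1 is a note entry; 'markdown' makes the section render Markdown.
    demisto.results({'Type': 1, 'ContentsFormat': 'markdown',
                     'Contents': render_status(report)})


if __name__ in ('__main__', '__builtin__', 'builtins'):
    main() if demisto else print(render_status(SAMPLE_REPORT))
```

As with any script used in this section, it appears in the Automation script drop down list only after the general-dynamic-section tag is added to it.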
