Configure Threat Intel Report Layouts
How to configure threat intel report layouts. Add automation
script based content to an indicator in Cortex XSOAR. Add a script
in the layout.
Each out-of-the-box threat intel type
comes with its own associated layout, but there might be times where
customization is needed. You can customize almost every aspect of
the layout, including which tabs appear, in which order they appear,
who has permissions to view the tabs, and which information appears
and how it is displayed.
Out-of-the-box and custom report types appear in the tab.
The name of the layout for the out-of-the-box reports appears in
the tab.
To customize the layout of an out-of-the-box report, you can
do any of the following:
- Duplicate and edit the report layout, and then edit the report type to add the new layout.
- Detach the layout and edit it.While a report layout is detached, it does not receive Content Pack updates. If you detach a report type layout, make edits, and later want to receive Content Pack updates for that layout, we recommend you duplicate the report layout before reattaching the original, to protect your changes from Content Pack updates.
- Create a new layout, detach the report type, and then edit the report type to add the new layout.
Create a New Report Layout
The following procedure describes how to create
a new layout, but you can follow similar steps to customize an existing
layout (using the guidelines mentioned above).
- Go to .
- Click to add aNew Layout
- Customize the tabs.
- If relevant, create aNew tab.
- Edit a tab’s name by clicking the tab.
- Click and drag a tab to reorder the tabs.
- Click the cog wheel icon and then configure any of the following options:
- Rename
- Duplicate
- Delete
- Hide Empty FieldsThe setting that you configure in the layout becomes the default value seen in the report for the specific tab, which can then be overridden. You can also set a global default value using theUI.summary.page.hide.empty.fieldsserver configuration, which can also be overridden for a specific tab.
- Hide Tab
- Format for exportingBuild your layout based on A4 proportions to match the format used for exporting. Selecting this option hides the tab by default, but the tab will remain available for export.
- Viewing PermissionsWhen clicking Viewing permissions, select which roles can view the tabs.
- Display FilterEnables you to add or view a filter applied to the tab. If the filters apply, the specific fields or tabs are shown in the layout. If the mandatory field is not shown in the layout, the user is not obliged to complete it.
- Add sections to the layout.
- From the Library section, in the Cortex XSOAR Sections drag and drop the required sections as follows:SectionDescriptionNew SectionAfter creating a new section, click theFields and Buttonstab and drag and drop the fields as required.General Purpose Dynamic SectionEnables you to Add a Script in the Threat Intel Report Layout.RelationshipsEnables you to manually create a relationship between the report and an indicator.
- Define the section properties.You can determine how a section appears in the layout. For example, does the section include the section header? You can also configure the fields to appear in rows or as cards. For example, if you know that some of the field values will be very long, you are better off using rows. If you know that the field values are short, you might want to use cards so you can fit more fields in a section.
- Select the section, click
and then
click Edit section settings. - Edit the section as required and clickOK.
- Click the save button orSave Version.
- Remove or duplicate a section, select the section, click
and select the relevant
option.
- Add the layout to the report type.
- Go to .
- Select the report type and clickEdit.
- In theLayoutfield, from the drop down list, add the customized layout.
- If the layout you created was for a new report type that was based on an out-of-the-box threat intel report type, you can contribute it to Marketplace.
- In theLayoutspage, click the new report type you want to contribute to Marketplace.
- Complete the information in the Contribute form and clickContribute.
Add a Script in the Threat Intel Report Layout
You can add content to threat intel report
layouts, based on an automation script. You need to add the
General
Purpose Dynamic Section
when editing layouts.The
General
Purpose Dynamic Section
allows you to configure a section
in a layout tab from an automation script. The automation can return
a simple text, markdown, or an HTML, the results of which appear
in General Purpose Dynamic Section. You can add any required information
from an automation. Before you begin, you need to create an automation
script.The following is an example of a script that can be
added. This script can be used to add a button to the layout that
sets a threat intel report as published.
def publish(): now_utc = datetime.now(timezone.utc) object = demisto.args('object') object_id = object.get('id') roles = execute_command('getRoles', {}) execute_command( 'setThreatIntelReport', { 'id': object_id, 'xsoarReadOnlyRoles': demisto.dt( roles, 'DemistoRoles.name' ), 'reportstatus': 'Published', 'published': now_utc.isoformat(), }, ) demisto.results('ok') if __name__ in ('__main__', '__builtin__', 'builtins'): publish()
- Edit the relevant threat intel report layout.
- Drag and drop theGeneral Purpose Dynamic Sectiononto the page.
- Select the General Purpose Dynamic Section, click
and then Edit section settings.
- In theNameandDescriptionfields, add a meaningful name and a description for the dynamic section that explains what the script displays.
- In theAutomation scriptfield, from the drop down list, select the script that returns data for the dynamic section.Only automations to which you have added the general-dynamic-section tag appear in the drop down list.
- ClickOK.
