Add a Custom Widget to an Alert Layout - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide
Product
Cortex XSIAM
Creation date
2024-02-26
Last date published
2024-04-18
Category
Administrator Guide
Abstract

Add any widget to a a custom alert layout.

You can add a custom or system widget to a custom alert layout.

The following example shows how to add an Indicator Widget Bar. This custom widget script shows the severity of indicators in an alert, as a bar chart.

  1. Add the Indicator Widget Bar script to Cortex XSIAM.

    1. On the Scripts page, upload the following script:

      commonfields:
  id: ee3b9604-324b-4ab5-8164-15ddf6e428ab
  version: 49
name: IndicatorWidgetBar
script: |-
  # Constants
  HIGH = 3
  SUSPICIOUS = 2
  LOW = 1
  NONE = 0

  indicators = []
  scores = {HIGH: 0, SUSPICIOUS: 0, LOW: 0, NONE: 0}
  incident_id = demisto.incidents()[0].get('id')

  foundIndicators = demisto.executeCommand("findIndicators", {"query":'investigationIDs:{}'.format(incident_id), 'size':999999})[0]['Contents']

  for indicator in foundIndicators:
      scores[indicator['score']] += 1

  data = {
    "Type": 17,
    "ContentsFormat": "bar",
    "Contents": {
      "stats": [
        {
          "data": [
            scores[HIGH]
          ],
          "groups": None,
          "name": "high",
          "label": "incident.severity.high",
          "color": "rgb(255, 23, 68)"
        },
        {
          "data": [
            scores[SUSPICIOUS]
          ],
          "groups": None,
          "name": "medium",
          "label": "incident.severity.medium",
          "color": "rgb(255, 144, 0)"
        },
        {
          "data": [
            scores[LOW]
          ],
          "groups": None,
          "name": "low",
          "label": "incident.severity.low",
          "color": "rgb(0, 205, 51)"
        },
        {
          "data": [
            scores[NONE]
          ],
          "groups": None,
          "name": "unknown",
          "label": "incident.severity.unknown",
          "color": "rgb(197, 197, 197)"
        }
      ],
      "params": {
          "layout": "horizontal"
      }
    }
  }

  demisto.results(data)
type: python
tags:
- dynamic-section
enabled: true
scripttarget: 0
subtype: python3
runonce: false
dockerimage: demisto/python3:3.7.3.286
runas: DBotWeakRole

    2. Click Save.

  2. Add the widget to an alert layout.

    1. Go to SettingsConfigurationsObject SetupAlertsLayouts.

    2. Create a new custom alert layout or right-click to open an existing custom alert layout or a detached or duplicated system layout.

    3. Drag and drop the General Purpose Dynamic Section into a layout tab.

    4. Edit the General Purpose Dynamic Section by clicking the pencil icon.

    5. Enter a name for the section and choose the automation script you uploaded in Step 1.

    6. Click Ok.