Create dynamic incident fields using an automation script. Create conditional fields.
Dynamic fields can display different data depending on the field value. You can control which fields display in an incident form, and which values display for single-select and multi-select fields. You need to create an automation script in the Automation page and then add the automation to a field. Scripts support JavaScript, Python, and PowerShell.
Dynamic fields are useful in the following scenarios:
You want specific values to appear in a field when the value of another field is different. For example, if the value in the Owner field is
Admin
, the values in the assignee field should beJane
,Joe
, orBob
. If the value in the Owner field is anything else, the values in the assignee field should beMark
,Jack
, orChristine
.You can use display scripts to change the value displayed in single select or multi select fields in the layout. This means that the form would display a list of labels but when you select one of the labels, the field would be set to a value that would not necessarily be the same as the value displayed.
For example, you need to select an incident to relate to the current incident. You select one from the list of incident names. The field is populated with the incident ID (not the name) of the related incident.
You want to see only relevant data according to the user’s role, when assigning an incident to a user.
Create an automation script.
Go to the Automation page and select New Automation.
Give the script a descriptive name.
Enter a useful description.
Under Tags, from the dropdown list, select
field-display
.This tag must be applied for the script to be available to be used on the field.
Write the automation script.
The Custom Scripts Content Pack comes out of the box with the
hideFieldsOnNewIncident
automation, which hides the incident field for new incidents, but appears when editing an incident. For examples, such as changing the owner field dynamically, see the example below.The field script contains the following.
Name
Description
demisto.incidents
The incident in which this script is running.
field
The field attributes. Add metadata to the field, such as
cliName
,type
,select values
, etc. For example,[‘field’] [‘cliName’]
is the machine learning name of the field.formType
Enables Cortex XSOAR to process the script in the
new
,edit
,close
incident forms. For example, you may want the field to appear in the close form and not in the edit form.incident.get (‘
field’)
The field within the incident. For example,
incident.get.(‘owner’)
retrieves theowner
field. If you create a custom field, you need to change this toCustomFields
. For example, for theincidentclassification
custom field, type:if incident.get('CustomFields').get('incidentclassification')
.demisto.results
The results to return.
currentUser
Specifies the current user. For example, if you want the script to check on a role assigned to user and display the appropriate output, type the following:
demisto.executeCommand("getUserByUsername", {"username": demisto.args()["currentUser"] })
Add the information that you want to display according to the user roles.
Create a new field.
Select
→ → → .If you want to add the script to an existing field, select the field and click Edit.
Under Field Type, select the field type. For example, Single select.
Under Field Name, enter a descriptive name.
Under the Attributes tab, in the Field display script field, select the script you created in step 1.
Complete the remaining field definitions and click Save.
Example - Change Field Values Dynamically
The following example shows how you would create a script for the Assignee field, which shows different values depending on the values in the Owner field. If the Owner is defined as ‘admin’, the list of available assignees will include one group of people. If the Owner is defined as anything else, the list of available assignees will include a different group of people.
In the Automations page, we copy the
hideFieldsOnNewIncident
and name itchangeAsigneesPerOwner
.In the Description field, we enter the following:
Changes values available in the Assignees field based on the person defined as the owner.
Under Tags, let’s add the
field-display
tag.For the automation, type the following script:
incident = demisto.incidents()[0] field = demisto.args()['field']['cliName'] if incident.get('owner') == 'admin': demisto.results({'hidden': False, 'options': ['jane','joe', 'bob']}) else: demisto.results({'hidden': False, 'options': ['mark','jack', 'christine']})
where
demisto.incidents
is the incident in which the script is running.incident.get(‘owner’)
is the field within the incident.demisto.results
tells us whether to hide the field or not, and which values should appear in the field. When theowner
field isAdmin
, the values areJane, Joe, Bob
. When theowner
owner is anyone else, the values areMark, Jack, Christine
.
Select
→ → → .Name the field
Assign To:
.The Values field in the Basic Settings tab has been left blank because we hard-coded the values in our script.
Under the Attributes tab, in the Field display script field, select the
changeAsigneesPerOwner
script we created above.Fill in the rest of the field definitions as desired and click Save.
Add the field to an incident layout. In this example, add the field to the Authentication incident type.
Create an incident to see what happens when the Owner is set to
Admin
and when the Owner is set to anything else.
Example - Hide Field Based on Context
In this example, we want to hide a field for a new incident form, but display the field when editing the form. We also set field values for a multi-select field in the case of an existing incident.
In this example, use the hideFieldsOnNewIncident
out-of-the-box automation.
incident = demisto.incidents()[0] field = demisto.args()['field'] formType = demisto.args()['formType'] if incident["id"] == "": # This is a new incident, hide the field demisto.results({"hidden": True, "options": []}) else: # This is an existing incident, we want to show the field, to know which values to display options = [] # The field type includes the word select, such as Single select or Multi select if "Select" in demisto.get(field, "type"): # take the options from the field definition options = demisto.get(field, "selectValues") demisto.results({"hidden": False, "options": options})
Go to
→ → .Select the
Malicious Cause
field and click Edit.Under the Field display script field, select the
hideFieldsOnNewIncident
script and click Save.Go to the Incidents page and click New Incident.
Under the Type field, select
GDPR DataBreach.
Scroll down and note that under Mandatory Information, there is no
Malicious Cause
field.Click Create New Incident to save the incident.
Select the incident you just created and click Edit.
Scroll down to the Mandatory Information section and note that the
Malicious Cause
field appears and the options for the field are retrieved from the initial field definition.
Example - Field-change-triggered with Single Select or Multi Select
Go to
→ → .Click the New Field and create a new Incident field of one of the following types:
Single select
Multi select
Click Basic Settings and in the Values section set the values you want to see in the incident layout dropdown list for this field.
Click Attributes and in Script to run when field value changes, select the automation you wrote for this script.
For example:
The following is an example of a single select automation script.
# The custom mapping made for the field mapping_dict = { 'instance1_id' : '123456', 'instance2_id' : '12340987', 'instance3_id' : '79874534', 'instance4_id' : '90927834', 'instance5_id' : '4543452', } val = demisto.args()['new'] # when the script will be triggered this field will hold the new value chosen by the user. mapped_val = mapping_dict.get(val, val) # getting the value from the map. execute_command('setIncident', {'customFields' :{'Single_select_field_example': mapped_val}}) # set the new incident mapped field
The following is an example of a multi select automation script.
mapping_dict = { 'low' : '1', 'medium' : '2', 'high' : '3', 'critical' : '4', } vals = argToList(demisto.args()['new']) # The new value from the user. mapped_list = [mapping_dict.get(v, v) for v in vals] execute_command('setIncident', {'customFields' : {'multi_select_field_example': mapped_list}})
Note
When creating the script, in the Tags section, type field-change-triggered.
Choose the name of your custom fields to replace ‘Single_select_field_example’ or ‘multi_select_field_example’ in the examples above.
Go to
→ → and add the new incident field to an existing layout or create a new layout.On the incident layout edit page, click Fields and Buttons and drag the new incident field you created to the layout.
Save the version.
In the layout display, you will see the values you set in step 3.
Select one of the values. The layout will update with the mapped value as set on the automation related to the incident field.