Use scripts when creating grid fields for an incident. Grid field script. Manipulate and populate data in a grid field in Cortex XSOAR.
You can use scripts to manipulate and populate data in the Grid field. In this example, we will use the following scripts:
Automatically populate a column value when the grid is changed.
Create a new row in the grid manually or as part of a playbook.
Note
If you select the Lock checkbox for a column, only a script can populate the values for that column. If a column is unlocked (default), the column values can be entered manually (by users), or by a script. For a script to be available in the Script upon change drop-down menu, it must have the field-change-triggered
tag.
Grid Field Script Example
In this example, the grid is a shift summary for analysts, who can add comments for the incident during their shift. We want to use a script to automatically populate the Date Logged column with the current date when a user adds a new row to the grid.
Sample script
The ShiftSummariesChange
script is called with an old value and a new value. The script operates in the following phases:
The script gets all new rows, and sets the Date Logged field to now (current day).
For each existing row, if the name matches, but the findings column is not updated, the Date Logged column is also updated.
The Shift Summaries field is saved with the new values using the
setIncident
command.
var newField = args.new ? JSON.parse(args.new) : []; //if line(s) added, set "datelogged" to now. if (oldField.length < newField.length) { // for each new line change date. for(var i=oldField.length; i < newField.length; i++) { newField[i].datelogged = new Date ().toISOString(); } } var columnName = "findings"; // for each old line if the "columnName" has changed, change date to now. for(var i=0; i < oldField.length; i++) { if (newField[i] && oldField[i].fullname === newField[i].fullname && oldField[i][columnName] !== newField[i][columnName]) { newField[i].datelogged = new Date().toISOString(); } } var newVal = {}; newVal[args.cliName] = newField; executeCommand("setIncident", newVal);
Add a Row to a Grid Using a Script
During playbook execution if a malicious finding is discovered, you want to add that finding to a grid. You can use a script in the playbook to add a new row to the grid with the malicious finding.
Sample Script
This is a Python script, which requires 2 arguments:
fieldCliName
: the machine name for the field for which you want to add a new row.Row
: the new row to add the grid. This is a JSON object in lower case characters, with no white space.
fieldCliName = demisto.args().get('field') currentValue = demisto.incidents()[0]["CustomFields"][fieldCliName]; if currentValue is None: currentValue = [json.loads(demisto.args().get('row'))] else: currentValue.append(json.loads(demisto.args().get('row'))) val = json.dumps({ fieldCliName: currentValue }) demisto.results(demisto.executeCommand("setIncident", { 'customFields': val }))