Use Scripts with the Grid Field - Administrator Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.9
Creation date
2022-09-29
Last date published
2024-10-07
End_of_Life
EoL
Category
Administrator Guide
Abstract

Use scripts when creating grid fields for an incident. Grid field script. Manipulate and populate data in a grid field in Cortex XSOAR.

You can use scripts to manipulate and populate data in the Grid field. In this example, we will use the following scripts:

  • Automatically populate a column value when the grid is changed.

  • Create a new row in the grid manually or as part of a playbook.

Note

If you select the Lock checkbox for a column, only a script can populate the values for that column. If a column is unlocked (default), the column values can be entered manually (by users), or by a script. For a script to be available in the Script upon change drop-down menu, it must have the field-change-triggered tag.

Grid Field Script Example

In this example, the grid is a shift summary for analysts, who can add comments for the incident during their shift. We want to use a script to automatically populate the Date Logged column with the current date when a user adds a new row to the grid.

Sample script

The ShiftSummariesChange script is called with an old value and a new value. The script operates in the following phases:

  • The script gets all new rows, and sets the Date Logged field to now (current day).

  • For each existing row, if the name matches, but the findings column is not updated, the Date Logged column is also updated.

  • The Shift Summaries field is saved with the new values using the setIncident command.

var newField = args.new ? JSON.parse(args.new)  : [];
//if line(s) added, set "datelogged" to now.
if (oldField.length < newField.length) {
    // for each new line change date.    
    for(var i=oldField.length; i < newField.length; i++) {
        newField[i].datelogged = new Date ().toISOString();
    }
}
var columnName = "findings";
// for each old line if the "columnName" has changed, change date to now.
for(var i=0; i < oldField.length; i++) {
    if (newField[i] && oldField[i].fullname === newField[i].fullname &&
    oldField[i][columnName] !== newField[i][columnName]) {
        newField[i].datelogged = new Date().toISOString();
    }
}
var newVal = {};
newVal[args.cliName] = newField;
executeCommand("setIncident", newVal);
Add a Row to a Grid Using a Script

During playbook execution if a malicious finding is discovered, you want to add that finding to a grid. You can use a script in the playbook to add a new row to the grid with the malicious finding.

Sample Script

This is a Python script, which requires 2 arguments:

  • fieldCliName: the machine name for the field for which you want to add a new row.

  • Row: the new row to add the grid. This is a JSON object in lower case characters, with no white space.

fieldCliName = demisto.args().get('field')
currentValue = demisto.incidents()[0]["CustomFields"][fieldCliName];

if currentValue is None:
    currentValue = [json.loads(demisto.args().get('row'))]
else:
    currentValue.append(json.loads(demisto.args().get('row')))

val = json.dumps({ fieldCliName: currentValue })
demisto.results(demisto.executeCommand("setIncident", { 'customFields': val }))