Configure threat intel report layouts. Add automation script based content to an indicator in Cortex XSOAR. Add a script in the layout.
Each out-of-the-box threat intel type comes with its own associated layout. You can customize almost every aspect of the layout, including which tabs appear, in which order they appear, who has permissions to view the tabs, and which information appears and how it is displayed.
Out-of-the-box and custom report types appear in the
→ tab. The name of the layout for the out-of-the-box reports appears in the → tab.
To customize the layout of an out-of-the-box report, you can do any of the following:
Duplicate and edit the report layout, and then edit the report type to add the new layout.
Detach the layout and edit it.
While a report layout is detached, it does not receive content pack updates. If you detach a report type layout, make edits, and later want to receive content pack updates for that layout, we recommend you duplicate the report layout before reattaching the original, to protect your changes from content pack updates.
Create a new layout, detach the report type, and then edit the report type to add the new layout.
The following procedure describes how to create a new layout, but you can follow similar steps to customize an existing layout (using the guidelines mentioned above).
Go to
→ → → .
Click to add a New Layout.
Customize the tabs.
If relevant, create a New tab.
Edit a tab’s name by clicking the tab.
Click and drag a tab to reorder the tabs.
Click the cog wheel icon and then configure any of the following options:
Rename
Duplicate
Delete
Hide Empty Fields
The setting that you configure in the layout becomes the default value seen in the report for the specific tab, which can then be overridden. You can also set a global default value using the UI.summary.page.hide.empty.fields server configuration, which can also be overridden for a specific tab.
Hide Tab
Format for exporting
Build your layout based on A4 proportions to match the format used for exporting. Selecting this option hides the tab by default, but the tab will remain available for export.
Viewing Permissions
When clicking Viewing permissions, select which roles can view the tabs.
Display Filter
Enables you to add or view a filter applied to the tab. If the filters apply, the specific fields or tabs are shown in the layout. If the mandatory field is not shown in the layout, the user is not obliged to complete it.
Add sections to the layout.
From the Library section, in the Cortex XSOAR Sections drag and drop the required sections as follows:
Section: Description
New Section: After creating a new section, click the Fields and Buttons tab and drag and drop the fields as required.
General Purpose Dynamic Section: Enables you to Add a Script in the Threat Intel Report Layout.
Relationships: Enables you to manually create a relationship between the report and an indicator.
Define the section properties.
You can determine how a section appears in the layout. For example, does the section include the section header? You can also configure the fields to appear in rows or as cards. For example, if you know that some of the field values will be very long, you are better off using rows. If you know that the field values are short, you might want to use cards so you can fit more fields in a section.
Select the section, click and then click Edit section settings.
Edit the section as required and click OK.
Click Save or Save Version.
To remove or duplicate a section, select the section, click and select the relevant option.
Add the layout to the report type.
Go to
→ → → .
Select the report type and click Edit.
In the Layout field, from the dropdown list, add the customized layout.
If the layout you created was for a new report type that was based on an out-of-the-box threat intel report type, you can contribute it to Marketplace.
Go to the Marketplace page and click Contribute Content on the Contributions tab. From the dropdown menu, select Layouts, add the new report type you want to contribute to Marketplace, and click Save and Contribute.
Complete the information in the Contribute form and click Contribute.
Add a Script in the Threat Intel Report Layout
You can add content to threat intel report layouts, based on an automation script. You need to add the General Purpose Dynamic Section when editing layouts.
The General Purpose Dynamic Section allows you to configure a section in a layout tab from an automation script. The automation can return simple text, markdown, or HTML, and the result appears in the General Purpose Dynamic Section. You can add any required information from an automation. Before you begin, you need to create an automation script.
The following is an example of a script that can be added. This script can be used to add a button to the layout that sets a threat intel report as published.
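import demistomock as demisto  # noqa: F401
from CommonServerPython import *  # noqa: F401
from datetime import datetime, timezone

def publish():
    # Timestamp the publication in UTC
    now_utc = datetime.now(timezone.utc)
    # The report is read from the 'object' argument
    report = demisto.args().get('object')
    object_id = report.get('id')
    # Fetch the role names that are set as read-only roles on the report
    roles = execute_command('getRoles', {})
    execute_command(
        'setThreatIntelReport',
        {
            'id': object_id,
            'xsoarReadOnlyRoles': demisto.dt(roles, 'DemistoRoles.name'),
            'reportstatus': 'Published',
            'published': now_utc.isoformat(),
        },
    )
    demisto.results('ok')

if __name__ in ('__main__', '__builtin__', 'builtins'):
    publish()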
Edit the relevant threat intel report layout.
Drag and drop the General Purpose Dynamic Section onto the page.
Select the General Purpose Dynamic Section, click and then Edit section settings.
In the Name and Description fields, add a meaningful name and a description for the dynamic section that explains what the script displays.
In the Automation script field, from the dropdown list, select the script that returns data for the dynamic section.
Note
Only automations to which you have added the general-dynamic-section tag appear in the dropdown list.
Click OK.
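The following added example (not part of the original documentation or of Cortex XSOAR content) shows the rendering step of a dynamic-section script that returns markdown, with report field values escaped so that text inside a report cannot change the section's markup. The 'name' field and the constructed sample report are assumptions; 'id', 'reportstatus' and 'published' are the keys used in the script above.

```python
import html
import re

# Constructed sample report. 'id', 'reportstatus' and 'published' are the keys
# the page's script uses; 'name' is an assumed field name.
SAMPLE_REPORT = {
    "id": "constructed-1",
    "name": "Q3 | <b>summary</b>\n[ref](http://example.invalid)",
    "reportstatus": "Draft",
    "published": None,
}


def md_escape(value) -> str:
    """Neutralise characters that would change the section's markup."""
    text = re.sub(r"\s+", " ", str(value)).strip()   # no row-breaking newlines
    text = html.escape(text, quote=False)            # no raw HTML tags
    return re.sub(r"([\\`*_\[\]|])", r"\\\1", text)  # no Markdown syntax


def render_report_section(report: dict) -> str:
    """Build the Markdown table a dynamic-section script would return."""
    rows = [
        ("Name", report.get("name")),
        ("Status", report.get("reportstatus")),
        ("Published", report.get("published")),
    ]
    lines = ["| Field | Value |", "| --- | --- |"]
    for label, value in rows:
        shown = "N/A" if value in (None, "") else md_escape(value)
        lines.append(f"| {label} | {shown} |")
    return "\n".join(lines)


if __name__ == "__main__":
    # In XSOAR the report would come from the 'object' argument, as in the
    # page's script, and this string would be returned as the script result.
    print(render_report_section(SAMPLE_REPORT))
```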