Configure Threat Intel Report Layouts

Cortex XSOAR Threat Intel Management Guide

Product: Cortex XSOAR
Version: 6.9
Creation date: 2022-09-29
Last date published: 2024-03-05
End_of_Life: EoL
Category: Threat Intel Management Guide

Abstract: Configure threat intel report layouts. Add automation script based content to an indicator in Cortex XSOAR. Add a script in the layout.

Each out-of-the-box threat intel type comes with its own associated layout. You can customize almost every aspect of the layout, including which tabs appear, in which order they appear, who has permissions to view the tabs, and which information appears and how it is displayed.

Out-of-the-box and custom report types appear in the Threat Intel Reports > Types tab. The name of the layout for the out-of-the-box reports appears in the Threat Intel Reports > Layouts tab.

To customize the layout of an out-of-the-box report, you can do any of the following:

  • Duplicate and edit the report layout, and then edit the report type to add the new layout.

  • Detach the layout and edit it.

    While a report layout is detached, it does not receive content pack updates. If you detach a report type layout, make edits, and later want to receive content pack updates for that layout, we recommend you duplicate the report layout before reattaching the original, to protect your changes from content pack updates.

  • Create a new layout, detach the report type, and then edit the report type to add the new layout.

The following procedure describes how to create a new layout, but you can follow similar steps to customize an existing layout (using the guidelines mentioned above).

  1. Go to Settings > OBJECTS SETUP > Threat Intel Reports > Layouts.

  2. Click to add a New Layout.

  3. Customize the tabs.

    1. If relevant, create a New tab.

    2. Edit a tab’s name by clicking the tab.

    3. Click and drag a tab to reorder the tabs.

    4. Click the cog wheel icon and then configure any of the following options:

      • Rename

      • Duplicate

      • Delete

      • Hide Empty Fields

        The setting that you configure in the layout becomes the default value seen in the report for the specific tab, which can then be overridden. You can also set a global default value using the UI.summary.page.hide.empty.fields server configuration, which can also be overridden for a specific tab.

      • Hide Tab

      • Format for exporting

        Build your layout based on A4 proportions to match the format used for exporting. Selecting this option hides the tab by default, but the tab will remain available for export.

      • Viewing Permissions

        When clicking Viewing permissions, select which roles can view the tabs.

      • Display Filter

        Enables you to add or view a filter applied to the tab. If the filters apply, the specific fields or tabs are shown in the layout. If a mandatory field is not shown in the layout, the user is not obliged to complete it.

  4. Add sections to the layout.

    1. In the Library section, under Cortex XSOAR Sections, drag and drop the required sections as follows:

      | Section | Description |
      |---|---|
      | New Section | After creating a new section, click the Fields and Buttons tab and drag and drop the fields as required. |
      | General Purpose Dynamic Section | Enables you to Add a Script in the Threat Intel Report Layout. |
      | Relationships | Enables you to manually create a relationship between the report and an indicator. |

  5. Define the section properties.

    You can determine how a section appears in the layout. For example, does the section include the section header? You can also configure the fields to appear in rows or as cards. For example, if you know that some of the field values will be very long, you are better off using rows. If you know that the field values are short, you might want to use cards so you can fit more fields in a section.

    1. Select the section, click the edit (pencil) icon, and then click Edit section settings.

    2. Edit the section as required and click OK.

    3. Click Save or Save Version.

  6. To remove or duplicate a section, select the section, click the edit (pencil) icon, and select the relevant option.

  7. Add the layout to the report type.

    1. Go to Settings > OBJECTS SETUP > Threat Intel Reports > Types.

    2. Select the report type and click Edit.

    3. In the Layout field, from the dropdown list, add the customized layout.

  8. If the layout you created was for a new report type that was based on an out-of-the-box threat intel report type, you can contribute it to Marketplace.

    1. Go to the Marketplace page and click Contribute Content on the Contributions tab. From the dropdown menu, select Layouts, add the new report type you want to contribute to Marketplace, and click Save and Contribute.

    2. Complete the information in the Contribute form and click Contribute.

Add a Script in the Threat Intel Report Layout

You can add content to threat intel report layouts, based on an automation script. You need to add the General Purpose Dynamic Section when editing layouts.

The General Purpose Dynamic Section allows you to configure a section in a layout tab from an automation script. The automation can return simple text, markdown, or HTML, and the result appears in the General Purpose Dynamic Section. You can add any required information from an automation. Before you begin, you need to create an automation script.

The following is an example of a script that can be added. This script can be used to add a button to the layout that sets a threat intel report as published.

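import demistomock as demisto  # noqa: F401
from CommonServerPython import *  # noqa: F401

from datetime import datetime, timezone


def publish():
    # Timestamp the publication in UTC.
    now_utc = datetime.now(timezone.utc)
    # demisto.args() takes no parameters and returns the argument dict;
    # the report is read from its 'object' key.
    report = demisto.args().get('object')
    object_id = report.get('id')
    roles = execute_command('getRoles', {})

    # Mark the report as published and pass every role name returned by
    # getRoles as xsoarReadOnlyRoles.
    execute_command(
        'setThreatIntelReport',
        {
            'id': object_id,
            'xsoarReadOnlyRoles': demisto.dt(
                roles, 'DemistoRoles.name'
            ),
            'reportstatus': 'Published',
            'published': now_utc.isoformat(),
        },
    )

    demisto.results('ok')


if __name__ in ('__main__', '__builtin__', 'builtins'):
    publish()

  1. Edit the relevant threat intel report layout.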

  2. Drag and drop the General Purpose Dynamic Section onto the page.

  3. Select the General Purpose Dynamic Section, click the edit (pencil) icon, and then click Edit section settings.

  4. In the Name and Description fields, add a meaningful name and a description for the dynamic section that explains what the script displays.

  5. In the Automation script field, from the dropdown list, select the script that returns data for the dynamic section.

    Note

    Only automations to which you have added the general-dynamic-section tag appear in the dropdown list.

  6. Click OK.
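
A dynamic-section automation that returns markdown, shown here as an added example that is not code from the product documentation: it renders the report's status, publication time, and read-only roles as a table, and escapes each field value so that a value containing markdown or table syntax cannot alter the rendered section. The field names come from the publish script above; that they are top-level keys of the `object` argument, the literal entry values, and the runtime-injected `demisto` global are assumptions.

```python
import re

# Constructed sample; field names are assumed from the publish() script on this page.
SAMPLE_REPORT = {
    'id': '42',
    'reportstatus': 'Published\n| injected | row |',  # hostile value
    'published': '2024-03-05T10:00:00+00:00',
    'xsoarReadOnlyRoles': ['Analyst', 'Read|Only'],
}

_MD_CONTROL = re.compile(r'([\\`*_\[\]()<>|!#])')


def md_escape(value):
    """Backslash-escape markdown/HTML control characters and flatten newlines."""
    text = '' if value is None else str(value)
    text = text.replace('\r', ' ').replace('\n', ' ')
    return _MD_CONTROL.sub(r'\\\1', text)


def render_status(report):
    """Return a three-row markdown table describing the report's publication state."""
    roles = report.get('xsoarReadOnlyRoles') or []
    if isinstance(roles, str):
        roles = [roles]
    rows = [
        ('Status', report.get('reportstatus') or 'not set'),
        ('Published (UTC)', report.get('published') or 'not set'),
        ('Read-only roles', ', '.join(str(r) for r in roles) or 'none'),
    ]
    lines = ['| Field | Value |', '|---|---|']
    lines += ['| {} | {} |'.format(k, md_escape(v)) for k, v in rows]
    return '\n'.join(lines)


def main(demisto):
    report = demisto.args().get('object') or {}
    demisto.results({
        'Type': 1,                     # entryTypes['note']
        'ContentsFormat': 'markdown',  # formats['markdown']
        'Contents': render_status(report),
    })


if __name__ in ('__main__', '__builtin__', 'builtins'):
    runtime = globals().get('demisto')  # assumed to be injected by the XSOAR script runtime
    if runtime is None:
        print(render_status(SAMPLE_REPORT))  # offline run on the constructed sample
    else:
        main(runtime)
```

Add the general-dynamic-section tag to the script so that it appears in the Automation script dropdown list.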