Create dynamic fields - Administrator Guide - 8.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR On-prem Documentation

Product
Cortex XSOAR
Version
8.5
Creation date
2024-03-10
Last date published
2024-11-28
Category
Administrator Guide
Solution
On-prem
Abstract

Create dynamic incident fields using an automation script. Create conditional fields.

Dynamic fields can display different data depending on the field value. You can control which fields display in an incident layout, new/edit, and close forms, and which values display for single-select and multi-select fields. You create a script on the Scripts page and then add the script to a field. Scripts support JavaScript, Python, and PowerShell.

Dynamic fields are useful in the following scenarios:

  • You want specific values to appear in a field when the value of another field is different. For example, if the value in the Owner field is Admin, the values in the assignee field should be Jane, Joe, or Bob. If the value in the Owner field is anything else, the values in the assignee field should be Mark, Jack, or Christine.

  • You can use display scripts to change the value displayed in single-select or multi-select fields in the layout. The field displays a list of options, but when selected, the field may show a different value in the layout than the one selected. For example, in a single-select field, select an incident from a list of incident names, but the field is populated with the incident ID (not the name) of the related incident.

  • When assigning an incident to a user, you want to see only relevant data according to the user’s role.

  1. Create a script.

    1. Go to the Scripts page and select New Script.

    2. Give the script a descriptive name.

    3. Enter a useful description.

    4. Under Tags, select field-display.

      This tag must be applied for the script to be available in the field you want to add the script.

    5. Write the script.

      Cortex XSOAR comes out-of-the-box with the hideFieldsOnNewIncident field-display script, which hides the incident field for new incidents, but appears when editing an incident.

      The field script contains the following.

      Name

      Description

      demisto.incidents

      The incident in which this script is running.

      field

      The field attributes. Add metadata to the field, such as cliName, type, select values, etc. For example, [‘field’] [‘cliName’] is the machine learning name of the field.

      formType

      Enables Cortex XSOAR to process the script in the new, edit, close incident forms. For example, you may want the field to appear in the close form and not in the edit form.

      incident.get (‘field’)

      The field within the incident. For example, incident.get.(‘owner’) retrieves the owner field. If you create a custom field, you need to change this to CustomFields. For example, for the incidentclassification custom field, type:

      if incident.get('CustomFields').get('incidentclassification') .

      demisto.results

      The results to return.

      currentUser

      Specifies the current user. For example, if you want the script to check on a role assigned to user and display the appropriate output, type the following:

      demisto.executeCommand("getUserByUsername", {"username": demisto.args()["currentUser"] })

      Add the information that you want to display according to the user roles.

  2. Create an incident field.

    1. Select Settings & InfoSettingsObject SetupIncidentsIncident FieldsNew.

      If you want to add the script to an existing field, select the field and click Edit.

    2. Under Field Type, select the field type. For example, Single select.

    3. Under Field Name, enter a descriptive name.

    4. Under the Attributes tab, in the Field display script field, select the script you created in step 1.

    5. Complete the remaining field definitions Save the field.

The following example shows how to create a script for the Assignee field, which shows different values depending on the values in the Owner field. If the Owner is defined as admin, and the list of available assignees includes one group. If the Owner is defined as anything else, the list of available assignees includes a different group.

  1. In the Scripts page, copy the hideFieldsOnNewIncident and name it changeAsigneesPerOwner.

  2. In the Description field, enter the following:

    Changes values available in the Assignees field based on the person defined as the owner.

  3. Under Tags, add the field-display tag.

  4. For the script, type the following:

    incident = demisto.incidents()[0]
    field = demisto.args()['field']['cliName']
    if incident.get('owner') == 'admin':
    	demisto.results({'hidden': False, 'options': ['jane','joe', 'bob']})
    else:
    	demisto.results({'hidden': False, 'options': ['mark','jack', 'christine']})

    where

    • demisto.incidents is the incident in which the script is running.

    • incident.get(‘owner’) is the field within the incident.

    • demisto.results tells us whether to hide the field or not, and which values should appear in the field. When the owner field is Admin, the values are Jane, Joe, Bob. When the ownerowner is anyone else, the values are Mark, Jack, Christine.

  5. Select Settings & InfoSettingsObject SetupIncidentsIncident FieldsNew .

    • Name the field Assign To:.

      The Values field in the Basic Settings tab has been left blank because we hard-coded the values in our script.

    • Under the Attributes tab, in the Field display script field, select the changeAsigneesPerOwner script we created above.

    • Fill in the rest of the field definitions as desired and click Save.

  6. Add the field to an incident layout.

  7. Create an incident to see what happens when the Owner is set to Admin and when the Owner is set to anything else.

In this example, you need to hide a field in the new incident form but display the field when editing the form. You also set field values for a multi-select field in the case of an existing incident.

Before you begin, download the GDPR content pack.

In this example, use the hideFieldsOnNewIncident out-of-the-box script.

incident = demisto.incidents()[0]
field = demisto.args()['field']
formType = demisto.args()['formType']
if incident["id"] == "":
	# This is a new incident, hide the field    
	demisto.results({"hidden": True, "options": []})
else:    
	# This is an existing incident, we want to show the field, to know which values to display    
	options = []
	# The field type includes the word select, such as Single select or Multi select
	if "Select" in demisto.get(field, "type"):
		# take the options from the field definition
		options = demisto.get(field, "selectValues")
	demisto.results({"hidden": False, "options": options})
  1. Go to Settings & InfoSettingsObject SetupIncidentsIncident Fields.

  2. Select the Malicious Cause (if the cause is a malicious attack) field and click Edit.

  3. Under the Field display script field, select the hideFieldsOnNewIncident script and click Save.

  4. Go to the Incidents page and click New Incident.

  5. Under the Type field, select GDPR DataBreach.

    Scroll down and note that under Mandatory Information, there is no Malicious Cause field.

  6. Click Create New Incident to save the incident.

  7. Select the incident you just created and click Edit.

    Scroll down to the Mandatory Information section and note that the Malicious Cause field appears and the options for the field are retrieved from the initial field definition.