Examples of using scripts in incident layouts - Administrator Guide - 8.5 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR On-prem Documentation

Product: Cortex XSOAR
Version: 8.5
Creation date: 2024-03-10
Last date published: 2024-10-06
Category: Administrator Guide
Solution: On-prem
Abstract

Examples of using scripts in incident layouts in Cortex XSOAR.

The following are examples of scripts that are supported in incident layouts:

A valid result for a chart widget is a list of groups. Each group points to a single entity. For example, in bar charts, each group is a bar. A group consists of the following:

  • Name: A string.

  • Data: An array of integers.

  • Color: A string representing a color that will be used as a default color for that group. It can be the name of the color, a hexadecimal representation of the color, or an RGB color value (optional).

  • Groups: A nested list of groups (optional).

Horizontal bar

In this example, create a script in Python that displays a horizontal bar of the indicators by severity.

After you have uploaded the script and created the widget, you can add the widget to an incident layout. The following widget displays:

vertical-bar-graph.png
Vertical bar

In this example, create a script in Python that displays a vertical bar of the indicators by severity.

After you have uploaded the script and created the widget, you can add the widget to an incident layout. The following widget displays:

horizontal-bar-graph3.png
Stacked bar

In this example, create a script in Python that displays a stacked bar showing the successes and failures on specific dates.

After you have uploaded the script and created the widget, you can add the widget to an incident layout. The following widget displays:

horizontal-bar-graph2.png
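
The horizontal bar by severity described above, written out as an added example that is not the page's own script: it counts constructed sample indicators by severity into the group structure defined at the top of the page (name, data, color) and wraps the groups in the Type 17 entry that the page's pie chart example uses. The indicator list, the score-to-severity mapping and the ContentsFormat value "bar" are assumptions (the page itself only shows "pie", "duration" and "number"); demisto is the object the XSOAR script runtime injects.

```python
from collections import Counter

# Constructed sample indicators; "score" assumed to be the 0-3 DBot score.
SAMPLE_INDICATORS = [
    {"value": "198.51.100.7", "score": 3},
    {"value": "evil.example", "score": 2},
    {"value": "203.0.113.9", "score": 1},
    {"value": "198.51.100.8", "score": 3},
]
# Severity names and colors reuse the page's pie chart example.
SEVERITY_COLORS = {
    "high": "rgb(255, 23, 68)",
    "medium": "rgb(255, 144, 0)",
    "low": "rgb(0, 205, 51)",
    "unknown": "rgb(197, 197, 197)",
}
SCORE_TO_SEVERITY = {3: "high", 2: "medium", 1: "low", 0: "unknown"}

def validate_groups(groups):
    """Enforce the group schema the page states: name str, data list of
    ints, color (optional) str, groups (optional) nested list of groups."""
    for g in groups:
        if not isinstance(g.get("name"), str):
            raise ValueError("group name must be a string: %r" % (g,))
        data = g.get("data")
        if not isinstance(data, list) or not all(isinstance(x, int) for x in data):
            raise ValueError("group data must be a list of integers: %r" % (g,))
        if "color" in g and not isinstance(g["color"], str):
            raise ValueError("group color must be a string: %r" % (g,))
        if g.get("groups"):
            validate_groups(g["groups"])  # nested groups follow the same rules
    return True

def severity_groups(indicators):
    """One group (one bar) per severity, in fixed order, counting indicators."""
    counts = Counter(SCORE_TO_SEVERITY.get(i.get("score"), "unknown") for i in indicators)
    return [{"name": sev, "data": [counts.get(sev, 0)], "color": color}
            for sev, color in SEVERITY_COLORS.items()]

def bar_widget(groups, layout="horizontal"):
    """Wrap validated groups in the Type 17 entry a widget script returns;
    ContentsFormat "bar" is assumed, mirroring the page's "pie" example."""
    validate_groups(groups)
    return {"Type": 17, "ContentsFormat": "bar",
            "Contents": {"stats": groups, "params": {"layout": layout}}}

# Inside XSOAR the injected demisto object hands the entry to the widget.
if __name__ in ("__main__", "__builtin__", "builtins") and "demisto" in globals():
    demisto.results(bar_widget(severity_groups(SAMPLE_INDICATORS)))  # noqa: F821
```

Passing layout="vertical" to bar_widget produces the vertical bar variant from the same groups.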
Line chart

In this example, create a script in JavaScript that displays, as a line chart, how many GitHub issues were created each week for Content, Documentation, and Platform.

After you have uploaded the script and created the widget, you can add the widget to an incident layout. The following widget displays:

widget-line.png

Pie chart

In this example, create a script in Python that queries indicator severity and returns the result as a pie chart.

# demisto is provided by the Cortex XSOAR script runtime. Type 17 marks a
# widget entry and ContentsFormat selects the pie chart. Each group in
# "stats" is one slice: a name, a single-value data array and a color.
data = {
    "Type": 17,
    "ContentsFormat": "pie",
    "Contents": {
        "stats": [
            {
                "data": [1],
                "groups": None,
                "name": "high",
                "label": "incident.severity.high",
                "color": "rgb(255, 23, 68)"
            },
            {
                "data": [1],
                "groups": None,
                "name": "medium",
                "label": "incident.severity.medium",
                "color": "rgb(255, 144, 0)"
            },
            {
                "data": [2],
                "groups": None,
                "name": "low",
                "label": "incident.severity.low",
                "color": "rgb(0, 205, 51)"
            },
            {
                "data": [8],
                "groups": None,
                "name": "unknown",
                "label": "incident.severity.unknown",
                "color": "rgb(197, 197, 197)"
            }
        ],
        "params": {
            "layout": "horizontal"
        }
    }
}

demisto.results(data)

After you have uploaded the script and created the widget, you can add the widget to an incident layout. The following widget displays indicator severity as a pie chart:

pie-chart.png

Duration

In this example, create a script in Python that returns a time duration (in seconds), which the widget displays as a countdown clock.

# demisto is provided by the Cortex XSOAR script runtime. "stats" is the
# duration in seconds: 3 days, 10 hours and 30 minutes in this example.
data = {
    "Type": 17,
    "ContentsFormat": "duration",
    "Contents": {
        "stats": 60 * (30 + 10 * 60 + 3 * 60 * 24),
        # Display options for the widget, kept as in the original example.
        "params": {
            "layout": "horizontal",
            "name": "Lala",
            "sign": "@",
            "colors": {
                "items": {
                    "#00CD33": {
                        "value": 10
                    },
                    "#FAC100": {
                        "value": 20
                    },
                    "green": {
                        "value": 40
                    }
                }
            },
            "type": "above"
        }
    }
}

demisto.results(data)

After you have uploaded the script and created the widget, you can add the widget to an incident layout. The following widget displays the time duration:

duration.png

Number

This example shows how to create a single-item widget that displays a number.

# demisto is provided by the Cortex XSOAR script runtime. For a plain
# number widget, "stats" is the single value to display.
data = {
    "Type": 17,
    "ContentsFormat": "number",
    "Contents": {
        "stats": 53,
        # Display options for the widget, kept as in the original example.
        "params": {
            "layout": "horizontal",
            "name": "Lala",
            "sign": "@",
            "colors": {
                "items": {
                    "#00CD33": {
                        "value": 10
                    },
                    "#FAC100": {
                        "value": 20
                    },
                    "green": {
                        "value": 40
                    }
                }
            },
            "type": "above"
        }
    }
}

demisto.results(data)

After you have uploaded the script and created the widget, you can add the widget to an incident layout. The following widget displays:

number.png

Number trend

This example shows how to create a single-item widget that displays a number trend.

# demisto is provided by the Cortex XSOAR script runtime. For a trend,
# "stats" carries the previous and current values so the widget can show
# the current number together with the change since the previous one.
data = {
    "Type": 17,
    "ContentsFormat": "number",
    "Contents": {
        "stats": {"prevSum": 53, "currSum": 60},
        # Display options for the widget, kept as in the original example.
        "params": {
            "layout": "horizontal",
            "name": "Lala",
            "sign": "@",
            "colors": {
                "items": {
                    "#00CD33": {
                        "value": 10
                    },
                    "#FAC100": {
                        "value": 20
                    },
                    "green": {
                        "value": 40
                    }
                }
            },
            "type": "above"
        }
    }
}

demisto.results(data)

After you have uploaded the script and created the widget, you can add the widget to an incident layout. The following widget displays:

number-trend.png

Note information

This example shows how to add note information to an incident layout using a script that calls the API.

  1. Install the Cortex REST API content pack and add a Core REST API instance.

  2. Go to the Scripts page and add the following script:

    commonfields:
      id: ShowLastNoteUserAndDate
      version: -1
    name: ShowLastNoteUserAndDate
    script: |2
    
      // Fetch the most recent note entry of the investigation via the Core REST API instance.
      function getLastNote(incidentID) {
          var body = {pageSize: 1, categories: ['notes']};
          var res = executeCommand('demisto-api-post', {uri: '/investigation/' + incidentID, body: body});
          if (isError(res[0])) {
              throw 'demisto-api-post failed for incident #' + incidentID + '\nbody is ' + JSON.stringify(body) + '\n' + JSON.stringify(res);
          }
          if (!res[0].Contents.response.entries) {
              return null;
          }
          var notes = res[0].Contents.response.entries;
          var lastNote = notes[notes.length - 1];
          return lastNote;
      }

      // incidents[0] is the incident whose layout runs this dynamic section.
      var lastNote = getLastNote(incidents[0].id);

      if (lastNote) {
          // Render the note author, date and body as a markdown entry.
          var md = `#### Update by ${lastNote.user} on ${lastNote.modified.split('T')[0]}\n`;
          md += `\n---\n`;
          md += lastNote.contents + '\n';

          return { ContentsFormat: formats.markdown, Type: entryTypes.note, Contents: md };
      } else {
          return 'N/A';
      }
    type: javascript
    tags:
    - dynamic-section
    enabled: true
    scripttarget: 0
    runonce: false
    runas: DBotWeakRole
    
  3. Add the script to the layout and then add the layout to the incident type.

  4. Go to the incident to view the note information.

    You can see note information, containing the last user and date.

    incident-note.png