Create dynamic incident fields using an automation script. Create conditional fields.
Dynamic fields can display different data depending on the field value. You can control which fields display in an incident form, and which values display for single-select and multi-select fields. You need to create a script in the Scripts page and then add the script to a field. Scripts support JavaScript, Python, and PowerShell.
Dynamic fields are useful in the following scenarios:
You want specific values to appear in a field when the value of another field is different. For example, if the value in the Owner field is
Admin
, the values in the assignee field should beJane
,Joe
, orBob
. If the value in the Owner field is anything else, the values in the assignee field should beMark
,Jack
, orChristine
.You can use display scripts to change the value displayed in single select or multi select fields in the layout. This means that the form would display a list of labels but when you select one of the labels, the field would be set to a value that would not necessarily be the same as the value displayed.
For example, you need to select an incident to relate to the current incident. You select one from the list of incident names. The field is populated with the incident ID (not the name) of the related incident.
You want to see only relevant data according to the user’s role, when assigning an incident to a user.
Create a script.
Go to the Scripts page and select New Script.
Give the script a descriptive name.
Enter a useful description.
Under Tags, from the dropdown list, select
field-display
.This tag must be applied for the script to be available to be used on the field.
Write the script.
The Common Scripts content pack includes the
hideFieldsOnNewIncident
script, which hides the incident field for new incidents, but appears when editing an incident. To see how to chang ethe owner field dynamically, go to Change Field Values Dynamically.The field script contains the following.
Name
Description
demisto.incidents
The incident in which this script is running.
field
The field attributes. Add metadata to the field, such as
cliName
,type
,select values
, etc. For example,[‘field’] [‘cliName’]
is the machine learning name of the field.formType
Enables Cortex XSOAR to process the script in the
new
,edit
,close
incident forms. For example, you may want the field to appear in the close form and not in the edit form.incident.get (‘
field’)
The field within the incident. For example,
incident.get.(‘owner’)
retrieves theowner
field. If you create a custom field, you need to change this toCustomFields
. For example, for theincidentclassification
custom field, type:if incident.get('CustomFields').get('incidentclassification')
.demisto.results
The results to return.
currentUser
Specifies the current user. For example, if you want the script to check on a role assigned to user and display the appropriate output, type the following:
demisto.executeCommand("getUserByUsername", {"username": demisto.args()["currentUser"] })
Add the information that you want to display according to the user roles.
Create a new field.
Select
→ → → → → .If you want to add the script to an existing field, select the field and click Edit.
Under Field Type, select the field type. For example, Single select.
Under Field Name, enter a descriptive name.
Under the Attributes tab, in the Field display script field, select the script you created in step 1.
Complete the remaining field definitions Save the field.
Change Field Values Dynamically
The following example shows how to create a script for the Assignee field, which shows different values depending on the values in the Owner field. If the Owner is defined as ‘admin’, the list of available assignees includes one group. If the Owner is defined as anything else, the list of available assignees includes a different group.
In the Scripts page, copy the
hideFieldsOnNewIncident
and name itchangeAsigneesPerOwner
.In the Description field, enter the following:
Changes values available in the Assignees field based on the person defined as the owner.
Under Tags, add the
field-display
tag.For the script, type the following:
incident = demisto.incidents()[0] field = demisto.args()['field']['cliName'] if incident.get('owner') == 'admin': demisto.results({'hidden': False, 'options': ['jane','joe', 'bob']}) else: demisto.results({'hidden': False, 'options': ['mark','jack', 'christine']})
where
demisto.incidents
is the incident in which the script is running.incident.get(‘owner’)
is the field within the incident.demisto.results
tells us whether to hide the field or not, and which values should appear in the field. When theowner
field isAdmin
, the values areJane, Joe, Bob
. When theowner
owner is anyone else, the values areMark, Jack, Christine
.
Select
→ → → → → .Name the field
Assign To:
.The Values field in the Basic Settings tab has been left blank because we hard-coded the values in our script.
Under the Attributes tab, in the Field display script field, select the
changeAsigneesPerOwner
script we created above.Fill in the rest of the field definitions as desired and click Save.
Add the field to an incident layout. In this example, add the field to the Authentication incident type.
Create an incident to see what happens when the Owner is set to
Admin
and when the Owner is set to anything else.
Hide a Field Based on Context
In this example, you need to hide a field for a new incident form, but display the field when editing the form. You also set field values for a multi-select field in the case of an existing incident.
In this example, use the hideFieldsOnNewIncident
out-of-the-box script.
incident = demisto.incidents()[0] field = demisto.args()['field'] formType = demisto.args()['formType'] if incident["id"] == "": # This is a new incident, hide the field demisto.results({"hidden": True, "options": []}) else: # This is an existing incident, we want to show the field, to know which values to display options = [] # The field type includes the word select, such as Single select or Multi select if "Select" in demisto.get(field, "type"): # take the options from the field definition options = demisto.get(field, "selectValues") demisto.results({"hidden": False, "options": options})
Go to
→ → → → .Select the
Malicious Cause
field and click Edit.Under the Field display script field, select the
hideFieldsOnNewIncident
script and click Save.Go to the Incidents page and click New Incident.
Under the Type field, select
GDPR DataBreach.
Scroll down and note that under Mandatory Information, there is no
Malicious Cause
field.Click Create New Incident to save the incident.
Select the incident you just created and click Edit.
Scroll down to the Mandatory Information section and note that the
Malicious Cause
field appears and the options for the field are retrieved from the initial field definition.
Field-change-triggered with Single Select or Multi Select
Go to
→ → → → .Click New and create a new Incident field of one of the following types:
Single select
Multi select
Click Basic Settings and in the Values section set the values you want to see in the incident layout dropdown list for this field.
Click Attributes and in Script to run when field value changes, select the script.
This is an example of a single select script.
# The custom mapping made for the field mapping_dict = { 'instance1_id' : '123456', 'instance2_id' : '12340987', 'instance3_id' : '79874534', 'instance4_id' : '90927834', 'instance5_id' : '4543452', } val = demisto.args()['new'] # when the script will be triggered this field will hold the new value chosen by the user. mapped_val = mapping_dict.get(val, val) # getting the value from the map. execute_command('setIncident', {'customFields' :{'Single_select_field_example': mapped_val}}) # set the new incident mapped field
This an example of a multi select script.
mapping_dict = { 'low' : '1', 'medium' : '2', 'high' : '3', 'critical' : '4', } vals = argToList(demisto.args()['new']) # The new value from the user. mapped_list = [mapping_dict.get(v, v) for v in vals] execute_command('setIncident', {'customFields' : {'multi_select_field_example': mapped_list}})
Note
When creating the script, in the Tags section, type field-change-triggered.
Choose the name of your custom fields to replace ‘Single_select_field_example’ or ‘multi_select_field_example’ in the examples above.
Go to
→ → → → and add the new incident field to an existing layout or create a new layout.In the incident layout edit page, click Fields and Buttons and drag the new incident field you created to the layout.
Save the version.
In the layout display, you will see the values you set in step 3.
Select one of the values. The layout will update with the mapped value as set on the script related to the incident field.