Create Dynamic Fields in Incident Forms - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide

Create dynamic incident fields using an automation script. Create conditional fields.

Dynamic fields can display different data depending on the field value. You can control which fields display in an incident form, and which values display for single-select and multi-select fields. You need to create a script in the Scripts page and then add the script to a field. Scripts support JavaScript, Python, and PowerShell.

Dynamic fields are useful in the following scenarios:

  • You want specific values to appear in a field when the value of another field is different. For example, if the value in the Owner field is Admin, the values in the assignee field should be Jane, Joe, or Bob. If the value in the Owner field is anything else, the values in the assignee field should be Mark, Jack, or Christine.

  • You can use display scripts to change the value displayed in single select or multi select fields in the layout. This means that the form would display a list of labels but when you select one of the labels, the field would be set to a value that would not necessarily be the same as the value displayed.

    For example, you need to select an incident to relate to the current incident. You select one from the list of incident names. The field is populated with the incident ID (not the name) of the related incident.

  • You want to see only relevant data according to the user’s role, when assigning an incident to a user.

  1. Create a script.

    1. Go to the Scripts page and select New Script.

    2. Give the script a descriptive name.

    3. Enter a useful description.

    4. Under Tags, from the dropdown list, select field-display.

      This tag must be applied for the script to be available to be used on the field.

    5. Write the script.

      The Common Scripts content pack includes the hideFieldsOnNewIncident script, which hides the incident field for new incidents, but appears when editing an incident. To see how to chang ethe owner field dynamically, go to Change Field Values Dynamically.

      The field script contains the following.




      The incident in which this script is running.


      The field attributes. Add metadata to the field, such as cliName, type, select values, etc. For example, [‘field’] [‘cliName’] is the machine learning name of the field.


      Enables Cortex XSOAR to process the script in the new, edit, close incident forms. For example, you may want the field to appear in the close form and not in the edit form.

      incident.get (‘field’)

      The field within the incident. For example, incident.get.(‘owner’) retrieves the owner field. If you create a custom field, you need to change this to CustomFields. For example, for the incidentclassification custom field, type:

      if incident.get('CustomFields').get('incidentclassification') .


      The results to return.


      Specifies the current user. For example, if you want the script to check on a role assigned to user and display the appropriate output, type the following:

      demisto.executeCommand("getUserByUsername", {"username": demisto.args()["currentUser"] })

      Add the information that you want to display according to the user roles.

  2. Create a new field.

    1. Select Settings & InfoSettingsObject SetupIncidentsIncident Fields+New.

      If you want to add the script to an existing field, select the field and click Edit.

    2. Under Field Type, select the field type. For example, Single select.

    3. Under Field Name, enter a descriptive name.

    4. Under the Attributes tab, in the Field display script field, select the script you created in step 1.

    5. Complete the remaining field definitions Save the field.

Change Field Values Dynamically

The following example shows how to create a script for the Assignee field, which shows different values depending on the values in the Owner field. If the Owner is defined as ‘admin’, the list of available assignees includes one group. If the Owner is defined as anything else, the list of available assignees includes a different group.

  1. In the Scripts page, copy the hideFieldsOnNewIncident and name it changeAsigneesPerOwner.

  2. In the Description field, enter the following:

    Changes values available in the Assignees field based on the person defined as the owner.

  3. Under Tags, add the field-display tag.

  4. For the script, type the following:

    incident = demisto.incidents()[0]
    field = demisto.args()['field']['cliName']
    if incident.get('owner') == 'admin':
    	demisto.results({'hidden': False, 'options': ['jane','joe', 'bob']})
    	demisto.results({'hidden': False, 'options': ['mark','jack', 'christine']})


    • demisto.incidents is the incident in which the script is running.

    • incident.get(‘owner’) is the field within the incident.

    • demisto.results tells us whether to hide the field or not, and which values should appear in the field. When the owner field is Admin, the values are Jane, Joe, Bob. When the ownerowner is anyone else, the values are Mark, Jack, Christine.

  5. Select Settings & InfoSettingsObject SetupIncidentsIncident Fields+New .

    • Name the field Assign To:.

      The Values field in the Basic Settings tab has been left blank because we hard-coded the values in our script.

    • Under the Attributes tab, in the Field display script field, select the changeAsigneesPerOwner script we created above.

    • Fill in the rest of the field definitions as desired and click Save.

  6. Add the field to an incident layout. In this example, add the field to the Authentication incident type.

  7. Create an incident to see what happens when the Owner is set to Admin and when the Owner is set to anything else.

Hide a Field Based on Context

In this example, you need to hide a field for a new incident form, but display the field when editing the form. You also set field values for a multi-select field in the case of an existing incident.

In this example, use the hideFieldsOnNewIncident out-of-the-box script.

incident = demisto.incidents()[0]
field = demisto.args()['field']
formType = demisto.args()['formType']
if incident["id"] == "":
	# This is a new incident, hide the field    
	demisto.results({"hidden": True, "options": []})
	# This is an existing incident, we want to show the field, to know which values to display    
	options = []
	# The field type includes the word select, such as Single select or Multi select
	if "Select" in demisto.get(field, "type"):
		# take the options from the field definition
		options = demisto.get(field, "selectValues")
	demisto.results({"hidden": False, "options": options})
  1. Go to Settings & InfoSettingsObject SetupIncidentsIncident Fields .

  2. Select the Malicious Cause field and click Edit.

  3. Under the Field display script field, select the hideFieldsOnNewIncident script and click Save.

  4. Go to the Incidents page and click New Incident.

  5. Under the Type field, select GDPR DataBreach.

    Scroll down and note that under Mandatory Information, there is no Malicious Cause field.

  6. Click Create New Incident to save the incident.

  7. Select the incident you just created and click Edit.

    Scroll down to the Mandatory Information section and note that the Malicious Cause field appears and the options for the field are retrieved from the initial field definition.

Field-change-triggered with Single Select or Multi Select
  1. Go to Settings & InfoSettingsObject SetupIncidentIncident Fields.

  2. Click New and create a new Incident field of one of the following types:

    • Single select

    • Multi select

  3. Click Basic Settings and in the Values section set the values you want to see in the incident layout dropdown list for this field.

  4. Click Attributes and in Script to run when field value changes, select the script.

    This is an example of a single select script.

    # The custom mapping made for the field
    mapping_dict = {
    	'instance1_id' : '123456',
    	'instance2_id' : '12340987',
    	'instance3_id' : '79874534',
    	'instance4_id' : '90927834',
    	'instance5_id' : '4543452',
    val = demisto.args()['new'] # when the script will be triggered this field will hold the new value chosen by the user.
    mapped_val = mapping_dict.get(val, val)  # getting the value from the map.
    execute_command('setIncident', {'customFields' :{'Single_select_field_example': mapped_val}}) # set the new incident mapped field

    This an example of a multi select script.

    mapping_dict = {    
    	'low' : '1',
    	'medium' : '2',
    	'high' : '3',
    	'critical' : '4',
    vals = argToList(demisto.args()['new']) # The new value from the user.
    mapped_list = [mapping_dict.get(v, v) for v in vals]
    execute_command('setIncident', {'customFields' : {'multi_select_field_example': mapped_list}})


    • When creating the script, in the Tags section, type field-change-triggered.

    • Choose the name of your custom fields to replace ‘Single_select_field_example’ or ‘multi_select_field_example’ in the examples above.

  5. Go to Settings & InfoSettingsObject SetupIncidentsLayouts and add the new incident field to an existing layout or create a new layout.

  6. In the incident layout edit page, click Fields and Buttons and drag the new incident field you created to the layout.

  7. Save the version.

    In the layout display, you will see the values you set in step 3.

  8. Select one of the values. The layout will update with the mapped value as set on the script related to the incident field.