Customize an Indicator Type Layout - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
8
Creation date
2023-11-02
Last date published
2024-02-21
Category
Administrator Guide
Abstract

Customize Indicator layouts for each indicator type in Cortex XSOAR.

Each out-of-the-box indicator comes with its own layout. You can customize almost every aspect of the layout, including which tabs appear, in which order they appear, who has permissions to view the tabs, what information appears and how it is displayed.

You can see which indicator type uses the indicator layout in the Types tab (Settings & Info > Settings > Object Setup > Indicators). The indicator layout name appears in the Layout column.

Content Pack Indicator Layouts

Out-of-the-box content pack indicator layouts display a locked icon, which means to edit the layout, you need to do one of the following:

  • Duplicate an indicator layout. You need to edit the indicator type to add the new layout.

  • Detach the layout. While an indicator layout is detached, it does not receive content pack updates. If you detach an indicator type layout, make edits, and later want to receive content pack updates for that layout, we recommend you duplicate the indicator layout before reattaching the original, to protect your changes from content pack updates.

Indicator Layout Builder

You can customize the display information including fields for existing indicators, by modifying the sections and fields for the following views:

  • Indicator Summary

    You can customize almost every aspect of the layout, including which tabs appear, the order they appear, who has permissions, etc. In each field or tab you can add filters by clicking on the eye icon, which enables you to add conditions that show specific fields or tabs relevant for the indicator.

    You can add a script in the indicator layout, such as a mapping script, which determines where an IP address originates and displays it on a map.

  • Quick View

    Add, edit, delete sections, fields, and filters in the Quick View section.

  • "New"/"Edit" Form

    Add, edit, and delete fields and buttons to be displayed when creating or editing an indicator.

  1. Go to Settings & Info > Settings > Object Setup > Indicators > Layouts.

  2. (Content Pack Indicator Type Layout) Detach the indicator layout.

    Right-click the indicator layout you want to detach and click Detach.

  3. Right-click the name of the indicator type layout and click Edit.

    You are presented with the current layout, which is populated with demo data so you can see how the fields fit.

  4. In the Indicator Summary tab, customize the tabs.

    1. Drag and drop the tab to reorder the tabs.

    2. Configure the tabs by clicking the settings cog wheel icon next to the Summary tab name and then select one of the following options.

      • Rename

      • Duplicate

      • Delete

      • Show Empty Fields

        The setting that you configure in the layout becomes the default value seen in the indicator for the specific tab, which can then be overridden.

      • Hide tab

      • Format for exporting

        Build your layout based on A4 proportions to match the format used for exporting. Selecting this option hides the tab by default, but the tab will remain available for export.

      • Viewing Permissions

        Select which roles can view the tabs.

      • Display Filter

        Enables you to add or view a filter applied to the tab. When the filter conditions are met, the specified fields or tabs are shown in the layout. If a mandatory field is hidden by a filter, the user is not required to complete it.

  5. Add sections to the layout.

    1. From the Sections tab in the Library, drag and drop the sections as follows:

      • New Section: After creating a new section, click the Fields and Buttons tab and drag and drop the fields as required.

      • Cortex XSOAR out-of-the-box sections: Out-of-the-box sections such as Expiration Status, Verdict, etc.

      • General Purpose Dynamic Section: Enables you to Add a Script in the Indicator Layout. For example, assign a script that determines and displays the Geo location of an IP address on a map. You can Set up Google Maps in Cortex XSOAR SaaS to use map automations.

    2. Define the section properties by clicking the section options icon and then Edit section settings.

      You can determine how a section appears in the layout, for example whether the section includes the section header. You can also configure the fields to appear in rows or as cards. If you know that some of the field values will be very long, you are better off using rows. If you know that the field values are short, you might want to use cards so you can fit more fields in a section.

    3. To remove or duplicate a section, select the section, click the section options icon and then select Duplicate or Remove.

  6. Drag and drop fields, and add any filters as required.

  7. Add any custom buttons.

    To add a custom button, create a script and then add New Button to the indicator layout and choose the script, as described in the example below. These buttons can simplify and assist an analyst in carrying out various tasks. For example, you can create a button to run an enrichment script on an identified indicator.

    For fields (script arguments) that are optional, you can define whether to show them to analysts when they click the button. To expose an optional field, select the Ask User checkbox next to the script argument(s) in the button settings page.

    Note

    When creating a script for use in an indicator layout, the indicator-action-button tag must be assigned for the script to be available for custom buttons.

    In the following example we want to create a button which adds the indicator to a Hunt incident type, so the Threat Intel team can review it.

    1. Save the following script as a Python file on your computer. On the Settings page, click the upload automation icon and upload the file.

      commonfields:
        id: d3716514-4c2b-453c-8072-4fd4807bca0a
        version: 30
      vcShouldKeepItemLegacyProdMachine: false
      name: newIncidentFromIndicator
      script: |
        # 'demisto' and the CommonServerPython helpers (isError, return_error)
        # are provided by the Cortex XSOAR platform when the script runs.
        args = demisto.args()

        # The button passes the clicked indicator as args['indicator'];
        # 'type' is the script argument exposed in the button settings.
        indicator_value = args['indicator']['value']

        fields = {}
        fields['type'] = args['type']
        fields['details'] = indicator_value
        fields['name'] = args['type'] + " for " + indicator_value

        res = demisto.executeCommand('createNewIncident', fields)
        if isError(res):
            return_error('createNewIncident failed: ' + str(res[0].get('Contents')))

        newID = res[0]['EntryContext']['CreatedIncidentID']

        demisto.executeCommand("associateIndicatorsToIncident",
                               {"indicatorsValues": indicator_value, "incidentId": int(newID)})
      type: python
      tags:
      - indicator-action-button
      enabled: true
      args:
      - name: type
        required: true
        description: Incident Type
      scripttarget: 0
      subtype: python3
      pswd: ""
      runonce: false
      dockerimage: demisto/python3:3.8.5.11789
      runas: DBotWeakRole
    2. Go to Settings & Info > Settings > Object Setup > Indicators > Layouts and click the relevant indicator type layout.

    3. From the Fields and Buttons tab, drag +New Button and drop into the relevant section.

    4. Click Click to configure.

    5. Enter a descriptive name for the button. For this example, we call it Pass to Threat Hunt Team.

    6. Select a color.

    7. Select the script we added above - newIncidentFromIndicator.

    8. In the type field, add Hunt.

    9. Click Save.

      In the Summary tab, you can see the new button.

      When you view an indicator and click this button, an incident is created with the Hunt incident type.

    10. To test, go to the Threat Intel (Indicators) page, create a new indicator, and assign it to the relevant indicator type. View the indicator, click the Pass to Threat Hunt Team button, and verify that a new incident is created.
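    The same button logic as an added example (not code from the Cortex XSOAR guide): the command call is injectable and the failure cases the page's script would turn into a KeyError (an error entry from createNewIncident, or a missing CreatedIncidentID) are reported clearly. FakeDemisto is a constructed stand-in for demisto.executeCommand so the logic can be exercised offline.

```python
# Added example (not from the Cortex XSOAR guide): the page's button script
# logic with the command call injectable and its failure cases handled, so the
# KeyError on a failed createNewIncident becomes a clear error. The constructed
# FakeDemisto below stands in for demisto.executeCommand when run offline.
from typing import Any, Callable, Dict, List

ERROR_ENTRY = 4  # entryTypes['error'] in CommonServerPython


def is_error(entries: List[Dict[str, Any]]) -> bool:
    """Same test as CommonServerPython.isError: any error-type entry is a failure."""
    return any(e.get("Type") == ERROR_ENTRY for e in entries)


def new_incident_from_indicator(args: Dict[str, Any], run_command: Callable) -> int:
    """Create an incident of args['type'] for the clicked indicator, link the
    indicator to it and return the new incident ID (as the page's script does)."""
    value = (args.get("indicator") or {}).get("value")
    inc_type = args.get("type")
    if not value or not inc_type:
        raise ValueError("button script needs 'type' and an indicator value")
    fields = {"type": inc_type, "details": value, "name": f"{inc_type} for {value}"}
    res = run_command("createNewIncident", fields)
    if not res or is_error(res):
        raise RuntimeError(f"createNewIncident failed: {res[0].get('Contents') if res else 'no entry'}")
    new_id = res[0].get("EntryContext", {}).get("CreatedIncidentID")
    if new_id is None:
        raise RuntimeError("createNewIncident returned no CreatedIncidentID")
    link = run_command("associateIndicatorsToIncident",
                       {"indicatorsValues": value, "incidentId": int(new_id)})
    if is_error(link):
        raise RuntimeError("associateIndicatorsToIncident failed")
    return int(new_id)


class FakeDemisto:
    """Constructed stand-in for demisto.executeCommand: records each call and
    returns the entry shapes the real commands produce."""
    def __init__(self, created_id: str = "1234", fail_create: bool = False):
        self.calls: List[tuple] = []
        self.created_id, self.fail_create = created_id, fail_create

    def execute(self, cmd: str, cmd_args: Dict[str, Any]) -> List[Dict[str, Any]]:
        self.calls.append((cmd, cmd_args))
        if cmd == "createNewIncident":
            if self.fail_create:
                return [{"Type": ERROR_ENTRY, "Contents": "Incident type not found"}]
            return [{"Type": 1, "EntryContext": {"CreatedIncidentID": self.created_id}}]
        return [{"Type": 1, "Contents": "ok"}]
```

In the platform itself, a raised exception in a button script surfaces as an error entry on the indicator, which is what you want an analyst to see when the Hunt incident type is missing.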

  8. Add required sections and fields in the Quick View tab.

  9. Add the layout to the indicator.

    1. Go to Settings & Info > Settings > Object Setup > Indicators > Types.

    2. Select the indicator type and click Edit.

    3. In the Layout field, from the dropdown list, add the customized layout.

  10. (Optional) For a customized layout, you can contribute it to Marketplace.

    1. In the Layouts page, right-click the new layout and click Contribute.

    2. In the dialog box select either Save and submit your contribution or Save and download your contribution for later use, which you can view in the Contributions tab in Marketplace.

      If you select Save and submit your contribution your layout is validated and you are prompted to submit to review. You can also view your contribution in Marketplace.