Create a Threat Intel Report layout - Administrator Guide - Threat Intel Management Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product: Cortex XSOAR
Version: 8
Creation date: 2024-03-07
Last date published: 2024-04-25
Category: Administrator Guide
Solution: Cloud

Abstract: Configure threat intel report layouts. Add script-based content in the layout.

You can customize almost every aspect of the layout, including which tabs appear, in which order they appear, who has permission to view the tabs, which information appears, and how it is displayed.

In the Object Setup > Threat Intel Reports > Layouts tab, you can view out-of-the-box layouts and any custom layouts. Each out-of-the-box layout is attached to the out-of-the-box Threat Intel Report types.

If you want to customize an existing layout, you can detach it without creating or duplicating another one. When a layout is detached, it does not receive content pack updates.

Tip

If you detach a layout, make edits, and later want to receive content pack updates for that layout, we recommend you duplicate the report layout before reattaching the original, to protect your changes from content pack updates.

The following procedure describes how to create a new layout, but you can follow similar steps to customize an existing layout.

  1. Select Settings & Info > Settings > Object Setup > Threat Intel Reports > Layouts > New Layout.

  2. To add a description, click Settings.

    (Multi-tenant only) Add or select Propagation labels. You can also view any dependencies.

  3. Customize the tabs by clicking the settings wheel icon and then doing the following:

    Note

    You can click and drag a tab to reorder the tabs.

    • Rename: You can also edit a tab’s name by clicking the tab.

    • Duplicate: Copies the existing tab.

    • Delete: Deletes the tab.

    • Show empty fields: The setting that you configure in the layout becomes the default value seen in the report for the specific tab, which can then be overridden. You can also set a global default value using the UI.summary.page.hide.empty.fields server configuration, which can also be overridden for a specific tab.

    • Hide tab: Hides the tab. Rather than deleting the tab, you may want to hide it so that you can use it again in the future.

    • Format for exporting: Build your layout based on A4 proportions to match the format used for exporting. Selecting this option hides the tab by default, but the tab remains available for export.

    • Viewing Permissions: Select which roles can view the tabs.

    • Display Filter: Add or view a filter applied to the tab. If the filters apply, the specific fields or tabs are shown in the layout. If the mandatory field is not shown in the layout, the user is not obliged to complete it.

  4. From the LIBRARY section, drag and drop the following sections:

    • New Section: After creating a new section, click the Fields and Buttons tab and drag and drop the fields as required. When hovering over a field, click the eye icon to add a filter to the field.

    • General Purpose Dynamic Section: Add a script to the layout, for example a script that creates a button on the layout that sets a threat intel report as published. For more information, see Step 2. (Optional) Add a script to the Threat Intel Report layout.

    • Relationships: The user can manually create indicator relationships between the report and an indicator. For more information about indicator relationships, see Manage indicator relationships.

  5. Define the section properties.

    Determine how a section appears in the layout, such as its name and whether the section header is shown. In most sections, you can also configure the fields to appear in rows or as cards, and wrap the text labels. For example, if you know that some of the field values are very long, use rows. If the field values are short, use cards so you can fit more fields in a section.

    1. Click the section, click the pencil icon, and then select Edit section settings.

    2. Edit the section as required and click OK.

    Note

    To remove or duplicate a section, click the pencil icon in the section and select the relevant option.

  6. If relevant, create a New tab and repeat the steps as required.

  7. When finished, save the layout.

You can add script-based content to threat intel report layouts. To do so, add the General Purpose Dynamic Section when editing the layout.

The General Purpose Dynamic Section allows you to configure a section in a layout tab from a script. The script can return text, markdown, or HTML, the results of which appear in the General Purpose Dynamic Section. You can add any required information from a script. Before you begin, you need to create a script.

The following is an example of a script that can be added. This script can be used to add a button to the layout that sets a threat intel report as published.

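```python
import demistomock as demisto
from CommonServerPython import *

from datetime import datetime, timezone


def publish():
    # Publication timestamp in UTC, stored in ISO 8601 format.
    now_utc = datetime.now(timezone.utc)
    # demisto.args() takes no parameters; read the 'object' argument from the dict it returns.
    report = demisto.args().get('object')
    object_id = report.get('id')
    # Retrieve the roles so that their names can be listed on the report.
    roles = execute_command('getRoles', {})

    # Set the report status to Published and list every role name in xsoarReadOnlyRoles.
    execute_command(
        'setThreatIntelReport',
        {
            'id': object_id,
            'xsoarReadOnlyRoles': demisto.dt(
                roles, 'DemistoRoles.name'
            ),
            'reportstatus': 'Published',
            'published': now_utc.isoformat(),
        },
    )

    demisto.results('ok')


if __name__ in ('__main__', '__builtin__', 'builtins'):
    publish()
```

  1. Edit the relevant threat intel report layout.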

  2. Drag and drop the General Purpose Dynamic Section onto the layout.

  3. Select the General Purpose Dynamic Section, click the pencil icon, and then select Edit section settings.

  4. In the Name and Description fields, add a meaningful name and a description for the dynamic section that explains what the script displays.

  5. In the Automation script field, from the dropdown list, select the script that returns data for the dynamic section.

    Note

    Only scripts to which you have added the general-dynamic-section tag appear in the dropdown list.

  6. Click OK.

  7. Save the layout.
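As an added example (not from the Cortex XSOAR documentation or content packs), the following dynamic-section script returns markdown and escapes report field values first, so that markdown or HTML embedded in a report field is displayed as literal text instead of being rendered. It assumes the report arrives in the `object` argument as in the script above, that the fields are named `name`, `reportstatus` and `published`, and that the markdown renderer honors backslash escapes; the sample report is constructed.

```python
import html
import re

# Markdown characters that create links, images, emphasis, code spans or table cells.
_MD_SPECIAL = re.compile(r'([\\`*_\[\]()|!~])')

# Display label -> report field. The field names are assumptions taken from the
# arguments used by the publish script on this page.
FIELDS = (('Name', 'name'), ('Status', 'reportstatus'), ('Published', 'published'))

# Constructed sample report, used only when the script runs outside XSOAR.
SAMPLE_REPORT = {
    'name': 'Q1 summary ![logo](http://example.invalid/p.png) | see `notes`\nnext',
    'reportstatus': 'Draft',
    'published': '2024-04-25T10:00:00+00:00',
}

def md_cell(value, max_len=200):
    """Return an untrusted field value as inert text for one markdown table cell."""
    text = '' if value is None else str(value)
    text = ' '.join(text.split())            # newlines and tabs would end the row
    if len(text) > max_len:
        text = text[:max_len] + '...'        # truncate before escaping, not after
    text = html.escape(text, quote=False)    # raw HTML tags become entities
    return _MD_SPECIAL.sub(r'\\\1', text)    # markdown syntax becomes literal text

def build_section(report):
    """Build the markdown table shown in the dynamic section."""
    rows = ['|Field|Value|', '|---|---|']
    for label, key in FIELDS:
        rows.append('|{}|{}|'.format(label, md_cell(report.get(key))))
    return '\n'.join(rows)

def main():
    # demisto, entryTypes and formats are supplied by the XSOAR script runtime.
    report = demisto.args().get('object') or {}
    demisto.results({
        'Type': entryTypes['note'],
        'ContentsFormat': formats['markdown'],
        'Contents': build_section(report),
    })

if __name__ in ('__main__', '__builtin__', 'builtins'):
    if 'demisto' in globals():
        main()
    else:
        print(build_section(SAMPLE_REPORT))  # offline run on the constructed sample
```
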

  1. Go to Settings & Info > Settings > Object Setup > Threat Intel Reports > Types.

  2. Select the report type and click Edit.

    If the report type is an out-of-the-box type from a content pack, you need to detach the report. Otherwise, you need to create a new report.

  3. In the Layout field, from the dropdown list, add the customized layout.

  4. Save the report type.

  5. (Optional) If you have created a new layout (not detached), you can do the following:

    • Contribute it to Marketplace.

      1. From Marketplace, in the Contributions tab, click Contribute Content. From the dropdown menu, select Layouts, add the new layout you want to contribute to Marketplace, and click Save and Contribute.

      2. Complete the information in the Contribute form and click Contribute.

    • If using a dev/prod environment, on the development machine, push the layout to the prod machine.

    • (Multi-tenant) In the Main tenant, propagate it to the child tenant.