Indicator layout customization - Administrator Guide - Threat Intel Management Guide - 8 - Cortex XSOAR - Cortex - Security Operations


Customize an indicator layout for an indicator type in Cortex XSOAR. View the layout in the indicator Summary and Quick View.

Each indicator type has a unique set of data relevant to that specific indicator type, including layouts. It is important to display the most relevant data for users. Each out-of-the-box indicator comes with a layout. You can customize almost every aspect of the layout, including which tabs appear, in which order they appear, who has permission to view the tabs, what information appears, and how it is displayed.

You can see which indicator type uses the indicator layout in the Types tab under Settings & Info → Settings → Object Setup → Indicators. The indicator layout name appears in the Layout column.

You can customize the displayed information, including fields, for existing indicators by modifying the sections and fields for the following views:



Indicator Summary

You can customize almost every aspect of the layout, including which tabs appear, the order they appear, and who has permission. In each field or tab, you can add filters by clicking the eye icon, which enables you to add conditions that show specific fields or tabs relevant to the indicator.

You can add a script in the indicator layout, such as a mapping script, which determines where an IP address originates and displays it on a map.


Only available if you have a TIM license.

Quick View

Add, edit, and delete sections, fields, and filters in the Quick View section from an incident.

"New"/"Edit" form

Add, edit, and delete fields and buttons to be displayed when creating or editing an indicator.


By default, when editing list or text values in an incident or indicator layout, the changes are not saved until you confirm them by clicking the checkmark icon in the value field. These icons are designed to give you additional security when updating fields in incidents and indicators.

You can change this default behavior by adding a server configuration. For more information, see Configure inline value fields.

  1. Select Settings & Info → Settings → Object Setup → Indicators → Layouts → New Layout.

    You can customize the Indicator Summary section, Quick View, and the New/Edit form.

  2. Add a meaningful name for the layout.

  3. Customize the tabs by clicking the settings wheel icon and then doing the following:


    You can click and drag a tab to reorder the tabs.




    You can also edit a tab’s name by clicking the tab.


    Copies the existing tab.


    Deletes the tab.

    Show empty fields

    The setting that you configure in the layout becomes the default value seen in the report for the specific tab, which can then be overridden.

    You can also set a global default value using the server configuration, which can also be overridden for a specific tab.

    Hide tab

    Hides the tab rather than deleting it, so that you can use the tab again later.

    Format for exporting

    Build your layout based on A4 proportions to match the format used for exporting. Selecting this option hides the tab by default, but the tab will remain available for export.

    Viewing Permissions

    Select which roles can view the tabs.

    Display Filter

    Add or view a filter applied to the tab. If the filters apply, the specific fields or tabs are shown in the layout. If a mandatory field is not shown in the layout, the user is not obliged to complete it.

  4. Do the following:

    • Drag and drop the required sections, fields, buttons, and tabs.

    • Customize sections and create buttons.

    • Add any required filters.

    • Create new tabs.

  5. Repeat step 3 for the Quick View tab.

  6. In the New/Edit Form, drag and drop the required fields and buttons.

    You can also edit the Basic Information and the Custom Field sections.

  7. Save the indicator layout and add it to the indicator type.

  1. Go to Settings & Info → Settings → Object Setup → Indicators → Layouts.

  2. Click the name of the indicator type layout you want to edit.

    You are presented with the current layout, which is populated with demo data so you can see how the fields fit.

  3. If using a Content Pack Indicator Type Layout, detach or duplicate the layout.


    If you duplicate the layout, you need to update the indicator type to add the new layout.

    While an indicator layout is detached, it does not receive content pack updates. If you detach an indicator type layout, edit it, and later want to receive content pack updates for that layout, we recommend you duplicate the indicator layout before reattaching the original to protect your changes from content pack updates. When detached, you can also edit the layout from the Indicator Type tab.

    1. Select the checkbox for the indicator layout you want to detach.

    2. Right-click and select Detach.

  1. Create or edit a layout.

  2. From the Sections tab in the Library, drag and drop the following sections:



    New Section

    After creating a new section, click the Fields and Buttons tab and drag and drop the fields as required.

    Cortex XSOAR out-of-the-box sections

    Out-of-the-box sections such as Expiration Status and Verdict.

    General Purpose Dynamic Section

    You can add a script in the indicator layout. For example, you can assign a script that determines the geolocation of an IP address and displays it on a map. For more information, see Set up Google Maps.


    To remove or duplicate a section, select the section, click the options icon, and then select Duplicate or Remove.

  3. Define the section properties by clicking the options icon and then Edit section settings.


    Limit the number of incident fields to 50 in each section. You can create additional sections as needed.

    You can determine how a section appears in the layout. For example, you may want a section header, or configure the fields to appear in rows or as cards. If some of the field values will be very long, use rows instead of cards. If the field values are short, you might want to use cards so you can fit more fields into a section.

  4. Drag and drop fields, and add any filters as required.

  5. If relevant, create a new tab and repeat the steps as required.

You can add content to the Indicator Summary tab, based on a script, by adding the script in the General Purpose Dynamic Section. The script can return simple text, markdown, or HTML, the results of which appear in the General Purpose Dynamic Section.

You can add any required information from a script. For example:

  • Add a mapping script that determines where an IP address originates and displays it on a map.

  • Add a custom widget to the indicator page. The procedure is similar for indicators and incidents.

  • Add the FeedRelatedIndicator script from the Scripts page, which contains information about the relationship between an indicator, entity (such as malware), and other indicators (such as a MITRE ATT&CK indicator), and connects externally to those indicators, if relevant.

Before you begin, you need to create a script.


Ensure that you have added the dynamic-indicator-section tag to the script. Otherwise, you can't select it when adding a script.

  1. Go to Settings & Info → Settings → Object Setup → Indicators → Layouts.

  2. Click on the indicator layout you want to edit.

    The layout must either be custom content (a layout you created), a layout duplicated from a content pack layout, or a detached layout from a content pack. You cannot edit a layout that is attached. To detach an attached layout, select the indicator layout and click Detach.

  3. Drag and drop the General Purpose Dynamic Section onto the page.

  4. Select the General Purpose Dynamic Section, click the options icon, and then click Edit section settings.

  5. In the Name and Description fields, add a meaningful name and a description for the dynamic section that explains what the script displays.

  6. In the Automation script field, select the script that returns data for the dynamic section.

  7. Click OK.
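A dynamic-section script of the kind described above, added here as an example (it is not code from the Cortex XSOAR documentation or content packs): it returns markdown, and it defangs and escapes the indicator value because feed-supplied values are untrusted text rendered in the analyst's view. It assumes the script receives the same `indicator` argument used by the button script on this page, that `indicator_type` and `score` are present on that object, and that the section renders GitHub-style markdown tables; tag the script `dynamic-indicator-section` so it can be selected in step 6.

```python
import html
import re

# Characters that have meaning in markdown tables, links and emphasis.
_MD_SPECIALS = re.compile(r"([\\`*_{}\[\]()#+\-!|~])")
VERDICTS = {0: "Unknown", 1: "Good", 2: "Suspicious", 3: "Bad"}  # DBot score names
# Constructed sample of a hostile feed value; not real data.
SAMPLE_INDICATOR = {"indicator_type": "URL", "score": 3,
                    "value": "http://bad.example/x|y\n<b>hi</b> [click](http://bad.example)"}

def defang(value: str) -> str:
    """Make URLs, domains and IPs non-clickable: http -> hxxp, '.' -> '[.]'."""
    return re.sub(r"(?i)\bhttp", "hxxp", value).replace(".", "[.]")

def md_safe(value, limit: int = 200) -> str:
    """Render untrusted text as inert, single-line markdown."""
    text = " ".join(str(value).split())[:limit]  # drop newlines/tabs, cap length
    text = html.escape(text, quote=False)        # neutralise embedded HTML tags
    return _MD_SPECIALS.sub(r"\\\1", text)       # backslash-escape markdown syntax

def build_section(indicator: dict) -> str:
    """Return the markdown table shown in the dynamic section."""
    value = md_safe(defang(str(indicator.get("value", ""))))
    itype = md_safe(indicator.get("indicator_type", "Unknown"))  # assumed field name
    verdict = VERDICTS.get(indicator.get("score"), "Unknown")    # assumed field name
    return "\n".join([
        "| Field | Value |",
        "|---|---|",
        f"| Value (defanged) | {value} |",
        f"| Type | {itype} |",
        f"| Verdict | {verdict} |",
    ])

def main():
    # demisto, entryTypes and formats are supplied by the XSOAR script runtime.
    indicator = demisto.args().get("indicator") or {}
    demisto.results({"Type": entryTypes["note"],
                     "ContentsFormat": formats["markdown"],
                     "Contents": build_section(indicator)})

if __name__ in ("__main__", "__builtin__", "builtins"):
    try:
        demisto  # only defined when the script runs inside XSOAR
    except NameError:
        print(build_section(SAMPLE_INDICATOR))  # offline demonstration
    else:
        main()
```

Run outside XSOAR, the script prints the table for the constructed sample; the injected newline, pipe, HTML tag and link syntax all stay inside the single Value cell as literal text.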

You can add existing buttons or create buttons and then drag and drop them in the layout.

To add a custom button, create a script and then add the new button to the indicator layout and choose the script, as described in the example below. These buttons can simplify and assist an analyst in carrying out various tasks. For example, you can create a button to run an enrichment script on an identified indicator.

For fields (script arguments) that are optional, you can define whether to show them to analysts when they click on buttons. To expose an optional field, select the Ask User checkbox next to the script arguments in the button settings page.


When creating a script for use in an indicator layout, the indicator-action-button tag must be assigned for the script to be available for custom buttons.

In the following example, create a button that adds the indicator to a Hunt incident type so the Threat Intel team can review it.

  1. Save the following script on your computer. On the Scripts page, click the upload script icon and upload the file.

    commonfields:
      id: d3716514-4c2b-453c-8072-4fd4807bca0a
      version: 30
    vcShouldKeepItemLegacyProdMachine: false
    name: newIncidentFromIndicator
    script: |+
      from pprint import pformat
      args = demisto.args()
      # Build the new incident from the button's "type" argument and the indicator value
      fields = {}
      fields['type'] = args['type']
      fields['details'] = args['indicator']['value']
      fields['name'] = args['type'] + " for " + args['indicator']['value']
      res = demisto.executeCommand('createNewIncident', fields)
      # ID of the incident that was just created
      newID = res[0]['EntryContext']['CreatedIncidentID']
      # Link the indicator to the new incident
      demisto.executeCommand("associateIndicatorsToIncident", {"indicatorsValues": args['indicator']['value'], "incidentId":int(newID)})
    type: python
    tags:
    # Required for the script to be selectable for custom buttons
    - indicator-action-button
    enabled: true
    args:
    - name: type
      required: true
      description: Incident Type
    scripttarget: 0
    subtype: python3
    pswd: ""
    runonce: false
    # The image tag is truncated in the source page
    dockerimage: demisto/python3:
    runas: DBotWeakRole

    When uploading to Cortex XSOAR, the newIncidentFromIndicator name and the indicator-action-button tag are already populated.

  2. Go to Settings & Info → Settings → Object Setup → Indicators → Layouts and click the relevant indicator type layout.

  3. From the Fields and Buttons tab, drag the +New Button and drop it into the relevant section.

  4. Click to configure.

  5. Enter a descriptive name for the button. For this example, we call it Send to the Threat Hunt Team.

  6. Select a color.

  7. Select the script we added above: newIncidentFromIndicator.

  8. In the Script Arguments field, under the type field, add Hunt.

  9. Save the button.

    When you view an indicator and click this button, an incident is created with the Hunt incident type.

    To test the button, add the layout to the indicator type, go to the Threat Intel (Indicators) page, create a new indicator, and assign it to the relevant indicator type. View the indicator, click the Pass to Threat Hunt Team button, and verify that a new incident has been created.

  1. Go to Settings & Info → Settings → Object Setup → Indicators → Types.

  2. Select the indicator type and click Edit.

  3. In the Layout field, from the dropdown list, add the customized layout.

  4. (Optional) For a customized layout, you can contribute it to the Marketplace.

    1. In the Layouts page, select the new layout and then click Contribute to Marketplace.

    2. In the dialog box, select either Save and submit your contribution or Save and download your contribution for later use, which you can view in the Contributions tab in Marketplace.

      If you select Save and submit your contribution, your layout is validated and you are prompted to submit it for review. You can also view your contribution in Marketplace.