topic Re: SetGridField in Cortex XSOAR Discussions

SetGridField

speddireddy — Mon, 26 Sep 2022 16:52:28 GMT

How can I map keys (query, network.cidr, network.country) to a table? I'm trying with below command, is not working for CIDR & Country.

!SetGridField context_path="Whois.IP" grid_id="whoisipinfo" overwrite="true" columns="IP Address,CIDR,Country" keys="query, network.cidr, network.country"

Whois.IP
{
"asn_registry": "apnic",
"entities": [
"IRT-APNICRANDNET-AU",
"ORG-ARAD1-AP",
"AR302-AP"
],
"raw": null,
"query": "1.1.1.1",
"network": {
"ip_version": "v4",
"raw": null,
"handle": "1.1.1.0 - 1.1.1.255",
"name": "APNIC-LABS",
"end_address": "1.1.1.255",
"status": [
"active"
],
"remarks": [
{
"description": "APNIC and Cloudflare DNS Resolver project\nRouted globally by AS13335/Cloudflare\nResearch prefix for APNIC Labs",
"links": null,
"title": "description"
},
{
"description": "---------------\nAll Cloudflare abuse reporting can be done via\nresolver-abuse@cloudflare.com\n---------------",
"links": null,
"title": "remarks"
}
],
"cidr": "1.1.1.0/24",
"country": "AU",
"start_address": "1.1.1.0",
"events": [
{
"action": "registration",
"actor": null,
"timestamp": "2011-08-10T23:12:35Z"
},
{
"action": "last changed",
"actor": null,
"timestamp": "2020-07-15T13:10:57Z"
}
],
}
}

Re: SetGridField

jfernandes1 — Wed, 28 Sep 2022 04:06:33 GMT

Hi @speddireddy,

I noticed a couple of issues with the command you ran.

- The column parameter need the machine name of the grid field key. So it would look like this columns="ipaddress,cidr,country"

- For the keys parameter, the dot notation is not supported. You cannot specify sub keys. You'll need to flatten the context before using the setGridField command

If the above solution does not work in your case, you can try passing each key like below.

!setIncident whoisipinfo="{\"ipaddress\" : \"${Whois.IP.query}\" , \"cidr\" : \"${Whois.IP.network.cidr}\", \"country\" : \"${Whois.IP.network.country}\"}"

Re: SetGridField

speddireddy — Wed, 28 Sep 2022 14:44:03 GMT

Hi @jfernandes1

Thanks for your response.

I see it working when I use column header name under column parameter. How can I flatten the context on playbook?
And How should i pass each key in playbook task with setIncident?

Re: SetGridField

jfernandes1 — Thu, 29 Sep 2022 01:05:42 GMT

Hi @speddireddy

You'll need to write a custom automation to flatten the object.

As provided in my previous response, you'll need to pass the keys like below.

!setIncident whoisipinfo="{\"ipaddress\" : \"${Whois.IP.query}\" , \"cidr\" : \"${Whois.IP.network.cidr}\", \"country\" : \"${Whois.IP.network.country}\"}

Re: SetGridField

Honza_Linhart — Sun, 26 Mar 2023 19:18:55 GMT

Hi @speddireddy,

there is a way how to do it using different automation: https://xsoar.pan.dev/docs/reference/scripts/grid-field-setup

Hope it helps.

Jan