Automation Output In Indicator or Incident Layout

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Automation Output In Indicator or Incident Layout

L1 Bithead

Dear all,

 

We have an issue about visulazating the outputs of indicator enrichment via using virus total ( vt-passive-dns-data).

 

To be more specific I am going to share our indicator layout and what we are expecting. As its given in the first screenshot we are using nearly default indicator layout.

 

However to provide more precise information to analyst team we want to illustratre passive dns records ( which is under Virus Total's relations tab) via command :

!vt-passive-dns-data ip=8.8.8.8

 

Command execution in CLI provides a table output as its given in the screen shot. 

 

Main question is that, is it possible to add automation's result/output to the indicator layout for which data taken from an incident

 

 

 

 

 

 

 

UmutAK_0-1662462438500.png

2 REPLIES 2

L1 Bithead

Output's screen shot from the task is given below. I want to see that table on the layout.

UmutAK_0-1662465658019.png

 

L3 Networker

@UmutAK , 


You can achieve this by creating a custom indicator field (https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-9/cortex-xsoar-admin/manage-indicators/under...) and adding that field to your IP indicator layout (https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-9/cortex-xsoar-admin/incidents/customize-inc...). Since the data will be displayed in a tabular format, you can use a field of either of these two types: grid field or markdown. For this example we will be using a markdown as it is easier to work with.  

 

Once you have the field in your indicator layout, it can be populated in few different ways, i.e. using an enhancement scripts, using a button in the layout, using reputation scripts. For this example and for simplicity, we will use a button in the indicator layout that will trigger our script. On how to add a button to the layout -> (https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-9/cortex-xsoar-admin/manage-indicators/under...).

The script will basically get the data from the integration command (vt-passive-dns-data), format it in a table (using tableToMarkdown built-in function) and populate the field using setIndicator built in command. 


Find below a sample script to do this, as well as a screenshot of the layout.  

 

  • 2251 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!