09-06-2022 04:14 AM
Dear all,
We have an issue about visualizing the outputs of indicator enrichment using VirusTotal (vt-passive-dns-data).
To be more specific, I am going to share our indicator layout and what we are expecting. As shown in the first screenshot, we are using a nearly default indicator layout.
However, to provide more precise information to the analyst team, we want to illustrate passive DNS records (which are under VirusTotal's Relations tab) via the command:
!vt-passive-dns-data ip=8.8.8.8
Command execution in the CLI provides a table output, as shown in the screenshot.
The main question is: is it possible to add an automation's result/output to the indicator layout for which data is taken from an incident?
09-20-2022 09:23 AM
@UmutAK ,
You can achieve this by creating a custom indicator field (https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-9/cortex-xsoar-admin/manage-indicators/under...) and adding that field to your IP indicator layout (https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-9/cortex-xsoar-admin/incidents/customize-inc...). Since the data will be displayed in a tabular format, you can use a field of either of these two types: grid field or markdown. For this example we will be using a markdown field, as it is easier to work with.
Once you have the field in your indicator layout, it can be populated in a few different ways, i.e. using enhancement scripts, using a button in the layout, or using reputation scripts. For this example and for simplicity, we will use a button in the indicator layout that will trigger our script. On how to add a button to the layout -> (https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-9/cortex-xsoar-admin/manage-indicators/under...).
The script will basically get the data from the integration command (vt-passive-dns-data), format it in a table (using the tableToMarkdown built-in function) and populate the field using the setIndicator built-in command.
Find below a sample script to do this, as well as a screenshot of the layout.
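The flow described in the reply above, written out as an added example; this is not the script originally attached to the reply and not Palo Alto Networks code. Assumptions: the custom markdown field's cliName (`passivedns`), the `ip` script argument, the VirusTotal v3 shape of the command's `Contents`, and the `customFields` argument of `setIndicator`; the sample records are constructed.

```python
from datetime import datetime, timezone

HEADERS = ["Hostname", "IP", "Last resolved (UTC)", "Resolver"]
FIELD = "passivedns"  # hypothetical cliName of the custom markdown field

if "tableToMarkdown" not in globals():
    # Outside XSOAR only: stand-in for the CommonServerPython helper so the
    # formatting can be tried offline. Inside XSOAR the built-in is used.
    def tableToMarkdown(name, t, headers=None):
        sep = "|" + "|".join(["---"] * len(headers)) + "|"
        rows = ["|" + "|".join(str(r.get(h, "")) for h in headers) + "|" for r in t]
        return "\n".join(["### " + name, "|" + "|".join(headers) + "|", sep] + rows) + "\n"


def build_rows(raw):
    """Flatten resolution records (assumed VirusTotal v3 shape), newest first."""
    items = sorted((raw or {}).get("data", []),
                   key=lambda i: i.get("attributes", {}).get("date") or 0, reverse=True)
    rows = []
    for item in items:
        attr = item.get("attributes", {})
        ts = attr.get("date")
        seen = datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M") if ts else ""
        rows.append({"Hostname": attr.get("host_name", ""), "IP": attr.get("ip_address", ""),
                     "Last resolved (UTC)": seen, "Resolver": attr.get("resolver", "")})
    return rows


def main():
    ip = demisto.args()["ip"]  # assumed script argument supplied by the layout button
    res = demisto.executeCommand("vt-passive-dns-data", {"ip": ip})
    if isError(res[0]):
        return_error("vt-passive-dns-data failed: " + get_error(res))
    table = tableToMarkdown("Passive DNS for " + ip, build_rows(res[0]["Contents"]), headers=HEADERS)
    # Assumes setIndicator takes custom fields through its customFields argument.
    demisto.executeCommand("setIndicator", {"value": ip, "customFields": {FIELD: table}})
    return_results("Passive DNS written to indicator field " + FIELD)


# Constructed sample in the assumed response shape, used only for offline runs.
SAMPLE = {"data": [
    {"attributes": {"host_name": "old.example", "ip_address": "8.8.8.8",
                    "date": 1600000000, "resolver": "VirusTotal"}},
    {"attributes": {"host_name": "dns.example", "ip_address": "8.8.8.8",
                    "date": 1662422400, "resolver": "VirusTotal"}},
]}

if "demisto" in globals():  # XSOAR injects `demisto` into the script's globals
    main()
else:
    print(tableToMarkdown("Passive DNS for 8.8.8.8", build_rows(SAMPLE), headers=HEADERS))
```

Run outside XSOAR, the block prints the table for the constructed sample; inside XSOAR it writes the table to the indicator whose value matches the `ip` argument.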