Create Incident layout fields from Context Data

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Create Incident layout fields from Context Data

L1 Bithead

Hello!

During incident investigations, it would be useful if certain Context Data fields (if they have a value) are written to the incident layout and you don't have to search for the value in the Context.

My question would be, how can I make it so that the contents of the context data fields associated with the incident are written to the incident layout?

Example:
For a pishing incident I always want to see what URL values were. I need to filter the URL values by several criteria and I want to see the values of custom field e.g. Filtered_URL_List Context Data field on the incident layout.

Thanks in advance.

4 REPLIES 4

L4 Transporter

Hi @szordominik,

You can do this using dynamic sections. Please watch the below video to learn how dynamic sections work. There is also another one on Incident Layout. 

https://www.youtube.com/watch?v=j3JRo5bgerU&t=482s
https://www.youtube.com/watch?v=Ze_SI6axXj0

For your case something like below would work:
Note: please do not forget to tag the automation script as "dynamic-section"

def main():
    try:
        incident = demisto.incidents()
        query = incident[0].get('id', {})
        context=demisto.executeCommand("getContext", {"id":query})[0].get("Contents").get("context").get(" Filtered_URL_List Context")
        header = 'URLs'
        command_results = CommandResults(readable_output=tableToMarkdown("URL Results", context, headers=header))
        return_results(command_results)
    except Exception as ex:
        return_error(f'Failed to execute the command. Error: {str(ex)}')


if __name__ in ('__main__', '__builtin__', 'builtins'):
    main()
gyldz_0-1690280798262.png

 

 

Thank you!!!

I have one more question, can you give me an example of what the code would look like if I want the following format?
What I haven't been able to do yet is to create 2 columns in the same table format and the first column would contain the data type (burned in code) and the second column would contain the data itself (variable).


for example:
sender email address | abc@abc.com
some data type | data
etc..

and what other formatting options are there besides tableToMarkdown? Can you help me with this for example by sending documentations?

Thanks in advance.

L4 Transporter

Hi,

 

You can implement something like below

data = [{"type":"sender_address", "value":"abc@abc.com"},{"type":"IP", "value":"1.1.1.1"},{"type":"receipent", "value":"xyz@abc.com"}]

table_data = []

for item in data:
    table_data.append({
        'type': item['type'],
        'value': item['value']
    })

results= CommandResults(
    outputs_prefix='ExampleTable',
    # outputs={'TypeValueTable': table_data},
    readable_output=tableToMarkdown('Example Table', table_data))
return_results(results)

 

For CommandResults return capabilities you can check the below link:

https://xsoar.pan.dev/docs/integrations/context-and-outputs

Thank you!

One last question.
How can I put clickable data/links on this dynamic sections layout field?

When I open the Context Data database there all data can be copied by click + for example if I use a reputational 3rd party integration then the link to the generated file or url is also clickable/ or one click copyable. PL: Virustotal

So the question would be how would you display the possibly multiple lines/ long links efficiently?

  • 1464 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!