07-25-2023 02:24 AM
Hello!
During incident investigations, it would be useful if certain Context Data fields (if they have a value) are written to the incident layout and you don't have to search for the value in the Context.
My question would be, how can I make it so that the contents of the context data fields associated with the incident are written to the incident layout?
Example:
For a phishing incident I always want to see what the URL values were. I need to filter the URL values by several criteria and I want to see the values of a custom field, e.g. the Filtered_URL_List Context Data field, on the incident layout.
Thanks in advance.
07-25-2023 03:25 AM - edited 07-25-2023 03:26 AM
Hi @szordominik,
```python
import demistomock as demisto
from CommonServerPython import *


def main():
    try:
        # A dynamic section script runs against the incident being viewed
        incident = demisto.incidents()
        query = incident[0].get('id')
        # Pull the incident context and read the custom key named in the question
        context = demisto.executeCommand("getContext", {"id": query})[0].get("Contents").get("context").get("Filtered_URL_List")
        headers = ['URLs']
        command_results = CommandResults(readable_output=tableToMarkdown("URL Results", context, headers=headers))
        return_results(command_results)
    except Exception as ex:
        return_error(f'Failed to execute the command. Error: {str(ex)}')


if __name__ in ('__main__', '__builtin__', 'builtins'):
    main()
```
07-27-2023 02:43 AM - edited 07-27-2023 02:46 AM
Thank you!!!
I have one more question, can you give me an example of what the code would look like if I want the following format?
What I haven't been able to do yet is to create 2 columns in the same table format and the first column would contain the data type (burned in code) and the second column would contain the data itself (variable).
For example:
sender email address | abc@abc.com
some data type | data
etc..
And what other formatting options are there besides tableToMarkdown? Can you help me with this, for example by sending documentation?
Thanks in advance.
07-27-2023 05:32 AM
Hi,
You can implement something like the below:

```python
import demistomock as demisto
from CommonServerPython import *

# Each row pairs a fixed label ("type") with the variable data ("value")
data = [{"type": "sender_address", "value": "abc@abc.com"}, {"type": "IP", "value": "1.1.1.1"}, {"type": "recipient", "value": "xyz@abc.com"}]
table_data = []
for item in data:
    table_data.append({
        'type': item['type'],
        'value': item['value']
    })
results = CommandResults(
    outputs_prefix='ExampleTable',
    # outputs={'TypeValueTable': table_data},
    readable_output=tableToMarkdown('Example Table', table_data))
return_results(results)
```
For CommandResults return capabilities you can check the below link:
https://xsoar.pan.dev/docs/integrations/context-and-outputs
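An added example, not part of the replies above and not Palo Alto's code: a plain-Python helper that builds the two-column label/value table and defangs and escapes the values, since URLs and addresses in a phishing incident are attacker-supplied and should not render as live links or break the table. In an automation the returned string would be passed as `readable_output` to `CommandResults`; the function names and every context key except `Filtered_URL_List` are assumptions.

```python
import re

# Constructed sample context; only Filtered_URL_List is a key named in the thread.
SAMPLE_CONTEXT = {
    "SenderAddress": "abc@abc.com",
    "Subject": None,
    "Filtered_URL_List": [
        "http://login.example.test/reset?u=1|2",
        "https://cdn.example.test/a\nb",
    ],
}


def safe_cell(value):
    """Return a value that is safe to place in one markdown table cell."""
    # Newlines would end the table row, so flatten them
    text = str(value).replace("\r", "").replace("\n", " ")
    # Backslash-escape markdown metacharacters (pipes, link and emphasis syntax)
    text = re.sub(r"([\\|`*_\[\]()<>])", r"\\\1", text)
    # Defang: hxxp scheme, [.] and [@], so nothing is auto-linked
    text = re.sub(r"\bhttp", "hxxp", text, flags=re.I)
    return text.replace(".", "[.]").replace("@", "[@]")


def build_rows(context):
    """Pair hard-coded labels with values read from the context (keys are hypothetical)."""
    return [
        ("Sender email address", context.get("SenderAddress")),
        ("Subject", context.get("Subject")),
        ("Filtered URLs", context.get("Filtered_URL_List")),
    ]


def render_table(rows, title="Incident details"):
    """rows: list of (label, value_or_list). Returns a two-column markdown table."""
    lines = [f"### {title}", "| Field | Value |", "|---|---|"]
    for label, values in rows:
        if values in (None, "", []):
            continue  # only show fields that actually have a value
        if not isinstance(values, (list, tuple)):
            values = [values]
        for i, value in enumerate(values):
            # Print the label once; extra values get their own row below it
            lines.append(f"| {label if i == 0 else ''} | {safe_cell(value)} |")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(build_rows(SAMPLE_CONTEXT)))
```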
07-31-2023 05:07 AM
Thank you!
One last question.
How can I put clickable data/links on this dynamic section layout field?
When I open the Context Data database, all data there can be copied with a click. Also, for example, if I use a third-party reputation integration, then the link to the generated file or URL is also clickable or one-click copyable, e.g. VirusTotal.
So the question would be: how would you display the possibly multiple-line / long links efficiently?