Dynamic Section using Context


L1 Bithead

I was wondering how we can add Splunk results into the Incident layout. Possibly a CSV file or markdown.

 

We use Splunk to search our email logs to see other recipients who got the phishing email. We wanted to display that in the Incident layout.

 

Any advice is highly appreciated. Thank you.


3 REPLIES

L4 Transporter

Assuming you've run the search and the results are in context (usually under Splunk.Result), then yes you can use a dynamic section on your Incident layout to display the results in Markdown format.

 

Those are a type of automation, and there is a super awesome training video that explains how to write your own (video 19):

https://live.paloaltonetworks.com/t5/cortex-xsoar-how-to-videos/cortex-xsoar-how-to-customer-success...

 

There are also some useful examples of dynamic sections in the Case Management Pack that you can use as a reference: (CaseMgmtAnalystTools, CaseMgmtDisplayLabels, CaseMgmtResponseProcess) - https://cortex.marketplace.pan.dev/marketplace/details/CaseManagementGeneric/
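
As an added example (not part of the thread and not code from the Case Management pack), a dynamic-section automation along the lines this reply describes could look like the following. It assumes the search results sit under Splunk.Result as dicts; the field names `_time`, `recipient` and `subject` and the sample rows are constructed. Cell values are escaped because subject lines taken from phishing mail are attacker-controlled and would otherwise be interpreted as Markdown in the layout.

```python
import re

# Constructed sample standing in for context key Splunk.Result (field names are assumptions).
SAMPLE_ROWS = [
    {"recipient": "alice@example.com", "subject": "Invoice | overdue", "_time": "2024-01-05T10:02:11"},
    {"recipient": "bob@example.com", "subject": "[reset](http://phish.example)\nnow", "_time": "2024-01-05T10:02:13"},
]

_MD_SPECIAL = re.compile(r"([\\`*_\[\]()<>|!#])")

def md_cell(value):
    """Render one value as inert text inside a Markdown table cell."""
    text = "" if value is None else str(value)
    text = re.sub(r"\s*[\r\n]+\s*", " ", text)   # a newline would end the table row
    return _MD_SPECIAL.sub(r"\\\1", text)         # backslash-escape Markdown syntax

def rows_to_markdown(rows, columns, title="Splunk results", limit=100):
    """Build a Markdown table from Splunk result rows (one dict or a list of dicts)."""
    if isinstance(rows, dict):                    # tolerate a single result stored as a dict
        rows = [rows]
    if not rows:
        return f"### {title}\nNo results in context."
    lines = [f"### {title} ({len(rows)})",
             "|" + "|".join(md_cell(c) for c in columns) + "|",
             "|" + "|".join("---" for _ in columns) + "|"]
    for row in rows[:limit]:
        lines.append("|" + "|".join(md_cell(row.get(c)) for c in columns) + "|")
    if len(rows) > limit:                         # keep the layout readable on large searches
        lines.append(f"\n_{len(rows) - limit} more rows not shown._")
    return "\n".join(lines)

def main():
    columns = ["_time", "recipient", "subject"]
    try:
        rows = demisto.get(demisto.context(), "Splunk.Result")  # inside XSOAR
    except NameError:
        print(rows_to_markdown(SAMPLE_ROWS, columns))          # offline run on the sample
        return
    demisto.results({"Type": 1, "ContentsFormat": "markdown",   # 1 = note entry
                     "Contents": rows_to_markdown(rows, columns)})

if __name__ in ("__main__", "builtins", "__builtin__"):
    main()
```
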

 

 

@MBeauchamp2 Thank you.

 

I found the results. Would I be able to attach the file in the layout? After exporting to CSV?

L4 Transporter

Dynamic sections won't display a file to be downloaded; it's more for displaying in a markdown table for review via the XSOAR UI.

 

If you want a file then you could use the ExportToCSV automation to export it, and then in the layout there is an Incident Files or Incident Attachments section that they could grab it from.

 

Or you could tag the file entry in the war room (Details Tab on the Task) and use the War Room Entries section to display entries with that tag.  

 
