SetGridField

L0 Member

How can I map keys (query, network.cidr, network.country) to a table? I'm trying with the below command, but it is not working for CIDR & Country.

!SetGridField context_path="Whois.IP" grid_id="whoisipinfo" overwrite="true" columns="IP Address,CIDR,Country" keys="query, network.cidr, network.country"

Whois.IP
{
  "asn_registry": "apnic",
  "entities": [
    "IRT-APNICRANDNET-AU",
    "ORG-ARAD1-AP",
    "AR302-AP"
  ],
  "raw": null,
  "query": "1.1.1.1",
  "network": {
    "ip_version": "v4",
    "raw": null,
    "handle": "1.1.1.0 - 1.1.1.255",
    "name": "APNIC-LABS",
    "end_address": "1.1.1.255",
    "status": [
      "active"
    ],
    "remarks": [
      {
        "description": "APNIC and Cloudflare DNS Resolver project\nRouted globally by AS13335/Cloudflare\nResearch prefix for APNIC Labs",
        "links": null,
        "title": "description"
      },
      {
        "description": "---------------\nAll Cloudflare abuse reporting can be done via\nresolver-abuse@cloudflare.com\n---------------",
        "links": null,
        "title": "remarks"
      }
    ],
    "cidr": "1.1.1.0/24",
    "country": "AU",
    "start_address": "1.1.1.0",
    "events": [
      {
        "action": "registration",
        "actor": null,
        "timestamp": "2011-08-10T23:12:35Z"
      },
      {
        "action": "last changed",
        "actor": null,
        "timestamp": "2020-07-15T13:10:57Z"
      }
    ]
  }
}

4 REPLIES

L5 Sessionator

Hi @speddireddy,

 

I noticed a couple of issues with the command you ran. 

 - The columns parameter needs the machine name of the grid field key. So it would look like this: columns="ipaddress,cidr,country"

 - For the keys parameter, the dot notation is not supported. You cannot specify sub keys. You'll need to flatten the context before using the setGridField command.

 

If the above solution does not work in your case, you can try passing each key like below.

!setIncident whoisipinfo="{\"ipaddress\" : \"${Whois.IP.query}\" , \"cidr\" : \"${Whois.IP.network.cidr}\", \"country\" : \"${Whois.IP.network.country}\"}"


Hi @jfernandes1 

Thanks for your response.

I see it working when I use the column header name under the columns parameter. How can I flatten the context in a playbook?
And how should I pass each key in a playbook task with setIncident?

L5 Sessionator

Hi @speddireddy 

You'll need to write a custom automation to flatten the object. 

 

As provided in my previous response, you'll need to pass the keys like below. 

!setIncident whoisipinfo="{\"ipaddress\" : \"${Whois.IP.query}\" , \"cidr\" : \"${Whois.IP.network.cidr}\", \"country\" : \"${Whois.IP.network.country}\"}"
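
The flattening step mentioned in the reply above, as an added example that is not part of the original thread or of any XSOAR content: it walks the dotted paths from the question and emits flat rows keyed by the grid column machine names from the first reply. The function names and the trimmed sample dict are assumptions, and the block makes no XSOAR API calls, so it runs offline.

```python
import json

# Grid column machine name -> dotted path inside each Whois.IP entry.
# Column names are the ones used in the replies above.
COLUMN_PATHS = {
    "ipaddress": "query",
    "cidr": "network.cidr",
    "country": "network.country",
}


def get_path(obj, dotted_path, default=""):
    """Walk a dotted path through nested dicts; return default if any step is missing."""
    current = obj
    for part in dotted_path.split("."):
        if not isinstance(current, dict) or part not in current:
            return default
        current = current[part]
    # Whois results often carry explicit nulls; show them as empty cells.
    return default if current is None else current


def build_grid_rows(whois_ip, column_paths=COLUMN_PATHS):
    """Flatten one Whois.IP entry (dict) or several (list) into flat grid rows."""
    if whois_ip is None:
        return []
    entries = whois_ip if isinstance(whois_ip, list) else [whois_ip]
    return [
        {column: get_path(entry, path) for column, path in column_paths.items()}
        for entry in entries
        if isinstance(entry, dict)
    ]


# Constructed sample input, trimmed from the context shown in the question.
SAMPLE_WHOIS_IP = {
    "query": "1.1.1.1",
    "network": {"cidr": "1.1.1.0/24", "country": "AU", "raw": None},
}

if __name__ == "__main__":
    rows = build_grid_rows(SAMPLE_WHOIS_IP)
    # Hypothetical use: these flat rows are what an automation would write to the grid field.
    print(json.dumps(rows, indent=2))
```
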

L2 Linker

Hi @speddireddy,

There is a way to do it using a different automation: https://xsoar.pan.dev/docs/reference/scripts/grid-field-setup

Hope it helps.

Jan
