09-26-2022 09:52 AM
How can I map keys (query, network.cidr, network.country) to a table? I'm trying the command below, but it is not working for CIDR & Country.
!SetGridField context_path="Whois.IP" grid_id="whoisipinfo" overwrite="true" columns="IP Address,CIDR,Country" keys="query, network.cidr, network.country"
Whois.IP
{
  "asn_registry": "apnic",
  "entities": [
    "IRT-APNICRANDNET-AU",
    "ORG-ARAD1-AP",
    "AR302-AP"
  ],
  "raw": null,
  "query": "1.1.1.1",
  "network": {
    "ip_version": "v4",
    "raw": null,
    "handle": "1.1.1.0 - 1.1.1.255",
    "name": "APNIC-LABS",
    "end_address": "1.1.1.255",
    "status": [
      "active"
    ],
    "remarks": [
      {
        "description": "APNIC and Cloudflare DNS Resolver project\nRouted globally by AS13335/Cloudflare\nResearch prefix for APNIC Labs",
        "links": null,
        "title": "description"
      },
      {
        "description": "---------------\nAll Cloudflare abuse reporting can be done via\nresolver-abuse@cloudflare.com\n---------------",
        "links": null,
        "title": "remarks"
      }
    ],
    "cidr": "1.1.1.0/24",
    "country": "AU",
    "start_address": "1.1.1.0",
    "events": [
      {
        "action": "registration",
        "actor": null,
        "timestamp": "2011-08-10T23:12:35Z"
      },
      {
        "action": "last changed",
        "actor": null,
        "timestamp": "2020-07-15T13:10:57Z"
      }
    ]
  }
}
09-27-2022 09:06 PM
Hi @speddireddy,
I noticed a couple of issues with the command you ran.
- The column parameter needs the machine name of the grid field key, so it would look like this: columns="ipaddress,cidr,country"
- For the keys parameter, the dot notation is not supported. You cannot specify sub keys. You'll need to flatten the context before using the setGridField command.
If the above solution does not work in your case, you can try passing each key like below.
!setIncident whoisipinfo="{\"ipaddress\" : \"${Whois.IP.query}\" , \"cidr\" : \"${Whois.IP.network.cidr}\", \"country\" : \"${Whois.IP.network.country}\"}"
09-28-2022 07:44 AM
Hi @jfernandes1
Thanks for your response.
I see it working when I use the column header name under the column parameter. How can I flatten the context in a playbook?
And how should I pass each key in a playbook task with setIncident?
09-28-2022 06:05 PM
Hi @speddireddy
You'll need to write a custom automation to flatten the object.
As provided in my previous response, you'll need to pass the keys like below.
!setIncident whoisipinfo="{\"ipaddress\" : \"${Whois.IP.query}\" , \"cidr\" : \"${Whois.IP.network.cidr}\", \"country\" : \"${Whois.IP.network.country}\"}"
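The flattening step suggested above, as an added example that is not from the thread or from Cortex XSOAR itself: plain Python that collapses the nested Whois.IP context into dotted keys and builds grid rows keyed by column machine names. The names `flatten`, `to_grid_rows` and `COLUMN_PATHS` are hypothetical, the sample context is a constructed, trimmed copy of the entry in the question, and treating grid cells as text is an assumption.

```python
import json

# Constructed sample: trimmed copy of the Whois.IP context shown in the question.
WHOIS_IP = {
    "query": "1.1.1.1",
    "network": {"cidr": "1.1.1.0/24", "country": "AU", "status": ["active"]},
}

# Hypothetical mapping: grid column machine name -> dotted path in the context.
COLUMN_PATHS = {"ipaddress": "query", "cidr": "network.cidr", "country": "network.country"}


def flatten(obj, prefix=""):
    """Collapse nested dicts into one level keyed by dotted path; lists stay as values."""
    flat = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            flat.update(flatten(value, path))
        else:
            flat[path] = value
    return flat


def to_grid_rows(context, column_paths):
    """Build one grid row per context entry (context may be a dict or a list of dicts)."""
    entries = context if isinstance(context, list) else [context]
    rows = []
    for entry in entries:
        flat = flatten(entry)
        row = {}
        for col, path in column_paths.items():
            value = flat.get(path, "")
            # Assumption: cells are shown as text, so join lists and blank out null/missing.
            if isinstance(value, list):
                value = ", ".join(str(v) for v in value)
            row[col] = "" if value is None else str(value)
        rows.append(row)
    return rows


if __name__ == "__main__":
    # The resulting JSON is the shape passed as the whoisipinfo value in the reply above.
    print(json.dumps(to_grid_rows(WHOIS_IP, COLUMN_PATHS)))
```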
03-26-2023 10:29 AM - edited 03-26-2023 12:18 PM
Hi @speddireddy,
There is a way to do it using a different automation: https://xsoar.pan.dev/docs/reference/scripts/grid-field-setup
Hope it helps.
Jan