IncidentFields

Returns a dict of all incident fields that exist in the system.

python · Common Scripts

Source

import demistomock as demisto
from CommonServerPython import *


def build_field_context_data(field):
    field_context_data = {
        "name": field["name"],
        "shortName": field["cliName"],
        "type": field["type"],
        "associatedToAll": field["associatedToAll"],
    }

    if not field_context_data["associatedToAll"]:
        if len(field.get("associatedTypes") or []) != 0:
            field_context_data["associatedTypes"] = field["associatedTypes"]
        else:
            field_context_data["associatedTypes"] = None
    else:
        field_context_data["associatedTypes"] = "all"

    return field_context_data


def main():
    # get incident fields
    res = demisto.executeCommand("core-api-get", {"uri": "/incidentfields"})
    if is_error(res):
        return_error(res[0]["Contents"])

    fields = res[0]["Contents"]["response"]

    # 'fields' contains non-incident fields (evidence and indicator), as well, so let's make a version
    #  containing only incident fields
    incident_fields = [field for field in fields if field["id"].startswith("incident_")]

    # get arguments
    args = demisto.args()

    exclude_system_fields = False
    if "exclude_system_fields" in args and argToBoolean(args["exclude_system_fields"]):
        exclude_system_fields = True

    use_short_name = False
    if "short_names" in args and argToBoolean(args["short_names"]):
        use_short_name = True

    # build a dict of all field and their associated case types
    output_fields = {}
    for field in incident_fields:
        if exclude_system_fields and field["system"]:
            continue

        field_name = field["name"]
        if use_short_name:
            field_name = field["cliName"]

        output_fields[field_name] = build_field_context_data(field)

    # output results
    demisto.results(output_fields)


if __name__ in ["__builtin__", "builtins"]:
    main()

README

Returns a dict of all incident fields that exist in the system.

Script Data


Name Description
Script Type python3
Cortex XSOAR Version 5.0.0

Dependencies


This script uses the following commands and scripts.

  • core-api-get

Inputs


Argument Name Description
exclude_system_fields Whether to only return non-system fields. If “true”, will only output non-system fields. The default value is “false”.
short_names Whether to shorten the incident field names. If “true”, will cause output to use shortened field names. The default value is “true”.

Outputs


There are no outputs for this script.

Script Examples

Example command

!IncidentFields exclude_system_fields="false" short_names="true"

Context Example

{}

Human Readable Output

{
   "accountgroups": {
       "associatedToAll": false,
       "associatedTypes": [
           "Brute Force"
       ],
       "name": "Account Groups",
       "shortName": "accountgroups",
       "type": "shortText"
   },
   "accountid": {
       "associatedToAll": false,
       "associatedTypes": [
           "Prisma Cloud",
           "GCP Compute Engine Misconfiguration",
           "AWS CloudTrail Misconfiguration",
           "AWS IAM Policy Misconfiguration",
           "AWS EC2 Instance Misconfiguration"
       ],
       "name": "Account ID",
       "shortName": "accountid",
       "type": "shortText"
   },
   "accountname": {
       "associatedToAll": false,
       "associatedTypes": [
           "Prisma Cloud",
           "GCP Compute Engine Misconfiguration",
           "AWS CloudTrail Misconfiguration",
           "AWS IAM Policy Misconfiguration",
           "AWS EC2 Instance Misconfiguration",
           "Microsoft CAS Alert",
           "CrowdStrike Falcon Detection"
       ],
       "name": "Account Name",
       "shortName": "accountname",
       "type": "shortText"
   },
   "acquisitionhire": {
       "associatedToAll": false,
       "associatedTypes": [
           "IAM - AD User Activation"
       ],
       "name": "Acquisition Hire",
       "shortName": "acquisitionhire",
       "type": "shortText"
   },
   "activedirectoryaccountstatus": {
       "associatedToAll": false,
       "associatedTypes": [
           "Employee Offboarding"
       ],
       "name": "Active Directory Account Status",
       "shortName": "activedirectoryaccountstatus",
       "type": "singleSelect"
   },
   "activedirectorydisplayname": {
       "associatedToAll": false,
       "associatedTypes": [
           "Employee Offboarding"
       ],
       "name": "Active Directory Display Name",
       "shortName": "activedirectorydisplayname",
       "type": "shortText"
   },
   "activedirectorypasswordstatus": {
       "associatedToAll": false,
       "associatedTypes": [
           "Employee Offboarding"
       ],
       "name": "Active Directory Password Status",
       "shortName": "activedirectorypasswordstatus",
       "type": "singleSelect"
   },
   "agentid": {
       "associatedToAll": true,
       "associatedTypes": "all",
       "name": "Agent ID",
       "shortName": "agentid",
       "type": "shortText"
   },
   "agentsid": {
       "associatedToAll": true,
       "associatedTypes": "all",
       "name": "Agents ID",
       "shortName": "agentsid",
       "type": "multiSelect"
   },
   "agentversion": {
       "associatedToAll": true,
       "associatedTypes": "all",
       "name": "Agent Version",
       "shortName": "agentversion",
       "type": "multiSelect"
   },

Troubleshooting

Multi-tenant environments should be configured with the Cortex Rest API instance when using this
automation. Make sure the Use tenant parameter (in the Cortex Rest API integration) is checked
to ensure that API calls are made to the current tenant instead of the master tenant.