We use standardized code conventions to ensure uniformity across all Cortex XSOAR Integrations. This section outlines our code conventions. New integrations and scripts should follow these conventions. When working on small fixes and modifications to existing code, follow the conventions used in the existing code.

Note: Cortex XSOAR also supports JavaScript integrations and scripts. Our preferred development language is Python, and all new integrations and scripts should be developed in Python, which also provides a wider set of capabilities compared to the available JavaScript support. Simple scripts may still be developed in JavaScript using the conventions provided by the default script template used in the Cortex XSOAR IDE.

Example Code and Templates

For an example of a Hello World integration see HelloWorld.

For quick start templates see Templates directory.

Python 2 vs 3

All new integrations and scripts should be written in Python 3. Python 2 is supported only for existing integrations and scripts.

You define imports and disable insecure warnings at the top of the file.

Note: If the response returned is in epoch, it is a best practice to convert it to %Y-%m-%dT%H:%M:%S.

When working on a command that supports pagination (usually has API parameters like page and/or page size) with a maximal page size enforced by the API, our best practice is to create a command that will support two different use-cases with the following 3 integer arguments:

- Manual Pagination: The user wants to control the pagination on their own by using the page and page size arguments, usually as part of a wrapper script for the command. To achieve this, the command will simply pass the page and page size values on to the API request. If the limit argument was also provided, it is redundant and should be ignored.
- Automatic Pagination: Useful when the user prefers to work with the total number of results returned from the playbook task rather than implementing a wrapper script that works with pages. In this case, the limit argument will be used to aggregate results by iterating over the necessary pages from the first page until collecting all the needed results. This implies a pagination loop mechanism will be implemented behind the scenes. For example, if the limit value received is 250 and the maximal page size enforced by the API is 100, the command will need to perform 3 API calls (pages 1, 2, and 3) to collect the 250 requested results.
- Note that when a potentially large number of results may be returned, and the user wants to perform filters and/or transformers on them, we still recommend creating a wrapper script for the command for better performance.
- Page Tokens: In case an API supports page tokens, instead of the more common 'limit' and 'offset'/'skip' as query parameters:
  - The arguments that will be implemented are: limit, page_size and next_token.
  - The retrieved next_token should be displayed in human readable output and in the context. It will be a single node in the context, and will be overwritten each command run:

The argument above can be seen in the integration settings as shown below: After the command is executed, the arguments are displayed in the War Room as part of the command, for example:

IndicatorsTimeline

The IndicatorTimeline is an optional object (available from Server version 5.5.0 and up). It is only applicable for commands that operate on indicators. It is a dictionary (or list of dictionaries) of the following format:

When IndicatorTimeline data is returned in an entry, the timeline section of the indicator whose value was noted in the timeline data will be updated (and is viewable in the indicator's view page in Cortex XSOAR as can be seen in the attached image).

What value should be used for the 'Category' field of a timeline data object?

Any Cortex XSOAR integration command or automation that returns timeline data may include the 'Category' value. If not given, when returning timeline data from a Cortex XSOAR integration or automation, the value will be 'Integration Update' or 'Automation Update' accordingly.

So when should one include a timeline object in an entry returned to the war room?

The answer is any time that a command operates on an indicator. A good indicator (pun intended?) of when timeline data should be included in an entry is to look and see if the command returns a DBotScore or entities as described in our context standards documentation to the entry context. A common case is reputation commands, i.e.
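The manual and automatic pagination use-cases described on this page, as an added example that is not part of the original documentation or the Cortex XSOAR code base. The names `paginate` and `FakeApi`, the default limit of 50, and the constructed record set are assumptions made for illustration; the maximal page size of 100 follows the page's own 250/100 example.

```python
from typing import Callable, List, Optional

API_MAX_PAGE_SIZE = 100  # assumption: maximal page size enforced by the API
DEFAULT_LIMIT = 50       # assumption: default when no argument is supplied


class FakeApi:
    """Constructed stand-in for a paged API; records every request it receives."""

    def __init__(self, total: int):
        self.records = [{"id": i} for i in range(total)]
        self.calls: List[tuple] = []

    def fetch_page(self, page: int, page_size: int) -> List[dict]:
        if page_size > API_MAX_PAGE_SIZE:
            raise ValueError("page_size exceeds the API maximum")
        self.calls.append((page, page_size))
        start = (page - 1) * page_size
        return self.records[start:start + page_size]


def paginate(fetch_page: Callable[[int, int], List[dict]],
             page: Optional[int] = None,
             page_size: Optional[int] = None,
             limit: Optional[int] = None) -> List[dict]:
    for name, value in (("page", page), ("page_size", page_size), ("limit", limit)):
        if value is not None and value < 1:
            raise ValueError(f"{name} must be a positive integer")

    # Manual pagination: pass page/page_size straight to the API, ignore limit.
    if page is not None or page_size is not None:
        return fetch_page(page or 1, page_size or DEFAULT_LIMIT)

    # Automatic pagination: walk pages from 1 until `limit` results are collected.
    # The page size stays constant so page numbers map to stable offsets; the
    # last page is trimmed locally instead of requesting a smaller page.
    remaining = limit if limit is not None else DEFAULT_LIMIT
    size = min(remaining, API_MAX_PAGE_SIZE)
    results: List[dict] = []
    current = 1
    while remaining > 0:
        batch = fetch_page(current, size)
        taken = batch[:remaining]
        results.extend(taken)
        remaining -= len(taken)
        if len(batch) < size:  # short page: no more data upstream
            break
        current += 1
    return results
```

In an integration, `fetch_page` would be the client method that issues the API request, and the three arguments would come from the command's `args`.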