Custom Indicator

Overview

CustomIndicator is a new helper class which can be used to create a customized indicator.

CustomIndicator Class

  • The CustomIndicator class accepts any custom name for the indicator.
  • Unlike other indicators, the CustomIndicator can have any parameters. They are passed by the data argument, which is a dictionary where the key is the parameter name and the value is the parameter's value.
  • The CustomIndicator can have a custom context data prefix, which is passed by the context_prefix argument.
  • Functions:
    • __init__(self, indicator_type, value, dbot_score, data, context_prefix):
      • Description: Creates the CustomIndicator object.

      • Arguments:

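        | Argument       | Description                                                             | Type             |
        |----------------|-------------------------------------------------------------------------|------------------|
        | indicator_type | The type name of the indicator.                                         | String           |
        | value          | Value of the indicator.                                                 | Any              |
        | dbot_score     | If the custom indicator has a score, create and set a DBotScore object. | DBotScore        |
        | data           | A dictionary containing all the parameter names and their values.       | Dict(String,Any) |
        | context_prefix | Used as the context path prefix.                                        | String           |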
      • Returns: None

    • to_context(self):
      • Description: Returns the context of a customized indicator.
      • Arguments: None
      • Returns: Dict(String,Any)

How To Use

  1. Create a DBotScore object.

    score = Common.DBotScore.GOOD
    indicator_value = 'custom_value'
    dbot_score = Common.DBotScore(
        indicator=indicator_value,
        indicator_type=DBotScoreType.CUSTOM,
        integration_name='DummyIntegration',
        score=score
    )
  2. Create a dictionary containing the parameters needed for the customized indicator.

    data = {
        'param1': 'value1',
        'param2': 'value2',
    }
  3. Create a CustomIndicator object with the parameters dictionary and the DBotScore object.

    custom_indicator = Common.CustomIndicator(
        indicator_type='MyCustomIndicator',
        dbot_score=dbot_score,
        value=indicator_value,
        data=data,
        context_prefix='custom',
    )
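  4. Return the result of the command.

    # `result` is not defined in this snippet; it stands for the
    # command's output data, built earlier in the command function.
    return CommandResults(
        readable_output='Custom Indicator result',
        outputs=result,
        outputs_prefix='Demo.CUSTOM',
        outputs_key_field='test_key_field',
        indicator=custom_indicator
    )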
  5. Follow the guides below to add your new indicator type to your XSOAR instance:

    a. Create an indicator type.

    b. Create and map indicator fields.

    c. Customize the layout for your indicator.

    d. Create a regex in your indicator type, so the indicator will be enriched.
