Are you able to use the placeholder fields from playbook action jsonresults in the html widgets? Some examples would be to create a table of select fields from a UDM query or select fields from an EDR action? I'm able to get values like alert.product. All of this is done in a playbook view.
The Predefined Widget can be modified to only return specific fields.
// Create a new array, 'specifiedKeys', by mapping over an existing array.
const specifiedKeys = ["entity.asset.asset_id", "entity.asset.hostname", "entity.asset.ip", "entity.asset.mac", "entity.asset.product_object_id", "entity.file", "entity.group.email_address", "entity.group.product_object_id", "entity.group.windows_sid", "entity.hostname", "entity.resource.name", "entity.resource.product_object_id", "entity.url", "entity.user.email_address", "entity.user.employee_id", "entity.user.product_object_id", "entity.user.userid", "entity.user.windows_sid", "metadata.collected_timestamp", "metadata.threat", "metadata.description", "metadata.event_timestamp", "metadata.event_type", "metadata.ingestion_labels.key", "metadata.ingestion_labels.value", "metadata.product_deployment_id", "metadata.product_event_type", "metadata.product_log_id", "metadata.product_name", "metadata.vendor_name", "network.application_protocol", "network.dns_domain", "network.dns.answers.data", "network.dns.answers.name", "network.dns.answers.type", "network.dns.questions.name", "network.dns.questions.type", "network.email.bcc", "network.email.cc", "network.email.from", "network.email.reply_to", "network.email.subject", "network.email.to", "network.ftp.command", "network.http.method", "network.http.referral_url", "network.http.response_code", "network.http.user_agent", "network.ip_protocol", "principal.asset_id", "principal.asset.asset_id", "principal.asset.hostname", "principal.asset.ip", "principal.asset.mac", "principal.cloud.environment", "principal.file.full_path", "principal.file.md5", "principal.file.sha1", "principal.file.sha256", "principal.hostname", "principal.ip", "principal.mac", "principal.process.command_line", "principal.process.file.full_path", "principal.process.parent_process", "principal.process.parent_process.command_line", "principal.process.parent_process.file.full_path", "principal.process.pid", "principal.process.product_specific_process_id", "principal.registry.registry_key", "principal.registry.registry_value_name", 
"principal.resource.attribute.cloud.project.name", "principal.resource.attribute.cloud.project.resource_subtype", "principal.resource.name", "principal.url", "principal.user.attribute.permissions.name", "principal.user.attribute.permissions.type", "principal.user.attribute.roles.description", "principal.user.attribute.roles.name", "principal.user.email_address", "principal.user.product_object_id", "principal.user.userid", "principal.user.windows_sid", "security_result.action", "security_result.category", "security_result.description", "security_result.detection_fields.key", "security_result.detection_fields.value", "security_result.summary", "security_result.threat_id", "security_result.threat_id_namespace", "security_result.threat_name", "source.asset_id", "source.asset.asset_id", "source.asset.hostname", "source.asset.ip", "source.asset.mac", "source.file.md5", "source.file.sha1", "source.file.sha256", "source.hostname", "source.ip", "source.mac", "source.process.parent_process", "source.process.product_specific_process_id", "source.user.email_address", "source.user.product_object_id", "source.user.userid", "source.user.windows_sid", "target.application", "target.asset_id", "target.asset.asset_id", "target.asset.hostname", "target.asset.ip", "target.asset.mac", "target.cloud.environment", "target.cloud.project.name", "target.file.full_path", "target.file.md5", "target.file.sha1", "target.file.sha256", "target.hostname", "target.ip", "target.mac", "target.port", "target.process.command_line", "target.process.file.full_path", "target.process.parent_process", "target.process.parent_process.command_line", "target.process.parent_process.file.full_path", "target.process.pid", "target.process.product_specific_process_id", "target.registry.registry_key", "target.registry.registry_value_name", "target.resource.name", "target.resource.resource_type", "target.user.email_address", "target.user.product_object_id", "target.user.userid", "target.user.windows_sid"].map(key => 
key.replace(/[\W_]/g, "").toLowerCase());
// Set to true to apply specifiedKeys on initial load
predefinedFieldsCheckbox.checked = false;
specifiedKeys contains an array of keys that are going to be returned when the "Important UDM" checkmark is enabled in the widget from the UI. You can change the keys to be whatever you want.
If you want those "Important UDM" fields to be rendered on load, then you need to set the predefinedFieldsCheckbox.checked variable to true.
Give it a try and let me know if it worked and solved your use case. Thanks.
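Added example (not part of the original post, and not the predefined widget's own code): one way to apply the same key normalization as an allow-list over a JSON result and render only the selected fields as a table. The helpers flatten, selectFields, escapeHtml and renderTable, the short allow-list and the sample event are hypothetical; the page does not show how the widget itself flattens results. Values are HTML-escaped because fields such as command lines come from logs and can contain markup.

```javascript
// normalizeKey mirrors the page's key.replace(/[\W_]/g, "").toLowerCase().
const normalizeKey = (key) => key.replace(/[\W_]/g, "").toLowerCase();

// Hypothetical short allow-list; the page's specifiedKeys array is much longer.
const allowedKeys = new Set(
  ["metadata.event_type", "principal.hostname", "principal.process.command_line", "target.ip"].map(normalizeKey)
);

// Flatten nested objects/arrays into dotted paths, e.g. {a:{b:1}} -> {"a.b": "1"}.
// Array indexes are dropped so "target.ip" matches both a scalar and a list.
function flatten(value, prefix = "", out = {}) {
  if (value !== null && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      const path = Array.isArray(value) ? prefix : (prefix ? `${prefix}.${k}` : k);
      flatten(v, path, out);
    }
  } else if (prefix) {
    out[prefix] = prefix in out ? `${out[prefix]}, ${value}` : String(value);
  }
  return out;
}

// Keep only allow-listed columns from one event.
function selectFields(event) {
  const flat = flatten(event);
  return Object.fromEntries(
    Object.entries(flat).filter(([k]) => allowedKeys.has(normalizeKey(k)))
  );
}

// Log-derived values are attacker-influenced: escape before building markup.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));

function renderTable(events) {
  const rows = events.map(selectFields);
  const cols = [...new Set(rows.flatMap(Object.keys))];
  const head = `<tr>${cols.map((c) => `<th>${escapeHtml(c)}</th>`).join("")}</tr>`;
  const body = rows.map((r) => `<tr>${cols.map((c) => `<td>${escapeHtml(r[c] ?? "")}</td>`).join("")}</tr>`).join("");
  return `<table>${head}${body}</table>`;
}

// Constructed sample input, not real action output.
const sampleEvents = [
  { metadata: { event_type: "PROCESS_LAUNCH", product_name: "ExampleEDR" },
    principal: { hostname: "ws-01", process: { command_line: "cmd /c echo <b>hi</b>" } },
    target: { ip: ["10.0.0.5", "10.0.0.6"] } },
];
```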
Hey @_eo,
Placeholders work inside the HTML body. Make sure that the placeholder is valid. This action has a "predefined" OOTB widget associated with it, did you try it?
I have tried the predefined widget but it outputs every column and I haven't been able to find a way to limit the output in the predefined widget via the UDM query itself. As far as I can tell, the action takes very basic UDM queries and is not able to use variables to output only certain fields.
I also found this article after making this post, Solved: Re: Playbook Views - Table HTML - Google Cloud Community, explaining to encapsulate the placeholder in [] and to use the browser's devtools to check how it is done. I haven't given this a try yet, but will later today.
Thanks! That is exactly what I was looking for.