Are you able to use the placeholder fields from playbook action jsonresults in the HTML widgets? Some examples would be to create a table of select fields from a UDM query or select fields from an EDR action. I'm able to get values like alert.product. All of this is done in a playbook view.
The Predefined Widget can be modified to only return specific fields.
// Build 'specifiedKeys' by normalizing each UDM field name: every non-alphanumeric
// character (dots, underscores) is stripped and the result is lowercased,
// e.g. "principal.asset_id" becomes "principalassetid".
const specifiedKeys = [
  // entity
  "entity.asset.asset_id", "entity.asset.hostname", "entity.asset.ip", "entity.asset.mac", "entity.asset.product_object_id", "entity.file",
  "entity.group.email_address", "entity.group.product_object_id", "entity.group.windows_sid", "entity.hostname",
  "entity.resource.name", "entity.resource.product_object_id", "entity.url",
  "entity.user.email_address", "entity.user.employee_id", "entity.user.product_object_id", "entity.user.userid", "entity.user.windows_sid",
  // metadata
  "metadata.collected_timestamp", "metadata.threat", "metadata.description", "metadata.event_timestamp", "metadata.event_type",
  "metadata.ingestion_labels.key", "metadata.ingestion_labels.value", "metadata.product_deployment_id", "metadata.product_event_type",
  "metadata.product_log_id", "metadata.product_name", "metadata.vendor_name",
  // network
  "network.application_protocol", "network.dns_domain", "network.dns.answers.data", "network.dns.answers.name", "network.dns.answers.type",
  "network.dns.questions.name", "network.dns.questions.type",
  "network.email.bcc", "network.email.email.cc", "network.email.from", "network.email.reply_to", "network.email.subject", "network.email.to",
  "network.ftp.command", "network.http.method", "network.http.referral_url", "network.http.response_code", "network.http.user_agent", "network.ip_protocol",
  // principal
  "principal.asset_id", "principal.asset.asset_id", "principal.asset.hostname", "principal.asset.ip", "principal.asset.mac", "principal.cloud.environment",
  "principal.file.full_path", "principal.file.md5", "principal.file.sha1", "principal.file.sha256", "principal.hostname", "principal.ip", "principal.mac",
  "principal.process.command_line", "principal.process.file.full_path", "principal.process.parent_process",
  "principal.process.parent_process.command_line", "principal.process.parent_process.file.full_path",
  "principal.process.pid", "principal.process.product_specific_process_id",
  "principal.registry.registry_key", "principal.registry.registry_value_name",
  "principal.resource.attribute.cloud.project.name", "principal.resource.attribute.cloud.project.resource_subtype", "principal.resource.name", "principal.url",
  "principal.user.attribute.permissions.name", "principal.user.attribute.permissions.type",
  "principal.user.attribute.roles.description", "principal.user.attribute.roles.name",
  "principal.user.email_address", "principal.user.product_object_id", "principal.user.userid", "principal.user.windows_sid",
  // security_result
  "security_result.action", "security_result.category", "security_result.description",
  "security_result.detection_fields.key", "security_result.detection_fields.value", "security_result.summary",
  "security_result.threat_id", "security_result.threat_id_namespace", "security_result.threat_name",
  // source
  "source.asset_id", "source.asset.asset_id", "source.asset.hostname", "source.asset.ip", "source.asset.mac",
  "source.file.md5", "source.file.sha1", "source.file.sha256", "source.hostname", "source.ip", "source.mac",
  "source.process.parent_process", "source.process.product_specific_process_id",
  "source.user.email_address", "source.user.product_object_id", "source.user.userid", "source.user.windows_sid",
  // target
  "target.application", "target.asset_id", "target.asset.asset_id", "target.asset.hostname", "target.asset.ip", "target.asset.mac",
  "target.cloud.environment", "target.cloud.project.name",
  "target.file.full_path", "target.file.md5", "target.file.sha1", "target.file.sha256", "target.hostname", "target.ip", "target.mac", "target.port",
  "target.process.command_line", "target.process.file.full_path", "target.process.parent_process",
  "target.process.parent_process.command_line", "target.process.parent_process.file.full_path",
  "target.process.pid", "target.process.product_specific_process_id",
  "target.registry.registry_key", "target.registry.registry_value_name", "target.resource.name", "target.resource.resource_type",
  "target.user.email_address", "target.user.product_object_id", "target.user.userid", "target.user.windows_sid"
].map(key => key.replace(/[\W_]/g, "").toLowerCase());
// Set to true to filter with specifiedKeys on initial load
predefinedFieldsCheckbox.checked = false;
specifiedKeys contains the array of keys that are returned when the "Important UDM" checkmark is enabled in the widget from the UI. You can change the keys to be whatever you want.
If you want those "Important UDM" fields to be rendered on load, you need to set the predefinedFieldsCheckbox.checked variable to true.
Give it a try and let me know if it worked and solved your use case. Thanks.
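One way to build the table the question asks about, as an added example that is not part of the original answer or of the Predefined Widget's code: it reuses the answer's key normalization to allow-list fields from a UDM-style event and HTML-escapes the values before rendering. The function names, the sample event, and how the JSON result reaches the widget are assumptions.

```javascript
// Added example. normalizeKey mirrors the normalization in the answer; all else is illustrative.
const normalizeKey = key => key.replace(/[\W_]/g, "").toLowerCase();

// Flatten a nested UDM-style object into [dottedPath, value] pairs.
// Array indices are left out of the path so repeated fields such as
// principal.ip still match their allow-list entry after normalization.
function flatten(node, path = "", out = []) {
  if (Array.isArray(node)) {
    node.forEach(item => flatten(item, path, out));
  } else if (node !== null && typeof node === "object") {
    for (const [k, v] of Object.entries(node)) {
      flatten(v, path ? `${path}.${k}` : k, out);
    }
  } else if (node != null && node !== "") {
    out.push([path, node]);
  }
  return out;
}

// Escape log-derived values before they are placed into widget HTML.
const escapeHtml = s => String(s).replace(/[&<>"']/g, c =>
  ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));

// Keep only allow-listed fields; repeated values are merged under one path.
function selectFields(event, keys) {
  const allowed = new Set(keys.map(normalizeKey));
  const picked = new Map();
  for (const [path, value] of flatten(event)) {
    if (!allowed.has(normalizeKey(path))) continue;
    picked.set(path, [...(picked.get(path) || []), value]);
  }
  return picked;
}

function renderTable(event, keys) {
  const rows = [...selectFields(event, keys)].map(([path, values]) =>
    `<tr><th>${escapeHtml(path)}</th><td>${values.map(escapeHtml).join(", ")}</td></tr>`);
  return `<table>${rows.join("")}</table>`;
}

// Constructed sample event (not real data).
const sampleEvent = {
  metadata: { event_type: "PROCESS_LAUNCH", product_name: "ExampleEDR" },
  principal: { hostname: "ws-01", ip: ["10.0.0.5", "192.0.2.7"],
    process: { command_line: "cmd.exe /c echo <b>hi</b>", pid: "4242" } }
};
const wantedKeys = ["metadata.event_type", "principal.ip", "principal.process.command_line"];
const html = renderTable(sampleEvent, wantedKeys);
```

Because the normalization drops dots and underscores, two distinct paths such as `a.b_c` and `a.b.c` collapse to the same key, so check the allow-list for unintended matches.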