I would like to be able to have columns in data tables that are not visible in the GUI.
This would be helpful for holding information that isn't particularly useful for whoever is working the incident, but would be useful for automation. An example of such a field would be some kind of ID like an event ID.
My particular use case would be this:
Most of our Incidents in Resilient are created from QRadar offenses. It's possible for our QRadar offenses to continue to collect more events/flows after the offense is created (and therefore it's already in Resilient). We continuously push the event_count and flow_count fields from QRadar and have a rule to trigger a task that alerts the analyst that their QRadar data is out of sync and they need to repull it (an action we created). Currently, in this action, we have to clear the data table and then replace the whole data table with the information we retrieve from QRadar. This could be an issue: if the analyst changes anything in the data table, it will get erased and that data will be lost. My solution would be to check the event IDs of the row to determine if it's in the data table already or not. I could add the eventID column to the data table, but having fields that the analyst doesn't need clutters up the GUI. I would prefer to have this as a hidden column/field in the data table.
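
The ID-based check described in the post above, as an added example that is not part of the original post and not Resilient or QRadar code: an append-only merge that adds only events whose ID is not yet in the table, so rows the analyst has edited are never overwritten. Plain dicts stand in for data table rows, and the column name `event_id` and the other field names are assumptions.

```python
# Added example: plain dicts stand in for data table rows; no Resilient or QRadar API is called.
ID_COLUMN = "event_id"  # assumed name for the hidden ID column


def plan_sync(existing_rows, pulled_events, id_column=ID_COLUMN):
    """Return the pulled events that are not yet in the table, keyed on the ID column."""
    # IDs already present. Rows without an ID (e.g. added by hand) simply never match.
    known_ids = {
        str(row[id_column])
        for row in existing_rows
        if row.get(id_column) not in (None, "")
    }
    rows_to_add = []
    for event in pulled_events:
        event_id = event.get(id_column)
        if event_id in (None, ""):
            raise ValueError("pulled event has no %s; cannot deduplicate" % id_column)
        key = str(event_id)  # normalise so 1001 and "1001" are the same event
        if key in known_ids:
            continue  # already in the table: leave the analyst's version alone
        known_ids.add(key)  # also drops duplicates within the same pull
        rows_to_add.append(dict(event))
    return rows_to_add


def apply_sync(existing_rows, pulled_events, id_column=ID_COLUMN):
    """Append-only merge: the old table, untouched, followed by the new events."""
    return list(existing_rows) + plan_sync(existing_rows, pulled_events, id_column)


# Constructed sample data.
TABLE = [
    {"event_id": "1001", "source_ip": "10.0.0.5", "note": "analyst: confirmed benign"},
    {"event_id": "1002", "source_ip": "10.0.0.9", "note": ""},
    {"event_id": None, "source_ip": "10.0.0.77", "note": "row added by hand"},
]
PULLED = [
    {"event_id": 1001, "source_ip": "10.0.0.5", "note": ""},   # already present
    {"event_id": "1003", "source_ip": "10.0.0.12", "note": ""},  # new
    {"event_id": "1003", "source_ip": "10.0.0.12", "note": ""},  # duplicate in pull
]

if __name__ == "__main__":
    for row in apply_sync(TABLE, PULLED):
        print(row)
```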