Automate changes to alert fields using timer scripts - Administrator Guide - Cortex XSIAM - Cortex

Automate changes to alert fields using timer scripts - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product

Cortex XSIAM

Creation date

2024-02-26

Last date published

2024-04-25

Create timer scripts

Abstract

Create scripts that perform specific actions in Cortex XSIAM when a timer field times out.

When you create your scripts, the following arguments are automatically added, in addition to the basic elements provided with every script (for example, current investigation and current alert):

field: The current triggered timer field object (contains: name, cliName, threshold and more.).

fieldValue: The current triggered timer field's value. For example the startDate.

The following table lists the different properties in the SLA timer field value:

Property	Type	Description
`dueDate`	Date	The date the timer is due.
`breachTriggered`	Boolean	Whether the timer has timed out.
`sla`	INT (in minutes)	The time period for this timer. This is the value that you defined in the Timer field.
`endDate`	Date	The date the timer completed.
`lastPauseDate`	Date	The last date the timer was paused.
`startDate`	Date	The date at which the timer was started.
`accumulatedPause`	INT (in seconds)	The total number of seconds that the timer was in a paused state.
`totalDuration`	INT (in seconds)	The total number of seconds that the timer was running. This property is populated after the timer is stopped.
`slaStatus`	INT	Represents the Cortex XSIAM timerstatus. Values are: `-1`: The timer has not been set. `0`: The timer is within the allotted range. `1`: The timer is below the defined risk threshold. `2`: The timer has timed out.
`runStatus`	String	Represents the current status of the timer. Values are: `idle` `running` `paused` `ended`