Update Incident Fields From an Alert - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Administrator Guide

Product
Cortex XSIAM
Creation date
2024-07-16
Last date published
2024-10-13
Category
Administrator Guide
Abstract

The different ways to update the incident fields.

Sometimes you need to update fields on the parent incident based on what you find in one of its alerts. For example, an incident may contain many alerts with different severities; after investigating one of them, the analyst concludes the incident as a whole is less serious than its current severity suggests and wants to lower it to low.

You can update the following incident fields through a playbook, script, or command:

  • manual_severity

  • starred

  • assigned_user_email

  • status

  • score

  • incident_name

  • description

Update Incident Fields Using the CLI

You can update incident fields from the Incident or Alert War Room by running the !setParentIncidentFields command. For example, to rename the incident to Malware, run !setParentIncidentFields incident_name=Malware.

Note

You can set multiple fields in a single command. For example, !setParentIncidentFields incident_name=Malware starred=true

When you select a field in the CLI, the available values are shown for enumerated fields (such as status).

Update Incident Fields Using a Playbook

When a playbook runs on an alert, by default any data it writes goes to the alert's context data and alert fields. To write to the parent incident's context data and incident fields instead, configure the relevant tasks in the playbook as described in the following example.

Caution

A user who has the Trigger Playbook permission on an alert can run playbooks and scripts that call setParentIncidentFields, and can therefore modify the parent incident even without full permissions on the incident itself. Take this into account when deciding who may trigger playbooks and scripts that write to the parent incident.

In the following example, you want to star an incident in a playbook.

  1. Add the following tasks to a new or existing playbook.

    1. Create a Conditional task that checks whether the parent incident is already starred, using the ${parentIncidentFields.starred} key.

      [Image: parent-incident-task.png]
    2. Create a standard task that runs the setParentIncidentFields script to set the starred field.

      [Image: parent-incident-task2.png]
    3. Create a standard task that prints the value to the War Room.

      [Image: parent-incident-task3.png]
  2. Run the playbook.

    The incident context data now contains the key starred: true. Whether the playbook ran on an alert or on the incident, after you refresh the incident it shows as starred.

Update Incident Fields Using a Script

A script that runs in an alert writes its data to the alert fields by default. To update fields on the parent incident instead, call the setParentIncidentFields command from the script through demisto.executeCommand, passing the fields to set as a JSON-style dictionary of arguments.

For example, to set the incident status to resolved, call demisto.executeCommand("setParentIncidentFields", {"status": "resolved_other"}).
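The following Python automation is an added example, not code from the Cortex XSIAM guide. It covers both the playbook step above (setting starred on the parent incident) and the script call just shown: it wraps setParentIncidentFields in an allowlist built from the writable fields listed on this page, normalizes CLI-style string values, and raises on an error entry from the command. The allowlist addresses the Caution above: because anyone who can trigger the script from an alert can make it write to the parent incident, the script should only expose the fields you intend. Assumptions: the stand-in demisto object used when demistomock is not importable is a constructed test double; error entries are detected by entry Type 4 (EntryType.ERROR in CommonServerPython); the field values passed in the demo are taken from this page.

```python
"""Update parent-incident fields from an alert-level automation (added example)."""
from typing import Any, Callable, Dict, List, Optional, Set

try:
    import demistomock as demisto  # available in the XSIAM script runtime / demisto-sdk
except ImportError:  # stand-alone run: constructed stand-in that records the call
    class _FakeDemisto:
        def __init__(self) -> None:
            self.calls: List[Any] = []

        def executeCommand(self, command: str, args: Dict[str, Any]) -> List[Dict[str, Any]]:
            self.calls.append((command, args))
            # Shape of a successful War Room entry; Type 1 is a normal note entry.
            return [{"Type": 1, "Contents": "done", "ContentsFormat": "text"}]

        def results(self, entry: Any) -> None:
            print(entry)

    demisto = _FakeDemisto()

ERROR_ENTRY_TYPE = 4  # EntryType.ERROR in CommonServerPython

# Parent-incident fields this guide lists as writable through setParentIncidentFields.
WRITABLE_FIELDS: Set[str] = {
    "manual_severity", "starred", "assigned_user_email",
    "status", "score", "incident_name", "description",
}
BOOL_FIELDS = {"starred"}
INT_FIELDS = {"score"}


def build_parent_update(requested: Dict[str, Any],
                        allowed: Set[str] = WRITABLE_FIELDS) -> Dict[str, Any]:
    """Return the setParentIncidentFields argument dict, restricted to allowed fields.

    Unknown or disallowed fields raise ValueError instead of being dropped silently,
    so a typo, or a caller probing for a field it should not touch, fails loudly.
    """
    unknown = sorted(set(requested) - allowed)
    if unknown:
        raise ValueError(f"fields not writable via setParentIncidentFields: {unknown}")
    args: Dict[str, Any] = {}
    for name, value in requested.items():
        if name in BOOL_FIELDS:
            # CLI arguments arrive as strings ("true"/"false"); normalize to a real bool.
            if isinstance(value, str):
                value = value.strip().lower() == "true"
            args[name] = bool(value)
        elif name in INT_FIELDS:
            args[name] = int(value)
        else:
            args[name] = str(value)
    return args


def update_parent_incident(requested: Dict[str, Any],
                           allowed: Set[str] = WRITABLE_FIELDS,
                           execute: Optional[Callable[..., Any]] = None) -> Dict[str, Any]:
    """Validate, run setParentIncidentFields, and surface command errors.

    Returns the argument dict that was sent. Raises RuntimeError if the server
    answered with an error entry (for example, insufficient permission on the parent).
    """
    execute = execute or demisto.executeCommand
    args = build_parent_update(requested, allowed)
    entries = execute("setParentIncidentFields", args) or []
    errors = [e.get("Contents") for e in entries if e.get("Type") == ERROR_ENTRY_TYPE]
    if errors:
        raise RuntimeError(f"setParentIncidentFields failed: {errors}")
    return args


if __name__ == "__main__":
    # A script analysts may trigger from an alert should expose as little as possible:
    # this one may only star the parent incident and rename it, nothing else.
    sent = update_parent_incident({"starred": "true", "incident_name": "Malware"},
                                  allowed={"starred", "incident_name"})
    demisto.results(f"parent incident updated: {sent}")
```

In a real automation, pass the analyst-supplied values from demisto.args() into update_parent_incident with an allowlist narrowed to the fields that script is meant to change; the full WRITABLE_FIELDS set is the upper bound, not the default you want for every script.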

Note

Ensure that you have the RBAC permission required to write scripts.