Built-in filter and commands - Use the built in Get Entries filter, task complete command, and reopen investigation command. - Developer Guide - Cortex XSIAM - Cortex

Abstract

Use the built in Get Entries filter, task complete command, and reopen investigation command.

Use the following built-in elements to facilitate your investigation and response.

When building a script, you can fetch entries from an incident. If you do not specify the incident ID number, the script fetches from the current incident. You can create a filter to limit the search results.

Filter	Description
pageSize	The number of entries to return.
lastId	Return entries starting from the specified entry ID and backward.
firstID	Return entries starting from the specified entry ID and forward.
selectedEntryID	Return entries before and after the specified entry ID.
categories	Return entries with the specified categories (array). {commandAndResults, playbookTaskResult, playbookTaskStartAndDone, playbookErrors, justFound, deleted, incidentInfo, chats, evidence, notes, attachments}
tags	Return entries with the specified tags (array).
users	Return entries with the specified users (array).
tagsAndOperator	Return entries that include all specified tags.
fromTime	Return entries from this time and forward.
parentID	The ID of the parent entry.

Example: Grab all entries that have been marked as a note

res = demisto.executeCommand("getEntries", {"filter": {"categories": ["notes"]}})
demisto.results(str(res))

Response

[{
        u 'Category': u 'Builtin',
        u 'ModuleName': u 'InnerServicesModule',
        u 'System': u '',
        u 'Note': True,
        u 'Version': 2,
        u 'ReadableContentsFormat': u '',
        u 'Type': 1,
        u 'Metadata': {
            u 'reputationSize': 0,
            u 'startDate': u '0001-01-01T00:00:00Z',
            u 'recurrent': False,
            u 'sortValues': None,
            u 'file': u '',
            u 'retryTime': u '0001-01-01T00:00:00Z',
            u 'previousAllReadWrite': False,
            u 'endingDate': u '0001-01-01T00:00:00Z',
            u 'id': u '96@42646',
            u 'contents': u '',
            u 'cronView': False,
            u 'category': u 'chat',
            u 'note': True,
            u 'isTodo': False,
            u 'format': u 'markdown',
            u 'system': u '',
            u 'mirrored': False,
            u 'hasRole': False,
            u 'pinned': False,
            u 'instance': u 'Builtin',
            u 'version': 2,
            u 'parentId': u '',
            u 'type': 1,
            u 'brand': u 'Builtin',
            u 'timezoneOffset': 0,
            u 'scheduled': False,
            u 'parentEntryTruncated': False,
            u 'previousRoles': None,
            u 'allRead': False,
            u 'allReadWrite': False,
            u 'incidentCreationTime': u '0001-01-01T00:00:00Z',
            u 'ShardID': 0,
            u 'reputations': None,
            u 'user': u 'admin',
            u 'taskId': u '',
            u 'parentContent': u '!getEntries filter="{\\"categories\\":[\\"notes\\"]}"',
            u 'fileMetadata': None,
            u 'tags': None,
            u 'tagsRaw': None,
            u 'errorSource': u '',
            u 'entryTask': None,
            u 'roles': None,
            u 'created': u '2021-03-08T18:47:47.786120529Z',
            u 'IndicatorTimeline': None,
            u 'modified': u '2021-03-08T18:47:51.032485206Z',
            u 'times': 0,
            u 'investigationId': u '42646',
            u 'dbotCreatedBy': u 'admin',
            u 'playbookId': u '',
            u 'contentsSize': 14,
            u 'previousAllRead': False,
            u 'fileID': u ''
        },
        u 'ContentsFormat': u 'markdown',
        u 'Tags': None,
        u 'Brand': u 'Builtin',
        u 'HumanReadable': None,
        u 'ID': u '96@42646',
        u 'FileID': u '',
        u 'IgnoreAutoExtract': False,
        u 'IndicatorTimeline': None,
        u 'Evidence': False,
        u 'EntryContext': None,
        u 'Contents': u 'This is a note',
        u 'File': u '',
        u 'EvidenceID': u '',
        u 'FileMetadata': None,
        u 'ImportantEntryContext': None
    }
]

Use this command to mark a playbook task as completed. For example, you might need to include the taskComplete command in a SLA breach script, to close a task and force the playbook to continue running after the SLA has been breached. You can also use the taskComplete command to add an action button in an incident layout, that can be used to mark a specific playbook task as complete.

Argument	Description
id	Specify the task ID or tag to complete.
parentPlaybookID	Parent playbook task ID, limits task identification by tags to this sub-playbook only.
incdientId	Incident ID this task belongs to. Defaults to current incident.
comment	Task completion comment.
input	Conditional task completion selection.
allowSkipped	Allow performing actions on skipped tasks (default is Yes).
isAutoRun	When set to `True`, the task is executed. Default is `False`. Relevant only for script/playbook tasks. When set to `False`, the task is completed immediately.
args	Set only if `isAutoRun=true`. Passing input arguments to the task script/playbook for execution. The args must be JSON format where the key is the name of the script/command/playbook argument name. Example: `{"ARG_NAME":"ARG_VALUE"}`

Use this command to reopen a closed incident. For example, you can use the reopenInvestigation command to add an action button in the incident layout that can reopen a closed incident and take a specific action, such as rerunning the incident's playbook. You can also include the reopenInvestigation command in a loop in a script to reopen multiple incidents.

Argument	Description
id	Which incident to reopen. If no incident ID is provided, the current incident is reopened.

Built-in filter and commands - Use the built in Get Entries filter, task complete command, and reopen investigation command. - Developer Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Developer Guide

Example: Grab all entries that have been marked as a note