Use the built-in Get Entries filter, task complete command, and reopen investigation command.
Use the following built-in elements to facilitate your investigation and response.
When building a script, you can fetch entries from an incident. If you do not specify the incident ID number, the script fetches from the current incident. You can create a filter to limit the search results.
| Filter | Description |
|---|---|
| pageSize | The number of entries to return. |
| lastId | Return entries starting from the specified entry ID and backward. |
| firstID | Return entries starting from the specified entry ID and forward. |
| selectedEntryID | Return entries before and after the specified entry ID. |
| categories | Return entries with the specified categories (array). Valid values: commandAndResults, playbookTaskResult, playbookTaskStartAndDone, playbookErrors, justFound, deleted, incidentInfo, chats, evidence, notes, attachments. |
| tags | Return entries with the specified tags (array). |
| users | Return entries with the specified users (array). |
| tagsAndOperator | Return only entries that include all of the specified tags. |
| fromTime | Return entries from this time and forward. |
| parentID | The ID of the parent entry. |
Example: Grab all entries that have been marked as a note

```python
res = demisto.executeCommand("getEntries", {"filter": {"categories": ["notes"]}})
demisto.results(str(res))
```

Response

```
[{u'Category': u'Builtin',
  u'ModuleName': u'InnerServicesModule',
  u'System': u'',
  u'Note': True,
  u'Version': 2,
  u'ReadableContentsFormat': u'',
  u'Type': 1,
  u'Metadata': {u'reputationSize': 0,
                u'startDate': u'0001-01-01T00:00:00Z',
                u'recurrent': False,
                u'sortValues': None,
                u'file': u'',
                u'retryTime': u'0001-01-01T00:00:00Z',
                u'previousAllReadWrite': False,
                u'endingDate': u'0001-01-01T00:00:00Z',
                u'id': u'96@42646',
                u'contents': u'',
                u'cronView': False,
                u'category': u'chat',
                u'note': True,
                u'isTodo': False,
                u'format': u'markdown',
                u'system': u'',
                u'mirrored': False,
                u'hasRole': False,
                u'pinned': False,
                u'instance': u'Builtin',
                u'version': 2,
                u'parentId': u'',
                u'type': 1,
                u'brand': u'Builtin',
                u'timezoneOffset': 0,
                u'scheduled': False,
                u'parentEntryTruncated': False,
                u'previousRoles': None,
                u'allRead': False,
                u'allReadWrite': False,
                u'incidentCreationTime': u'0001-01-01T00:00:00Z',
                u'ShardID': 0,
                u'reputations': None,
                u'user': u'admin',
                u'taskId': u'',
                u'parentContent': u'!getEntries filter="{\\"categories\\":[\\"notes\\"]}"',
                u'fileMetadata': None,
                u'tags': None,
                u'tagsRaw': None,
                u'errorSource': u'',
                u'entryTask': None,
                u'roles': None,
                u'created': u'2021-03-08T18:47:47.786120529Z',
                u'IndicatorTimeline': None,
                u'modified': u'2021-03-08T18:47:51.032485206Z',
                u'times': 0,
                u'investigationId': u'42646',
                u'dbotCreatedBy': u'admin',
                u'playbookId': u'',
                u'contentsSize': 14,
                u'previousAllRead': False,
                u'fileID': u''},
  u'ContentsFormat': u'markdown',
  u'Tags': None,
  u'Brand': u'Builtin',
  u'HumanReadable': None,
  u'ID': u'96@42646',
  u'FileID': u'',
  u'IgnoreAutoExtract': False,
  u'IndicatorTimeline': None,
  u'Evidence': False,
  u'EntryContext': None,
  u'Contents': u'This is a note',
  u'File': u'',
  u'EvidenceID': u'',
  u'FileMetadata': None,
  u'ImportantEntryContext': None}]
```
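The following is an added example, not code from the XSOAR documentation: it builds a getEntries filter from the fields in the table above, rejecting category names that are not in the documented list (a misspelled category otherwise just returns nothing), and reduces the raw response to the fields an analyst usually wants. The `fetch_entries` wrapper assumes that getEntries takes the incident ID in an argument named `id` (an assumption; the page does not name the argument) and that the `demisto` object is available, which is only true inside the XSOAR script runtime; the sample response is constructed in the shape shown above.

```python
import json

# Category names accepted by the getEntries filter, as listed in the docs table.
VALID_CATEGORIES = {
    "commandAndResults", "playbookTaskResult", "playbookTaskStartAndDone",
    "playbookErrors", "justFound", "deleted", "incidentInfo", "chats",
    "evidence", "notes", "attachments",
}


def build_entries_filter(categories=None, tags=None, tags_and=False,
                         users=None, page_size=None, from_time=None):
    """Return a getEntries filter dict, failing early on unknown categories
    so a typo does not silently produce an empty (and misleading) result."""
    bad = set(categories or []) - VALID_CATEGORIES
    if bad:
        raise ValueError("unknown getEntries categories: %s" % sorted(bad))
    flt = {}
    if categories:
        flt["categories"] = list(categories)
    if tags:
        flt["tags"] = list(tags)
        flt["tagsAndOperator"] = bool(tags_and)
    if users:
        flt["users"] = list(users)
    if page_size is not None:
        flt["pageSize"] = int(page_size)
    if from_time:
        flt["fromTime"] = from_time
    return flt


def summarize_entries(res):
    """Reduce raw getEntries output to id/user/time/tags/contents, oldest first.
    Entry contents are analyst-typed text: keep them as data, never pass them
    on as command arguments or markdown without escaping."""
    rows = []
    for entry in res or []:
        meta = entry.get("Metadata") or {}
        rows.append({
            "id": entry.get("ID"),
            "user": meta.get("user"),
            "created": meta.get("created"),
            "tags": entry.get("Tags") or [],
            "is_note": bool(entry.get("Note")),
            "is_evidence": bool(entry.get("Evidence")),
            "contents": entry.get("Contents"),
        })
    rows.sort(key=lambda r: r["created"] or "")
    return rows


def fetch_entries(flt, incident_id=None):
    """Run getEntries inside XSOAR. `demisto` exists only in that runtime, and
    the `id` argument name for the incident is an assumption."""
    args = {"filter": flt}
    if incident_id:
        args["id"] = incident_id
    return demisto.executeCommand("getEntries", args)  # noqa: F821


# Constructed sample response (two notes, one tagged), same shape as above.
SAMPLE_RES = [
    {"ID": "97@42646", "Note": True, "Evidence": False, "Tags": ["triage"],
     "Contents": "Second note",
     "Metadata": {"user": "analyst", "created": "2021-03-08T18:50:00Z"}},
    {"ID": "96@42646", "Note": True, "Evidence": False, "Tags": None,
     "Contents": "This is a note",
     "Metadata": {"user": "admin", "created": "2021-03-08T18:47:47.786120529Z"}},
]

if __name__ == "__main__":
    print(json.dumps(build_entries_filter(categories=["notes"], tags=["triage"]), indent=2))
    for row in summarize_entries(SAMPLE_RES):
        print(row["created"], row["id"], row["user"], repr(row["contents"]))
```

Inside a script you would pass the result of `build_entries_filter(...)` to `fetch_entries` and feed what comes back to `summarize_entries`; outside XSOAR only the two pure functions are usable, which is what makes them easy to unit-test.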
Use this command to mark a playbook task as completed. For example, you might need to include the taskComplete command in an SLA breach script to close a task and force the playbook to continue running after the SLA has been breached. You can also use the taskComplete command to add an action button to an incident layout that marks a specific playbook task as complete.
| Argument | Description |
|---|---|
| id | Specify the task ID or tag to complete. |
| parentPlaybookID | Parent playbook task ID; limits task identification by tag to this sub-playbook only. |
| incidentId | Incident ID this task belongs to. Defaults to the current incident. |
| comment | Task completion comment. |
| input | Conditional task completion selection. |
| allowSkipped | Allow performing actions on skipped tasks (default is Yes). |
| isAutoRun | When set to |
| args | Set only if |
Use this command to reopen a closed incident. For example, you can use the reopenInvestigation command to add an action button to the incident layout that reopens a closed incident and takes a specific action, such as rerunning the incident's playbook. You can also include the reopenInvestigation command in a loop in a script to reopen multiple incidents.
| Argument | Description |
|---|---|
| id | Which incident to reopen. If no incident ID is provided, the current incident is reopened. |
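The following added example (not code from the XSOAR documentation) covers both the taskComplete SLA-breach use and the reopenInvestigation loop described above. Both commands are run through one `run_checked` helper that inspects the returned entries for an error entry before the script moves on, so a task that was not actually completed, or an incident that could not be reopened, does not go unnoticed. It assumes that an error entry has `Type` 4, that `demisto.executeCommand` is the real executor inside XSOAR, and that `allowSkipped` accepts "yes"/"no"; the `fake_executor` is constructed here so the file also runs outside XSOAR.

```python
ERROR_ENTRY_TYPE = 4  # assumed: the entry Type XSOAR uses for error entries


def _default_executor():
    # `demisto` is provided by the XSOAR script runtime only.
    return demisto.executeCommand  # noqa: F821


def is_error_entry(entry):
    return isinstance(entry, dict) and entry.get("Type") == ERROR_ENTRY_TYPE


def run_checked(command, args, executor=None):
    """Execute a built-in command and raise if any returned entry is an error,
    so a failed taskComplete or reopenInvestigation never passes silently."""
    executor = executor or _default_executor()
    res = executor(command, args) or []
    errors = [str(e.get("Contents")) for e in res if is_error_entry(e)]
    if errors:
        raise RuntimeError("%s failed: %s" % (command, "; ".join(errors)))
    return res


def complete_task(task_id, comment, incident_id=None, allow_skipped=None,
                  executor=None):
    """Mark a playbook task complete, e.g. from an SLA-breach script.
    allowSkipped is sent only when the caller overrides the default."""
    args = {"id": task_id, "comment": comment}
    if incident_id:
        args["incidentId"] = incident_id
    if allow_skipped is not None:
        args["allowSkipped"] = "yes" if allow_skipped else "no"  # assumed values
    return run_checked("taskComplete", args, executor)


def reopen_incidents(incident_ids, executor=None):
    """Reopen several closed incidents, collecting failures per incident
    instead of stopping at the first one."""
    reopened, failed = [], {}
    for inc_id in incident_ids:
        try:
            run_checked("reopenInvestigation", {"id": inc_id}, executor)
            reopened.append(inc_id)
        except RuntimeError as exc:
            failed[inc_id] = str(exc)
    return reopened, failed


def fake_executor(log):
    """Constructed stand-in for demisto.executeCommand: records every call
    and returns an error entry for the made-up incident id "404"."""
    def _exec(command, args):
        log.append((command, dict(args)))
        if command == "reopenInvestigation" and args["id"] == "404":
            return [{"Type": ERROR_ENTRY_TYPE, "Contents": "incident not found"}]
        return [{"Type": 1, "Contents": "ok"}]
    return _exec


if __name__ == "__main__":
    calls = []
    ex = fake_executor(calls)
    complete_task("SLA-Breach-Task", "SLA breached; continuing playbook", executor=ex)
    print(reopen_incidents(["101", "404", "102"], executor=ex))
    for call in calls:
        print(call)
```

In a real script you would omit the `executor` argument so the helpers fall back to `demisto.executeCommand`; keeping the executor injectable is what lets the error-handling path be exercised without a live incident.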