Scheduled Commands - Developer Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Developer Guide

Product
Cortex XSIAM
Creation date
2023-05-01
Last date published
2024-06-04
Category
Developer Guide
Abstract

Use commands to schedule the future execution of other commands in playbook tasks.

A command can schedule the future execution of another command. In playbook tasks using scheduled commands, the task does not proceed to the next task until it is done with all scheduled commands and there is no future execution scheduled. When a playbook waits for a command execution, it does not use a worker, since workers are only used at the time commands are executed.

You can use scheduled commands in a polling flow when a command cannot return the full result in a single execution (for example, when a remote process hasn't finished execution). Scheduled commands enable you to try the command again later and return the full results when available. Examples include Cortex XDRIR Endpoint Isolation and AutoFocus V2 Search Samples.

YAML prerequisite
  • Integration - in the integration YAML, under the command root, add polling: true.

  • Script - in the script YAML, in the root of the file, add polling: true

The polling_function decorator

The polling_function decorator can be used to avoid much of the code you would otherwise need to implement to write a polling function.

All functions implementing this decorator must always return a PollResult object.

Note

Args must be the first parameter in the function definition and call.