Create a Post-Processing Script - Administrator Guide - 6.10 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.10
Creation date
2022-10-13
Last date published
2024-03-28
End_of_Life
EoL
Category
Administrator Guide
Abstract

Create a post-processing automation script to run after a Cortex XSOAR incident has been remedied.

This procedure describes how to create a post-processing script after an incident has been remedied.

  1. Select AutomationNew Automation.

  2. Type a name for the post-processing script and click Save.

  3. In the Tags field, from the dropdown list select Post-processing.

  4. Add fields as required.

  5. Click Save.

  6. Add a Post-Processing Script to the Incident Type.

The following script example requires the user to verify all To Do tasks before closing an incident. Before you start, you need to configure and enable a Cortex XSOAR REST API instance.

inc_id = demisto.incidents()[0].get('id')
tasks = list(demisto.executeCommand("core-api-get", {"uri": "/todo/{}".format(inc_id)})[0]['Contents']['response'])

if tasks:

    for task in tasks:

        if not task.get("completedBy"):
            return_error("Please complete all ToDo tasks before closing the incident")
            break

In this example, we create post processing script for Service Now incidents using a SNOW instance, where there are required fields to resolve and close (such as Resolution Code, Resolution Notes, etc.).

This script works with the defaults from Service Now and resolves and closes the mirrored ticket in Service Now.

commonfields:
  id: c8eeeb6c-3622-4bcb-897a-d183625609fd
  version: 20
vcShouldKeepItemLegacyProdMachine: false
name: ServiceNowCloseIncidentTicket
script: |-
  # return the args and incident details to the war room, useful for seeing what you have available to you
  # args can be called with demisto.args().get('argname')

  # debugging
  # demisto.results(demisto.args())
  # demisto.results(demisto.incident())

  # get the close notes and reason from the XSOAR Incident
  close_reason = demisto.args().get('closeReason')
  close_notes = demisto.args().get('closeNotes','No close notes provided')
  servicenow_sysid = demisto.incident().get("dbotMirrorId", False)

  # map XSOAR close reasons to Service Now close codes
  close_code_map = {
      "False Positive":"Not Solved (Not Reproducible)",
      "Resolved":"Solved (Permanently)",
      "Other":"Solved (Work Around)",
      "Duplicate":"Solved (Work Around)"
  }

  close_code = close_code_map.get(close_reason,"Solved (Work Arounnd")

  # handle if there is no service now sys_id, resolve and close snow ticket
  if servicenow_sysid:
      demisto.results(demisto.executeCommand("servicenow-update-ticket", {"id":servicenow_sysid,"close_code":close_code,"state":6,"close_notes":close_notes}))
      demisto.results(demisto.executeCommand("servicenow-update-ticket", {"id":servicenow_sysid,"state":7}))

  else:
      demisto.results("No ServiceNow sys_id found, doing nothing...")
type: python
tags:
- post-processing
- training
comment: Post processing script to resolve and close Service Now tickets if the XSOAR
  Incident is closed.
enabled: true
scripttarget: 0
subtype: python3
timeout: 80ns
pswd: ""
runonce: false
dockerimage: demisto/python:1.3-alpine
runas: Administrator

Note

If there is an additional custom argument defined for a post-processing script, the arguments closeNotes, closeReason, closed, openDuration, etc. are not available in the demisto.args() dictionary. In this case, there are two options:

  1. Remove the additional custom argument from Script settings and instead add it as a field on the Close Form for the incident type. This results in the additional argument being passed to the post-processing script.

  2. Manually add the default system arguments of closeNotes, closeReason, closed, openDuration, etc. to the Script settings, in addition to the custom argument. If not added, the code example above close_notes = demisto.args().get('closeNotes','No close notes provided') always returns "No close notes provided".