Rule actions when creating pre-process rules in Cortex XSOAR.
The following table describes the rule actions for pre-process rules.
Option | Description | Section 3 |
---|---|---|
Drop | Drops the incoming incident and no incident is created. | None |
Close | Closes the incoming incident. | None |
Drop and update | Drops the incoming event, and updates the Dropped Duplicate Incidents table of the existing incident that you define. In addition, a War Room entry is created. If an existing incident matching the defined criteria is not found, an incident is created for the incoming event. | Update |
Link | Creates an entry in the Linked Incidents table of the existing incident to which you link. | Link to |
Link and close | Creates an entry in the Linked Incidents table of the existing incident to which you link, and closes the incoming incident. If an existing incident matching the defined criteria is not found, an incident is created for the incoming event. | Link to |
Run a script | Select an automation to run on the incoming incident. When you create a script, you need to add the preProcessing tag for the script to appear in the list of available scripts. Note: Pre-process rules that use system-based automations such as Pre-processing automations can access sensitive incident data. As a best practice, we recommend assigning a Role for the pre-processing script to allow only trusted users to edit it. | Choose a script: From the drop-down list, select the script to run on the incoming incident. Only scripts that were tagged preProcessing appear in the drop-down list. |