Create a post-processing automation script to run after a Cortex XSOAR incident has been remedied.
This procedure describes how to create a post-processing script after an incident has been remedied.
Select → .
Type a name for the post-processing script and click Save.
In the Tags field, from the dropdown list select Post-processing.
Add fields as required.
Click Save.
The following script example requires the user to verify all To Do tasks before closing an incident. Before you start, you need to configure and enable a Cortex XSOAR REST API instance.
inc_id = demisto.incidents()[0].get('id')
# fetch the To Do tasks for this incident through the REST API instance
tasks = list(demisto.executeCommand("core-api-get", {"uri": "/todo/{}".format(inc_id)})[0]['Contents']['response'])
if tasks:
    for task in tasks:
        # a task with no completedBy value has not been completed yet
        if not task.get("completedBy"):
            return_error("Please complete all ToDo tasks before closing the incident")
            break
In this example, we create a post-processing script for Service Now incidents using a SNOW instance, where there are required fields to resolve and close (such as Resolution Code, Resolution Notes, etc.).
This script works with the defaults from Service Now and resolves and closes the mirrored ticket in Service Now.
commonfields:
  id: c8eeeb6c-3622-4bcb-897a-d183625609fd
  version: 20
vcShouldKeepItemLegacyProdMachine: false
name: ServiceNowCloseIncidentTicket
script: |-
  # return the args and incident details to the war room, useful for seeing what you have available to you
  # args can be called with demisto.args().get('argname')
  # debugging
  # demisto.results(demisto.args())
  # demisto.results(demisto.incident())

  # get the close notes and reason from the XSOAR Incident
  close_reason = demisto.args().get('closeReason')
  close_notes = demisto.args().get('closeNotes','No close notes provided')
  servicenow_sysid = demisto.incident().get("dbotMirrorId", False)

  # map XSOAR close reasons to Service Now close codes
  close_code_map = {
      "False Positive":"Not Solved (Not Reproducible)",
      "Resolved":"Solved (Permanently)",
      "Other":"Solved (Work Around)",
      "Duplicate":"Solved (Work Around)"
  }
  close_code = close_code_map.get(close_reason,"Solved (Work Around)")

  # handle if there is no service now sys_id, resolve and close snow ticket
  if servicenow_sysid:
      demisto.results(demisto.executeCommand("servicenow-update-ticket", {"id":servicenow_sysid,"close_code":close_code,"state":6,"close_notes":close_notes}))
      demisto.results(demisto.executeCommand("servicenow-update-ticket", {"id":servicenow_sysid,"state":7}))
  else:
      demisto.results("No ServiceNow sys_id found, doing nothing...")
type: python
tags:
- post-processing
- training
comment: Post processing script to resolve and close Service Now tickets if the XSOAR
  Incident is closed.
enabled: true
scripttarget: 0
subtype: python3
timeout: 80ns
pswd: ""
runonce: false
dockerimage: demisto/python:1.3-alpine
runas: Administrator
Note
If there is an additional custom argument defined for a post-processing script, the arguments closeNotes, closeReason, closed, openDuration, etc. are not available in the demisto.args() dictionary. In this case, there are two options:
Remove the additional custom argument from Script settings and instead add it as a field on the Close Form for the incident type. This results in the additional argument being passed to the post-processing script.
Manually add the default system arguments closeNotes, closeReason, closed, openDuration, etc. to the Script settings, in addition to the custom argument. If they are not added, the line close_notes = demisto.args().get('closeNotes','No close notes provided') in the code example above always returns "No close notes provided".
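The failure mode in this Note is silent: the ServiceNow ticket is closed with the default notes and close code even though the analyst supplied real ones. The following added example (not part of the original documentation or of any Cortex XSOAR content pack) separates the decision logic into pure functions so the missing-argument case is reported instead of hidden; the helper names missing_system_args and plan_servicenow_close, the argument name myCustomArg and the sample inputs are assumptions made for illustration.

```python
# Added example: pure functions, runnable without the demisto module.
SYSTEM_CLOSE_ARGS = ("closeReason", "closeNotes")  # system arguments named in the Note
CLOSE_CODE_MAP = {  # same mapping as the ServiceNow script above
    "False Positive": "Not Solved (Not Reproducible)",
    "Resolved": "Solved (Permanently)",
    "Other": "Solved (Work Around)",
    "Duplicate": "Solved (Work Around)",
}
DEFAULT_CLOSE_CODE = "Solved (Work Around)"


def missing_system_args(args):
    """Hypothetical helper: system close arguments absent from demisto.args()."""
    return [name for name in SYSTEM_CLOSE_ARGS if name not in args]


def plan_servicenow_close(args, incident):
    """Hypothetical helper: return (commands, warnings) without calling the integration."""
    warnings = []
    missing = missing_system_args(args)
    if missing:
        warnings.append("System arguments missing from demisto.args(): " + ", ".join(missing)
                        + ". Check for a custom argument in Script settings.")
    sys_id = incident.get("dbotMirrorId")
    if not sys_id:
        warnings.append("No ServiceNow sys_id found, doing nothing...")
        return [], warnings
    close_code = CLOSE_CODE_MAP.get(args.get("closeReason"), DEFAULT_CLOSE_CODE)
    close_notes = args.get("closeNotes") or "No close notes provided"
    resolve = {"id": sys_id, "close_code": close_code, "state": 6, "close_notes": close_notes}
    close = {"id": sys_id, "state": 7}
    return [("servicenow-update-ticket", resolve), ("servicenow-update-ticket", close)], warnings


if __name__ == "__main__":
    # Constructed inputs: args as seen when only a custom argument is defined.
    sample_args = {"myCustomArg": "value"}
    sample_incident = {"dbotMirrorId": "constructed-sys-id-0001"}
    commands, warnings = plan_servicenow_close(sample_args, sample_incident)
    for message in warnings:
        print("WARNING:", message)
    for name, command_args in commands:
        # In a real script: demisto.results(demisto.executeCommand(name, command_args))
        print(name, command_args)
```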