Associate Cortex XSOAR incident fields with scripts that are triggered when the field changes using field change scripts and trigger automation scripts.
Incident fields can be associated with trigger automation scripts that can check for field change conditions and take actions based on the change. These scripts can perform any action, such as dynamically changing the field value, notifying the responder when an incident severity has been changed, etc., when the conditions are met. For example, when using the ChangeRemediationSLAOnSevChange
automation, it changes the Remediation SLA of an incident, when the severity of the incident changes for any reason.
Automations can be created in Python, PowerShell, or JavaScript in the Automation page. To use a field trigger automation, you need to add the field-change-triggered tag when creating the automation. You can then add the automation in the Attributes tab, when you edit or Create a Custom Incident Field. If you did not add the tag when creating the automation, it cannot be added.
Cortex XSOAR comes out-of-the-box with field change scripts in the Automation page, such as:
ChangeRemediationSLAOnSevChange
emailFieldTriggered
: Changes the incident field when the email body or subject changes.StopTimeToAssignOnOwnerChange
: Stops the Time to Assignment SLA field, as soon as an owner was assigned to an incident.
A common use case is to create the following automation that verifies that changes made by a playbook only will take place and not by a user manually.
args = demisto.args() user = args["user"] if user: demisto.executeCommand("setIncident", {args["cliName"]: args["old"]})
The automation checks who made the change using the user
field. The cliName
argument returns the field name, so that it can be attached to multiple incident fields, and block changes to them, without the need to have a different automation for each field.
Automation Arguments - Related Information
When an automation is triggered on a field, it has the following triggered field information available as arguments (args):
Argument | Description |
---|---|
| If the field is associated to all or some incidents. Value: |
| An array of the incident types, with which the field is associated. |
| The name of the field when called from the command line. |
| The description of the field. |
| Specifies whether the field is non editable. Value: |
| The name of the field. |
| The new value of the field. |
| The old value of the field. |
| Specifies that only the creator of the field can edit. Value: |
| The placeholder text. |
| Specifies whether this is a mandatory field. Value: |
| If this is a multi select type field, these are the values the field can take. |
| Whether it is a Cortex XSOAR defined field. |
| The field type. |
| Whether it is not mapped to any incident. |
| Whether it is being used for tracking KPI on an incident page. |
| The username of the user who triggered the script. |
| Whether there is a regex associated for validation the values the field can hold. |
Script Limitations
Trigger scripts cannot close incidents.
Post-processing scripts can modify an incident, but if a modified field has a trigger script, it is not called.
Incident modifications executed within a trigger script are only saved to the database after the modifications are completed.