Create a post-processing script to run after a Cortex XSOAR incident has been remedied.
This procedure describes how to create a post-processing script after an incident has been remedied.
Select → .
Type a name for the post-processing script and click Save.
In the Tags field, from the dropdown list select Post-processing.
Add fields as required.
Click Save.
Add a Post-Processing Script to the Incident Type.
The following script example requires the user to verify all To Do tasks before closing an incident. Before you start, you need to configure a Cortex XSOAR REST API instance.
```yaml
commonfields:
  id: c8eeeb6c-3622-4bcb-897a-d183625609fd
  version: 20
vcShouldKeepItemLegacyProdMachine: false
name: ServiceNowCloseIncidentTicket
script: |-
  # return the args and incident details to the war room, useful for seeing what you have available to you
  # args can be called with demisto.args().get('argname')

  # debugging
  # demisto.results(demisto.args())
  # demisto.results(demisto.incident())

  # get the close notes and reason from the XSOAR Incident
  close_reason = demisto.args().get('closeReason')
  close_notes = demisto.args().get('closeNotes','No close notes provided')
  servicenow_sysid = demisto.incident().get("dbotMirrorId", False)

  # map XSOAR close reasons to Service Now close codes
  close_code_map = {
      "False Positive":"Not Solved (Not Reproducible)",
      "Resolved":"Solved (Permanently)",
      "Other":"Solved (Work Around)",
      "Duplicate":"Solved (Work Around)"
  }

  # unmapped close reasons fall back to the work-around close code
  close_code = close_code_map.get(close_reason,"Solved (Work Around)")

  # handle if there is no service now sys_id, resolve and close snow ticket
  if servicenow_sysid:
      demisto.results(demisto.executeCommand("servicenow-update-ticket", {"id":servicenow_sysid,"close_code":close_code,"state":6,"close_notes":close_notes}))
      demisto.results(demisto.executeCommand("servicenow-update-ticket", {"id":servicenow_sysid,"state":7}))
  else:
      demisto.results("No ServiceNow sys_id found, doing nothing...")
type: python
tags:
- post-processing
- training
comment: Post processing script to resolve and close Service Now tickets if the XSOAR Incident is closed.
enabled: true
scripttarget: 0
subtype: python3
timeout: 80ns
pswd: ""
runonce: false
dockerimage: demisto/python:1.3-alpine
runas: Administrator
```
Note
If there is an additional custom argument defined for a post-processing script, the arguments closeNotes, closeReason, closed, openDuration, etc. are not available in the demisto.args() dictionary. In this case, there are two options:
Remove the additional custom argument from Script settings and instead add it as a field on the Close Form for the incident type. This results in the additional argument being passed to the post-processing script.
Manually add the default system arguments of closeNotes, closeReason, closed, openDuration, etc. to the Script settings, in addition to the custom argument. If not added, the line close_notes = demisto.args().get('closeNotes','No close notes provided') in the code example above always returns "No close notes provided".
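The failure mode in the Note is silent: the ServiceNow ticket is closed with placeholder notes and the fallback close code. The following is an added example, not part of the original documentation or of XSOAR itself, that restructures the script's logic so the missing arguments are detected and reported instead. The names plan_servicenow_close and SYSTEM_CLOSE_ARGS are hypothetical, and treating "all four default arguments absent" as the sign of a displacing custom argument is an assumption drawn from the Note.

```python
# Added example. Helper and constant names are hypothetical, not XSOAR APIs.
SYSTEM_CLOSE_ARGS = ("closeNotes", "closeReason", "closed", "openDuration")
CLOSE_CODE_MAP = {
    "False Positive": "Not Solved (Not Reproducible)",
    "Resolved": "Solved (Permanently)",
    "Other": "Solved (Work Around)",
    "Duplicate": "Solved (Work Around)",
}


def plan_servicenow_close(args, incident):
    """Return (commands, messages) without calling XSOAR, so it can be tested."""
    sys_id = incident.get("dbotMirrorId")
    if not sys_id:
        return [], ["No ServiceNow sys_id found, doing nothing..."]

    missing = [name for name in SYSTEM_CLOSE_ARGS if name not in args]
    if len(missing) == len(SYSTEM_CLOSE_ARGS):
        # Symptom from the Note: a custom argument in Script settings has
        # displaced every default close argument. Stop here instead of
        # writing placeholder notes and a default close code to the ticket.
        return [], ["Close arguments missing from demisto.args(): "
                    + ", ".join(missing)
                    + ". Add them to Script settings or move the custom "
                      "argument to the Close Form."]

    close_code = CLOSE_CODE_MAP.get(args.get("closeReason"), "Solved (Work Around)")
    close_notes = args.get("closeNotes") or "No close notes provided"
    return [
        ("servicenow-update-ticket", {"id": sys_id, "close_code": close_code,
                                      "state": 6, "close_notes": close_notes}),
        ("servicenow-update-ticket", {"id": sys_id, "state": 7}),
    ], []


# Inside XSOAR, where `demisto` is provided by the platform:
#   commands, messages = plan_servicenow_close(demisto.args(), demisto.incident())
#   for message in messages:
#       demisto.results(message)
#   for name, params in commands:
#       demisto.results(demisto.executeCommand(name, params))

if __name__ == "__main__":
    # Constructed inputs: a normal close, then a close with only a custom argument.
    incident = {"dbotMirrorId": "constructed-sys-id"}
    print(plan_servicenow_close({"closeReason": "Resolved", "closeNotes": "patched",
                                 "closed": "constructed", "openDuration": "3600"}, incident))
    print(plan_servicenow_close({"myCustomArg": "x"}, incident))
```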