Create a Post-Processing Script - Administrator Guide - 6.6 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
6.6
Creation date
2022-09-29
Last date published
2024-11-12
End_of_Life
EoL
Category
Administrator Guide
Abstract

Create a post-processing script to run after a Cortex XSOAR incident has been remedied.

This procedure describes how to create a post-processing script after an incident has been remedied.

  1. Select AutomationNew Automation.

  2. Type a name for the post-processing script and click Save.

  3. In the Tags field, from the dropdown list select Post-processing.

  4. Add fields as required.

  5. Click Save.

  6. Add a Post-Processing Script to the Incident Type.

    The following script example requires the user to verify all To Do tasks before closing an incident. Before you start, you need to configure a Cortex XSOAR REST API instance.

    commonfields:
      id: c8eeeb6c-3622-4bcb-897a-d183625609fd
      version: 20
    vcShouldKeepItemLegacyProdMachine: false
    name: ServiceNowCloseIncidentTicket
    script: |-
      # return the args and incident details to the war room, useful for seeing what you have available to you
      # args can be called with demisto.args().get('argname')
    
      # debugging
      # demisto.results(demisto.args())
      # demisto.results(demisto.incident())
    
      # get the close notes and reason from the XSOAR Incident
      close_reason = demisto.args().get('closeReason')
      close_notes = demisto.args().get('closeNotes','No close notes provided')
      servicenow_sysid = demisto.incident().get("dbotMirrorId", False)
    
      # map XSOAR close reasons to Service Now close codes
      close_code_map = {
          "False Positive":"Not Solved (Not Reproducible)",
          "Resolved":"Solved (Permanently)",
          "Other":"Solved (Work Around)",
          "Duplicate":"Solved (Work Around)"
      }
    
      close_code = close_code_map.get(close_reason,"Solved (Work Arounnd")
    
      # handle if there is no service now sys_id, resolve and close snow ticket
      if servicenow_sysid:
          demisto.results(demisto.executeCommand("servicenow-update-ticket", {"id":servicenow_sysid,"close_code":close_code,"state":6,"close_notes":close_notes}))
          demisto.results(demisto.executeCommand("servicenow-update-ticket", {"id":servicenow_sysid,"state":7}))
    
      else:
          demisto.results("No ServiceNow sys_id found, doing nothing...")
    type: python
    tags:
    - post-processing
    - training
    comment: Post processing script to resolve and close Service Now tickets if the XSOAR
      Incident is closed.
    enabled: true
    scripttarget: 0
    subtype: python3
    timeout: 80ns
    pswd: ""
    runonce: false
    dockerimage: demisto/python:1.3-alpine
    runas: Administrator
    

Note

If there is an additional custom argument defined for a post-processing script, the arguments closeNotes, closeReason, closed, openDuration, etc. are not available in the demisto.args() dictionary. In this case, there are two options:

  1. Remove the additional custom argument from Script settings and instead add it as a field on the Close Form for the incident type. This results in the additional argument being passed to the post-processing script.

  2. Manually add the default system arguments of closeNotes, closeReason, closed, openDuration, etc. to the Script settings, in addition to the custom argument. If not added, the code example above close_notes = demisto.args().get('closeNotes','No close notes provided') always returns "No close notes provided".