Post Processing for Incidents - Administrator Guide - EoL - 6.6 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide
End of Life > EoL

You can set up a post-processing script to run after an incident has been remediated, but before the incident is closed in Cortex XSOAR.

After you remediate an incident, you may want to perform additional actions on the incident, such as closing a ticket in a ticketing system or sending out an email. You can create a post-processing script to cover these scenarios.


If a post-processing script returns an error, the incident does not close.

You need to Create a Post-Processing Script and then Add a Post-Processing Script to the Incident Type.

Arguments Available in a Post-Processing Script

These arguments are available in a post-processing script:

  • closed - The incident closed time.

  • status

  • openDuration

  • closeNotes

  • closingUserId - The username of the user who closed the incident, or DBot if the incident was closed by DBot (for example, through a playbook).

  • closeReason

  • Any other field values passed in at closure, whether through the incident close form, the CLI, or a playbook task.