Post Processing for Incidents

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.9
Creation date: 2022-09-29
Last date published: 2024-03-28
End of Life: EoL
Category: Administrator Guide

Abstract

You can set up a post-processing script to run after an incident has been remediated, but before the incident is closed in Cortex XSOAR.

After you remediate an incident, you may want to perform additional actions on the incident, such as closing a ticket in a ticketing system or sending out an email. You can create a post-processing script to cover these scenarios.

Note: If a post-processing script returns an error, the incident does not close.

You need to Create a Post-Processing Script and then Add a Post-Processing Script to the Incident Type.

Arguments Available in a Post-Processing Script

These arguments are available for use in a post-processing script:

  • closed - The incident closed time.

  • status

  • openDuration

  • closeNotes

  • closingUserId - The username of the user who closed the incident, or DBot if the incident was closed by DBot (for example, through a playbook).

  • closeReason

  • Any other field values passed in at closure, whether through the incident close form, the CLI, or a playbook task.
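
The note and argument list above can be combined into a closure gate: a post-processing script that returns an error, and so keeps the incident open, when the closure record is incomplete. This is an added example, not code from the Cortex XSOAR guide. The function name closure_problems, the 20-character minimum and the sample values are assumptions; demisto.args(), return_error and return_results are the platform's script helpers and are assumed to be present in the script's namespace when it runs inside Cortex XSOAR.

```python
"""Post-processing gate: reject incomplete closure records so the incident stays open."""

MIN_NOTES_LEN = 20        # assumed policy value, not an XSOAR setting
AUTOMATION_USER = "DBot"  # closingUserId when DBot (e.g. a playbook) closed the incident


def closure_problems(args):
    """Return the reasons to reject this closure; an empty list means accept."""
    reason = str(args.get("closeReason") or "").strip()
    notes = str(args.get("closeNotes") or "").strip()
    user = str(args.get("closingUserId") or "").strip()

    problems = []
    if not reason:
        problems.append("closeReason is empty")
    if not user:
        problems.append("closingUserId is missing")
    elif user != AUTOMATION_USER and len(notes) < MIN_NOTES_LEN:
        # Analyst closures must leave an audit trail; DBot closures are
        # documented by the playbook run itself.
        problems.append(
            f"closeNotes from {user} must be at least {MIN_NOTES_LEN} characters"
        )
    return problems


def main():
    if "demisto" in globals():
        # Inside Cortex XSOAR: demisto, return_error and return_results are
        # assumed to be injected into the script's namespace by the platform.
        problems = closure_problems(demisto.args())
        if problems:
            # Returning an error is what keeps the incident from closing.
            return_error("Incident not closed: " + "; ".join(problems))
        return_results("Closure record accepted")
    else:
        # Offline run on constructed sample arguments.
        samples = [
            {"closeReason": "Resolved", "closeNotes": "ok", "closingUserId": "analyst1"},
            {"closeReason": "Resolved", "closeNotes": "", "closingUserId": "DBot"},
        ]
        for sample in samples:
            print(sample["closingUserId"], closure_problems(sample) or "accepted")


if __name__ in ("__main__", "__builtin__", "builtins"):
    main()
```

Because a failing script blocks closure, keep the checks deterministic and free of external calls that can time out, or analysts will be unable to close incidents during an outage.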