Rule Actions for Pre-Process Rules - Administrator Guide - 6.9 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 6.9
Creation date: 2022-09-29
Last date published: 2024-06-20
End of Life: EoL
Category: Administrator Guide

Abstract

Rule actions when creating pre-process rules in Cortex XSOAR.

The following table describes the rule actions for pre-process rules. The Section 3 column lists the additional settings that each action requires; None means the action needs no further configuration.

Option: Drop
Description: Drops the incoming event. No incident is created.
Section 3: None

Option: Close
Description: Closes the incoming incident.
Section 3: None

Option: Drop and update
Description: Drops the incoming event and updates the Dropped Duplicate Incidents table of the existing incident that you specify. A War Room entry is also created on that incident. If no existing incident matches the defined criteria, an incident is created for the incoming event.
Section 3: Update
  1. Choose whether to update the newest or the oldest incident within a time range.
  2. Select the incident field that identifies the incident to update, together with its value.

Option: Link
Description: Creates an entry in the Linked Incidents table of the existing incident to which you link.
Section 3: Link to
  1. Choose whether to link to the newest or the oldest incident within a time range.
  2. Select the incident field that identifies the incident to link to, together with its value.

Option: Link and close
Description: Creates an entry in the Linked Incidents table of the existing incident to which you link, and closes the incoming incident. If no existing incident matches the defined criteria, an incident is created for the incoming event.
Section 3: Link to
  1. Choose whether to link to the newest or the oldest incident within a time range.
  2. Select the incident field that identifies the incident to link to, together with its value.

Option: Run a script
Description: Select an automation to run on the incoming incident. When you write the script, add the preProcessing tag to it; only scripts with that tag appear in the list of available scripts.

Note

Pre-process rules that use system-based automations such as GetIncidentsByQuery run, by default, with the role defined on that automation (Limited User). For example, if the GetIncidentsByQuery automation runs with the Limited User role, it also runs with the Limited User role when called from a pre-process rule. To change this, either detach the automation and update its RunAs field (for example, to DbotRole), or create a wrapper automation with the required role set in its RunAs field and have the wrapper call the system-based automation. When called by the wrapper, the system-based automation runs with the role assigned to the wrapper.

Pre-processing automations can access sensitive incident data. As a best practice, assign a Role to the pre-processing script so that only trusted users can edit it.

Section 3: Choose a script
From the dropdown list, select the script to run on the incoming incident. Only scripts tagged preProcessing appear in the list.
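The following pre-processing automation is an added example written for this page; it is not code from the Cortex XSOAR product or its content packs. It shows the kind of script the Run a script action expects: it searches for an existing open incident of the same type that shares a key field with the incoming one, picks the newest or oldest match inside a lookback window (the same newest/oldest choice the Update and Link to settings offer), links the incoming incident to it and drops the new one, and otherwise lets the incident be created. The custom field name srcip, the 24-hour window, the sample incident records, and the use of the getIncidents and linkIncidents server commands are assumptions for the example, not settings documented on this page. Outside XSOAR the demisto object is absent, so only the decision logic runs, against the constructed sample data.

```python
"""Added example pre-processing automation for Cortex XSOAR (not product code).

Assumed, not from the documentation page: the dedup field ``srcip``, the
24-hour window, the sample incidents below, and the ``getIncidents`` /
``linkIncidents`` server commands.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

try:
    import demistomock as demisto  # injected only inside an XSOAR automation
except ImportError:  # offline: exercise the pure decision logic only
    demisto = None

DEDUP_FIELD = "srcip"           # assumed custom field holding a source IP
LOOKBACK = timedelta(hours=24)  # assumed "time range" for newest/oldest


def parse_xsoar_time(value):
    """Parse timestamps such as 2024-06-20T11:30:00.123456789Z.
    fromisoformat() rejects nine fractional digits, so truncate to six."""
    value = value.rstrip("Z")
    if "." in value:
        base, frac = value.split(".", 1)
        value = f"{base}.{frac[:6]}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def build_query(incident_type, field, value):
    """Build the incident search query. Quotes in attacker-controlled field
    values are escaped so a crafted value cannot widen the match (assumed
    escaping convention; main() additionally validates the value as an IP)."""
    safe_type = incident_type.replace('"', '\\"')
    safe_value = str(value).replace('"', '\\"')
    return f'-status:closed and type:"{safe_type}" and {field}:"{safe_value}"'


def choose_match(candidates, now, prefer="newest", window=LOOKBACK):
    """Return the id of the newest or oldest candidate created within the
    window, or None when nothing qualifies."""
    in_window = [
        c for c in candidates
        if now - window <= parse_xsoar_time(c["created"]) <= now
    ]
    if not in_window:
        return None
    pick = max if prefer == "newest" else min
    return pick(in_window, key=lambda c: parse_xsoar_time(c["created"]))["id"]


def decide(incoming, candidates, now, prefer="newest"):
    """Return (create_incident, matched_id). The incoming incident is never
    its own match, so it is removed from the candidate list first."""
    others = [c for c in candidates if c["id"] != incoming["id"]]
    match = choose_match(others, now, prefer)
    return (match is None, match)


# Constructed sample data for offline use.
SAMPLE_NOW = datetime(2024, 6, 20, 12, 0, tzinfo=timezone.utc)
SAMPLE_INCOMING = {"id": "105", "type": "Brute Force",
                   "CustomFields": {"srcip": "203.0.113.7"}}
SAMPLE_EXISTING = [
    {"id": "101", "created": "2024-06-19T13:00:00.000000000Z"},  # in window
    {"id": "98", "created": "2024-06-18T09:00:00.000000000Z"},   # too old
    {"id": "103", "created": "2024-06-20T11:30:00.123456789Z"},  # newest
]


def main():
    """XSOAR entry point; the automation must carry the preProcessing tag."""
    incoming = demisto.incidents()[0]
    value = (incoming.get("CustomFields") or {}).get(DEDUP_FIELD)
    try:
        ipaddress.ip_address(value)  # reject anything that is not an IP
    except ValueError:
        demisto.results(True)  # nothing safe to match on: create the incident
        return
    query = build_query(incoming["type"], DEDUP_FIELD, value)
    res = demisto.executeCommand("getIncidents", {"query": query})
    candidates = (res[0]["Contents"] or {}).get("data") or []
    create, match = decide(incoming, candidates, datetime.now(timezone.utc))
    if not create:
        demisto.executeCommand("linkIncidents", {"incidentId": match,
                                                 "linkedIncidentIDs": incoming["id"]})
    demisto.results(create)  # False drops the incoming incident


if demisto is not None and __name__ in ("__main__", "__builtin__", "builtins"):
    main()
```

Because the search runs with the role in the automation's own RunAs field, a script left at Limited User may not see every open incident and will create duplicates it was meant to suppress; set the role deliberately, and restrict who can edit the script, as the note above recommends.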