Create Post-Process Rules

Cortex XSOAR 6.x Tutorials

Product: Cortex XSOAR
Version: 6.x
Creation date: 2022-10-13
Last date published: 2023-06-05
Category: Tutorials

After you remediate an incident, you may want to perform additional actions on it, such as closing a ticket in a ticketing system such as ServiceNow, sending out an email, or verifying that all tasks are completed. You can create a post-processing script to cover as many scenarios as you need.

In this example, when an incident is closed, we want to automatically update the owner of the incident to the user who closes it. This user is responsible for any post-closure issues.

  1. Create a script in the Automation page.

    1. Click Upload Automation.

    2. Upload the following script.

      commonfields:
        id: Close Incident by User ID
        version: 1
      contentitemexportablefields:
        contentitemfields:
          packID: ""
          itemVersion: ""
          fromServerVersion: ""
          toServerVersion: ""
          propagationLabels:
          - all
      vcShouldKeepItemLegacyProdMachine: false
      name: CloseIncidentbyUserID
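      script: |-
        # Post-processing scripts receive the closing details as arguments;
        # closingUserId identifies the user who closed the incident.
        args = demisto.args()
        # Make the closing user the owner of the incident.
        demisto.executeCommand("setIncident", {'owner': args['closingUserId']})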
      type: python
      tags:
      - post-processing
      enabled: true
      scripttarget: 0
      subtype: python2
      pswd: ""
      runonce: false
      runas: DBotWeakRole

      Ensure that the post-processing tag is selected.

    3. Click Save Version.

  2. Add the automation to the Phishing incident type.

    1. Select Settings > OBJECTS SETUP > Incidents > Types > Phishing > Edit.

    2. In the Post-process using field, select CloseIncidentbyUserID.

    3. Click Save.

    When a user closes an incident, that user now becomes the owner. If the incident is reopened, the user who closed it can keep track of it.
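
The following is an added example, not part of the original tutorial or of Cortex XSOAR's own content: a defensive variant of the script body that skips the update when `closingUserId` is absent and reports a failed `setIncident` call instead of ignoring it. `FakeDemisto` and `assign_owner_to_closer` are hypothetical names, the fake object is a constructed stand-in for the server-provided `demisto` object so the logic runs offline, and treating entry type 4 as an error entry is an assumption taken from the common server scripts.

```python
ERROR_ENTRY_TYPE = 4  # assumption: entry type used for error entries
NOTE_ENTRY_TYPE = 1   # assumption: entry type used for ordinary results


class FakeDemisto(object):
    """Constructed stand-in for the XSOAR `demisto` object (offline use only)."""

    def __init__(self, args, fail=False):
        self._args = args
        self._fail = fail
        self.calls = []  # records every command the script tried to run

    def args(self):
        return self._args

    def executeCommand(self, command, command_args):
        self.calls.append((command, command_args))
        if self._fail:
            return [{"Type": ERROR_ENTRY_TYPE, "Contents": "constructed failure"}]
        return [{"Type": NOTE_ENTRY_TYPE, "Contents": "done"}]


def assign_owner_to_closer(demisto):
    """Set the incident owner to the closing user; return (ok, message)."""
    closing_user = (demisto.args().get("closingUserId") or "").strip()
    if not closing_user:
        # No closing user supplied: skip the call so the owner is not changed.
        return False, "closingUserId missing; owner left unchanged"
    entries = demisto.executeCommand("setIncident", {"owner": closing_user}) or []
    errors = [e.get("Contents") for e in entries
              if isinstance(e, dict) and e.get("Type") == ERROR_ENTRY_TYPE]
    if errors:
        # Surface the failure so the closure record shows the owner was not set.
        return False, "setIncident failed: %s" % errors[0]
    return True, "owner set to %s" % closing_user


if __name__ == "__main__":
    # Constructed sample arguments: normal close, missing user, failed update.
    for fake in (FakeDemisto({"closingUserId": "analyst1"}),
                 FakeDemisto({}),
                 FakeDemisto({"closingUserId": "analyst1"}, fail=True)):
        print(assign_owner_to_closer(fake))
```

In a real automation, the function would be called with the server-provided `demisto` object and the returned message written to the War Room.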