You can create a script to export incidents to a CSV file.
This example automation exports the last week's active incidents and downloads them as a file to the War Room or Playground.
Use the basic automation template to create the following code.
The first step is to create the body of the request that is sent to the Cortex XSOAR REST API. This request body queries for incidents with `status:active`, sorts descending on the `id` field, returns only incidents from the last seven days, and specifies the set of columns to return in the CSV file.

The first `demisto.executeCommand()` call posts the request to the Cortex XSOAR server and returns the name of the CSV file created as `fileName`.

The second `demisto.executeCommand()` call downloads the CSV from the Cortex XSOAR server and saves it as part of the investigation.

The `return_results()` function and `fileResult()` function add the file to the War Room or Playground, where a download link is presented and a user can download the file.
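```python
import traceback

import demistomock as demisto  # noqa: F401
from CommonServerPython import *  # noqa: F401


def main():
    try:
        # Request body: active incidents from the last 7 days,
        # newest id first, limited to the listed columns.
        reqBody = {
            'all': True,
            'filter': {
                'query': "status:active",
                'sort': [{
                    'field': "id",
                    'asc': False
                }],
                'period': {
                    'by': "day",
                    'fromValue': 7
                }
            },
            'columns': [
                "id", "name", "type", "severity", "status", "owner",
                "roles", "playbookId", "occurred", "created",
                "modified", "closed"
            ]
        }

        # Ask the server to build the CSV; the response is the file name.
        fileName = demisto.executeCommand("demisto-api-post", {
            'uri': "/incident/batch/exportToCsv",
            'body': reqBody
        })[0]['Contents']['response']

        # Download the generated CSV by name.
        file = demisto.executeCommand("demisto-api-get", {
            'uri': "/incident/csv/" + fileName
        })[0]['Contents']['response']

        # Attach the CSV to the War Room or Playground as a downloadable file.
        return_results(fileResult(fileName, file))
    except Exception as ex:
        demisto.error(traceback.format_exc())
        return_error("Failed to execute REST API: " + str(ex))


if __name__ in ("__main__", "__builtin__", "builtins"):
    main()
```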
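Incident fields such as `name` are often filled from ingested data, so an exported cell can begin with a character that a spreadsheet evaluates as a formula when an analyst opens the download. The following is an added example, not part of the original page or of Cortex XSOAR's own code: it neutralises such cells in the CSV text before it is handed to `fileResult()`. The function names and the sample CSV are constructed for illustration, and it assumes the export does not already escape these cells.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as the start of a
# formula; tab and carriage return are included because they can precede one.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")


def _is_number(cell):
    try:
        float(cell)
        return True
    except ValueError:
        return False


def neutralise_cell(cell):
    """Prefix a single quote so the cell is displayed as text, not evaluated."""
    if cell.startswith(FORMULA_PREFIXES) and not _is_number(cell):
        return "'" + cell
    return cell


def neutralise_csv(csv_text):
    """Return (clean_text, cells_changed) for an exported CSV.

    Accepts str or bytes (the response type is an assumption here) and
    keeps a UTF-8 byte-order mark if the export starts with one.
    """
    if isinstance(csv_text, bytes):
        csv_text = csv_text.decode("utf-8")
    bom = "\ufeff" if csv_text.startswith("\ufeff") else ""
    reader = csv.reader(io.StringIO(csv_text[len(bom):], newline=""))
    out = io.StringIO(newline="")
    writer = csv.writer(out, lineterminator="\n")
    changed = 0
    for row in reader:
        safe = [neutralise_cell(c) for c in row]
        changed += sum(a != b for a, b in zip(row, safe))
        writer.writerow(safe)
    return bom + out.getvalue(), changed


# Constructed sample: a header and two incidents, one with a formula-like name.
SAMPLE = (
    "id,name,severity\n"
    "12,=1+1,3\n"
    '11,"Mail, subject -5",-1\n'
)
```

In the script above, this would be applied to `file` before the `return_results(fileResult(fileName, file))` call, and a non-zero change count is worth logging with `demisto.debug()`.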