Export Incidents to CSV

Cortex XSOAR Python Development Quick Start Guide

Product: Cortex XSOAR
Version: 6.x
Creation date: 2023-03-22
Last date published: 2023-08-31
Category: Python Development Quick Start Guide

You can create a script to export incidents to a CSV file.

This example automation exports the active incidents from the last week and downloads them as a CSV file to the War Room or Playground.

Use the basic automation template to create the following code.

  • The first step is to create the body of the request that is sent to the Cortex XSOAR REST API. This request body queries for incidents with status:active, sorts descending on the id field, restricts the results to incidents from the last seven days, and specifies the set of columns to include in the CSV file.

  • The first demisto.executeCommand() call posts the request to the Cortex XSOAR server, which generates the CSV and returns the name of the created file as fileName.

  • The second demisto.executeCommand() call downloads the CSV from the Cortex XSOAR server so that it can be saved as part of the investigation.

  • The return_results() and fileResult() functions add the file to the War Room or Playground, where a download link is presented and a user can download the file.

import traceback

# These two imports are part of the basic automation template.
import demistomock as demisto  # noqa: F401
from CommonServerPython import *  # noqa: F401


def main():
    try:
        # Request body for /incident/batch/exportToCsv: all active incidents,
        # newest id first, from the last seven days, with the listed columns.
        reqBody = {
            'all': True,
            'filter': {
                'query': "status:active",
                'sort': [{
                    'field': "id",
                    'asc': False
                }],
                'period': {
                    'by': "day",
                    'fromValue': 7
                }
            },
            'columns': [
                "id",
                "name",
                "type",
                "severity",
                "status",
                "owner",
                "roles",
                "playbookId",
                "occurred",
                "created",
                "modified",
                "closed"
            ]
        }

        # Ask the server to build the CSV; the response is the generated file name.
        fileName = demisto.executeCommand("demisto-api-post", {
            'uri': "/incident/batch/exportToCsv",
            'body': reqBody
        })[0]['Contents']['response']

        # Download the CSV content from the server.
        file = demisto.executeCommand("demisto-api-get", {
            'uri': "/incident/csv/" + fileName
        })[0]['Contents']['response']

        # Attach the CSV to the War Room or Playground as a downloadable file.
        return_results(fileResult(fileName, file))
    except Exception as ex:
        demisto.error(traceback.format_exc())
        return_error("Failed to execute REST API: " + str(ex))


if __name__ in ("__main__", "__builtin__", "builtins"):
    main()
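The script above indexes straight into [0]['Contents']['response'], so when the REST API returns an error entry the failure surfaces as a KeyError or TypeError rather than as the server's message. As an added example that is not part of this guide, the helpers below build the same request body with status, look-back window and columns as parameters, check for an error entry before reading the response (CommonServerPython defines entryTypes['error'] as 4), and accept the returned file name only if it is a plain base name before placing it in the /incident/csv/ path; they are pure Python so they run without the demisto module, and the sample entries in the test are constructed.

```python
import re
from typing import Any, Dict, List, Optional

# Error entry type: CommonServerPython defines entryTypes['error'] == 4.
ENTRY_TYPE_ERROR = 4
# Accept only a plain base name (no path separators, no leading dot) for the
# file name the server returns, before it is placed in the download URI.
_SAFE_FILE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")
DEFAULT_COLUMNS = ["id", "name", "type", "severity", "status", "owner", "roles",
                   "playbookId", "occurred", "created", "modified", "closed"]

def build_export_request(status: str = "active", days: int = 7,
                         columns: Optional[List[str]] = None) -> Dict[str, Any]:
    """Body for POST /incident/batch/exportToCsv; the guide hard-codes active / 7 days."""
    return {
        "all": True,
        "filter": {
            "query": f"status:{status}",
            "sort": [{"field": "id", "asc": False}],
            "period": {"by": "day", "fromValue": days},
        },
        "columns": list(columns or DEFAULT_COLUMNS),
    }

def is_error_entry(entry: Dict[str, Any]) -> bool:
    """True when an entry returned by demisto.executeCommand() is an error entry."""
    return entry.get("Type") == ENTRY_TYPE_ERROR

def response_of(entries: List[Dict[str, Any]]) -> Any:
    """entries[0]['Contents']['response'], failing loudly instead of with a bare KeyError."""
    if not entries:
        raise RuntimeError("executeCommand returned no entries")
    first = entries[0]
    if is_error_entry(first):
        raise RuntimeError(f"REST API call failed: {first.get('Contents')}")
    contents = first.get("Contents")
    if not isinstance(contents, dict) or "response" not in contents:
        raise RuntimeError(f"unexpected entry contents: {contents!r}")
    return contents["response"]

def is_safe_file_name(name: Any) -> bool:
    """True when the exported file name is a plain base name."""
    return isinstance(name, str) and bool(_SAFE_FILE_NAME.match(name))

def csv_uri(file_name: str) -> str:
    """GET path for /incident/csv/<fileName>; refuses names that are not a base name."""
    if not is_safe_file_name(file_name):
        raise ValueError(f"unexpected export file name: {file_name!r}")
    return "/incident/csv/" + file_name
```

In the automation itself, replace the two `[0]['Contents']['response']` lookups with response_of() and build the download URI with csv_uri(), so the except branch reports the server's error text instead of an indexing error.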