Set an Incident Field

Cortex XSOAR Python Development Quick Start Guide

Product: Cortex XSOAR
Version: 6.x
Creation date: 2023-03-22
Last date published: 2023-08-31
Category: Python Development Quick Start Guide

As part of the incident investigation process, you may need to assign incoming data to an incident field.  

This example automation sets the incident details field to a message argument passed into the script.

  1. Create an automation and use the Settings button to add a mandatory argument named message.

    [Screenshot: cortex-xsoar-automation-setincidentfield.png]
  2. Use the basic automation template to create the following code.

    The demisto.args() function accesses the argument passed to the automation. Arguments are passed as a dictionary and can be accessed by the argument name as a dictionary key.

    The demisto.executeCommand() function with the setIncident command sets the value of an incident field. The command parameters are passed as a dictionary whose key is the incident field name (details) and whose value is the message.

    import demistomock as demisto  # noqa: F401
    from CommonServerPython import *  # noqa: F401
    import traceback


    def main():
        try:
            # Read the mandatory 'message' argument from the arguments dictionary
            mesgValue = demisto.args()['message']
            # Write the value into the incident 'details' field
            demisto.executeCommand("setIncident", {'details': mesgValue})
        except Exception as ex:
            # Log the full traceback to the server log and surface the error in the War Room
            demisto.error(traceback.format_exc())
            return_error("Failed to execute setIncident: " + str(ex))


    if __name__ in ("__main__", "__builtin__", "builtins"):
        main()

    If any exceptions occur, the demisto.error() function logs the exception traceback to the Cortex XSOAR server log and the return_error() function displays the error in the War Room.

  3. Save the completed automation and run it in the playground to test it. View the context and verify the incident.details value.

    [Screenshot: cortex-xsoar-automation-see-incident-details.png]
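The following is an added example (not code from the guide) that extends the automation above with two checks a practitioner would want: it validates the message argument before writing it, and it inspects the entry returned by demisto.executeCommand(), which reports failures as error entries rather than raising. The _StubDemisto class and the fallback isError/get_error/return_error helpers are a constructed stand-in so the script runs outside Cortex XSOAR; inside XSOAR the real demistomock and CommonServerPython modules are used instead.

```python
import traceback

try:
    # Inside Cortex XSOAR these modules are injected into every automation.
    import demistomock as demisto
    from CommonServerPython import return_error, isError, get_error
except ImportError:
    # Constructed stand-in so the script can run outside XSOAR (local testing only).
    class _StubDemisto:
        def __init__(self, args):
            self._args, self.calls = args, []  # calls records each executeCommand
        def args(self):
            return self._args
        def executeCommand(self, command, params):
            self.calls.append((command, params))
            return [{"Type": 1, "Contents": "ok"}]  # Type 4 would be an error entry
        def error(self, msg):
            self.calls.append(("error", msg))
    demisto = _StubDemisto({"message": "Phishing reported by user"})  # constructed input
    def isError(entry):
        return bool(entry) and entry[0].get("Type") == 4
    def get_error(entry):
        return entry[0].get("Contents", "")
    def return_error(msg):
        raise SystemExit(msg)

def build_set_incident_params(args):
    """Validate 'message' and build setIncident params; the target field is fixed to 'details'."""
    message = args.get("message")
    if not isinstance(message, str) or not message.strip():
        raise ValueError("'message' must be a non-empty string")
    return {"details": message.strip()}

def set_incident_details(args):
    params = build_set_incident_params(args)
    # executeCommand reports failures as error entries rather than raising, so check the result.
    result = demisto.executeCommand("setIncident", params)
    if isError(result):
        raise RuntimeError(get_error(result))
    return params

def main():
    try:
        set_incident_details(demisto.args())
    except Exception as ex:
        demisto.error(traceback.format_exc())
        return_error("Failed to execute setIncident: " + str(ex))

if __name__ in ("__main__", "__builtin__", "builtins"):
    main()
```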