Add Note Information Using an Automation Script - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Cortex XSOAR
Creation date
Last date published
Administrator Guide

Add note information to an incident using a script through the Cortex XSOAR REST API.

This example shows how to add note information to an incident using a script through the API. For this script to run, you need to install the Cortex REST API content pack and add a Core REST API instance. You add the script to the Scripts page and then add the script to the incident layout builder using the General Purpose Dynamic Section.

  1. Go the Scripts page and add the following script:

      id: ShowLastNoteUserAndDate
      version: -1
    name: ShowLastNoteUserAndDate
    script: |2
      function getLastNote(incidentID) {
          var body = {pageSize:1,categories:['notes']};
          var res = executeCommand('demisto-api-post', {uri:'/investigation/' + incidentID, body: body});
          if (isError(res[0])) {
              throw 'demisto-api-post failed for incidnet #'+incidentID+'\nbody is ' + JSON.stringify(body) + '\n' + JSON.stringify(res);
          if (!res[0].Contents.response.entries) {
              return null;
          var notes = res[0].Contents.response.entries;
          var lastNote = notes[notes.length-1];
          return lastNote;
      lastNote = getLastNote(incidents[0].id);
      if (lastNote) {
          md = `#### Update by ${lastNote.user} on ${lastNote.modified.split('T')[0]}\n`;
          md += `\n---\n`;
          md += lastNote.contents + '\n';
          return { ContentsFormat: formats.markdown, Type: entryTypes.note, Contents: md } ;
      } else {
          return 'N/A';
    type: javascript
    - dynamic-section
    enabled: true
    scripttarget: 0
    runonce: false
    runas: DBotWeakRole
  2. Select the incident type to add the script, by completing the steps in Add a Script to the Incident Layout.

  3. In the Automation script field, select the script added in step 1.

  4. Go to the incident that you want to view the note information.

    You can see note information, containing the last user and date.