Associate Cortex XSOAR incident fields with scripts that are triggered when the field changes.
Incident fields can be associated with trigger scripts that can check for field change conditions and take actions based on the change. These scripts can perform any action, such as dynamically changing the field value, notifying the responder when an incident severity has been changed, etc., when the conditions are met. For example, when using the ChangeRemediationSLAOnSevChange
script, it changes the Remediation SLA of an incident, when the severity of the incident changes for any reason.
Scripts can be created in Python, PowerShell, or JavaScript in the Scripts page. To use a field trigger script, you need to add the field-change-triggered tag when creating the script. You can then add the script in the Attributes tab, when you edit or Create a Custom Incident Field. If you did not add the tag when creating the script, it cannot be added.
Cortex XSOAR comes out-of-the-box with field change scripts in the Scripts page, such as:
ChangeRemediationSLAOnSevChange
emailFieldTriggered
: Changes the incident field when the email body or subject changes.StopTimeToAssignOnOwnerChange
: Stops the Time to Assignment SLA field, as soon as an owner was assigned to an incident.
A common use case is to create the following script that verifies that changes made by a playbook only will take place and not by a user manually.
args = demisto.args() user = args["user"] if user: demisto.executeCommand("setIncident", {args["cliName"]: args["old"]})
The script checks who made the change using the user
field. The cliName
argument returns the field name, so that it can be attached to multiple incident fields, and block changes to them, without the need to have a different script for each field.
Script Arguments - Related Information
When a script is triggered on a field, it has the following triggered field information available as arguments (args):
Argument | Description |
---|---|
| If the field is associated to all or some incidents. Value: |
| An array of the incident types, with which the field is associated. |
| The name of the field when called from the command line. |
| The description of the field. |
| Specifies whether the field is non editable. Value: |
| The name of the field. |
| The new value of the field. |
| The old value of the field. |
| Specifies that only the creator of the field can edit. Value: |
| The placeholder text. |
| Specifies whether this is a mandatory field. Value: |
| If this is a multi select type field, these are the values the field can take. |
| Whether it is a Cortex XSOAR defined field. |
| The field type. |
| Whether it is not mapped to any incident. |
| Whether it is being used for tracking KPI on an incident page. |
| The username of the user who triggered the script. |
| Whether there is a regex associated for validation the values the field can hold. |
Script Limitations
Trigger scripts cannot close incidents.
Post-processing scripts can modify an incident, but if a modified field has a trigger script, it is not called.
Incident modifications executed within a trigger script are only saved to the database after the modifications are completed.