Incident Field Trigger Scripts - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
8
Creation date
2024-09-18
Last date published
2024-11-28
Category
Administrator Guide
Solution
Cloud
Retire_Doc
Retiring
Link_to_new_Doc
/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation
Abstract

Associate Cortex XSOAR incident fields with scripts that are triggered when the field changes.

Incident fields can be associated with trigger scripts that can check for field change conditions and take actions based on the change. These scripts can perform any action, such as dynamically changing the field value, notifying the responder when an incident severity has been changed, etc., when the conditions are met. For example, when using the ChangeRemediationSLAOnSevChange script, it changes the Remediation SLA of an incident, when the severity of the incident changes for any reason.

Scripts can be created in Python, PowerShell, or JavaScript in the Scripts page. To use a field trigger script, you need to add the field-change-triggered tag when creating the script. You can then add the script in the Attributes tab, when you edit or Create a Custom Incident Field. If you did not add the tag when creating the script, it cannot be added.

Cortex XSOAR comes out-of-the-box with field change scripts in the Scripts page, such as:

  • ChangeRemediationSLAOnSevChange

  • emailFieldTriggered: Changes the incident field when the email body or subject changes.

  • StopTimeToAssignOnOwnerChange: Stops the Time to Assignment SLA field, as soon as an owner was assigned to an incident.

A common use case is to create the following script that verifies that changes made by a playbook only will take place and not by a user manually.

args = demisto.args()
user = args["user"]
if user:
    demisto.executeCommand("setIncident", {args["cliName"]: args["old"]})

The script checks who made the change using the user field. The cliName argument returns the field name, so that it can be attached to multiple incident fields, and block changes to them, without the need to have a different script for each field.

Script Arguments - Related Information

When a script is triggered on a field, it has the following triggered field information available as arguments (args):

Argument

Description

associatedToAll

If the field is associated to all or some incidents. Value: true or false.

associatedTypes

An array of the incident types, with which the field is associated.

cliName

The name of the field when called from the command line.

description

The description of the field.

isReadOnly

Specifies whether the field is non editable. Value: true or false.

name

The name of the field.

new

The new value of the field.

old

The old value of the field.

ownerOnly

Specifies that only the creator of the field can edit. Value: true or false.

placeholder

The placeholder text.

required

Specifies whether this is a mandatory field. Value: true or false.

selectValues

If this is a multi select type field, these are the values the field can take.

system

Whether it is a Cortex XSOAR defined field.

type

The field type.

unmapped

Whether it is not mapped to any incident.

useAsKpi

Whether it is being used for tracking KPI on an incident page.

user

The username of the user who triggered the script.

validationRegex

Whether there is a regex associated for validation the values the field can hold.

Script Limitations

  • Trigger scripts cannot close incidents.

  • Post-processing scripts can modify an incident, but if a modified field has a trigger script, it is not called.

  • Incident modifications executed within a trigger script are only saved to the database after the modifications are completed.