Post Processing for Incidents

Cortex XSOAR Administrator Guide

Product: Cortex XSOAR
Version: 8
Creation date: 2024-09-18
Last date published: 2024-11-28
Category: Administrator Guide
Solution: Cloud
Retire_Doc: Retiring
Link_to_new_Doc: /r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation
Abstract

You can set up a post-processing script to run after an incident has been remediated, but before the incident is closed in Cortex XSOAR.

After you remediate an incident, you may want to perform additional actions on the incident, such as closing a ticket in a ticketing system or sending out an email. You can create a post-processing script to cover these scenarios.

Note: If a post-processing script returns an error, the incident does not close.

You need to Create a Post-Processing Script and then Add a Post-Processing Script to the Incident Type.

Arguments Available in a Post-Processing Script

These arguments are available for use in the post-processing script:

  • closed - The incident closed time.

  • status

  • openDuration

  • closeNotes

  • closingUserId - The username of the user who closed the incident, or DBot if the incident was closed by DBot (for example, through a playbook).

  • closeReason

  • Any other field values passed in at closure, whether through the incident close form, the CLI, or a playbook task.
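
The following is an added example, not code from the Cortex XSOAR documentation. It reads the closure arguments listed above and uses the rule that an error return keeps the incident open to enforce a closure policy. The policy itself (minimum note length, DBot exemption), the sample values, and the use of XSOAR's `demisto.args()`, `return_results` and `return_error` script helpers are assumptions.

```python
# Added example: a closure gate for a post-processing script.
# Argument names come from the list above; the policy values are hypothetical.
MIN_NOTES_LEN = 20  # assumed policy: shortest acceptable analyst note


def closure_problems(args):
    """Return a list of policy violations found in the closure arguments."""
    reason = str(args.get("closeReason") or "").strip()
    notes = str(args.get("closeNotes") or "").strip()
    closer = str(args.get("closingUserId") or "").strip()
    problems = []
    if not closer:
        problems.append("closingUserId is empty; the closure cannot be attributed")
    if not reason:
        problems.append("closeReason is required")
    # Closures by DBot (for example, through a playbook) carry no analyst
    # narrative, so the note-length rule applies to human closers only.
    if closer != "DBot" and len(notes) < MIN_NOTES_LEN:
        problems.append(f"closeNotes must be at least {MIN_NOTES_LEN} characters")
    return problems


def audit_line(args):
    """Build a one-line record of who closed the incident, when, and why."""
    keys = ("closed", "closingUserId", "closeReason", "status", "openDuration")
    return " ".join(f"{k}={args.get(k, '')!r}" for k in keys)


def main(args, ok, fail):
    """Call fail() on a violation (the incident stays open), ok() otherwise."""
    problems = closure_problems(args)
    if problems:
        fail("Closure blocked: " + "; ".join(problems))
        return False
    ok("Closure accepted: " + audit_line(args))
    return True


if __name__ in ("__main__", "__builtin__", "builtins"):
    try:
        # Inside Cortex XSOAR these names are provided to the script (assumption).
        runtime = (demisto.args(), return_results, return_error)
    except NameError:
        # Offline run: constructed sample arguments, results printed instead.
        sample = {"closingUserId": "analyst1", "closeReason": "Resolved",
                  "closeNotes": "ok", "status": "closed"}
        runtime = (sample, print, print)
    main(*runtime)
```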