Rule Actions for Pre-Process Rules - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide

Product
Cortex XSOAR
Version
8
Creation date
2024-09-18
Last date published
2024-11-12
Category
Administrator Guide
Solution
Cloud
Retire_Doc
Retiring
Link_to_new_Doc
/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation
Abstract

The rule actions available when creating pre-process rules in Cortex XSOAR, and the settings each action requires.

The following table describes the rule actions available for pre-process rules and the additional settings each action requires.

Option: Drop
Description: Drops the incoming event. No incident is created.
Settings: None

Option: Close
Description: Closes the incoming incident. Unlike Drop, the incident is created, but in a closed state.
Settings: None

Option: Drop and update
Description: Drops the incoming event and updates the Dropped Duplicate Incidents table of the existing incident that you define. A War Room entry is also created in that incident. If no existing incident matches the defined criteria, an incident is created for the incoming event.
Settings: Update
  1. Choose whether to update the newest or the oldest incident within the time range.
  2. Select the incident to update, together with the matching value.

Option: Link
Description: Creates an entry in the Linked Incidents table of the existing incident to which you link. Unlike Link and close, the incoming incident is not closed.
Settings: Link to
  1. Choose whether to link to the newest or the oldest incident within the time range.
  2. Select the incident to link to, together with the matching value.

Option: Link and close
Description: Creates an entry in the Linked Incidents table of the existing incident to which you link, and closes the incoming incident. If no existing incident matches the defined criteria, an incident is created for the incoming event.
Settings: Link to
  1. Choose whether to link to the newest or the oldest incident within the time range.
  2. Select the incident to link to, together with the matching value.

Option: Run a script
Description: Runs the selected script on the incoming incident. When you create a script for this purpose, add the preProcessing tag to it; otherwise it does not appear in the list of available scripts.
Settings: Choose a script
  From the drop-down list, select the script to run on the incoming incident. Only scripts tagged preProcessing appear in the list.

Note

Pre-process rules that run system scripts such as GetIncidentsByQuery execute them, by default, with the role defined on that script (Limited User). For example, if GetIncidentsByQuery is set to run as Limited User, it also runs as Limited User when invoked from a pre-process rule. To change this, either detach the script and update its RunAs field (for example, to DbotRole), or create a wrapper script with the required role set in its RunAs field and have the wrapper call the system script. The system script, when called by the wrapper, runs with the role assigned to the wrapper.

Pre-processing scripts can access sensitive incident data. As a best practice, assign a role to the pre-processing script so that only trusted users can edit it.
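The following is an added example of the wrapper pattern described in the note: a pre-processing script for a "Run a script" rule that calls the system script GetIncidentsByQuery and drops the incoming event when an open duplicate already exists. It is written for this page and is not a script shipped with Cortex XSOAR. The RunAs role and the preProcessing tag are script settings configured in the UI, not code. Everything beyond what the page states is an assumption: that the incoming incident carries a custom field named dedupekey, that GetIncidentsByQuery accepts query, fromDate and limit arguments and returns a list of incident dicts (with id, status, created and CustomFields) in the first entry's Contents, that numeric status 2 means closed, and that timestamps are RFC 3339 in UTC. The decision logic is kept in pure functions, with constructed sample data, so it runs offline.

```python
"""Added example: pre-processing wrapper around GetIncidentsByQuery.

Illustrative code for this page, not part of Cortex XSOAR. Assumptions (not
stated on the page): custom field `dedupekey`; GetIncidentsByQuery argument
names query/fromDate/limit and a Contents list of incident dicts; status 2 =
closed; `created` is an RFC 3339 UTC timestamp. RunAs/preProcessing tag are
UI settings on the script, not code.
"""
import re
from datetime import datetime, timedelta, timezone

try:  # available inside XSOAR; absent when the pure logic runs offline
    import demistomock as demisto  # noqa: F401
except ImportError:
    demisto = None

CLOSED_STATUS = 2               # assumption: XSOAR status value for "closed"
LOOKBACK = timedelta(hours=24)  # only incidents this recent count as duplicates
_FRAC = re.compile(r"\.(\d{1,9})")


def normalize_key(value):
    """Fold case and whitespace so trivially different keys still match."""
    return " ".join(str(value or "").lower().split())


def parse_ts(value):
    """Parse an XSOAR timestamp; tolerates nanoseconds and a trailing 'Z'."""
    text = value.replace("Z", "+00:00")
    # fromisoformat needs 3 or 6 fractional digits on older Pythons: pad/truncate to 6
    text = _FRAC.sub(lambda m: "." + m.group(1)[:6].ljust(6, "0"), text, count=1)
    ts = datetime.fromisoformat(text)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def find_duplicate(incoming, candidates, now, lookback=LOOKBACK):
    """Newest open incident within `lookback` sharing the incoming dedupe key, or None."""
    key = normalize_key((incoming.get("CustomFields") or {}).get("dedupekey"))
    if not key:                      # nothing to match on: never treat as duplicate
        return None
    matches = []
    for inc in candidates:
        if inc.get("id") == incoming.get("id"):
            continue                 # the incoming incident itself, if already indexed
        if inc.get("status") == CLOSED_STATUS:
            continue                 # closed incidents are not reused; let a new one open
        if now - parse_ts(inc["created"]) > lookback:
            continue                 # too old to be the same activity
        if normalize_key((inc.get("CustomFields") or {}).get("dedupekey")) == key:
            matches.append(inc)
    return max(matches, key=lambda i: parse_ts(i["created"]), default=None)


def should_create(incoming, candidates, now):
    """Pre-processing contract: True lets XSOAR create the incident, False drops it."""
    return find_duplicate(incoming, candidates, now) is None


def run_in_xsoar():
    """Entry point used by the platform (not executed offline)."""
    incoming = demisto.incident()
    now = datetime.now(timezone.utc)
    since = (now - LOOKBACK).strftime("%Y-%m-%dT%H:%M:%SZ")
    # The system script runs with this wrapper's RunAs role, not its own default.
    res = demisto.executeCommand(
        "GetIncidentsByQuery",
        {"query": "-status:closed", "fromDate": since, "limit": "500"},  # assumed arg names
    )
    contents = res[0].get("Contents") if res else None
    if not isinstance(contents, list):
        demisto.error(f"GetIncidentsByQuery returned no incident list: {contents}")
        demisto.results(True)        # fail open: a duplicate beats a silently dropped alert
        return
    demisto.results(should_create(incoming, contents, now))


# Constructed sample data (not real incidents) so the logic can be exercised offline.
SAMPLE_NOW = datetime(2024, 11, 12, 12, 0, tzinfo=timezone.utc)
SAMPLE_INCOMING = {"id": "105", "status": 0,
                   "CustomFields": {"dedupekey": "Brute Force From 10.0.0.5"}}
SAMPLE_EXISTING = [
    {"id": "99", "status": 1, "created": "2024-11-12T03:00:00Z",
     "CustomFields": {"dedupekey": "brute force from 10.0.0.5"}},
    {"id": "101", "status": 1, "created": "2024-11-12T09:15:00.123456789Z",
     "CustomFields": {"dedupekey": "  brute  force from 10.0.0.5 "}},
    {"id": "80", "status": 2, "created": "2024-11-12T11:00:00Z",    # closed: ignored
     "CustomFields": {"dedupekey": "brute force from 10.0.0.5"}},
    {"id": "50", "status": 1, "created": "2024-11-10T11:00:00Z",    # too old: ignored
     "CustomFields": {"dedupekey": "brute force from 10.0.0.5"}},
    {"id": "102", "status": 1, "created": "2024-11-12T11:30:00Z",
     "CustomFields": {"dedupekey": "malware on host7"}},
]


def demo():
    """Return the duplicate found (if any) and the create/drop decision for the sample."""
    dup = find_duplicate(SAMPLE_INCOMING, SAMPLE_EXISTING, SAMPLE_NOW)
    return {"duplicate": dup["id"] if dup else None,
            "create": should_create(SAMPLE_INCOMING, SAMPLE_EXISTING, SAMPLE_NOW)}


if __name__ in ("__builtin__", "builtins", "__main__"):
    if demisto is None:
        print(demo())                # offline: {'duplicate': '101', 'create': False}
    else:
        run_in_xsoar()
```

Two design choices are worth noting. Closed incidents are deliberately excluded from matching, so that the same activity recurring after closure opens a fresh incident rather than being silently dropped against a closed one. And when the query fails or returns something unexpected, the script returns True (create the incident) rather than False: for a rule that can discard alerts, failing open is the safer default, and the error is logged so the role or argument problem can be fixed.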