You can set up a post-processing script to run after an incident has been remediated, but before the incident is closed in Cortex XSOAR
Post-processing scripts perform actions on an incident after it is remediated but before it is closed by an analyst or automatically in a script or playbook. For example, after remediating an incident, an analyst may want to perform additional actions on the incident, such as closing a ticket in a ticketing system, sending an email, or preventing an incident from being closed without an assigned owner. You can create a post-processing script to cover these scenarios.
The following content packs include post-processing scripts:
- Common Scripts: Includes the GenerateInvestigationSummaryReport script, which generates a report when an investigation is closed.
- Case Management - Generic: Includes the CloseLinkedIncidentsPostProcessing script, which closes any linked incidents when the incident is closed.
You can search for post-processing scripts on the Scripts page by using the Tags filter and typing post-processing.
You need to create a post-process script and then add the script to the incident type.
For an example of creating post-processing scripts that prevent an incident from being closed without an assigned user or with close notes that are not filled out correctly, together with a Service Now example, see the following video:
Create a post-processing script
Select → .
Type a name for the post-processing script and click Save.
In the Tags field, select post-processing from the dropdown list.
Add arguments as required.
Argument        Description
closed          The incident closed time.
status          The status of the incident.
openDuration    The open incident duration between the created and closed dates.
closeNotes      The close notes of the incident.
ClosingUserId   The username of the user who closed the incident, or DBot if the incident was closed by DBot (for example, through a playbook).
closeReason     The close reason for the incident.
N/a             Any other field values passed in at closure, whether through the incident close form, the CLI, or a playbook task.
Save the script.
Add the script to the incident type.
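The introduction mentions two closure checks, an assigned owner and properly filled-out close notes. The following post-processing script implements both; it is an added example and not part of the Cortex XSOAR documentation or any content pack. `demisto.incident()`, `demisto.args()`, `demisto.results()` and `return_error()` are the XSOAR scripting calls the page's own examples use, and the `closeNotes`, `closeReason` and `ClosingUserId` keys follow the argument table above. `validate_closure`, `PLACEHOLDER_NOTES` and `MIN_NOTE_LENGTH` are assumptions of this example, as is the `demistomock` fallback that lets the validation logic run outside XSOAR.

```python
# Added example (not from the Cortex XSOAR documentation): a post-processing
# script that refuses to close an incident without an owner or with empty or
# placeholder close notes. `demisto` and `return_error` are the real XSOAR
# scripting interfaces; `validate_closure` is a hypothetical helper that holds
# the logic so it can be exercised outside XSOAR.
try:
    import demistomock as demisto  # present inside the XSOAR runtime / content repo
    from CommonServerPython import return_error
except ImportError:  # running offline, outside XSOAR
    demisto = None

    def return_error(message):
        raise RuntimeError(message)

# Values an analyst might type to satisfy a "required" close-notes field without content
# (assumed list, extend per organization).
PLACEHOLDER_NOTES = {"", "n/a", "na", "none", "closed", "done", "."}
MIN_NOTE_LENGTH = 20  # assumed policy value


def validate_closure(incident, args):
    """Return the reasons the closure should be rejected (empty list = OK).

    `incident` is the dict returned by demisto.incident(); `args` is the dict
    returned by demisto.args(), carrying the closure fields listed in the
    argument table (closeNotes, closeReason, closed, openDuration, ClosingUserId).
    """
    problems = []

    owner = (incident.get("owner") or "").strip()
    if not owner:
        problems.append("Incident has no assigned owner.")

    notes = (args.get("closeNotes") or "").strip()
    if notes.lower() in PLACEHOLDER_NOTES:
        problems.append("Close notes are empty or a placeholder.")
    elif len(notes) < MIN_NOTE_LENGTH:
        problems.append(
            "Close notes are too short ({} chars, minimum {}).".format(len(notes), MIN_NOTE_LENGTH)
        )

    # A closure driven by a playbook arrives with ClosingUserId == "DBot"
    # (key name as listed in the argument table); require a close reason for it.
    if args.get("ClosingUserId") == "DBot" and not args.get("closeReason"):
        problems.append("Automated closure must set a close reason.")

    return problems


def main():
    if demisto is None:
        raise SystemExit("This script must run inside Cortex XSOAR as a post-processing script.")
    problems = validate_closure(demisto.incident(), demisto.args())
    if problems:
        # A post-processing script that returns an error stops the incident from closing.
        return_error("Cannot close incident: " + " ".join(problems))
    demisto.results("Closure checks passed for incident {}".format(demisto.incident().get("id")))


if __name__ in ("__main__", "__builtin__", "builtins"):
    main()
```

Tag the script with post-processing and attach it to the incident type as described in the procedure; because every rejected check ends in `return_error`, the incident stays open until the analyst fixes the owner or the notes.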
Example 6. The following script example requires the user to verify all To Do tasks before closing an incident. Before you start, you need to configure and enable a Cortex XSOAR REST API instance. For more information, see Core REST API.

```python
# Look up the To Do tasks of the current incident through the Core REST API
# integration and block the closure while any of them is still incomplete.
inc_id = demisto.incidents()[0].get('id')
tasks = list(demisto.executeCommand("core-api-get", {"uri": "/todo/{}".format(inc_id)})[0]['Contents']['response'])
if tasks:
    for task in tasks:
        # A task without "completedBy" has not been marked done yet.
        if not task.get("completedBy"):
            # Returning an error from a post-processing script keeps the incident open.
            return_error("Please complete all ToDo tasks before closing the incident")
            break
```
Example 7. In this example, create a post-processing script for Service Now incidents using a SNOW instance, where there are required fields to resolve and close (such as Resolution Code and Resolution Notes).
This script works with the defaults from Service Now and resolves and closes the mirrored ticket in Service Now.

```yaml
commonfields:
  id: c8eeeb6c-3622-4bcb-897a-d183625609fd
  version: 20
vcShouldKeepItemLegacyProdMachine: false
name: ServiceNowCloseIncidentTicket
script: |-
  # return the args and incident details to the war room, useful for seeing what you have available to you
  # args can be called with demisto.args().get('argname')
  # debugging
  # demisto.results(demisto.args())
  # demisto.results(demisto.incident())

  # get the close notes and reason from the XSOAR Incident
  close_reason = demisto.args().get('closeReason')
  close_notes = demisto.args().get('closeNotes', 'No close notes provided')
  servicenow_sysid = demisto.incident().get("dbotMirrorId", False)

  # map XSOAR close reasons to Service Now close codes
  close_code_map = {
      "False Positive": "Not Solved (Not Reproducible)",
      "Resolved": "Solved (Permanently)",
      "Other": "Solved (Work Around)",
      "Duplicate": "Solved (Work Around)"
  }
  close_code = close_code_map.get(close_reason, "Solved (Work Around)")

  # handle if there is no service now sys_id, otherwise resolve (state 6) and close (state 7) the snow ticket
  if servicenow_sysid:
      demisto.results(demisto.executeCommand("servicenow-update-ticket", {"id": servicenow_sysid, "close_code": close_code, "state": 6, "close_notes": close_notes}))
      demisto.results(demisto.executeCommand("servicenow-update-ticket", {"id": servicenow_sysid, "state": 7}))
  else:
      demisto.results("No ServiceNow sys_id found, doing nothing...")
type: python
tags:
- post-processing
- training
comment: Post processing script to resolve and close Service Now tickets if the XSOAR Incident is closed.
enabled: true
scripttarget: 0
subtype: python3
timeout: 80ns
pswd: ""
runonce: false
dockerimage: demisto/python:1.3-alpine
runas: Administrator
```
Note
If an additional custom argument is defined for a post-processing script, arguments such as closeNotes, closeReason, closed, and openDuration are not available in the demisto.args() dictionary. In this case, there are two options:
- Remove the additional custom argument from the Script settings and instead add it as a field on the Close Form for the incident type. This results in the additional argument being passed to the post-processing script.
- Manually add the default system arguments such as closeNotes, closeReason, closed, and openDuration to the Script settings, in addition to the custom argument. If they are not added, the line close_notes = demisto.args().get('closeNotes', 'No close notes provided') in the code example above always returns "No close notes provided".
Add the post-processing script to the incident type.
Go to → → → → .
Click the incident type to which you want to add the post-processing script.
In the Post process using field, select the script from the drop-down.
Save the incident type.
After you add a post-processing script to the incident type, the incident type will use the post-processing script.
Note
If a post-processing script returns an error, the incident does not close.