Use post-processing scripts in an incident - Administrator Guide - 8 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Cloud Documentation

Product
Cortex XSOAR
Version
8
Creation date
2024-03-07
Last date published
2024-09-17
Category
Administrator Guide
Solution
Cloud
Abstract

You can set up a post-processing script to run after an incident has been remediated, but before the incident is closed in Cortex XSOAR.

Post-processing scripts perform actions on an incident after it is remediated but before it is closed by an analyst or automatically in a script or playbook. For example, after remediating an incident, an analyst may want to perform additional actions on the incident, such as closing a ticket in a ticketing system, sending an email, or preventing an incident from being closed without an assigned owner. You can create a post-processing script to cover these scenarios.

The following content packs include post-processing scripts:

  • Common Scripts: Includes the GenerateInvestigationSummaryReport script, which generates a report when an investigation is closed.

  • Case Management - Generic: Includes the CloseLinkedIncidentsPostProcessing script, which closes any linked incidents when the incident is closed.

You can search for post-processing scripts on the Scripts page by using the Tags filter and typing post-processing.

You need to create a post-processing script and then add the script to the incident type.

Example 5. 

For an example of creating post-processing scripts that prevent an incident from being closed without an assigned user or with close notes that are not filled out correctly, together with a Service Now example, see the following video:


Create a post-processing script

  1. Select Scripts > New Script.

  2. Type a name for the post-processing script and click Save.

  3. In the Tags field, from the dropdown list select post-processing.

  4. Add arguments as required.

    Argument         Description
    closed           The incident closed time.
    status           The status of the incident.
    openDuration     The open incident duration between the created and closed dates.
    closeNotes       The close notes of the incident.
    ClosingUserId    The username of the user who closed the incident, or DBot if the incident was closed by DBot (for example, through a playbook).
    closeReason      The close reason for the incident.
    N/a              Any other field values passed in at closure, whether through the incident close form, the CLI, or a playbook task.

  5. Save the script.

  6. Add the script to the incident type.

    Example 6. 

    The following script example requires the user to verify all To Do tasks before closing an incident. Before you start, you need to configure and enable a Cortex XSOAR REST API instance. For more information, see Core REST API.

    import demistomock as demisto
    from CommonServerPython import *

    # Post-processing runs in the context of the incident being closed; take its ID
    inc_id = demisto.incidents()[0].get('id')

    # List the incident's To Do tasks through the Core REST API instance
    tasks = list(demisto.executeCommand("core-api-get", {"uri": "/todo/{}".format(inc_id)})[0]['Contents']['response'])

    # A task with no completedBy value is still open. Returning an error from a
    # post-processing script stops the incident from closing.
    for task in tasks:
        if not task.get("completedBy"):
            return_error("Please complete all ToDo tasks before closing the incident")

    Example 7. 

    In this example, create a post-processing script for Service Now incidents using a SNOW instance, where there are required fields to resolve and close (such as Resolution Code and Resolution Notes).

    This script works with the defaults from Service Now and resolves and closes the mirrored ticket in Service Now.

    commonfields:
      id: c8eeeb6c-3622-4bcb-897a-d183625609fd
      version: 20
    vcShouldKeepItemLegacyProdMachine: false
    name: ServiceNowCloseIncidentTicket
    script: |-
      # return the args and incident details to the war room, useful for seeing what you have available to you
      # args can be called with demisto.args().get('argname')
    
      # debugging
      # demisto.results(demisto.args())
      # demisto.results(demisto.incident())
    
      # get the close notes and reason from the XSOAR Incident
      close_reason = demisto.args().get('closeReason')
      close_notes = demisto.args().get('closeNotes','No close notes provided')
      servicenow_sysid = demisto.incident().get("dbotMirrorId", False)
    
      # map XSOAR close reasons to Service Now close codes
      close_code_map = {
          "False Positive":"Not Solved (Not Reproducible)",
          "Resolved":"Solved (Permanently)",
          "Other":"Solved (Work Around)",
          "Duplicate":"Solved (Work Around)"
      }
    
      close_code = close_code_map.get(close_reason,"Solved (Work Around)")
    
      # if a ServiceNow sys_id is mirrored on the incident, resolve (state 6) and then close (state 7) the ticket; otherwise do nothing
      if servicenow_sysid:
          demisto.results(demisto.executeCommand("servicenow-update-ticket", {"id":servicenow_sysid,"close_code":close_code,"state":6,"close_notes":close_notes}))
          demisto.results(demisto.executeCommand("servicenow-update-ticket", {"id":servicenow_sysid,"state":7}))
    
      else:
          demisto.results("No ServiceNow sys_id found, doing nothing...")
    type: python
    tags:
    - post-processing
    - training
    comment: Post processing script to resolve and close Service Now tickets if the XSOAR
      Incident is closed.
    enabled: true
    scripttarget: 0
    subtype: python3
    timeout: 80ns
    pswd: ""
    runonce: false
    dockerimage: demisto/python:1.3-alpine
    runas: Administrator
    

    Note

    If there is an additional custom argument defined for a post-processing script, arguments such as closeNotes, closeReason, closed, and openDuration, are not available in the demisto.args() dictionary. In this case, there are two options:

    1. Remove the additional custom argument from Script settings and instead add it as a field on the Close Form for the incident type. This results in the additional argument being passed to the post-processing script.

    2. Manually add the default system arguments such as closeNotes, closeReason, closed, and openDuration to the Script settings, in addition to the custom argument. If not added, the code example above close_notes = demisto.args().get('closeNotes','No close notes provided') always returns "No close notes provided".


  7. Add the post-processing script to the incident type.

    1. Go to Settings & Info > Settings > Object Setup > Incidents > Types.

    2. Click the incident type to which you want to add the post-processing script.

    3. In the Post process using field, from the drop-down, select the script.

    4. Save the incident type.

    After you add a post-processing script to the incident type, the incident type will use the post-processing script.

Note

If a post-processing script returns an error, the incident does not close.
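The following script is an added example written for this page, not code from the Cortex XSOAR documentation or from a content pack. It implements the scenario described at the top of the page: refusing to close an incident that has no assigned owner, a close reason outside an allowed list, or close notes that are too short. It relies on the fact stated in the note above: an error returned from a post-processing script keeps the incident open. The names validate_close, ALLOWED_CLOSE_REASONS and MIN_CLOSE_NOTES_LEN, and the policy values, are assumptions chosen for the illustration; the closing user argument is read under both the spelling in the argument table above (ClosingUserId) and the lower-camel-case form.

```python
"""Post-processing script that blocks closure unless the incident has an owner,
an allowed close reason and meaningful close notes.

Added example, not part of the Cortex XSOAR documentation. validate_close,
ALLOWED_CLOSE_REASONS and MIN_CLOSE_NOTES_LEN are assumed names and values.
"""

try:
    # Both modules are provided by the Cortex XSOAR script runtime.
    import demistomock as demisto
    from CommonServerPython import return_error, return_results
except ImportError:  # running outside XSOAR, for example in a local unit test
    demisto = None

# Assumed policy values; align them with the incident type's close form.
ALLOWED_CLOSE_REASONS = {"False Positive", "Resolved", "Duplicate", "Other"}
MIN_CLOSE_NOTES_LEN = 20


def validate_close(incident, args):
    """Return the list of problems that should prevent closure (empty == OK).

    incident: the demisto.incident() dict.
    args:     the demisto.args() dict, which carries closeReason, closeNotes,
              the closing user and any other close-form fields.
    """
    problems = []

    owner = (incident.get("owner") or "").strip()
    if not owner:
        problems.append("incident has no assigned owner")

    close_reason = (args.get("closeReason") or "").strip()
    if close_reason not in ALLOWED_CLOSE_REASONS:
        problems.append(
            "closeReason %r is not one of %s"
            % (close_reason, sorted(ALLOWED_CLOSE_REASONS))
        )

    close_notes = (args.get("closeNotes") or "").strip()
    if len(close_notes) < MIN_CLOSE_NOTES_LEN:
        problems.append(
            "closeNotes must be at least %d characters (got %d)"
            % (MIN_CLOSE_NOTES_LEN, len(close_notes))
        )

    # Closures driven by a playbook arrive with the closing user set to DBot.
    # Require a specific reason there so automation cannot close with the
    # catch-all "Other". Both spellings of the argument name are accepted.
    closing_user = args.get("closingUserId") or args.get("ClosingUserId")
    if closing_user == "DBot" and close_reason == "Other":
        problems.append("automated closure must use a specific close reason")

    return problems


def main():
    # Inside XSOAR the runtime fills both dicts for a post-processing script.
    problems = validate_close(demisto.incident(), demisto.args())
    if problems:
        # A returned error keeps the incident open and shows the text in the War Room.
        return_error("Incident cannot be closed: " + "; ".join(problems))
    return_results("Closure checks passed")


if __name__ in ("__main__", "__builtin__", "builtins"):
    main()
```

Tag the script with post-processing, select it in the incident type's Post process using field, and, as the note in the procedure above explains, add closeNotes and closeReason to the script's own arguments if you also define any custom argument, otherwise the defaults in validate_close are what the checks see.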