topic bulk close issues in Cortex XSIAM Discussions

bulk close issues

H.Eldessouki — Mon, 01 Jun 2026 10:21:30 GMT

Hello team
I have the following scenario of 16K open issues and I would like to perform mass closure of these open cases. Is there any way to do this? i tried to build a playbook which i give it the excel sheet of all the issues IDs and start bulk resolve but i have problem with it , it is very slow , i mean it takes 24 hours for just close 4K issues , so is there any other options ? like api or something ?

Re: bulk close issues

mshamamulla — Mon, 01 Jun 2026 11:09:52 GMT

Hi @H.Eldessouki

As far as I know it can be done through Cortex XSIAM Public API, Your script must send an authenticated request with the filter and the instruction to change the status to resolved (STATUS_030_RESOLVED).

We recommend engaging your Accounts team and they can assist you with the complete API request and endpoint details for scripting.

Re: bulk close issues

H.Eldessouki — Mon, 01 Jun 2026 12:02:45 GMT

thanks @mshamamulla , already made the right script and run it against the issues name and it's actually very fast ( like close more than 6 per sec ) , so it is confirmed [scripts are faster than playbooks ] and here is the script i use for anyone face the same problem :
```

def main():

page = 0

closed = 0

while True:

res = demisto.executeCommand("getIncidents", {

"query": 'name:"NAME OF THE NOISY ISSUES" and status:0',

"size": 500,

"page": page

})

incidents = res[0]["Contents"]["data"]

if not incidents:

break

for inc in incidents:

demisto.executeCommand("closeInvestigation", {

"id": inc["id"],

"reason": "False Positive",

"closeNotes": "Confirmed noise"

})

closed += 1

page += 1

return_results(f"Done. Closed {closed} incidents.")

main()```