topic Re: Post-processing script to close XDR alerts from XSOAR in Mirroring Both Direction integration setting. in Cortex XSOAR Discussions

Post-processing script to close XDR alerts from XSOAR in Mirroring Both Direction integration setting.

Josep — Tue, 22 Nov 2022 17:25:40 GMT

Hello,

We are using XDR with XSOAR mirroring both direction configuration. It's working. However, incidents created on XSOAR don't close all the alerts of XDR related to the incident. So a post-script should be done to force them to close. What commands in XSOAR could make them close? How do we choose those alerts related to the incident?

Thanks for your time.

Re: Post-processing script to close XDR alerts from XSOAR in Mirroring Both Direction integration setting.

jfernandes1 — Wed, 23 Nov 2022 02:04:31 GMT

Hi @Josep, From what I see in the current command set there is no command (API) to update or close alerts. I found one for incidents - xdr-update-incident.

I would suggest creating a XDR support case to check this is possible or requires a feature request. Once Identified the XSOAR content team can update the integration.

Re: Post-processing script to close XDR alerts from XSOAR in Mirroring Both Direction integration setting.

MBeauchamp2 — Mon, 28 Nov 2022 16:17:09 GMT

There is nothing to close the alerts, but post-processing executes right before an XSOAR Incident is closed, you can use a post processing script with the xdr-update-incident command as mentioned, here is an example:

# get the close notes & reason from the XSOAR Incident
close_reason = demisto.args().get("closeReason","Resolved")
close_notes = demisto.args().get("closeNotes","No close notes provided")

# get the xdr incident id
xdrincidentid = demisto.incident().get("CustomFields",{}).get("xdrincidentid",False)

# map XSOAR close reasons to XDR close codes
close_code_map = {
"False Positive":"RESOLVED_FALSE_POSITIVE",
"Resolved":"RESOLVED_THREAT_HANDLED",
"Other":"RESOLVED_OTHER",
"Duplicate":"RESOLVED_DUPLICATE"
}

if xdrincidentid:
demisto.results(demisto.executeCommand("xdr-update-incident", {"incident_id":xdrincidentid,"status":close_code_map.get(close_reason),"resolve_comment":close_notes}))

else:
demisto.results("No XDR Incident ID found, doing nothing...")

Re: Post-processing script to close XDR alerts from XSOAR in Mirroring Both Direction integration setting.

Josep — Tue, 29 Nov 2022 10:44:37 GMT

Thanks for your reply.

We are already using "xdr-update-incident" command completely at the end of the playbook. It should do exactly the same as the post-script. However, as I said, it's not closing all the alerts.