topic Re: How to Find and update existing incidents through Integration in Cortex XSOAR Discussions

How to Find and update existing incidents through Integration

sudhesub — Thu, 24 Nov 2022 06:15:22 GMT

Hi,

We are providing partner integration for our product and this is the requirement.

My product # generates/creates 'Cases' which are pulled in as incidents using fetchIncidents call. It might be possible that sometimes a 'Case' in our product gets updated and gets pulled in XSOAR again. The custom attribute used here is caseId

Now I have more than one incident but with same caseId which is not desirable.

What we want to do is to pull the particular incident from XSOAR based on the custom attribute (caseId) and update it rather than creating new incident. And we need to do it during fetchIncidents itself.

I asked this question on Slack and I was suggested with this

demisto.execute_command("SearchIncidentsV2", {"query": $QUERY})

demisto.execute_command("setIncident", {"id": $ID, $CUSTOM_FIELD_NAME: $CUSTOM_FIELD_VALUE})

The problem with above scripts is that we can't run them from integration.

Re: How to Find and update existing incidents through Integration

MBeauchamp2 — Mon, 28 Nov 2022 16:07:29 GMT

This sounds like a perfect use case for a preprocessing rule. In this case make sure you've mapped the Case ID from the external system to an XSOAR field (Event ID is a good option), and then use a preprocessing rule to drop new cases for which an existing XSOAR Incident with the same Case ID already exists.

We have a video on preprocessing on our XSOAR Engineer Training Series:

https://live.paloaltonetworks.com/t5/cortex-xsoar-how-to-videos/cortex-xsoar-how-to-customer-success-engineering-training-video/ta-p/484604

Here are the docs on preprocessing:

https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-9/cortex-xsoar-admin/incidents/incident-management/incident-de-duplication/creating-pre-process-rules-for-incidents

https://xsoar.pan.dev/docs/incidents/incident-pre-processing

Re: How to Find and update existing incidents through Integration

MBeauchamp2 — Mon, 28 Nov 2022 16:09:38 GMT

You won't be able to do the update during the fetch Incidents call, it simply doesn't work that way.

I'd do a preprocessing rule, if you need to update the existing one, you can run those 2 commands you mentioned as part of a preprocessing script which is another option on a preprocessing rule.

Re: How to Find and update existing incidents through Integration

sudhesub — Tue, 29 Nov 2022 06:10:57 GMT

Thanks for you reply.

I am not able to open the video. It says Access Denied. Is there some other video or other location than what is mentioned above?

Re: How to Find and update existing incidents through Integration

ekatsenelson — Mon, 29 May 2023 15:08:50 GMT

Mirroring

https://xsoar.pan.dev/docs/integrations/mirroring_integration