https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/xsoar-getincidents-command/m-p/540868#M2084 <P>Hi community,&nbsp;</P> <P>&nbsp;</P> <P>I've been making great use of custom scripts to extract reporting metrics that wouldn't have been possible with the built in widgets. But something I've noticed recently is that querying incidents seems to be causing huge spikes in CPU and memory usage. Most of my scripts are querying the previous months worth of incidents, which is only ~2000 incidents.&nbsp;<BR /><BR />Even though I'm doing some processing (parsing datetimes, iterating over lists and dictionaries), I can't see why it should be so resource hungry. The demand of the script itself should be trivial.&nbsp;</P> <P>&nbsp;</P> <P>The only thing I can think of that might explain the resource drain is executing commands in the scripts. The documentation around that is almost non-existent, but I did find <A href="https://paulbenoit.com/posts/searching-in-xsoar" target="_self">this blog post</A>&nbsp;which suggests that if I pass queries to the getIncidents command, it will ignore the from and to date fields and instead query incident across&nbsp;<EM>all time</EM> which sounds ridiculous, but if true, might explain why my queries are so hungry.&nbsp;<BR /><BR />Does anyone have a good understanding of how the getIncidents command works under the hood?</P> <P>&nbsp;</P> <P>Anyone had some experience scripting queries that has some pointers about performance?&nbsp;<BR />&nbsp;</P> Wed, 03 May 2023 05:52:07 GMT callumbaillie527 2023-05-03T05:52:07Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/xsoar-getincidents-command/m-p/540868#M2084 <P>Hi community,&nbsp;</P> <P>&nbsp;</P> <P>I've been making great use of custom scripts to extract reporting metrics that wouldn't have been possible with the built in widgets. But something I've noticed recently is that querying incidents seems to be causing huge spikes in CPU and memory usage. Most of my scripts are querying the previous months worth of incidents, which is only ~2000 incidents.&nbsp;<BR /><BR />Even though I'm doing some processing (parsing datetimes, iterating over lists and dictionaries), I can't see why it should be so resource hungry. The demand of the script itself should be trivial.&nbsp;</P> <P>&nbsp;</P> <P>The only thing I can think of that might explain the resource drain is executing commands in the scripts. The documentation around that is almost non-existent, but I did find <A href="https://paulbenoit.com/posts/searching-in-xsoar" target="_self">this blog post</A>&nbsp;which suggests that if I pass queries to the getIncidents command, it will ignore the from and to date fields and instead query incident across&nbsp;<EM>all time</EM> which sounds ridiculous, but if true, might explain why my queries are so hungry.&nbsp;<BR /><BR />Does anyone have a good understanding of how the getIncidents command works under the hood?</P> <P>&nbsp;</P> <P>Anyone had some experience scripting queries that has some pointers about performance?&nbsp;<BR />&nbsp;</P> Wed, 03 May 2023 05:52:07 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/xsoar-getincidents-command/m-p/540868#M2084 callumbaillie527 2023-05-03T05:52:07Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/xsoar-getincidents-command/m-p/540932#M2088 <P>If you aren't specifying a date range in the from date and to date, then it does default to all time.&nbsp; This is likely the cause of the resource consumption particularly if you have more than 12 months of Incident data on your system.</P> <P>&nbsp;</P> <P>As you call it, the easiest fix is to tighten your query by adding those arguments.</P> <P>&nbsp;</P> <P>This OOTB script uses the getIncidents command and has alot of different options:</P> <P><A href="https://xsoar.pan.dev/docs/reference/scripts/search-incidents-summary" target="_blank">https://xsoar.pan.dev/docs/reference/scripts/search-incidents-summary</A></P> <P>&nbsp;</P> <P>Basically the getIncidents subscribes to the rules of searching in XSOAR as described here, not sure if there is any better document:</P> <P><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/How-to-Search" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/How-to-Search</A></P> <P>&nbsp;</P> Wed, 03 May 2023 15:54:20 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/xsoar-getincidents-command/m-p/540932#M2088 MBeauchamp2 2023-05-03T15:54:20Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/xsoar-getincidents-command/m-p/541172#M2094 <P>Thanks for pointing me toward those other scripts. I'm experimenting with the different options to get an idea on the performance.&nbsp;&nbsp;</P> Fri, 05 May 2023 07:18:21 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/xsoar-getincidents-command/m-p/541172#M2094 callumbaillie527 2023-05-05T07:18:21Z