https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/xsoar-mde-malware-incident-enrichment/m-p/547627#M2276 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/289506">@anna.tirao</a>&nbsp;,&nbsp;</P> <P>&nbsp;</P> <P>In the case of the playbook&nbsp;<STRONG>MDE Malware - Incident Enrichment</STRONG>, the <SPAN><STRONG>alert_ids</STRONG>&nbsp;</SPAN>argument required for the task <SPAN><STRONG>Get full alert details</STRONG>&nbsp;</SPAN>is defined as an input in the playbook, as specified in the Playbook Triggered Header:<BR /><BR />Name:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Value:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Description:<BR />AlertID&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ${incident.externalsystemid}&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;The Microsoft Defender For Endpoint alert ID.<BR /><BR />Since this is an input argument to the playbook, this value is expected to be passed in from its parent playbook. In case no value is passed, it will take as default value whatever is stored in the incident field <STRONG>externalsystemid</STRONG>. That's what this expression&nbsp;<STRONG>${incident.externalsystemid}</STRONG> indicates in the value of this playbook input.<BR /><BR />The error message you are seeing indicates that this input is not being passed in as an argument and that the value is not set in the incident field&nbsp;<STRONG>externalsystemid</STRONG> either. To solve this issue, you will have to pass in a value on this argument or have the field&nbsp;<STRONG>externalsystemid</STRONG> populated with the AgentID before calling the subplaybook&nbsp;<STRONG>MDE Malware - Incident Enrichment</STRONG><STRONG>.</STRONG><BR /><BR />You can read more about playbook inputs and outputs in this link below:<BR /><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Playbook-Inputs-and-Outputs" target="_blank" rel="noopener">https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Playbook-Inputs-and-Outputs</A></P> Wed, 28 Jun 2023 20:48:37 GMT AbelSantamarina 2023-06-28T20:48:37Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/xsoar-mde-malware-incident-enrichment/m-p/547607#M2274 <P>I am running error trying to pull the alert_id from a Defender incident under the sub playbook MDE Malware-Incident Enrichment -&gt; Get full alert details using automation:&nbsp;<SPAN>'microsoft-atp-get-alert-by-id'.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>Error:&nbsp;</SPAN></P> <DIV class="row entry-parent"> <DIV class="floated left aligned sixteen wide mobile six wide tablet sixteen wide computer column"> <DIV class="entry-metadata"> <DIV class="entry-task-name"> <DIV class="inner-entry-task-name">&nbsp;Get full alert details:&nbsp;<SPAN>Missing argument </SPAN><STRONG style="font-family: inherit;">alert_ids</STRONG><SPAN> for script </SPAN><STRONG style="font-family: inherit;">microsoft-atp-get-alert-by-id</STRONG><SPAN> at Task </SPAN><STRONG style="font-family: inherit;">Get full alert details&nbsp;</STRONG><SPAN>- stopping playbook </SPAN><STRONG style="font-family: inherit;">Malware Investigation &amp; Response Incident Handler</STRONG><SPAN> execution. But I was able to push through when I manually enter the alert IDs but I want it auto extracted.</SPAN></DIV> </DIV> </DIV> </DIV> </DIV> Wed, 28 Jun 2023 17:04:43 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/xsoar-mde-malware-incident-enrichment/m-p/547607#M2274 anna.tirao 2023-06-28T17:04:43Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/xsoar-mde-malware-incident-enrichment/m-p/547627#M2276 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/289506">@anna.tirao</a>&nbsp;,&nbsp;</P> <P>&nbsp;</P> <P>In the case of the playbook&nbsp;<STRONG>MDE Malware - Incident Enrichment</STRONG>, the <SPAN><STRONG>alert_ids</STRONG>&nbsp;</SPAN>argument required for the task <SPAN><STRONG>Get full alert details</STRONG>&nbsp;</SPAN>is defined as an input in the playbook, as specified in the Playbook Triggered Header:<BR /><BR />Name:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Value:&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Description:<BR />AlertID&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ${incident.externalsystemid}&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;The Microsoft Defender For Endpoint alert ID.<BR /><BR />Since this is an input argument to the playbook, this value is expected to be passed in from its parent playbook. In case no value is passed, it will take as default value whatever is stored in the incident field <STRONG>externalsystemid</STRONG>. That's what this expression&nbsp;<STRONG>${incident.externalsystemid}</STRONG> indicates in the value of this playbook input.<BR /><BR />The error message you are seeing indicates that this input is not being passed in as an argument and that the value is not set in the incident field&nbsp;<STRONG>externalsystemid</STRONG> either. To solve this issue, you will have to pass in a value on this argument or have the field&nbsp;<STRONG>externalsystemid</STRONG> populated with the AgentID before calling the subplaybook&nbsp;<STRONG>MDE Malware - Incident Enrichment</STRONG><STRONG>.</STRONG><BR /><BR />You can read more about playbook inputs and outputs in this link below:<BR /><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Playbook-Inputs-and-Outputs" target="_blank" rel="noopener">https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Playbook-Inputs-and-Outputs</A></P> Wed, 28 Jun 2023 20:48:37 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/xsoar-mde-malware-incident-enrichment/m-p/547627#M2276 AbelSantamarina 2023-06-28T20:48:37Z