https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/using-searchincidentsv2-or-getincidentsbyquery-in-automations/m-p/551740#M2428 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/306384">@sdes</a>&nbsp;,</P> <P>If you check&nbsp;<SPAN>SearchIncidentsV2 is also calling&nbsp;GetIncidentsByQuery script and you already made it work with&nbsp;GetIncidentsByQuery. We would advise to return only the required fields to save some resources. You can use populateFields option for this purpose. You can see the use of it below.<BR /></SPAN></P> <LI-CODE lang="python">populate_fields = ["id", "labels"] res = demisto.executeCommand('GetIncidentsByQuery', { 'incidentTypes': "Cortex XDR Incident", 'populateFields': ' , '.join(populate_fields) }) if is_error(res): return_error(res) incidents = json.loads(res[0]['Contents']) demisto.results(incidents)</LI-CODE> <P><BR />I hope this answers your question.</P> <P><SPAN><BR /><BR /><BR /><BR /></SPAN></P> <P>&nbsp;</P> Mon, 31 Jul 2023 09:49:42 GMT gyldz 2023-07-31T09:49:42Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/using-searchincidentsv2-or-getincidentsbyquery-in-automations/m-p/551664#M2426 <P>Hi,</P> <P>&nbsp;</P> <P>First of all, we are using a lot of automations searching for incidents using queries often with more than 100 results.</P> <P>The scripts line looks like this:</P> <P>res = demisto.executeCommand('SearchIncidentsV2', {'query': query, 'limit': 5000})[0].get('Contents')</P> <P>It seems however the "Content" only contains 100 results even though it shows the right number of incidents</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="01.jpg" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/52353i9F75E81F84159803/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="01.jpg" alt="01.jpg" /></span></P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="02.jpg" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/52354i8660986F4E7D2452/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="02.jpg" alt="02.jpg" /></span></P> <P>To have access to the datas you have to add something like this too:</P> <P>inc_data = res[0].get('Contents').get('data')</P> <P>Still 100 results even with the limit higher</P> <P>&nbsp;</P> <P>I, however, found that not using "Contents" but "EntryContext" provides everything, the script lines are a little bit more complex:</P> <P>res = demisto.executeCommand('SearchIncidentsV2', {'query': query, 'limit': 5000})[0].get('EntryContext')</P> <P>inc_data = res.get('foundIncidents(val.id &amp;&amp; val.id == obj.id)'</P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="03.jpg" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/52355iD5CF51298C0BAD5A/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="03.jpg" alt="03.jpg" /></span></P> <P> </P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="04.jpg" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/52356iD608A57DB9A6DF22/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="04.jpg" alt="04.jpg" /></span></P> <P> </P> <P>This is not very clean.</P> <P>&nbsp;</P> <P>The only solution we have so far is by using GetIncidentsByQuery as below:</P> <P>res = json.loads(demisto.executeCommand('GetIncidentsByQuery', {'query': query, 'limit': 5000})[0].get('Contents'))</P> <P>This is working perfectly</P> <P>&nbsp;</P> <P>Is there any better solution out there?</P> <P>In this specific case we want to get similar open incidents using "name" returning incidents ID and Labels.</P> <P>&nbsp;</P> <P>Many thanks in advance.</P> <P>Sebastien</P> Sat, 29 Jul 2023 09:40:57 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/using-searchincidentsv2-or-getincidentsbyquery-in-automations/m-p/551664#M2426 sdes 2023-07-29T09:40:57Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/using-searchincidentsv2-or-getincidentsbyquery-in-automations/m-p/551740#M2428 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/306384">@sdes</a>&nbsp;,</P> <P>If you check&nbsp;<SPAN>SearchIncidentsV2 is also calling&nbsp;GetIncidentsByQuery script and you already made it work with&nbsp;GetIncidentsByQuery. We would advise to return only the required fields to save some resources. You can use populateFields option for this purpose. You can see the use of it below.<BR /></SPAN></P> <LI-CODE lang="python">populate_fields = ["id", "labels"] res = demisto.executeCommand('GetIncidentsByQuery', { 'incidentTypes': "Cortex XDR Incident", 'populateFields': ' , '.join(populate_fields) }) if is_error(res): return_error(res) incidents = json.loads(res[0]['Contents']) demisto.results(incidents)</LI-CODE> <P><BR />I hope this answers your question.</P> <P><SPAN><BR /><BR /><BR /><BR /></SPAN></P> <P>&nbsp;</P> Mon, 31 Jul 2023 09:49:42 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/using-searchincidentsv2-or-getincidentsbyquery-in-automations/m-p/551740#M2428 gyldz 2023-07-31T09:49:42Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/using-searchincidentsv2-or-getincidentsbyquery-in-automations/m-p/551741#M2429 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/287891">@gyldz</a>&nbsp;</P> <P>&nbsp;</P> <P>Thank you for your swift reply. I suppose GetIncidentByQuery is the "go to" solution.</P> <P>I will take note of the improvements you suggested.</P> <P>Thanks again.</P> <P>&nbsp;</P> <P>Best regards,</P> <P>Sebastien&nbsp;</P> Mon, 31 Jul 2023 10:04:47 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/using-searchincidentsv2-or-getincidentsbyquery-in-automations/m-p/551741#M2429 sdes 2023-07-31T10:04:47Z