xdr-get-incident command date time dispute

ZuleyhaAy — Tue, 14 Nov 2023 12:55:36 GMT

Hello everyone,

I have a script that need to get incidents from server.

incidents = execute_command(

"xdr-get-incidents",

{

"lte_creation_time": last_creation_time.split("+")[0],

"gte_creation_time": first_creation_time.split("+")[0],

"page": page,

"limit": limit,

)

I have data collection playbook which has date picker task inside it. The date taken through task feeding last_creation_time and first_creation_time variables. In the returned incident list there is dispute between taken data and incident resolved_timestamp. Server returns data in GMT time even i convert the time. For example, I picked 2023-11-13T23:59:00 but its also returning the incident created in 2023-11-14T01:08:00.

My solution is checking resolved_timestamp value with the date which taken through data collection task. But if there is a problem in my script or there is a different solution for this i want to correct.

Re: xdr-get-incident command date time dispute

yuki_sato — Thu, 04 Jan 2024 18:49:15 GMT

Hi @ZuleyhaAy

Since xdr-get-incidents do not have a parameter for specify returning incidents by resolved_timestamp, you will need to apply some type of filter after incidents are returned.

Since you are doing all of this in an automation instead of in a playbook, I think your approach would be the best way to do that.

Once all of incidents are returned by creation date, transform resolved_timestamp (UTC) field into ISO 8601 since that is date picker format, or vice versa, and only return incidents that are relevant.

topic xdr-get-incident command date time dispute in Cortex XSOAR Discussions

xdr-get-incident command date time dispute

Re: xdr-get-incident command date time dispute