Bulk Changing Incident Status from Pending to Active

michaelsysec242 — Sun, 12 Nov 2023 09:59:23 GMT

I have created an integration that produces many alerts and I have a few thousand incidents that are currently in the Pending state. The plabyook has yet to run etc. What I would like to is select the incidents from the "Incident" page and change the status for these incidents from pending to active without entering each incident manually. I haven't found any commands or scripts that can be run in the "Run Script" button on this incidents page. A problem I am also experiencing is that when an incident is pending it cant be closed through a command or by manually selecting them. This sounds very trivial.

Does anyone have an idea how to work with this?

Many Thanks

Re: Bulk Changing Incident Status from Pending to Active

MBeauchamp2 — Thu, 16 Nov 2023 15:57:32 GMT

I have no issues searching for all Incidents in pending status (status:Pending), and then selecting them from the Incident action bar and selecting close? I'm on 6.12 latest.

If you're trying to select several thousand, maybe try smaller batches, or have an automation do it in batches for you.

If you did need to investigate them, you can use the Core REST API integration to do this:

!core-api-post uri=/incident/investigate body=`{"id":"26261","version":1}`

Basically you need to pass the ID of the Incident into the id in the body.

So you'd need to write an automation to find all the Incidents, and then loop through.

HOWEVER, you MUST do this in small batches, investigating several thousand at once will kickoff the playbook, which will put an immense load on your server.

topic Re: Bulk Changing Incident Status from Pending to Active in Cortex XSOAR Discussions

Bulk Changing Incident Status from Pending to Active

Re: Bulk Changing Incident Status from Pending to Active