https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/auto-incidnet-closure/m-p/567540#M2867 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/337895">@Mohamad_1221</a>&nbsp;,</P> <P>&nbsp;</P> <P>You can run a job with 2 tasks. The first one will be SearchIncidentsV2 or SearchIncidentsSummary where you can define a query for the incidents to be closed. The output of those tasks might be huge, you can use ExtendContext and ignore the output option.ExtendContext would be something like&nbsp;FoundIncidents=Contents.data={"name":&nbsp;val.name, "id":&nbsp;val.id}. As a second task you can use closeInvestigation automation and define&nbsp;<STRONG>id&nbsp;</STRONG>field as a ${FoundIncidents.id} and other fields like close reason.</P> <P>&nbsp;</P> <P>I hope this solves your problem.&nbsp;</P> <P>&nbsp;</P> <P>Best Regards,</P> Wed, 29 Nov 2023 09:51:40 GMT gyldz 2023-11-29T09:51:40Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/auto-incidnet-closure/m-p/567154#M2864 <P>Dear Community,</P> <P>&nbsp;</P> <P>I'm looking for a way to daily automatically close all incidents with specific criteria.</P> <P>&nbsp;</P> <P>I'm trying to archive that using jobs , I'm trying to create a playbook the query incidents (with specific criteria) and whatever the query outcome I need to close those incidents.</P> <P>&nbsp;</P> <P>any suggestions on achieving that , I'm open for all suggestion.</P> <P>&nbsp;</P> <P>Thanks.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 27 Nov 2023 07:50:10 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/auto-incidnet-closure/m-p/567154#M2864 Mohamad_1221 2023-11-27T07:50:10Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/auto-incidnet-closure/m-p/567540#M2867 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/337895">@Mohamad_1221</a>&nbsp;,</P> <P>&nbsp;</P> <P>You can run a job with 2 tasks. The first one will be SearchIncidentsV2 or SearchIncidentsSummary where you can define a query for the incidents to be closed. The output of those tasks might be huge, you can use ExtendContext and ignore the output option.ExtendContext would be something like&nbsp;FoundIncidents=Contents.data={"name":&nbsp;val.name, "id":&nbsp;val.id}. As a second task you can use closeInvestigation automation and define&nbsp;<STRONG>id&nbsp;</STRONG>field as a ${FoundIncidents.id} and other fields like close reason.</P> <P>&nbsp;</P> <P>I hope this solves your problem.&nbsp;</P> <P>&nbsp;</P> <P>Best Regards,</P> Wed, 29 Nov 2023 09:51:40 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/auto-incidnet-closure/m-p/567540#M2867 gyldz 2023-11-29T09:51:40Z