https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/drop-and-update-but-not-create-pre-processing/m-p/569754#M2913 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/320837">@AFamera</a>,</P> <P>&nbsp;</P> <P>Drop and Update by design creates an incident from the incoming event if the comparison criteria with the existing incident is not met.&nbsp;</P> <P><BR />For a complex logic like this, I would recommend using a script to cover all the options. You can take a look at some out of the box sample scripts by navigating to Automations and searching for <STRONG>tags: preProcessing</STRONG>. Please note that pre-processing script should always return <STRONG>True</STRONG> (if the incident will be created based on matching criteria) or <STRONG>False</STRONG> (if the incident will be dropped).<BR />From within the script, you can access your incoming event details to create your logic and make the decision and also update your existing incidents (Bitsight grade changes).<BR />&nbsp;</P> Wed, 13 Dec 2023 17:45:18 GMT AbelSantamarina 2023-12-13T17:45:18Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/drop-and-update-but-not-create-pre-processing/m-p/563971#M2796 <P>Hi,</P> <P>&nbsp;</P> <P>I am trying to write some preprocessing rules to report on and update BitSight incidents. I only want to create incidents that have a grade of 'BAD' or 'WARN'. I do want to capture, however, when a given incident's grade is updated within BitSight to 'GOOD', because that will let me know the issue is resolved. I wrote my pre-processing rules in the following order:</P> <P>&nbsp;</P> <P>1. Drop and Update incidents with the same rolled up id</P> <P>2. Drop incidents that do not affect the BitSight rating</P> <P>3. Drop incidents that are not BAD/WARN</P> <P>&nbsp;</P> <P>My thought process was that, if an incident already exists in Xsoar, and it's grade is updated in BitSight, I want to capture the new grade in the Xsoar incident when the integration fetches it. If it does not exits Xsoar, then I only want to create incidents that affect our score and have a poor grade. The "Drop and Update" function, however, will create an incident if the criteria is not met (unlike the "Drop" function, which just skips to the next rule). <STRONG>Is there a way to do a "Drop and Update" in the pre-processing step without having it create an incident if the criteria isn't met?</STRONG></P> <P>&nbsp;</P> <P>Thank you!</P> Wed, 01 Nov 2023 23:52:19 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/drop-and-update-but-not-create-pre-processing/m-p/563971#M2796 AFamera 2023-11-01T23:52:19Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/drop-and-update-but-not-create-pre-processing/m-p/569754#M2913 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/320837">@AFamera</a>,</P> <P>&nbsp;</P> <P>Drop and Update by design creates an incident from the incoming event if the comparison criteria with the existing incident is not met.&nbsp;</P> <P><BR />For a complex logic like this, I would recommend using a script to cover all the options. You can take a look at some out of the box sample scripts by navigating to Automations and searching for <STRONG>tags: preProcessing</STRONG>. Please note that pre-processing script should always return <STRONG>True</STRONG> (if the incident will be created based on matching criteria) or <STRONG>False</STRONG> (if the incident will be dropped).<BR />From within the script, you can access your incoming event details to create your logic and make the decision and also update your existing incidents (Bitsight grade changes).<BR />&nbsp;</P> Wed, 13 Dec 2023 17:45:18 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/drop-and-update-but-not-create-pre-processing/m-p/569754#M2913 AbelSantamarina 2023-12-13T17:45:18Z