topic Re: Automation to query incident team from current and linked incidents in Cortex XSOAR Discussions

Automation to query incident team from current and linked incidents

Martin_Wiethan — Thu, 21 Dec 2023 09:08:24 GMT

Hi,

TLDR: How can i write an automation that returns the incident team of multiple investigation ids (1,2,[...]) without needing to run the automation manually in each investigation.

I want to create an automation to send an E-Mail to all users in the incident team of the current incident, as well as all linked incidents.

To achieve this for a single incident, i can use the demisto.investigation() function to extract the users in the incident team of the current investigation via the 'users' key.

To map the the usernames to their configured e-mail also quite easy using the default getUserByUsername automation.

To get a list of all the linked incidents is also not a problem because the data is stored in the normal incident context.

The problem im facing right now is, that demisto.investigation() dosn't seem to allow an investigation id to be provided to query another investigation and not the one currently opened, so i would have to run the automation in each investigation manually.

Does anyone have an idea or a solution on how to work around that?

Re: Automation to query incident team from current and linked incidents

yuki_sato — Thu, 11 Jan 2024 22:38:38 GMT

Hi @Martin_Wiethan

This is going to be a bit complicated so hopefully I can explain the process I would take to accomplish your goal.

From your explanation, my understanding is that there is one incident that is linked to multiple incidents, and you want to create a list of users for all of incidents.

The first part of automation is to get a list of incident IDs that you want to find users for. For this, I would run this in the automation:
res = demisto.executeCommand("getIncidents", {"id": 1})
incident = res[0]["Contents"]['data'][0]['linkedIncidents']
This should return a list of linked incident IDs.

Then you can loop through each incident running demisto.executeCommand("getIncidents", {"id": x}) and get user for each incident with res[0]["Contents"]['data'][0]['owner']

The last step is to send out an email from the same automation using demisto.executeCommand('send-mail') and specify parameters of the command.

Hope this helps!

Re: Automation to query incident team from current and linked incidents

Martin_Wiethan — Fri, 12 Jan 2024 12:14:39 GMT

Hi @yuki_sato

Your Solution would provide me only with the "Owners" of all the linked Incidents which is not exactly what i want.

The user list i'm interested in, is the list of users Including Owner and Participants. Pretty much the contents of the default "Team Members" Layout section but for all linked incidents. For a single incident this list can be retrieved by running

demisto.investigation()['users']

The problem i encountered is, that (as far as i know) the participants of an investigation are only stored in the investigation data and demisto.investigation() dosn't accept any arguments (not like demisto.incidents(incidents=None)) so i don't know (if possible) how to access the investigation data of multiple incidents in a single automation

Re: Automation to query incident team from current and linked incidents

yuki_sato — Fri, 12 Jan 2024 17:03:58 GMT

Hi @Martin_Wiethan

I spent a good amount of looking into this. Oddly enough, team members associated to incidents are not easily accessible. The only place that I found the list was using API call.

You will need to setup an integration instance for Core REST API

The URL will be POST https://hostname:443/investigations/search

In the body of the request, you will need this JSON

{

"filter": {

"andOp": true,

"id": ["#","#","#",]

}

The response will include "entryUsers" key that contains a list of users that is associated to the incident.

You can do all of this in one automation, and use this list of users to send out emails.

Re: Automation to query incident team from current and linked incidents

Martin_Wiethan — Mon, 15 Jan 2024 13:51:23 GMT

Hi @yuki_sato ,

Thank you for the idea to utilize the API.

Below is my solution to use in an automation in case anyone encounters a similar issue 🙂

import json INVESTIGATION_IDS = ["1234","2345"] api_result = demisto.executeCommand("core-api-post", {"uri":"/investigations/search", "body":"{\"filter\":{\"andOp\":true,\"id\":"+json.dumps(INVESTIGATION_IDS) +"}}"}) users = set() for investigation in api_result[0]['Contents']['response']['data']: print(investigation) for user in demisto.get(investigation, "users"): users.add(user) demisto.results(users)