topic Re: Incident Parent-Child Relationship in Cortex XSOAR Discussions

Incident Parent-Child Relationship

alan.chan — Mon, 21 Oct 2024 22:08:58 GMT

I'm looking to establish a hierarchical relationship for linking incidents in XSOAR, specifically a parent-child structure. Currently, the platform allows for linking incidents without hierarchy and creating child incidents under a parent ticket. However, it does not permit linking existing incidents as children.

Is there a way to add existing incidents as child tickets under a parent ticket so that when the parent ticket is closed, all associated child incidents are also closed (similar to how ServiceNow handles parent-child incidents)? Would I need to create custom scripts and playbooks to achieve this functionality, or is there a native solution available?

I appreciate any insights or suggestions!

Re: Incident Parent-Child Relationship

AbelSantamarina — Wed, 30 Oct 2024 17:30:21 GMT

@alan.chan , there is a built-in parent-child hierarchy available in XSOAR, with the option to create child Investigations with the command !addChildInvestigation. However, I would not recommend this option as it is very limited. It is intended to be used if you need to run other playbooks and tasks in parallel within the same incident and to conduct parallel investigations with separate evidence and war-room.

Outside of that, unfortunately, there is no built-in parent-child hierarchy available for linked incidents. However, we can add in a relatively simple manner this functionality to incidents by:
1. Create a custom incident field that tags the incident as Parent or Child, let's call it incidenthierarchy.
2. Create the child incidents from the parent incident, specifying the incidenthierarchy field as Child accordingly. Link them to the parent once created e.g.:
!createNewIncident name="Test Child1" incidenthierarchy=Child type=Unclassified
!linkIncidents incidentId=${incident.id} linkedIncidentIDs=${CreatedIncidentID}

3. Configure a post-processing script that closes all linked incidents when the parent is closed, and sets the close code and close notes the same as the parent (see attached script).

Let me know if you have any questions.

Abel

Re: Incident Parent-Child Relationship

alan.chan — Wed, 30 Oct 2024 19:35:51 GMT

This is how I have it set up. Thanks!

Re: Incident Parent-Child Relationship

AbelSantamarina — Thu, 31 Oct 2024 13:18:19 GMT

@alan.chan, if you are satisfied with our response, please accept the response as solution to acknowledge that the answer to your question has been provided and help others find the information faster.
Thank you for your collaboration.