Pre Processing script for dropping multiple similar incidents

ymaslovski — Thu, 10 Apr 2025 08:51:50 GMT

Hi Team,

I need to find a way to drop similar events (by eventnames field) from QRadar when they are mirrored in in XSOAR by using a pre process rule

I have checked for a native approach in Cortex Xsoar to do it but it seems that
Pre-processing rules in XSOAR cannot natively count similar incidents based on a dynamic field like "eventnames over a time window.

So I have created a script to do it for me but it doesn't seem to be working as expected (disregard the indentation in the body - can't properly copy it here)

I have put some fail safe check because in XSOAR it says"In order for the script to be dropped, script must return false"

Here is the Script:

"""
Pre-processing script to drop newly mirrored in 'Qradar Generic' incidents
if 5 or more similar incidents with the same event name exist in the last 20 minutes.
"""

def should_drop_incident(incident):
incident_type = incident.get('type')
current_id = incident.get('id')

eventnames = incident.get('eventnames', [])
if isinstance(eventnames, list):
description = eventnames[0].strip() if eventnames else ''
else:
description = str(eventnames).strip()

if incident_type != 'Qradar Generic' or not description:
return True # keep it

query = f'type:"Qradar Generic" and eventnames:"{description}" and created:>=\"20 minutes ago\"'

populate_fields = ['id', 'eventnames']
res = demisto.executeCommand('GetIncidentsByQuery', {
'query': query,
'pageSize': 100,
'populateFields': ','.join(populate_fields)
})

if isError(res[0]):
return_results({"Error": res[0].get("Contents", "Unknown error")})
return True # fail-safe: keep incident

contents = res[0].get('Contents', '')
if isinstance(contents, str):
try:
incidents = json.loads(contents)
except Exception as e:
return_results({"ParseError": str(e)})
return True # fail-safe: keep incident
else:
incidents = contents.get('data', []) if isinstance(contents, dict) else []

matched_ids = [i.get('id') for i in incidents if isinstance(i, dict) and i.get('id') != current_id]
matching_count = len(matched_ids)

return matching_count < 5 # True = keep, False = drop

# Run main logic
drop_incident = should_drop_incident(demisto.incidents()[0])
return_results(drop_incident)

I will appreciate any tips on this or another way to achieve similar effect in XSoar

Thanks

Yuri

topic Pre Processing script for dropping multiple similar incidents in Cortex XSOAR Discussions

Pre Processing script for dropping multiple similar incidents