Need help on this XSOAR Weird behavior on preprocessing scripts

M.Wang287346 — Fri, 27 Feb 2026 22:46:22 GMT

Hi All!

I developed a preprocessing script and it's working fine in our dev xsoar environment but not working in prod for some reason.

By looking at the log in detail, i found some nuances that i can't explain.
Both prod and dev run the same code and i am sure the data is there in prod as well
Here is the comparison. this is the log from prod:

2026-02-27 21:44:16.1898 debug Accepted module: InnerServicesModule, brand: Builtin (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/module.go:162) 2026-02-27 21:44:16.1904 debug Searching incidents for dbotMirrorId:6864136729 [from: 0001-01-01T00:00:00Z to: 0001-01-01T00:00:00Z] (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/repo/logicalRepo/incident.go:228) 2026-02-27 21:44:16.1905 debug incident find query &{Match:6864136729 FieldVal:dbotMirrorId Analyzer: BoostVal:<nil> Prefix:0 Fuzziness:0 Operator:0} (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/repo/logicalRepo/incident.go:264) 2026-02-27 21:44:16.1905 debug Find restricted investigations: Took 215ns (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/util/executils/system.go:67) 2026-02-27 21:44:16.2002 debug Filtering restricted investigations against user DBot (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/repoDB/elasticRepo/investigation.go:437) 2026-02-27 21:44:16.2167 debug dockerCodeLoop for script: SearchIncidentsV2 ended.: Took 32.750592ms (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/util/executils/system.go:67) 2026-02-27 21:44:16.2170 debug Docker Code Run for script: SearchIncidentsV2 ended.: Took 34.023879ms (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/util/executils/system.go:67) 2026-02-27 21:44:16.2171 debug SearchIncidentsV2 Done (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/ser

This is the log from dev instance which is working well:

2026-02-27 22:17:51.8953 debug Started docker code loop for SearchIncidentsV2 (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:817) 2026-02-27 22:17:51.8961 debug (SearchIncidentsV2) pack id = Base, pack version = 1.41.64 (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983) 2026-02-27 22:17:51.8988 debug (SearchIncidentsV2) pack id = Tiktok, pack version = 1.0.0 (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983) 2026-02-27 22:17:51.8998 debug (SearchIncidentsV2) pack id = CommonScripts, pack version = 1.20.82 (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983) 2026-02-27 22:17:51.9030 debug Going to execute command: getIncidents (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/module.go:139) 2026-02-27 22:17:51.9033 debug Accepted module: InnerServicesModule, brand: Builtin (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/module.go:162) 2026-02-27 22:17:51.9042 debug Searching incidents for dbotMirrorId:6864136729 [from: 2026-01-28T22:17:51Z to: 0001-01-01T00:00:00Z] (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/repo/logicalRepo/incident.go:228) 2026-02-27 22:17:51.9044 debug incident find query &{Conjuncts:[0xc1f7773c20 0xc02b4ba060] BoostVal:<nil> queryStringMode:false} (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/repo/logicalRepo/incident.go:264) 2026-02-27 22:17:51.9044 debug Find restricted investigations: Took 190ns (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/util/executils/system.go:67) 2026-02-27 22:17:51.9699 debug (SearchIncidentsV2) Amount of incidents before filtering = 21 with args {'fromdate': '2026-01-28T22:17:51.902237', 'limit': '100', 'query': 'dbotMirrorId:6864136729'} before pagination (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983) 2026-02-27 22:17:51.9701 debug (SearchIncidentsV2) incident_id='1273324', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983) 2026-02-27 22:17:51.9704 debug (SearchIncidentsV2) incident_id='1273323', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983) 2026-02-27 22:17:51.9706 debug (SearchIncidentsV2) incident_id='1272692', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983) 2026-02-27 22:17:51.9707 debug (SearchIncidentsV2) incident_id='1272690', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983) 2026-02-27 22:17:51.9709 debug (SearchIncidentsV2) incident_id='1272688', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983) 2026-02-27 22:17:51.9711 debug (SearchIncidentsV2) incident_id='1272679', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983) 2026-02-27 22:17:51.9712 debug (SearchIncidentsV2) incident_id='1272675', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983) 2026-02-27 22:17:51.9714 debug (SearchIncidentsV2) incident_id='1272611', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983) 2026-02-27 22:17:51.9716 debug (SearchIncidentsV2) incident_id='1272608', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983) 2026-02-27 22:17:51.9717 debug (SearchIncidentsV2) incident_id='1272603', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983) 2026-02-27 22:17:51.9719 debug (SearchIncidentsV2) incident_id='1272599', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983) 2026-02-27 22:17:51.9721 debug (SearchIncidentsV2) incident_id='1272593', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983) 2026-02-27 22:17:51.9722 debug (SearchIncidentsV2) incident_id='1272589', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983) 2026-02-27 22:17:51.9724 debug (SearchIncidentsV2) incident_id='1272586', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983) 2026-02-27 22:17:51.9725 debug (SearchIncidentsV2) incident_id='1272583', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983) 2026-02-27 22:17:51.9727 debug (SearchIncidentsV2) incident_id='1272579', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983) 2026-02-27 22:17:51.9728 debug (SearchIncidentsV2) incident_id='1272576', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983) 2026-02-27 22:17:51.9730 debug (SearchIncidentsV2) incident_id='1272573', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983) 2026-02-27 22:17:51.9731 debug (SearchIncidentsV2) incident_id='1272567', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983) 2026-02-27 22:17:51.9733 debug (SearchIncidentsV2) incident_id='1272564', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983) 2026-02-27 22:17:51.9735 debug (SearchIncidentsV2) incident_id='1272557', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983) 2026-02-27 22:17:51.9739 debug (SearchIncidentsV2) Amount of incidents after filtering = 21 before pagination (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983) 2026-02-27 22:17:51.9741 info (SearchIncidentsV2) Setting todate argument to be 2026-02-27T20:31:39.665915978Z to avoid duplications (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:979) 2026-02-27 22:17:51.9823 debug (SearchIncidentsV2) amount of all the incidents that were found 21 (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983) 2026-02-27 22:17:52.0610 debug dockerCodeLoop for script: SearchIncidentsV2 ended.: Took 165.693347ms (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/util/executils/system.go:67) 2026-02-27 22:17:52.0614 debug Docker Code Run for script: SearchIncidentsV2 ended.: Took 166.841068ms (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/util/executils/system.go:67) 2026-02-27 22:17:52.0614 debug SearchIncidentsV2 Done (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/x

Here is the script

import json def main(): incident = demisto.incidents()[0] ticket_number = incident.get('CustomFields', {}).get('ticketnumber') if ticket_number: query = f'dbotMirrorId:{ticket_number}' res = demisto.executeCommand('SearchIncidentsV2', {'query': query, 'fromDate': '30 days ago'}) demisto.info(f"INCOMING PRE-PROCESS SearchIncidentsV2_1 indent length: {len(res)}") demisto.info(f"INCOMING PRE-PROCESS SearchIncidentsV2_1 indent: {json.dumps(res, indent=4)}") if res and res[0].get('Contents', {}): return_results(False) return return_results(True) if __name__ in ('__main__', '__builtin__', 'builtins'): main()

As you can see the script is just running `SearchIncidentsV2` command.

When i compare the log between prod and dev, i found a line that only exist in prod

`2026-02-27 21:44:16.2002 debug Filtering restricted investigations against user DBot`
I am thinking there is might be some configuration in prod that differ from dev for more restricted permission that cause the filtering other than that i don't know what else can explain the difference.
I manually triggered the same command in prod playground, it also worked well.

I also set the Roles to Adminitrator and Run as Administrator doesn't work
I get stuck on this problem for a week and hope someone could shed some lights on it!

Re: Need help on this XSOAR Weird behavior on preprocessing scripts

harry067brook — Tue, 17 Mar 2026 09:03:10 GMT

Hello,

If you set it to "Run as Administrator," pre-processing scripts run under the DBot user context. If the incidents you're searching for are in a restricted incident type or a specific "Team" that the DB user doesn't have explicit access to in your Prod environment, the results will come back empty every time.

topic Re: Need help on this XSOAR Weird behavior on preprocessing scripts in Cortex XSOAR Discussions

Need help on this XSOAR Weird behavior on preprocessing scripts

Re: Need help on this XSOAR Weird behavior on preprocessing scripts