topic Re: XSOAR Trigger off reopen incident / close incident in Cortex XSOAR Discussions

XSOAR Trigger off reopen incident / close incident

jboyd98 — Wed, 02 Feb 2022 02:06:30 GMT

Onboarding to a new company.
No post processing on incident type (azure sentinel).

When a ticket is closed on the close form, we have a custom "Azure Closure Reason" and "Classification Comment"; based on this we have a script(CloseSentinelCase) that triggers when "Azure Closure Reason" is modified. This script sets the "Close Reason" based on the logic to "Resolved" for example.

When a ticket is reopened, the "Close Reason" is not reset, it stays "Resolved", but Active; This confuses me, if there any logic we can hang off of when a ticket is reopened to execute scripts? What happens to an inicident when a ticket is "reopened". I can't find any detailed documentation.

Furthermore when the ticket is then re-closed, the "Close Reason" is then wiped, and is blanked out Note, the Azure Closure Reason is not modified so the trigger script from earlier is not called. I can not figure out what is wiping the "Close Reason". I also can't find any documentation on the close form/close incident button to show what detailed steps are happenning.

Trying to figure out specifically what's happening during re-open and close incident. Is there any logs I can look at that spell it out. I tried some of the server.logs but they weren't very easy to read.

Any help is greatly appreciated -

Thanks!

Boyd

Re: XSOAR Trigger off reopen incident / close incident

ABurt — Wed, 02 Feb 2022 09:21:35 GMT

Hi Boyd,

When the incident is re-opened the Close Reason and Close Notes retain their values. Depending on how the incident is then closed again, may wipe the values. If you are using the Close Form, the Close Reason and Close Notes are requested. If they are removed from the form the values are set to None and these are saved when the incident is then re-closed.

The best method to set these values (if they are not presented during a close form) is to use a script that has the tag "post-processing". This script (when assigned to your incident type) can then copy out the Close Reason and Close Notes from other fields and set as required.

Re: XSOAR Trigger off reopen incident / close incident

jboyd98 — Wed, 02 Feb 2022 15:48:08 GMT

Thanks Burt, working on this this morning; appreciate the response.

Re: XSOAR Trigger off reopen incident / close incident

jboyd98 — Wed, 02 Feb 2022 16:33:55 GMT

Hi @ABurt,
I created the following post processing script:

------
closeReason = demisto.incidents()[0]["closeReason"]

if closeReason:
return_results(closeReason)
return_results("Close Reason is already set and will be re-set during this post processing")
demisto.executeCommand('setIncident', {'closeReason': closeReason})

-----

I can see if i run the script in war room while the tickets open and "Close Reason" is previously set, it returns the value and also returns a message sharing that it's already set. It looks like the script itself is a success. However, when I close the ticket, the end result is the "Close Reason" is blanked out again.

Question 1. Will post processing log out to war room; I was hoping i could see my return_results to confirm the steps,but I just see a line that shows post-processing scripts are running.

Question 2. How can I identify what might be happening after the "Close Incident" is clicked on the Close Form? I looked at my fields/buttons and sorted by the column to show triggers; nothing seems to stand out. For the incident type there is no post processing, other than what I just added.

Any additional insight is appreciated, thanks again

Re: XSOAR Trigger off reopen incident / close incident

ABurt — Thu, 03 Feb 2022 12:08:24 GMT

Hello again,

By far the shortest path to a solution would be to use the "Azure Closure Reason" and "Classification Comment" in your reporting and not rely on the "Close Notes" or "Close Reason" fields at all. If you really have to use them, please read on...

The problem here, it seems, is that the incident (when closed) will have already accepted the values for Close Reason and Close Notes regardless of what is in the post-processing script. i.e. They cannot be set by the post-processing script. All other fields seem to be able to be set by the script. I am unsure whether this is a bug or by design.

The workaround (although a little long) is to not let the incident be closed by using the Actions -> Close Incident button but by providing your own button that closes the incident. So as a step by step (as an example):

1). Set the incident type to have a post processing script and use something similar to the below:

args = demisto.args() incident = demisto.incident() close_reason = incident.get('closeReason') close_notes = incident.get('closeNotes') if not close_reason or not close_notes: return_error("Please do not close this incident manually. Use the button provided in the 'Case Closure' tab")

2). Edit the layout of the incident and under the "Close" form settings, remove all fields and sections (this prevents the user manually adding Close Notes and Close Reason that do not match up with the Azure Closure Reason and Classification Comment)

3). Add a new tab called "Case Closure" in the incident layout.

4). Add a section and place a the "Azure Closure Reason" and "Classification Comment" fields. Ensure the tab has the "show empty fields" set too.

5). Set the script of the button to be something similar to:

incident = demisto.incident() incident_id = incident.get('id') custom_fields = incident.get('CustomFields') azure_close_reason = custom_fields.get('azureclosurereason') classification_comment = custom_fields.get('classificationcomment') if not azure_close_reason and not classification_comment: return_error("Please ensure you fill out the Azure Closure Reason and Classification Comment") elif not azure_close_reason: return_error("Please ensure you fill out the Azure Closure Reason") elif not classification_comment: return_error("Please ensure you fill out the Classification Comment") else: demisto.executeCommand('closeInvestigation', {'closeReason': azure_close_reason, 'closeNotes': classification_comment})

6). The script will then close the incident if the Azure Closure Reason and Classification Comment have already been populated. It will copy these values into the Close Reason and Close Notes of the incident during closure.

7). Finally, assign a "field-change-triggered" script to both the "Azure Closure Reason" and "Classification Comment" fields that has something like the following:

args = demisto.args() field = args.get('cliName') value = args.get('new') if field == "azureclosurereason": demisto.executeCommand('setIncident', {'closeReason': value}) if field == "classificationcomment": demisto.executeCommand('setIncident', {'closeNotes': value})

This sets the Close Reason and Close Notes based on those fields.

In the above, this is what happens when a user attempt to click the Actions->Close Incident:

They then have to populate the fields before using the button:

Once they are populated, and the button is clicked, it will copy the values into the Close information.

Re: XSOAR Trigger off reopen incident / close incident

jboyd98 — Thu, 03 Feb 2022 22:30:47 GMT

Thanks again @ABurt, exploring this as an option. Will circle back and let you know the outcome. Appreciate the help.