topic sentinel integration, azure-sentinel-update-incident, not able to set to active in Cortex XSOAR Discussions

sentinel integration, azure-sentinel-update-incident, not able to set to active

jboyd98 — Mon, 14 Feb 2022 17:44:04 GMT

I can close an azure incident in xsoar war-room with the following:

!azure-sentinel-update-incident incident_id="xx-xxxxx-xxxxx" status="Closed" classification="Undetermined"

However when i try to re-open the incident in azure from war-room with the following i get the subsequent error:

!azure-sentinel-update-incident incident_id="xx-xxxxx-xxxxx" status="Active"

Failed to execute azure-sentinel-update-incident command. Error: [BadRequest 400] classification can only be set for incidents with status 'Closed'.

Closing a ticket in azure requires classification, where as re-opening the incident in azure "clears" the previous set classification.

It feels like there is some sequencing issue with the xsoar "update incident" command above where it's confused about wiping / not setting the classification when re-opening the ticket.

Goal is to be able to set an Azure Incident back to active status from xsoar war-room and then eventually script it to happen when a xsoar ticket is re-opened.

Any insight is appreciated, thanks Boyd

Re: sentinel integration, azure-sentinel-update-incident, not able to set to active

gfilippov — Sat, 19 Feb 2022 20:21:08 GMT

Hi,
Further instructions were sent over the support case you've opened, since this discussion board is public- let's continue the discussion over the private support case, on which logs can be shared,
thanks.

Re: sentinel integration, azure-sentinel-update-incident, not able to set to active

asawyer — Wed, 23 Feb 2022 01:05:51 GMT

Hi @jboyd98, I was unable to reproduce this issue using the latest version of the Azure Sentinel content pack (1.3.1). Please make sure you have updated the pack to the latest version.