Automation to query incident team from current and linked incidents



L1 Bithead

Hi,

TLDR: How can I write an automation that returns the incident team of multiple investigation ids (1,2,[...]) without needing to run the automation manually in each investigation?

 

I want to create an automation to send an e-mail to all users in the incident team of the current incident, as well as all linked incidents.

To achieve this for a single incident, I can use the demisto.investigation() function to extract the users in the incident team of the current investigation via the 'users' key.

Mapping the usernames to their configured e-mail is also quite easy using the default getUserByUsername automation.

Getting a list of all the linked incidents is also not a problem, because the data is stored in the normal incident context.

 

The problem I'm facing right now is that demisto.investigation() doesn't seem to allow an investigation id to be provided to query another investigation instead of the one currently opened, so I would have to run the automation in each investigation manually.

 

Does anyone have an idea or a solution on how to work around that?

 

Cortex XSOAR 

4 REPLIES

L3 Networker

Hi @Martin_Wiethan 

This is going to be a bit complicated so hopefully I can explain the process I would take to accomplish your goal.

From your explanation, my understanding is that there is one incident that is linked to multiple incidents, and you want to create a list of users for all of the incidents.

The first part of the automation is to get a list of incident IDs that you want to find users for. For this, I would run this in the automation:

# getIncidents returns a list of entries; the matching incident is the first element of Contents.data
res = demisto.executeCommand("getIncidents", {"id": 1})
incident = res[0]["Contents"]['data'][0]['linkedIncidents']

This should return a list of linked incident IDs.

Then you can loop through each incident running demisto.executeCommand("getIncidents", {"id": x}) and get the user for each incident with res[0]["Contents"]['data'][0]['owner']

The last step is to send out an email from the same automation using demisto.executeCommand('send-mail') and specifying the parameters of the command.

 

Hope this helps!

Hi @ysato 

Your solution would provide me only with the "Owners" of all the linked incidents, which is not exactly what I want.

The user list I'm interested in is the list of users including owner and participants, pretty much the contents of the default "Team Members" layout section, but for all linked incidents. For a single incident this list can be retrieved by running

demisto.investigation()['users']

The problem I encountered is that (as far as I know) the participants of an investigation are only stored in the investigation data, and demisto.investigation() doesn't accept any arguments (unlike demisto.incidents(incidents=None)), so I don't know how (if it is possible) to access the investigation data of multiple incidents in a single automation.

L3 Networker

Hi @Martin_Wiethan 

 

I spent a good amount of time looking into this. Oddly enough, team members associated with incidents are not easily accessible. The only place that I found the list was using an API call.

You will need to set up an integration instance for Core REST API.

The URL will be POST https://hostname:443/investigations/search

In the body of the request, you will need this JSON (each "#" is a placeholder for an investigation id):

{
    "filter": {
        "andOp": true,
        "id": ["#", "#", "#"]
    }
}

The response will include an "entryUsers" key that contains a list of the users associated with the incident.
You can do all of this in one automation, and use this list of users to send out emails.

Hi @ysato ,

Thank you for the idea to utilize the API. 

Below is my solution to use in an automation in case anyone encounters a similar issue 🙂

 

import json

import demistomock as demisto  # standard XSOAR automation header; demisto is injected at runtime

INVESTIGATION_IDS = ["1234", "2345"]

# Build the /investigations/search filter with json.dumps instead of hand-concatenated JSON
body = json.dumps({"filter": {"andOp": True, "id": INVESTIGATION_IDS}})
api_result = demisto.executeCommand("core-api-post", {"uri": "/investigations/search", "body": body})

users = set()

for investigation in api_result[0]['Contents']['response']['data']:
    demisto.debug(json.dumps(investigation))  # trace each returned investigation in the script log
    for user in demisto.get(investigation, "users") or []:
        users.add(user)

# demisto.results cannot serialise a set, so return a list
demisto.results(list(users))
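The steps the thread converges on (current incident, its linkedIncidents, one /investigations/search call via core-api-post, then the union of team members) as one stand-alone automation. This is an added example, not code posted in the thread or shipped by Palo Alto Networks. It assumes the response shapes quoted in the replies, checks both key names mentioned for the member list ("users" and "entryUsers"), and takes the command executor as a parameter so that inside XSOAR you pass demisto.executeCommand while the constructed sample_execute below stands in for XSOAR offline.

```python
import json
from typing import Any, Callable, Dict, List, Set

# Anything with demisto.executeCommand's shape: (command, args) -> list of entries.
Executor = Callable[[str, Dict[str, Any]], List[Dict[str, Any]]]


def build_search_body(investigation_ids: List[str]) -> str:
    """Serialise the /investigations/search filter from the thread as valid JSON."""
    return json.dumps({"filter": {"andOp": True, "id": [str(i) for i in investigation_ids]}})


def linked_incident_ids(execute: Executor, incident_id: str) -> List[str]:
    """Read linkedIncidents from getIncidents, the way the first reply does."""
    res = execute("getIncidents", {"id": incident_id})
    data = (res[0].get("Contents") or {}).get("data") or []
    if not data:
        return []
    return [str(i) for i in (data[0].get("linkedIncidents") or [])]


def team_users(investigations: List[Dict[str, Any]]) -> Set[str]:
    """Union of team members over the returned investigations.

    Assumption: the member list sits under 'users' (the asker's script) or
    'entryUsers' (the accepted answer); both names are checked."""
    users: Set[str] = set()
    for inv in investigations:
        for key in ("users", "entryUsers"):
            users.update(inv.get(key) or [])
    return users


def collect_team(execute: Executor, incident_id: str) -> List[str]:
    """Team members of incident_id plus every incident linked to it, from one search call."""
    ids = list(dict.fromkeys([str(incident_id)] + linked_incident_ids(execute, incident_id)))
    res = execute("core-api-post", {"uri": "/investigations/search", "body": build_search_body(ids)})
    investigations = ((res[0].get("Contents") or {}).get("response") or {}).get("data") or []
    return sorted(team_users(investigations))


# Constructed sample data standing in for XSOAR so the module runs offline.
SAMPLE_LINKS = {"1001": ["1002", "1003"]}
SAMPLE_INVESTIGATIONS = {
    "1001": {"id": "1001", "users": ["alice", "bob"]},
    "1002": {"id": "1002", "entryUsers": ["bob", "carol"]},
    "1003": {"id": "1003", "users": []},
}


def sample_execute(command: str, args: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Fake executor mimicking the response shapes quoted in the thread (constructed)."""
    if command == "getIncidents":
        inc = {"id": args["id"], "linkedIncidents": SAMPLE_LINKS.get(str(args["id"]), [])}
        return [{"Contents": {"data": [inc]}}]
    if command == "core-api-post":
        wanted = json.loads(args["body"])["filter"]["id"]
        found = [SAMPLE_INVESTIGATIONS[i] for i in wanted if i in SAMPLE_INVESTIGATIONS]
        return [{"Contents": {"response": {"data": found}}}]
    raise ValueError("unexpected command: " + command)


if __name__ in ("__main__", "__builtin__", "builtins"):
    if "demisto" in globals():  # running inside XSOAR: demisto is a global there
        demisto.results(collect_team(demisto.executeCommand, demisto.investigation()["id"]))
    else:  # running locally against the constructed sample
        print(collect_team(sample_execute, "1001"))
```

Passing the executor in keeps the parsing logic testable outside XSOAR; the returned, de-duplicated username list is what you would then hand to getUserByUsername and send-mail in the same script.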

  • 1 accepted solution
  • 1736 Views
  • 4 replies
  • 0 Likes