12-21-2023 01:01 AM - edited 12-21-2023 01:08 AM
Hi,
TLDR: How can I write an automation that returns the incident team of multiple investigation ids (1,2,[...]) without needing to run the automation manually in each investigation?
I want to create an automation to send an e-mail to all users in the incident team of the current incident, as well as all linked incidents.
To achieve this for a single incident, I can use the demisto.investigation() function to extract the users in the incident team of the current investigation via the 'users' key.
Mapping the usernames to their configured e-mail is also quite easy using the default getUserByUsername automation.
Getting a list of all the linked incidents is also not a problem because the data is stored in the normal incident context.
The problem I'm facing right now is that demisto.investigation() doesn't seem to allow an investigation id to be provided to query another investigation instead of the one currently opened, so I would have to run the automation in each investigation manually.
Does anyone have an idea or a solution on how to work around that?
01-11-2024 02:38 PM
This is going to be a bit complicated so hopefully I can explain the process I would take to accomplish your goal.
From your explanation, my understanding is that there is one incident that is linked to multiple incidents, and you want to create a list of users for all of the incidents.
The first part of automation is to get a list of incident IDs that you want to find users for. For this, I would run this in the automation:
res = demisto.executeCommand("getIncidents", {"id": 1})
incident = res[0]["Contents"]['data'][0]['linkedIncidents']
This should return a list of linked incident IDs.
Then you can loop through each incident running demisto.executeCommand("getIncidents", {"id": x}) and get the user for each incident with res[0]["Contents"]['data'][0]['owner'].
The last step is to send out an email from the same automation using demisto.executeCommand('send-mail') and specify parameters of the command.
Hope this helps!
01-12-2024 04:14 AM
Hi @ysato
Your solution would provide me only with the "Owners" of all the linked incidents, which is not exactly what I want.
The user list I'm interested in is the list of users including owner and participants, pretty much the contents of the default "Team Members" layout section, but for all linked incidents. For a single incident this list can be retrieved by running
demisto.investigation()['users']
The problem I encountered is that (as far as I know) the participants of an investigation are only stored in the investigation data, and demisto.investigation() doesn't accept any arguments (unlike demisto.incidents(incidents=None)), so I don't know how (if it is possible) to access the investigation data of multiple incidents in a single automation.
01-12-2024 09:03 AM
I spent a good amount of time looking into this. Oddly enough, team members associated to incidents are not easily accessible. The only place that I found the list was using an API call.
You will need to set up an integration instance for Core REST API.
The URL will be POST https://hostname:443/investigations/search
In the body of the request, you will need this JSON
01-15-2024 05:51 AM
Hi @ysato ,
Thank you for the idea to utilize the API.
Below is my solution to use in an automation in case anyone encounters a similar issue 🙂
import json

INVESTIGATION_IDS = ["1234", "2345"]

# Search investigations by ID through the Core REST API integration instance.
body = {"filter": {"andOp": True, "id": INVESTIGATION_IDS}}
api_result = demisto.executeCommand("core-api-post", {"uri": "/investigations/search", "body": json.dumps(body)})
if isError(api_result[0]):
    return_error(get_error(api_result))

# Collect owner and participants of every returned investigation into one de-duplicated set.
users = set()
for investigation in api_result[0]['Contents']['response']['data']:
    for user in demisto.get(investigation, "users") or []:
        users.add(user)

# A set is not JSON-serialisable, so hand back a sorted list.
demisto.results(sorted(users))
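Putting the thread together, here is an added example (not the thread's own code, and written to run offline rather than inside XSOAR): it chains getIncidents, the linkedIncidents field, the /investigations/search API and getUserByUsername to build the e-mail list for one incident plus all incidents linked to it. The executor is injected so the function runs against constructed data; the result envelope shapes and the getUserByUsername argument name and "email" output key are assumptions.

```python
import json

# Constructed stand-ins for XSOAR command results (assumption: envelope shapes follow
# what the thread shows; the getUserByUsername output key "email" is assumed too).
FAKE_INCIDENTS = {"1": {"id": "1", "linkedIncidents": ["2", "3"]}, "3": {"id": "3"}}
FAKE_INVESTIGATIONS = {
    "1": {"id": "1", "users": ["alice", "bob"]},
    "2": {"id": "2", "users": ["bob", "carol"]},
    "3": {"id": "3", "users": ["dave"]},
}
FAKE_EMAILS = {"alice": "alice@example.com", "bob": "bob@example.com",
               "carol": "carol@example.com", "dave": "dave@example.com"}


def fake_execute_command(command, args):
    """Drop-in for demisto.executeCommand that answers from the constructed data above."""
    if command == "getIncidents":
        return [{"Type": 1, "Contents": {"data": [FAKE_INCIDENTS[str(args["id"])]]}}]
    if command == "core-api-post":
        wanted = json.loads(args["body"])["filter"]["id"]
        data = [FAKE_INVESTIGATIONS[i] for i in wanted if i in FAKE_INVESTIGATIONS]
        return [{"Type": 1, "Contents": {"response": {"data": data}}}]
    if command == "getUserByUsername":
        return [{"Type": 1, "Contents": {"email": FAKE_EMAILS.get(args["username"], "")}}]
    raise ValueError("unexpected command: " + command)


def team_emails(incident_id, execute_command):
    """Sorted e-mails of the team (owner + participants) of incident_id and every linked incident."""
    res = execute_command("getIncidents", {"id": incident_id})
    linked = res[0]["Contents"]["data"][0].get("linkedIncidents") or []
    ids = [str(incident_id)] + [str(i) for i in linked]
    # One search call covers all investigations instead of running the script in each one.
    body = json.dumps({"filter": {"andOp": True, "id": ids}})
    api = execute_command("core-api-post", {"uri": "/investigations/search", "body": body})
    users = set()
    for investigation in api[0]["Contents"]["response"]["data"]:
        users.update(investigation.get("users") or [])
    emails = set()
    for username in sorted(users):
        lookup = execute_command("getUserByUsername", {"username": username})
        email = lookup[0]["Contents"].get("email")
        if email:  # skip accounts with no configured address rather than failing the run
            emails.add(email)
    return sorted(emails)

# In a real automation pass demisto.executeCommand instead of the fake, then hand the
# list to demisto.executeCommand("send-mail", {"to": ",".join(emails), ...}).
```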