06-20-2023 02:10 AM - edited 06-20-2023 02:22 AM
Hi all,
I want to mark the Cortex XDR incident coming into XSOAR as TP or FP with preprocessing. Does preprocessing allow this (run a script)? Or does it only do drop processing?
06-20-2023 03:51 AM
Hi @YilmazDincer ,
The script will only drop processing if it returns false. What do you mean by marking them?
06-20-2023 03:59 AM
Hi @gyldz ,
For example, there will be a condition and if it matches that condition, it will execute the command I show below. This command closes the incident in XDR (marked FP or TP).
pseudo code:
def condition():
    "pseudo"

if condition():
    demisto.executeCommand('xdr-update-incident', {'incidentid': x, 'status': 'TP'})
else:
    demisto.results(True) ## if it doesn't match, don't it.
'This code is pseudo'
06-20-2023 07:20 AM
Hi,
You can do that. You do not have to return a False result. I tested the one below and it works fine, so you can change it according to your needs.
try:
    result = "FP"  # fixed value used for the test
    if result == "FP":
        demisto.executeCommand("send-notification", {"channel": "xsoar-implementation", "message": "FP alert"})
    else:
        demisto.results(True)  # keep the incident
except Exception:
    demisto.results(True)  # on any error, keep the incident
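The pattern discussed in this thread, written out as an added example (not code from any of the posts or from the XSOAR project): a pre-process handler that marks the XDR incident TP or FP and keeps the XSOAR incident whenever anything fails. The `classify` rules, the `hostname`, `malwareconfirmed` and `xdrincidentid` field names, the `drop_marked` option and the `incident_id`, `status` and `resolve_comment` argument values are assumptions to check against your own tenant and integration version.

```python
ERROR_ENTRY = 4  # XSOAR entry type code for an error entry
# Assumed argument values for xdr-update-incident; check your integration version.
XDR_STATUS = {"FP": "resolved_false_positive", "TP": "resolved_true_positive"}
SCANNER_HOSTS = {"vuln-scanner-01"}  # constructed sample allow-list


def classify(fields):
    """Hypothetical condition: 'FP', 'TP', or None when no rule matches."""
    if fields.get("hostname") in SCANNER_HOSTS:
        return "FP"
    if fields.get("malwareconfirmed") is True:  # hypothetical field name
        return "TP"
    return None


def preprocess(incident, execute_command, drop_marked=False):
    """Return (keep, verdict); pass keep to demisto.results().

    keep=False drops the incident, and only when drop_marked is set and
    XDR accepted the update. Every failure path keeps the incident.
    """
    try:
        fields = incident.get("CustomFields") or {}
        verdict = classify(fields)
        xdr_id = fields.get("xdrincidentid")  # assumed field name
        if verdict is None or not xdr_id:
            return True, None
        entries = execute_command("xdr-update-incident", {
            "incident_id": xdr_id,
            "status": XDR_STATUS[verdict],
            "resolve_comment": "Set by pre-process rule",
        })
        # A failed command can come back as an error entry, not an exception.
        if not entries or any(e.get("Type") == ERROR_ENTRY for e in entries):
            return True, None
        return not drop_marked, verdict
    except Exception:
        return True, None  # fail open: a script bug must not lose incidents


# Inside XSOAR (not run here):
#   keep, _ = preprocess(demisto.incidents()[0], demisto.executeCommand)
#   demisto.results(keep)
```

Passing the command runner in as a parameter lets the decision logic be tested outside XSOAR with a stub before the script is attached to a pre-process rule.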