Closing an incident on CortexXDR with pre-processing.



Hi all,


I want to mark the Cortex XDR incident coming into XSOAR as TP or FP with preprocessing. Does preprocessing allow this (run a script)? Or does it only do drop processing?



Hi @YilmazDincer ,


The script will only drop processing if it returns false. What do you mean by marking them?  

Hi @gyldz ,

For example, there will be a condition and if it matches that condition, it will execute the command I show below. This command closes the incident in XDR (marked as FP or TP).
Pseudo code:

import demistomock as demisto  # XSOAR scripting API used by pre-process scripts

def condition():
    """Pseudo: the match logic goes here; return True when the XDR incident should be closed."""
    return False

x = '<xdr incident id>'  # pseudo placeholder for the Cortex XDR incident id

if condition():
    # xdr-update-incident (Cortex XDR integration): close the incident as a true positive
    demisto.executeCommand('xdr-update-incident', {'incident_id': x, 'status': 'resolved_true_positive'})
else:
    demisto.results(True)  # if it doesn't match, don't close it; keep the incident
# This code is pseudo


Hi,


You can do that. You do not have to return a False result. I tested the one below and it works fine, so you can change it according to your needs.

import demistomock as demisto  # XSOAR scripting API used by pre-process scripts

try:
    result = "FP"
    if result == "FP":
        # Notify on a false positive; the incident is not dropped because nothing returns False
        demisto.executeCommand("send-notification", {"channel": "xsoar-implementation", "message": "FP alert"})
    else:
        demisto.results(True)  # keep the incident
except Exception:
    demisto.results(True)  # on any error, still keep the incident
