This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

create table show incident close reason group by incident type

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

create table show incident close reason group by incident type

Go to solution
LinsongGuo
L1 Bithead

‎11-04-2021 10:51 PM

I am new to XSOAR and I am trying to create table show incident close reason group by incident type looks like below

 

 Ture positiveFalse positiveDuplicate
incident type 11211
incident type 22433
incident type 341622

I cant find any widget can do this so I try to look into the automation script but I have no idea how it going to work.

 

If anyone can give a hit on this would be great?

 

In addition, does anyone can share some good starting tutorial relate with automation scripting would be appricated

 

Regards

 

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
ABurt
L3 Networker

‎11-09-2021 07:16 AM

Take a look at the automation script widgets here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/widgets/create-a-custom...

 

 

As an example for you use case (and assuming you have fields called "True Positive" and "False Positive" that are boolean (bear in mind this is pseudo code and not tested):


page = 0
size = 100

table_results = dict()

data = demisto.executeCommand("getIncidents", {"page": page, "size": size})[0]['Contents']

while data.get('data'):
    for incident in data.get('data'):
        inc_type = incident.get('type')
        custom_fields = incident.get('CustomFields')
        if inc_type not in table_results:
            table_results[inc_type] = {
                "True Positive": int(custom_fields.get('truepositive')) or 0,
                "False Positive": int(custom_fields.get('falsepositive')) or 0,
                "Duplicate": custom_fields.get('dropppedcount') or 0,
            }
        else:
            if custom_fields.get('truepositive'):
                table_results[inc_type]['True Positive'] += 1
            if custom_fields.get('falsepositive'):
                table_results[inc_type]['False Positive'] += 1
            table_results[inc_type]['Duplicate'] += incident.get('droppedcount')
    page += 1
    data = demisto.executeCommand("getIncidents", {"page": page, "size": size})[0]['Contents']

return_results = [{
    "Type": k,
    "True Positive": v.get('True Positive'),
    "False Positive": v.get('False Positive'),
    "Duplicate": v.get('Duplicate')
    } for k, v in table_results.items()]
    

return_results(return_results)

View solution in original post

(1)
2 REPLIES 2

Go to solution
kiwi
Community Team Member

‎11-09-2021 05:06 AM

Hi @LinsongGuo ,

 

In order to get better traction for this, I have moved your query to the Cortex XSOAR area.
I would recommend that you visit this area to see your discussion and others on Cortex XSOAR.

 

Cheers !

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
0 Likes Likes

Go to solution
ABurt
L3 Networker

‎11-09-2021 07:16 AM

Take a look at the automation script widgets here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-2/cortex-xsoar-admin/widgets/create-a-custom...

 

 

As an example for you use case (and assuming you have fields called "True Positive" and "False Positive" that are boolean (bear in mind this is pseudo code and not tested):


page = 0
size = 100

table_results = dict()

data = demisto.executeCommand("getIncidents", {"page": page, "size": size})[0]['Contents']

while data.get('data'):
    for incident in data.get('data'):
        inc_type = incident.get('type')
        custom_fields = incident.get('CustomFields')
        if inc_type not in table_results:
            table_results[inc_type] = {
                "True Positive": int(custom_fields.get('truepositive')) or 0,
                "False Positive": int(custom_fields.get('falsepositive')) or 0,
                "Duplicate": custom_fields.get('dropppedcount') or 0,
            }
        else:
            if custom_fields.get('truepositive'):
                table_results[inc_type]['True Positive'] += 1
            if custom_fields.get('falsepositive'):
                table_results[inc_type]['False Positive'] += 1
            table_results[inc_type]['Duplicate'] += incident.get('droppedcount')
    page += 1
    data = demisto.executeCommand("getIncidents", {"page": page, "size": size})[0]['Contents']

return_results = [{
    "Type": k,
    "True Positive": v.get('True Positive'),
    "False Positive": v.get('False Positive'),
    "Duplicate": v.get('Duplicate')
    } for k, v in table_results.items()]
    

return_results(return_results)
(1)
  • 1 accepted solution
  • 3035 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks