
Error: DB Version '##' and Insert version '##' do not match for id: ##### on bucket [] [incidents] (15)


L2 Linker

I have a trigger script automation that updates the linked incidents of an incident.  The update works, but then it produces the following error and refuses to update the field that triggered the automation.

 


 

 

The script works fine if I run it from the command line.  It's only when a triggered script runs that there's a problem.

 

Here's a sample that causes a problem.  If I comment this line out, the field updates just fine.

 

demisto.executeCommand("setIncident", {'id':child_case_id, "customFields":"{\"False Positive\":\"True\"}"})

 

 

Anyone know what's going on and how to fix this?


L3 Networker

Hello,

 

I assume this is a field-change-triggered script? What do you have selected for the "Run triggered script after incident is modified"?


 

You will not need to specify the "CustomFields" in the setIncident command either. You can use the system name for the field. In your case it would (most likely) be:

 

demisto.executeCommand("setIncident", {"id":child_case_id, "falsepositive":True})

 

 

Regards


Adam

I don't even have that checkbox.  Where is it?  We're running 6.0.


 

It looks like the checkbox is only there for version 6.1.

 

The workaround is to leave out the 'id':child_case_id  in the setIncident command and leave out the "incidentId":child_case_id  in the linkIncidents command.  This will default to using the current incident.

 

It may be that you have to use the ID, as is the case with the linkIncidents command.  In this case, triggered scripts need to use demisto.investigation()['id'] to get the incident ID.  They can't use demisto.incidents()[0]['id'].

The solution above turns out to be only partial.  Leaving out the incidentId field for the linkIncidents command causes the command to do nothing.  Putting it back in re-generates the DB version errors.  Running the trigger script from the command line works perfectly.

 

So, I don't have a way to modify linked cases in a triggered script in 6.0.  Anyone know?

If you leave out the "id" field in the setIncident command, it will execute within the current incident (it assumes the current incident is the id).

 

Is the script executing from within an existing incident, or is the script attempting to update a different incident?

We just upgraded to 6.1, so I revisited this matter.  It's not much better.

 

The DB Version errors no longer appear.

 

If I leave "Run triggered script after case is modified" unchecked, the triggered script correctly updates other fields with the setIncident command.

 

If I check that box, the other fields do not update, even though the war room says that they're updated.

 

Whether I check that box or not, and no matter how it is called, the linkIncidents command does nothing when run from a triggered script.  It works as expected if run from a script launched by a button or the command line. 

 

Can you confirm the above?  The docs mention nothing about linking incidents from triggered scripts.

The automation script that you have created to link the incidents, can you confirm who it is running as? By default it's "limited user".

 

This may be affecting the outcome.

It was set to "limited user".  I tried setting it to "DBot".  No change in behavior resulted.

 

I have the exact same script triggered by a button and triggered by a field change.  It works fine when triggered by the button.

Can you post the contents of the script?

The script is pretty unremarkable, except that it's called by a wrapper script that processes the "new" argument.  The same wrapper is attached to the (correctly working) button, which fills the "new" argument with the field value.

 

The behavior is consistently reproducible.  At this point, I'm looking for confirmation:  Is it expected behavior that scripts triggered by a field change can't modify linked cases?  If so, a documentation update and feature idea would be in order.  If not, a bug fix is in order.

 

Of course, if you have a workaround better than "Use a button to trigger the script", that would be great!

 

incident = demisto.incidents()[0]

new_parent_case_id = demisto.args()["parent"]
child_case_id = demisto.args().get("child", "")
if child_case_id == "":
    child_case_id = incident.get("id", "Error")

# Remove any existing links on the child (current) case
old_linked_incidents_list = incident.get('linkedIncidents', [])
if old_linked_incidents_list:
    old_linked_incidents = ",".join(old_linked_incidents_list)
    # This line does nothing when this script is triggered by a field change
    # It works fine when this script is triggered by a button
    # Removing the "incidentId" argument changes nothing
    # Changing the "run as" parameter to DBot changes nothing
    demisto.executeCommand("linkIncidents", {"incidentId":child_case_id, "linkedIncidentIDs":old_linked_incidents, "action": "unlink"})

# Create new false positive parent, if requested
if new_parent_case_id == "Create":
    parent_name = "PARENT: " + demisto.incidents()[0]['name']
    resp = demisto.executeCommand("createNewCase", {
        "name": parent_name,
        "type": "False Positive Parent",
        "severity": "low",
        "roles": "##Redacted##"
    })

    if isError(resp[0]):
        demisto.results('Error while creating the new false positive parent case: ' + str(resp))
        sys.exit(0)

    new_parent_case_id = None
    if (resp[0] and resp[0]["EntryContext"] and 'CreatedIncidentID' in resp[0]["EntryContext"] ):
        new_parent_case_id = resp[0]["EntryContext"]['CreatedIncidentID']
    else:
        demisto.results(f'Failed to find the new incident id from create case request')

    # Update the False Positive Parent field to show the new parent
    # Note that this may trigger a field-change script, so it's important to avoid looping around
    # However, the problem with the linked incidents happens even when this branch of code is not executed
    resp = demisto.executeCommand('setIncident', {
            'falsepositiveparent': "{} {}".format(new_parent_case_id, parent_name)
    })

# Link to the False Positive Parent
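# Skip linking when no parent ID is available (Python None after a failed create, or the string "None")
if new_parent_case_id and new_parent_case_id != "None":
    # Link to the parent case
    # This line does nothing when this script is triggered by a field change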
    demisto.executeCommand('linkIncidents', {"incidentId":child_case_id, "linkedIncidentIDs":new_parent_case_id})

    # Mark the child case as a stalled false positive
    # This line works fine when this script is triggered by a field change
    resp = demisto.executeCommand('setIncident', {
            'id': child_case_id,
            'stalled': True,
            'falsepositive': True
    })
    if isError(resp[0]):
        demisto.results('Failed updating existing case with false positive attributes: ' + str(resp))
        sys.exit(0)

demisto.results("Attempted to attach child false positive case {} to parent case {}".format(child_case_id, new_parent_case_id))

 

Here's the wrapper:

 

new_field_value = demisto.args()["new"]

new_parent_case_id = new_field_value.split(" ")[0]

# Execute the update
demisto.executeCommand("AddChildToParent", {"parent":new_parent_case_id})
demisto.results("Attempted to attach child false positive case to parent case {}".format(new_parent_case_id))

 

Hi! Sorry for the long delay.

 

You can carry out the whole process using a single drop down menu:

 

 

I had created:


  • A field named "False Positive Parent"
  • The field was a "single select" field with the values: "None,Create New..."
  • It is set to "Run triggered script after incident is modified"
  • It has a field display script called "populateParent" (described below)
  • It has a field value change script called "setLinkedIncident" (described below)

 

"populateParent" is:

 

args = demisto.args()
field = args.get('field', {})
options = field.get('selectValues', [])
all_incidents = [f"{x['name']} - {x['id']}" for x in demisto.executeCommand("getIncidents", {"query": "-status:Closed and type:\"False Positive Parent\""})[0]['Contents']['data']] + options
demisto.results({"hidden": False, "options": all_incidents})

 

 

"setLinkedIncident" is:

 

args = demisto.args()
new = args.get('new', None)
old = args.get('old', None)
incident = demisto.incident()
incident_id = incident.get('investigationId')
incident_name = incident.get('name', '')
custom_fields = incident.get('CustomFields', {})
linked_incidents = incident.get('linkedIncidents', [])


# Remove existing linked incidents
if new == "None" or old != "None" and linked_incidents:
    demisto.executeCommand("linkIncidents", {"incidentId": incident_id, "linkedIncidentIDs": ",".join(linked_incidents), "action": "unlink"})

# If the user requested a new case:
if new == "Create New..." or new != "None":

    if new == "Create New...":
        new_incident = demisto.executeCommand("createNewIncident", {
            "name": f"PARENT: {incident_name}",
            "type": "False Positive Parent",
            "severity": 1
        })[0]['EntryContext']
        new_incident = new_incident.get('CreatedIncidentID', None)
        demisto.executeCommand("linkIncidents", {"incidentId": incident_id, "linkedIncidentIDs": new_incident, "action": "link"})
        new = new_incident
        demisto.executeCommand("setIncident", {"falsepositiveparent": f"PARENT: {incident_name} - {new_incident}"})
        new = new_incident
        return_results(new)
    elif new != "None":
        new = new.split(" - ")[1]
        demisto.executeCommand("linkIncidents", {"incidentId": incident_id, "linkedIncidentIDs": new, "action": "link"})

 

 

The above script doesn't contain items such as "closeInvestigation", but could easily include them.

 

I DO have trouble when using the "Create New..." option. It will create the new incident and assign it, but it won't assign the new value to the field. It has to be assigned manually again. I would suggest having a separate button that is purely used for creating a new incident, perhaps with a few more fields in there.

 

However, I can link incidents using the dropdown. I think the key here is to link the current incident to the remote incident, not the other way around.

Another complication is that triggered scripts need to use demisto.investigation()['id'] to get the incident ID.  They can't use demisto.incidents()[0]['id'].  I was able to use that ID to get linkIncidents to work.

 

My current problem is using setIncident to update fields from a trigger script.  It's fine if the user modifies the field via the GUI, but if a button script modifies the field, then the trigger script locks up when it tries to update an additional field with setIncident.  The script just hangs.  At that point, the incident is locked up, and it's not even possible to close it.
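
An added example, not code from any poster in this thread: a field-change-triggered script that reads the incident ID from demisto.investigation()['id'], omits 'id' from setIncident so it acts on the current incident, and checks every command result for an error entry. FakeDemisto, current_incident_id, run_checked and relink_to_parent are hypothetical names, and the stub stands in for the real demisto object so the logic runs offline with constructed IDs.

```python
class FakeDemisto:
    """Constructed stand-in for the XSOAR `demisto` object (offline runs only)."""

    def __init__(self, investigation_id):
        self._investigation = {"id": investigation_id}
        self.calls = []  # every (command, args) pair the script issued

    def investigation(self):
        return self._investigation

    def executeCommand(self, command, args):
        self.calls.append((command, dict(args)))
        return [{"Type": 1, "Contents": "done"}]  # constructed non-error entry


def current_incident_id(demisto):
    """ID of the incident the trigger fired on, read as the thread describes."""
    incident_id = (demisto.investigation() or {}).get("id")
    if not incident_id:
        raise ValueError("no investigation id in this execution context")
    return str(incident_id)


def run_checked(demisto, command, args):
    """Run a command and raise on an error entry (Type 4, what isError() tests)."""
    entries = demisto.executeCommand(command, args)
    if any(isinstance(e, dict) and e.get("Type") == 4 for e in entries):
        raise RuntimeError(f"{command} failed: {entries}")
    return entries


def relink_to_parent(demisto, new_field_value, old_links):
    """Hypothetical helper: move the current incident under a new parent."""
    child_id = current_incident_id(demisto)
    parent_id = new_field_value.split(" ")[0]  # field value is "<id> <name>"
    if parent_id in ("", "None") or parent_id == child_id:
        return None  # nothing to link; never link an incident to itself
    if old_links:
        run_checked(demisto, "linkIncidents", {"incidentId": child_id,
                    "linkedIncidentIDs": ",".join(old_links), "action": "unlink"})
    run_checked(demisto, "linkIncidents", {"incidentId": child_id,
                "linkedIncidentIDs": parent_id, "action": "link"})
    # No 'id' argument: setIncident then acts on the current incident
    run_checked(demisto, "setIncident", {"stalled": True, "falsepositive": True})
    return parent_id


if __name__ == "__main__":
    fake = FakeDemisto("101")  # constructed incident IDs
    print(relink_to_parent(fake, "200 PARENT: phishing", ["150"]), fake.calls)
```
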

 

For the above video I used the following scripts:

 

  • False Positive Parent - Field (single select with values "None,Create New...")
  • Field Display Script set as "populateParent"
  • Field Change Script (Run triggered script after incident is modified) as "setLinkedIncident"

 

"populateParent":

args = demisto.args()
field = args.get('field', {})
options = field.get('selectValues', [])
all_incidents = [f"{x['name']} - {x['id']}" for x in demisto.executeCommand("getIncidents", {"query": "-status:Closed and type:\"False Positive Parent\""})[0]['Contents']['data']] + options
demisto.results({"hidden": False, "options": all_incidents})

(Adjust query as you see fit)

 

"setLinkedIncident":

args = demisto.args()
new = args.get('new', None)
old = args.get('old', None)
incident = demisto.incident()
incident_id = incident.get('investigationId')
incident_name = incident.get('name', '')
custom_fields = incident.get('CustomFields', {})
linked_incidents = incident.get('linkedIncidents', [])
should_close = False
parent_incident = None

# Remove existing linked incidents
if new == "None" or old != "None" and linked_incidents:
    demisto.executeCommand("linkIncidents", {"incidentId": incident_id, "linkedIncidentIDs": ",".join(linked_incidents), "action": "unlink"})

    if new == "None":
        demisto.executeCommand("setIncident", {"closeNotes": "''", "closeReason": "''"})

# If the user requested a new case:
if new == "Create New..." or new != "None":

    if new == "Create New...":
        new_incident = demisto.executeCommand("createNewIncident", {
            "name": f"PARENT: {incident_name}",
            "type": "False Positive Parent",
            "severity": 1
        })[0]['EntryContext']
        new_incident = new_incident.get('CreatedIncidentID', None)
        demisto.executeCommand("linkIncidents", {"incidentId": incident_id, "linkedIncidentIDs": new_incident, "action": "link"})
        parent_incident = new_incident
        should_close = True
    elif new != "None":
        new = new.split(" - ")[1]
        parent_incident = new
        should_close = True
        demisto.executeCommand("linkIncidents", {"incidentId": incident_id, "linkedIncidentIDs": new, "action": "link"})

if should_close:
    demisto.executeCommand("closeInvestigation", {"closeNotes": f"Parent incident {parent_incident}", "closeReason": "Duplicate"})

 

With "Create New...", I can't seem to create the incident AND set the field at the same time. I would suggest a separate button to create a new parent incident. This could then have more properties the user could manage.

 

 

This is not usual behaviour and indicates that something may be sat in a loop in the script somewhere.

 

Could you try and set a small timeout for the script (around 5 seconds) and see if the incident locks up for that 5 secs. If so, there is something not executing correctly in the script.
