03-04-2021 07:08 PM
I have a trigger script automation that updates the linked incidents of an incident. The update works, but then it produces the following error and refuses to update the field that triggered the automation.
The script works fine if I run it from the command line. It's only when a triggered script runs that there's a problem.
Here's a sample that causes a problem. If I comment this line out, the field updates just fine.
demisto.executeCommand("setIncident", {'id':child_case_id, "customFields":"{\"False Positive\":\"True\"}"})
Anyone know what's going on and to fix this?
03-05-2021 11:28 AM - edited 03-22-2021 09:28 AM
It looks like the checkbox is only there for version 6.1.
The workaround is to leave out the 'id':child_case_id in the setIncident command and leave out the "incidentId":child_case_id in the linkIncidents command. This will default to using the current incident.
It may be that you have to use the ID, as is the case with the linkIncidents command. In this case, triggered scripts need to use demisto.investigation()['id'] to get the incident ID. They can't use demisto.incidents()[0]['id'].
03-05-2021 01:46 AM - edited 03-05-2021 02:02 AM
Hello,
I assume this a field-change-triggered script? What do you have selected for the ""Run triggered script after incident is modified"?
You will not need to specify the "CustomFields" in the setIncident command either. You can use the system name for the field. In your case it would (most likely) be:
demisto.executeCommand("setIncident", {"id":child_case_id, "falsepositive":True})
Regards
Adam
03-05-2021 07:40 AM
I don't even have that checkbox. Where is it? We're running 6.0.
03-05-2021 11:28 AM - edited 03-22-2021 09:28 AM
It looks like the checkbox is only there for version 6.1.
The workaround is to leave out the 'id':child_case_id in the setIncident command and leave out the "incidentId":child_case_id in the linkIncidents command. This will default to using the current incident.
It may be that you have to use the ID, as is the case with the linkIncidents command. In this case, triggered scripts need to use demisto.investigation()['id'] to get the incident ID. They can't use demisto.incidents()[0]['id'].
03-05-2021 04:45 PM - edited 03-05-2021 04:54 PM
The solution above turns out to be only partial. Leaving out the incidentId field for the linkIncidents command causes the command to do nothing. Putting it back in re-generates the DB version errors. Running the trigger script from the command line works perfectly.
So, I don't have a way to modify linked cases in a triggered script in 6.0. Anyone know?
03-08-2021 12:58 AM
If you leave out the "id" field in the setIncident command, it will execute within the current incident (it assumes the current incident is the id).
Is the script executing from within an existing incident, or is the script attemping to update a different incident?
03-16-2021 06:03 PM
We just upgraded to 6.1, so I revisited this matter. It's not much better.
The DB Version errors no longer appear.
If I leave "Run triggered script after case is modified" unchecked, the triggered script correctly updates other fields with the setIncident command.
If I check that box, the other fields do not update, even though the war room says that they're updated.
Whether I check that box or not, and no matter how it is called, the linkIncidents command does nothing when run from a triggered script. It works as expected if run from a script launched by a button or the command line.
Can you confirm the above? The docs mention nothing about linking incidents from triggered scripts.
03-17-2021 03:03 AM
The automatoin script that you have created to link the incidents, can you confirm who it is running as? By default it's "limited user".
This may be affecting the outcome.
03-17-2021 09:22 AM
It was set to "limited user". I tried setting it to "DBot". No change in behavior resulted.
I have the exact same script triggered by a button and triggered by a field change. It works fine when triggered by the button.
03-17-2021 09:46 AM
Can you post the contents of the script?
03-17-2021 10:19 AM
The script is pretty unremarkable, except that it's called by a wrapper script that processes the "new" argument. The same wrapper is attached to the (correctly working) button, which fills the "new" argument with the field value.
The behavior is consistently reproducible. At this point, I'm looking for confirmation: Is it expected behavior that scripts triggered by a field change can't modify linked cases? If so, a documentation update and feature idea would be in order. If not, a bug fix is in order.
Of course, if you have a workaround better than "Use a button to trigger the script", that would be great!
incident = demisto.incidents()[0]
new_parent_case_id = demisto.args()["parent"]
child_case_id = demisto.args().get("child", "")
if child_case_id == "":
child_case_id = incident.get("id", "Error")
# Remove any existing links on the child (current) case
old_linked_incidents_list = incident.get('linkedIncidents', [])
if old_linked_incidents_list:
old_linked_incidents = ",".join(old_linked_incidents_list)
# This line does nothing when this script is triggered by a field change
# It works fine when this script is triggered by a button
# Removing the "incidentId" argument changes nothing
# Changing the "run as" parameter to DBot changes nothing
demisto.executeCommand("linkIncidents", {"incidentId":child_case_id, "linkedIncidentIDs":old_linked_incidents, "action": "unlink"})
# Create new false positive parent, if requested
if new_parent_case_id == "Create":
parent_name = "PARENT: " + demisto.incidents()[0]['name']
resp = demisto.executeCommand("createNewCase", {
"name": parent_name,
"type": "False Positive Parent",
"severity": "low",
"roles": "##Redacted##"
})
if isError(resp[0]):
demisto.results('Error while creating the new false positive parent case: ' + str(resp))
sys.exit(0)
new_parent_case_id = None
if (resp[0] and resp[0]["EntryContext"] and 'CreatedIncidentID' in resp[0]["EntryContext"] ):
new_parent_case_id = resp[0]["EntryContext"]['CreatedIncidentID']
else:
demisto.results(f'Failed to find the new incident id from create case request')
# Update the False Postive Parent field to show the new parent
# Note that this may trigger a field-change script, so it's important to avoid looping around
# However, the problem with the linked incidents happens even when this branch of code is not executed
resp = demisto.executeCommand('setIncident', {
'falsepositiveparent': "{} {}".format(new_parent_case_id, parent_name)
})
# Link to the False Positive Parent
if new_parent_case_id != "None":
# Link to the parent case
# This line does nothing then this script is triggered by a field change
demisto.executeCommand('linkIncidents', {"incidentId":child_case_id, "linkedIncidentIDs":new_parent_case_id})
# Mark the child case as a stalled false positive
# This line works fine when this script is triggered by a field change
resp = demisto.executeCommand('setIncident', {
'id': child_case_id,
'stalled': True,
'falsepositive': True
})
if isError(resp[0]):
demisto.results('Failed updating existing case with false positive attributes: ' + str(resp))
sys.exit(0)
demisto.results("Attempted to attach child false positive case {} to parent case {}".format(child_case_id, new_parent_case_id))
Here's the wrapper:
new_field_value = demisto.args()["new"]
new_parent_case_id = new_field_value.split(" ")[0]
# Execute the update
demisto.executeCommand("AddChildToParent", {"parent":new_parent_case_id})
demisto.results("Attempted to attach child false positive case to parent case {}".format(new_parent_case_id))
03-22-2021 08:47 AM - edited 03-22-2021 08:49 AM
Hi! Sorry for teh long delay.
You can carry out the whole process using a single drop down menu:
This is a modal window.
Beginning of dialog window. Escape will cancel and close the window.
End of dialog window.
This is a modal window. This modal can be closed by pressing the Escape key or activating the close button.
I had created:
"populateParent" is:
args = demisto.args()
field = args.get('field', {})
options = field.get('selectValues', [])
all_incidents = [f"{x['name']} - {x['id']}" for x in demisto.executeCommand("getIncidents", {"query": "-status:Closed and type:\"False Positive Parent\""})[0]['Contents']['data']] + options
demisto.results({"hidden": False, "options": all_incidents})
"setLinkedIncident" is:
args = demisto.args()
new = args.get('new', None)
old = args.get('old', None)
incident = demisto.incident()
incident_id = incident.get('investigationId')
incident_name = incident.get('name', '')
custom_fields = incident.get('CustomFields', {})
linked_incidents = incident.get('linkedIncidents', [])
# Remove existing linked incidents0
if new == "None" or old != "None" and linked_incidents:
demisto.executeCommand("linkIncidents", {"incidentId": incident_id, "linkedIncidentIDs": ",".join(linked_incidents), "action": "unlink"})
# If the user requested a new case:
if new == "Create New..." or new != "None":
if new == "Create New...":
new_incident = demisto.executeCommand("createNewIncident", {
"name": f"PARENT: {incident_name}",
"type": "False Positive Parent",
"severity": 1
})[0]['EntryContext']
new_incident = new_incident.get('CreatedIncidentID', None)
demisto.executeCommand("linkIncidents", {"incidentId": incident_id, "linkedIncidentIDs": new_incident, "action": "link"})
new = new_incident
demisto.executeCommand("setIncident", {"falsepositiveparent": f"PARENT: {incident_name} - {new_incident}"})
new = new_incident
return_results(new)
elif new != "None":
new = new.split(" - ")[1]
demisto.executeCommand("linkIncidents", {"incidentId": incident_id, "linkedIncidentIDs": new, "action": "link"})
The above script doesn't contain items such as "closeInvestigation", but could easily include them.
I DO have trouble when using the "Create New..." option. It will create the new incident and assign it, but it won't assign the new value to the field. It has to be assigned manually again. I would suggest having a separate button that is purely used for creating a new incident, perhaps with a few more fields in there.
However, I can link incidents using the dropdown. I think the key here is to link the current incident to the remote incident, not the other way around.
03-22-2021 09:26 AM - edited 03-22-2021 09:40 AM
Another complication is that triggered scripts need to use demisto.investigation()['id'] to get the incident ID. They can't use demisto.incidents()[0]['id']. I was able to use that ID to get linkIncidents to work.
My current problem is using setIncident to update fields from a trigger script. It's fine if the user modifies the field via the GUI, but if a button script modifies the field, then the trigger script locks up when it tries to update an additional field with setIncident. The script just hangs. At that point, the incident is locked up, and it's not even possible to close it.
03-22-2021 10:59 AM
This is a modal window.
Beginning of dialog window. Escape will cancel and close the window.
End of dialog window.
This is a modal window. This modal can be closed by pressing the Escape key or activating the close button.
For the above video I used the following scripts:
"populateParent":
args = demisto.args()
field = args.get('field', {})
options = field.get('selectValues', [])
all_incidents = [f"{x['name']} - {x['id']}" for x in demisto.executeCommand("getIncidents", {"query": "-status:Closed and type:\"False Positive Parent\""})[0]['Contents']['data']] + options
demisto.results({"hidden": False, "options": all_incidents})(Adjust query as you see fit)
"setLinkedIncident":
args = demisto.args()
new = args.get('new', None)
old = args.get('old', None)
incident = demisto.incident()
incident_id = incident.get('investigationId')
incident_name = incident.get('name', '')
custom_fields = incident.get('CustomFields', {})
linked_incidents = incident.get('linkedIncidents', [])
should_close = False
parent_incident = None
# Remove existing linked incidents0
if new == "None" or old != "None" and linked_incidents:
demisto.executeCommand("linkIncidents", {"incidentId": incident_id, "linkedIncidentIDs": ",".join(linked_incidents), "action": "unlink"})
if new == "None":
demisto.executeCommand("setIncident", {"closeNotes": "''", "closeReason": "''"})
# If the user requested a new case:
if new == "Create New..." or new != "None":
if new == "Create New...":
new_incident = demisto.executeCommand("createNewIncident", {
"name": f"PARENT: {incident_name}",
"type": "False Positive Parent",
"severity": 1
})[0]['EntryContext']
new_incident = new_incident.get('CreatedIncidentID', None)
demisto.executeCommand("linkIncidents", {"incidentId": incident_id, "linkedIncidentIDs": new_incident, "action": "link"})
parent_incident = new_incident
shoudl_close = True
elif new != "None":
new = new.split(" - ")[1]
parent_incident = new
should_close = True
demisto.executeCommand("linkIncidents", {"incidentId": incident_id, "linkedIncidentIDs": new, "action": "link"})
if should_close:
demisto.executeCommand("closeInvestigation", {"closeNotes": f"Parent incident {parent_incident}", "closeReason": "Duplicate"})
The "Create New..." I can't seem to create the incident AND set the field at the same time. I would suggest a separate button to create a new parent incident. This could then have more properties the user could manage.
03-22-2021 11:01 AM
This is not usual behaviour and indicates that something maybe sat in a loop in teh script somewhere.
Could you try and set a small timeout for the script (around 5 seconds) and see if the incident locks up for that 5 secs. If so, there is something not executing correctly in the script.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
