11-23-2022 10:15 PM
Hi,
We are providing partner integration for our product and this is the requirement.
My product # generates/creates 'Cases' which are pulled in Cortex XSOAR as incidents using fetchIncidents call. It might be possible that sometimes a 'Case' in our product gets updated and gets pulled in XSOAR again. The custom attribute used here is caseId.
Now I have more than one incident but with the same caseId, which is not desirable.
What we want to do is to pull the particular incident from XSOAR based on the custom attribute (caseId) and update it rather than creating a new incident. And we need to do it during fetchIncidents itself.
I asked this question on Slack and this was suggested:
demisto.execute_command("SearchIncidentsV2", {"query": $QUERY})
demisto.execute_command("setIncident", {"id": $ID, $CUSTOM_FIELD_NAME: $CUSTOM_FIELD_VALUE})
The problem with the above scripts is that we can't run them from the integration.
11-28-2022 08:07 AM
This sounds like a perfect use case for a preprocessing rule. In this case make sure you've mapped the Case ID from the external system to an XSOAR field (Event ID is a good option), and then use a preprocessing rule to drop new cases for which an existing XSOAR Incident with the same Case ID already exists.
We have a video on preprocessing on our XSOAR Engineer Training Series:
Here are the docs on preprocessing:
https://xsoar.pan.dev/docs/incidents/incident-pre-processing
11-28-2022 08:09 AM
You won't be able to do the update during the fetch Incidents call, it simply doesn't work that way.
I'd do a preprocessing rule, if you need to update the existing one, you can run those 2 commands you mentioned as part of a preprocessing script which is another option on a preprocessing rule.
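The preprocessing-script option described in the reply above, as an added example that is not part of the thread or of XSOAR's shipped content. It assumes the case ID is mapped to a custom field with the CLI name `caseid`, uses the built-in `getIncidents` command for the lookup instead of `SearchIncidentsV2`, and takes the command runner as a parameter so the logic can be exercised outside XSOAR.

```python
# Added example: dedup decision for an XSOAR pre-processing script, written
# without the `demisto` import so it runs offline. Inside XSOAR the script
# body would be:
#   demisto.results(handle_new_case(demisto.incident(), demisto.executeCommand))
# Assumptions: custom field CLI name "caseid"; getIncidents returns its
# matches under entries[0]["Contents"]["data"].

CASE_FIELD = "caseid"  # assumed CLI name of the mapped custom field


def case_id_of(incident):
    return (incident.get("CustomFields") or {}).get(CASE_FIELD)


def handle_new_case(new_incident, execute):
    """Return True to create the incoming incident, False to drop it."""
    case_id = case_id_of(new_incident)
    if not case_id:
        return True  # nothing to correlate on, let it through
    # The case ID comes from an external system: escape it so it stays a
    # quoted literal and cannot widen the search query.
    literal = str(case_id).replace("\\", "\\\\").replace('"', '\\"')
    entries = execute("getIncidents", {"query": f'{CASE_FIELD}:"{literal}"'})
    contents = entries[0].get("Contents") if entries else None
    # An error entry carries a string in Contents: fail open and keep the
    # incoming incident rather than silently dropping it.
    data = contents.get("data") if isinstance(contents, dict) else None
    # Re-check for an exact match instead of trusting the search result.
    matches = [i for i in data or [] if case_id_of(i) == case_id]
    if not matches:
        return True  # first time this case is seen
    existing = min(matches, key=lambda i: int(i["id"]))  # oldest incident wins
    # Copy the refreshed custom fields onto the existing incident by CLI name.
    execute("setIncident", {"id": existing["id"], **new_incident["CustomFields"]})
    return False  # drop the duplicate
```
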
11-28-2022 10:10 PM
Thanks for your reply.
I am not able to open the video. It says Access Denied. Is there some other video or other location than what is mentioned above?