How to Find and update existing incidents through Integration


L1 Bithead

Hi,

 

We are providing partner integration for our product and this is the requirement.

My product # generates/creates 'Cases' which are pulled in Cortex XSOAR as incidents using the fetchIncidents call. It might be possible that sometimes a 'Case' in our product gets updated and gets pulled in XSOAR again. The custom attribute used here is caseId.

 

Now I have more than one incident with the same caseId, which is not desirable.

 

What we want to do is to pull the particular incident from XSOAR based on the custom attribute (caseId) and update it rather than creating a new incident. And we need to do it during fetchIncidents itself.

 

I asked this question on Slack and this was suggested to me:

demisto.execute_command("SearchIncidentsV2", {"query": $QUERY})

demisto.execute_command("setIncident", {"id": $ID, $CUSTOM_FIELD_NAME: $CUSTOM_FIELD_VALUE})

The problem with the above scripts is that we can't run them from an integration.

 

 


L4 Transporter

This sounds like a perfect use case for a preprocessing rule.  In this case make sure you've mapped the Case ID from the external system to an XSOAR field (Event ID is a good option), and then use a preprocessing rule to drop new cases for which an existing XSOAR Incident with the same Case ID already exists.

 

We have a video on preprocessing on our XSOAR Engineer Training Series:

https://live.paloaltonetworks.com/t5/cortex-xsoar-how-to-videos/cortex-xsoar-how-to-customer-success...

 

Here are the docs on preprocessing:

 

https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-9/cortex-xsoar-admin/incidents/incident-mana...

https://xsoar.pan.dev/docs/incidents/incident-pre-processing

L4 Transporter

You won't be able to do the update during the fetch Incidents call; it simply doesn't work that way.

 

I'd do a preprocessing rule. If you need to update the existing one, you can run those 2 commands you mentioned as part of a preprocessing script, which is another option on a preprocessing rule.

Thanks for your reply.

I am not able to open the video. It says Access Denied. Is there some other video or other location than what is mentioned above?
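
The update-or-drop decision that the replies above assign to a preprocessing script, as an added example (not code from the thread or from Palo Alto Networks). Assumptions: the custom field's machine name is `caseid`, `run_command` is a hypothetical wrapper around the two commands quoted in the question, the search returns a list of incident dicts with `id` and `CustomFields`, and the returned boolean is what the rule uses to create or drop the incoming incident.

```python
import re

CASE_FIELD = "caseid"  # assumed machine name of the custom field
SAFE_ID = re.compile(r"[A-Za-z0-9_.:-]{1,128}")  # assumed caseId alphabet


def build_query(case_id):
    """Exact-match query; refuse values that could change the query's meaning."""
    if not SAFE_ID.fullmatch(case_id):
        raise ValueError("caseId contains characters outside the allow-list")
    return f'{CASE_FIELD}:"{case_id}"'


def handle_incoming(incoming, run_command):
    """Return True to create the incoming incident, False to drop it.

    run_command(name, args) is a hypothetical wrapper around the two commands
    quoted in the question; for the search it is assumed to return a list of
    incident dicts carrying "id" and "CustomFields".
    """
    fields = incoming.get("CustomFields") or {}
    case_id = str(fields.get(CASE_FIELD) or "").strip()
    if not case_id:
        return True  # nothing to correlate on
    try:
        query = build_query(case_id)
    except ValueError:
        return True  # never search with untrusted syntax; keep it for an analyst
    found = run_command("SearchIncidentsV2", {"query": query})
    # Re-check equality locally in case the search matched more loosely.
    matches = [i for i in found
               if (i.get("CustomFields") or {}).get(CASE_FIELD) == case_id]
    if not matches:
        return True  # first time this case is seen
    target = min(matches, key=lambda i: int(i["id"]))  # assumes numeric ids
    updates = {k: v for k, v in fields.items() if k != CASE_FIELD}
    run_command("setIncident", {"id": target["id"], **updates})
    return False  # duplicate: existing incident updated, new one dropped
```

The caseId originates in the external product, so it is validated before being placed in the search query, and a value that fails validation results in a new incident rather than a silent drop.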
