How to set a war room entry as evidence from a single automation

L3 Networker

Hi everyone,

 

The task looks simple with "markAsEvidence" but I have to run 2 tasks to get it done. Is there a way to send an entry to the war room and mark it as evidence from the same automation without having to run the automation twice? As it seems an automation can access only the initial state of the incident, that is when the automation starts executing, any changes made to the incident will not be available for the same execution context.

 

 

Here, I am sending a text to the war room with "evidence" tag and after that trying to get that entry using filters.

```python
# Standard XSOAR automation imports (implicit in the server editor).
import demistomock as demisto
from CommonServerPython import *

# Post a war-room entry tagged "evidence", then try to read it back
# within the same automation run.
return_results(CommandResults(readable_output='please find this entry', tags=['evidence']))
entries = demisto.executeCommand('GetEntries', {'tags': 'evidence'})
return_results(entries)
```

EnesOzdemir_0-1673605185180.png

 

with the next execution I try to see if it can pull the entry now

```python
import demistomock as demisto
from CommonServerPython import *

# Second, separate run: fetch entries tagged "evidence".
entries = demisto.executeCommand('GetEntries', {'tags': 'evidence'})
return_results(entries)
```

 

EnesOzdemir_1-1673605250812.png

 

 

As seen from the screenshots, I can't mark that entry as evidence because it doesn't exist for the automation unless I create another task in the work plan only to pull tagged entries.

Accepted Solutions

L3 Networker

I found a way to mark entries as evidence by using the api

 

```python
import demistomock as demisto
from CommonServerPython import *

# Create the entry through the REST API (Demisto REST API integration)
# so it exists immediately, then mark it as evidence in the same run.
investigation_id = demisto.investigation().get('id')
res = execute_command('demisto-api-post', {'uri': 'entry', 'body': {'data': 'please mark this entry as evidence', 'investigationId': investigation_id}})
entry_id = res.get('response').get('id')
execute_command('markAsEvidence', {'id': entry_id, 'description': 'myevidence'})
```
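
The same create-then-mark sequence, wrapped as an added example that is not part of the original post: the executor is injected (pass CommonServerPython's `execute_command` inside XSOAR) and the API response is checked before `markAsEvidence` is called, so a failed create never marks a missing entry. `add_evidence_entry` and `FakeXsoar` are names chosen for this example; the command names and argument keys are the ones from the accepted answer.

```python
from typing import Any, Callable, Dict

# Command runner signature: execute(command_name, args) -> result, i.e.
# the shape of CommonServerPython's execute_command.
Executor = Callable[[str, Dict[str, Any]], Any]


def add_evidence_entry(execute: Executor, investigation_id: str,
                       text: str, description: str) -> str:
    """Create a war-room entry through the REST API and mark it as evidence.

    Returns the id of the new entry. Raises ValueError when the API
    response carries no entry id, so a failed create is never followed
    by a markAsEvidence call against a missing entry.
    """
    if not investigation_id:
        raise ValueError("investigation id is required")
    # demisto-api-post writes the entry immediately, unlike
    # return_results, whose entry is persisted only after the
    # automation finishes.
    res = execute("demisto-api-post", {
        "uri": "entry",
        "body": {"data": text, "investigationId": investigation_id},
    })
    entry_id = ((res or {}).get("response") or {}).get("id")
    if not entry_id:
        raise ValueError(f"entry was not created: {res!r}")
    execute("markAsEvidence", {"id": entry_id, "description": description})
    return entry_id


class FakeXsoar:
    """Constructed stand-in for the XSOAR command runner (offline only)."""

    def __init__(self) -> None:
        self.calls = []      # (command, args) in the order issued
        self.evidence = {}   # entry id -> evidence description

    def __call__(self, command: str, args: Dict[str, Any]) -> Any:
        self.calls.append((command, args))
        if command == "demisto-api-post" and args.get("uri") == "entry":
            return {"response": {"id": "42@1"}}   # constructed entry id
        if command == "markAsEvidence":
            self.evidence[args["id"]] = args["description"]
            return None
        raise ValueError(f"unexpected command {command!r}")
```

Inside an automation, call `add_evidence_entry(execute_command, demisto.investigation().get('id'), text, description)`; the fake runner exists only to exercise the ordering and error path offline.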

 

 

3 REPLIES


L5 Sessionator

Hi @EnesOzdemir, this is as designed. Incident data is not updated until the automation is complete, so the entry does not exist while the automation is still running. Use the option below.

 

Mark task output as evidence. Once you call your custom automation inside a task, go to the Advanced tab and mark the output as evidence. Screenshot below.

Screen Shot 2023-01-17 at 12.09.12 pm.png

 

L0 Member

Click mark as evidence and turn off quiet mode. Results should now show in the evidence board.
