Hi everyone,
The task looks simple with "markAsEvidence" but I have to run 2 tasks to get it done. Is there a way to send an entry to the war room and mark it as evidence from the same automation without having to run the automation twice. As it seems an automation can access only the initial state of the the incident that is when automation starts executing, any changes made to the incident will not be available for the same execution context.
Here, I am sending a text to the war room with "evidence" tag and after that trying to get that entry using filters.
```
return_results(CommandResults(readable_output='please find this entry', tags=['evidence']))
entries = demisto.executeCommand('GetEntries', {'tags': 'evidence'})
return_results(entries)
```
with the next execution I try to see if it can pull the entry now
```
entries = demisto.executeCommand('GetEntries', {'tags': 'evidence'})
return_results(entries)
```
As seen from the screenshots, I can't mark that entry as evidence because it doesn't exist for the automation unless I create another task in the work plan only to pull tagged entries.
Hi @EnesOzdemir, this is as designed. Incident data is not update till the automation is complete. So the entry does not exist while the automation is still running. Use the below option.
Mark task output as evidence. Once you call your custom automation inside a task. Go to the Advanced tab and mark the output as evidence. screenshot below.
