This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Incident Parent-Child Relationship

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Incident Parent-Child Relationship

alan.chan
L1 Bithead

‎10-21-2024 03:06 PM - edited ‎10-21-2024 03:08 PM

I'm looking to establish a hierarchical relationship for linking incidents in XSOAR, specifically a parent-child structure. Currently, the platform allows for linking incidents without hierarchy and creating child incidents under a parent ticket. However, it does not permit linking existing incidents as children.

 

Is there a way to add existing incidents as child tickets under a parent ticket so that when the parent ticket is closed, all associated child incidents are also closed (similar to how ServiceNow handles parent-child incidents)? Would I need to create custom scripts and playbooks to achieve this functionality, or is there a native solution available?

 

I appreciate any insights or suggestions!

0 Likes Likes
3 REPLIES 3

AbelSantamarina
L3 Networker

‎10-30-2024 10:30 AM

@alan.chan , there is a built-in parent-child hierarchy available in XSOAR, with the option to create child Investigations with the command !addChildInvestigation. However, I would not recommend this option as it is very limited. It is intended to be used if you need to run other playbooks and tasks in parallel within the same incident and to conduct parallel investigations with separate evidence and war-room.

 

Outside of that, unfortunately, there is no built-in parent-child hierarchy available for linked incidents. However, we can add in a relatively simple manner this functionality to incidents by:
1. Create a custom incident field that tags the incident as Parent or Child, let's call it incidenthierarchy.
2. Create the child incidents from the parent incident, specifying the incidenthierarchy field as Child accordingly. Link them to the parent once created e.g.:
!createNewIncident name="Test Child1" incidenthierarchy=Child type=Unclassified
!linkIncidents incidentId=${incident.id} linkedIncidentIDs=${CreatedIncidentID}

3. Configure a post-processing script that closes all linked incidents when the parent is closed, and sets the close code and close notes the same as the parent (see attached script).

 

Let me know if you have any questions.

Abel

Preview file
57 KB
Preview file
45 KB
Preview file
25 KB
Preview file
79 KB
CloseLinkedIncidentsOnClose.zip
0 Likes Likes

alan.chan
L1 Bithead
In response to AbelSantamarina

‎10-30-2024 12:35 PM

This is how I have it set up. Thanks!

AbelSantamarina
L3 Networker
In response to alan.chan

‎10-31-2024 06:18 AM

@alan.chan, if you are satisfied with our response, please accept the response as solution to acknowledge that the answer to your question has been provided and help others find the information faster. 
Thank you for your collaboration.

0 Likes Likes
  • 430 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks