Incidents Mass / Multiple "Close" button, field trigger script


L2 Linker

Workflow:
From the Incidents page / table, select multiple incidents.

Click the "Close" button that allows closing multiple incidents at one time.
My close form comes up.  I have a field trigger script on one of the fields.

It doesn't look like that field trigger script is running for any of the incidents selected.

 

For the field trigger script, does anyone know how I would qualify in my script: for each incident selected, do X?

 

Thanks in advance,

Boyd


L2 Linker

Hi Josh, I would need to double-check but I'm not sure if field-trigger scripts will work at all on incident closure. Once the incident is closed, most things lose the ability to execute. A field-trigger script wouldn't be triggered until after the fields are modified, therefore the incident would already be closed.

 

This sounds more like a case for a post-processing script: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/incident-mana...

 

Let me know if that helps.

 

-Lance

Thanks Lance - 
We do have our field change script working currently when closing a single instance.


It even works if you choose the "mass" close button and only select one record.
It's when you select two or more records; it's like it doesn't understand how to reference or loop through the incidents.

I think I would have the same question even if I created a post processing script.
The example here: https://docs.paloaltonetworks.com/cortex/cortex-xsoar/6-6/cortex-xsoar-admin/incidents/incident-mana...

 

How would I loop through for each incident since there would be more than one:

 

inc_id = demisto.incidents()[0].get('id')
 

 

L2 Linker

Update: I did test this, and I am able to get the field-trigger scripts to work even upon batch incident closure from the incidents page.

 

There is no need to change the script as it doesn't run any differently when you're closing multiple incidents. It runs from the scope of each individual incident, i.e. the script will run once per incident.

 

Perhaps there is an issue with the script logic? Maybe the concurrent runs are conflicting somehow? Would you be willing to share the script itself? Please censor anything that would be considered sensitive to you or your organization.

<Update:  Simplified the script>

 

Thanks again, appreciate your help


We have a custom field, sentinelclosereason, in our close form.
There are a few reasons we have this, but ultimately when it changes and the incident is closed, the script below will set the system close reason and close the Sentinel incident.

This works if I close an individual incident directly.

Just trying to debug to see why the multiple case closures aren't setting the close reason and close notes the same.


---Start of Script-----

### Close Sentinel Case
# Field trigger script on the sentinelclosereason field.
# demisto and return_results are injected by the XSOAR server; the explicit
# imports below are what the content repo convention uses and are harmless here.
import demistomock as demisto
from CommonServerPython import *

return_results("Trying close sentinel script")
command_sentinel = "azure-sentinel-update-incident"

# The trigger runs in the scope of the incident whose field changed,
# so incidents()[0] is that incident.
incident = demisto.incidents()[0]
custom_fields = incident.get("CustomFields", {})
external_id = custom_fields.get("externalid")
sentinel_close_reason = custom_fields.get("sentinelclosereason", None)
sentinel_classification_comment = custom_fields.get("sentinelclassificationcomment", None)

# Copy the Sentinel classification comment into the system close notes
# and mark the incident as Resolved.
demisto.executeCommand('setIncident', {'closeNotes': sentinel_classification_comment})
demisto.executeCommand('setIncident', {'closeReason': "Resolved"})

----END----
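A more defensive version of that field trigger, covering both the "how do I handle each incident" question earlier in the thread and the script above. This is an added example, not code from the thread; it assumes the trigger receives the changed value in demisto.args()['new'] and that setIncident accepts an id argument. The decision logic is kept in a plain function so it can be tested without an XSOAR server.

```python
"""Field-trigger script for the sentinelclosereason field (constructed example)."""
try:
    import demistomock as demisto          # provided by the XSOAR server / content repo
    from CommonServerPython import return_results
except ImportError:                        # keeps the logic importable for offline tests
    demisto = None

    def return_results(result):
        print(result)


def build_close_updates(incident, args):
    """Work out the setIncident arguments for one incident.

    incident: one entry of demisto.incidents(); args: demisto.args() of the
    field trigger (assumed keys 'new'/'old'). The value passed in 'new' is
    preferred because on bulk close the CustomFields copy may already be
    empty, which is the failure mode the thread describes.
    """
    fields = incident.get("CustomFields") or {}
    reason = args.get("new") or fields.get("sentinelclosereason")
    if not reason:
        return None          # trigger fired without a usable value: do nothing
    updates = {"id": incident.get("id"), "closeReason": "Resolved"}
    comment = fields.get("sentinelclassificationcomment")
    if comment:
        updates["closeNotes"] = comment
    return updates


def main():
    # The trigger runs once per incident, so incidents() normally holds one
    # entry; iterating still handles any case where several are passed.
    for inc in demisto.incidents():
        updates = build_close_updates(inc, demisto.args() or {})
        if updates is None:
            demisto.debug("sentinelclosereason trigger: no close reason on %s" % inc.get("id"))
            continue
        demisto.executeCommand("setIncident", updates)
        return_results("Close fields set on incident %s" % updates["id"])


if __name__ in ("__main__", "__builtin__", "builtins"):
    main()
```

Logging the skipped case through demisto.debug leaves a trace in the server log when a bulk close hands the trigger an empty value, which is the first thing to check before opening a support ticket.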

L2 Linker

Ok, I have tried various things to get this to work. I was able to reproduce what you were seeing, with it working on a single incident but not multiple. Unfortunately that may be a bug. I noticed in the war room of each respective incident, there is an entry saying the close notes were modified, but it isn't actually modified. You are welcome to report it via support.paloaltonetworks.com

 

As far as other options, I also tried this in a post-processing script, but fields are kind of locked into a limbo state during post-processing and can't really be changed. If you attempt to set them, they just return to what they were prior to being set.

 

I unfortunately am not able to come up with any way to get this working as far as your current flow goes.

L2 Linker

Thanks again, I'll open a ticket with support.

I received the below response from support and they recommended I re-reach out to the Live community.

===Response==
I synced with the team and this appears to be working as expected as the bulk close flow will post the closeNotes and closeReason to the values set during the incident closure. It performs a get args in the background and then once the script has completed, since the args are originally empty, once the incident is closed, it's wiped from context which is why it's not being populated.


They have requested you open a feature request via http://xsoar.ideas.aha.io/ if you would like this flow altered.

Some potential workarounds would be:
1. Set the close reason and notes before closing multiple incidents - manually or via playbook.
2. Add close reason and notes to your close layout and use a field change script on sentinelclosereason & sentinel_classification_comment to populate the close reason and notes on change.

If you need assistance with these workarounds, I would suggest reaching out to the team via the live community as this then treads into implementation.

======
Option 2 doesn't make sense to me since I already have the field trigger script executing, though I don't have close reason and close notes on the form. Not sure if anyone could expand on that.

Option 1: How would I action the suggestion into a playbook?
I think of a playbook as executing once the incident is created. Can I call a button to execute a separate playbook for closing?

Thanks again
