Post-processing script to close XDR alerts from XSOAR in Mirroring Both Direction integration setting.


L4 Transporter

Hello,

We are using XDR with XSOAR in the mirroring-both-directions configuration. It's working. However, incidents created on XSOAR don't close all the XDR alerts related to the incident, so a post-processing script should be written to force them to close. What commands in XSOAR could close them? How do we choose the alerts related to the incident?

Thanks for your time.

3 REPLIES

L4 Transporter

Hi @Josep, from what I see in the current command set there is no command (API) to update or close alerts. I found one for incidents: xdr-update-incident.

I would suggest creating an XDR support case to check whether this is possible or requires a feature request. Once identified, the XSOAR content team can update the integration.

L4 Transporter

There is nothing to close the alerts, but post-processing executes right before an XSOAR incident is closed, so you can use a post-processing script with the xdr-update-incident command as mentioned. Here is an example:

import demistomock as demisto  # provided by the XSOAR runtime

# get the close notes & reason from the XSOAR incident (post-processing script arguments)
close_reason = demisto.args().get("closeReason", "Resolved")
close_notes = demisto.args().get("closeNotes", "No close notes provided")

# get the XDR incident id from the mirrored incident's custom fields
xdrincidentid = demisto.incident().get("CustomFields", {}).get("xdrincidentid", False)

# map XSOAR close reasons to XDR close codes
close_code_map = {
    "False Positive": "RESOLVED_FALSE_POSITIVE",
    "Resolved": "RESOLVED_THREAT_HANDLED",
    "Other": "RESOLVED_OTHER",
    "Duplicate": "RESOLVED_DUPLICATE",
}

if xdrincidentid:
    demisto.results(demisto.executeCommand("xdr-update-incident", {
        "incident_id": xdrincidentid,
        # fall back to RESOLVED_OTHER for close reasons that are not in the map
        "status": close_code_map.get(close_reason, "RESOLVED_OTHER"),
        "resolve_comment": close_notes,
    }))
else:
    demisto.results("No XDR Incident ID found, doing nothing...")
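As an added example (not from this thread or the XDR integration itself), the same post-processing idea with the close-reason mapping pulled into a testable function and the xdr-update-incident result inspected for an error entry, so an unmapped close reason or a failed API call is surfaced rather than silently leaving the XDR incident open. The argument names, custom field name and status values are the ones from the reply above; the `demistomock` import fallback is an assumption for running it outside XSOAR.

```python
# Added example (not the integration's own code): close the mirrored XDR incident and surface failures.
try:
    import demistomock as demisto  # supplied by the XSOAR runtime
except ImportError:  # outside XSOAR (e.g. when unit-testing) there is no runtime object
    demisto = None

CLOSE_CODE_MAP = {
    "False Positive": "RESOLVED_FALSE_POSITIVE",
    "Resolved": "RESOLVED_THREAT_HANDLED",
    "Other": "RESOLVED_OTHER",
    "Duplicate": "RESOLVED_DUPLICATE",
}

def build_update_args(incident, args):
    """Return xdr-update-incident arguments, or None if the incident is not mirrored from XDR.

    Unknown XSOAR close reasons fall back to RESOLVED_OTHER instead of sending status=None."""
    xdr_id = (incident.get("CustomFields") or {}).get("xdrincidentid")
    if not xdr_id:
        return None
    reason = args.get("closeReason") or "Resolved"
    return {
        "incident_id": str(xdr_id),
        "status": CLOSE_CODE_MAP.get(reason, "RESOLVED_OTHER"),
        "resolve_comment": args.get("closeNotes") or "Closed from XSOAR (no close notes provided)",
    }

def failed_entries(results):
    """Return the error entries (XSOAR entry Type 4) from an executeCommand result."""
    if not isinstance(results, list):
        results = [results]
    return [r for r in results if isinstance(r, dict) and r.get("Type") == 4]

def main():
    update_args = build_update_args(demisto.incident(), demisto.args())
    if update_args is None:
        demisto.results("No XDR incident id on this incident, nothing to close")
        return
    res = demisto.executeCommand("xdr-update-incident", update_args)
    errors = failed_entries(res)
    if errors:
        # Return an error entry so the analyst sees that the XDR incident was not closed.
        demisto.results({"Type": 4, "ContentsFormat": "text",
                         "Contents": "xdr-update-incident failed: %s" % errors[0].get("Contents")})
        return
    demisto.results(res)

if __name__ in ("__main__", "__builtin__", "builtins"):
    main()
```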

Thanks for your reply.

We are already using the "xdr-update-incident" command at the very end of the playbook. It should do exactly the same as the post-processing script. However, as I said, it's not closing all the alerts.
