11-22-2022 09:25 AM
Hello,
We are using XDR with XSOAR mirroring configured in both directions. It's working. However, incidents created on XSOAR don't close all the XDR alerts related to the incident. So a post-script should be done to force them to close. What commands in XSOAR could make them close? How do we choose the alerts related to the incident?
Thanks for your time.
11-22-2022 06:04 PM
Hi @Josep, from what I see in the current command set there is no command (API) to update or close alerts. I found one for incidents: xdr-update-incident.
I would suggest creating an XDR support case to check whether this is possible or requires a feature request. Once identified, the XSOAR content team can update the integration.
11-28-2022 08:17 AM
There is nothing to close the alerts, but post-processing executes right before an XSOAR Incident is closed, so you can use a post-processing script with the xdr-update-incident command as mentioned. Here is an example:
```python
# get the close notes & reason from the XSOAR Incident
close_reason = demisto.args().get("closeReason", "Resolved")
close_notes = demisto.args().get("closeNotes", "No close notes provided")
# get the xdr incident id
xdrincidentid = demisto.incident().get("CustomFields", {}).get("xdrincidentid", False)
# map XSOAR close reasons to XDR close codes
close_code_map = {
    "False Positive": "RESOLVED_FALSE_POSITIVE",
    "Resolved": "RESOLVED_THREAT_HANDLED",
    "Other": "RESOLVED_OTHER",
    "Duplicate": "RESOLVED_DUPLICATE"
}
if xdrincidentid:
    demisto.results(demisto.executeCommand("xdr-update-incident", {
        "incident_id": xdrincidentid,
        # fall back to RESOLVED_OTHER so an unmapped close reason does not send status=None
        "status": close_code_map.get(close_reason, "RESOLVED_OTHER"),
        "resolve_comment": close_notes
    }))
else:
    demisto.results("No XDR Incident ID found, doing nothing...")
```
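As an added illustration (not the poster's script, nor Palo Alto's own code), the same post-processing logic split into pure functions so the close-reason mapping and the error handling of the xdr-update-incident call can be tested outside XSOAR. It assumes the XSOAR script environment, where `demisto` is a global, and the `xdrincidentid` custom field and command arguments named in the thread.

```python
# Added example: post-processing close of the mirrored XDR incident, written so the
# decision logic is testable offline. Assumes the XSOAR script environment (global
# `demisto`) and the xdr-update-incident command from the Cortex XDR integration.

# XSOAR close reason -> XDR resolution status; anything unmapped becomes RESOLVED_OTHER
CLOSE_CODE_MAP = {
    "False Positive": "RESOLVED_FALSE_POSITIVE",
    "Resolved": "RESOLVED_THREAT_HANDLED",
    "Other": "RESOLVED_OTHER",
    "Duplicate": "RESOLVED_DUPLICATE",
}
ERROR_ENTRY_TYPE = 4  # XSOAR entry type of an error result returned by executeCommand


def map_close_code(close_reason):
    """Translate an XSOAR close reason to the XDR status string."""
    return CLOSE_CODE_MAP.get(close_reason, "RESOLVED_OTHER")


def build_update_args(incident, close_reason, close_notes):
    """Return the xdr-update-incident arguments, or None when the XSOAR incident
    carries no mirrored XDR incident id (nothing to close on the XDR side)."""
    xdr_id = (incident.get("CustomFields") or {}).get("xdrincidentid")
    if not xdr_id:
        return None
    return {
        "incident_id": str(xdr_id),
        "status": map_close_code(close_reason),
        "resolve_comment": close_notes or "No close notes provided",
    }


def run_post_processing(incident, args, execute_command):
    """Close the mirrored XDR incident; returns (ok, message).
    `execute_command` is injected so the logic runs without XSOAR in tests."""
    update_args = build_update_args(incident, args.get("closeReason", "Resolved"),
                                    args.get("closeNotes"))
    if update_args is None:
        return False, "No XDR Incident ID found, doing nothing..."
    entries = execute_command("xdr-update-incident", update_args) or []
    failures = [e.get("Contents") for e in entries if e.get("Type") == ERROR_ENTRY_TYPE]
    if failures:
        return False, "xdr-update-incident failed: %s" % "; ".join(map(str, failures))
    return True, "XDR incident %s set to %s" % (update_args["incident_id"], update_args["status"])


def main():
    # Entry point inside XSOAR, where `demisto` is supplied by the platform.
    ok, message = run_post_processing(demisto.incident(), demisto.args(), demisto.executeCommand)
    demisto.results(message)


if __name__ in ("__main__", "builtin", "builtins"):
    main()
```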
11-29-2022 02:44 AM
Thanks for your reply.
We are already using "xdr-update-incident" command completely at the end of the playbook. It should do exactly the same as the post-script. However, as I said, it's not closing all the alerts.