This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Pre Processing script for dropping multiple similar incidents

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Pre Processing script for dropping multiple similar incidents

ymaslovski
L0 Member

‎04-10-2025 01:51 AM

Hi Team,

 

I need to find a way to drop similar events (by eventnames field)  from QRadar when they are mirrored in in XSOAR  by using a pre process rule

 

I have checked for a native approach in Cortex Xsoar to do it but it seems that
Pre-processing rules in XSOAR cannot natively count similar incidents based on a dynamic field like "eventnames over a time window.

 

So I have created a script to do it for me but it doesn't seem to be working as expected (disregard the indentation in the body - can't properly copy it here)

 

I have put some fail safe check because  in XSOAR it says"In order for the script to be dropped, script must return false"

 

Here is the Script:

"""
Pre-processing script to drop newly mirrored in 'Qradar Generic' incidents
if 5 or more similar incidents with the same event name exist in the last 20 minutes.
"""

 

 

def should_drop_incident(incident):
incident_type = incident.get('type')
current_id = incident.get('id')

eventnames = incident.get('eventnames', [])
if isinstance(eventnames, list):
description = eventnames[0].strip() if eventnames else ''
else:
description = str(eventnames).strip()

if incident_type != 'Qradar Generic' or not description:
return True # keep it

query = f'type:"Qradar Generic" and eventnames:"{description}" and created:>=\"20 minutes ago\"'

populate_fields = ['id', 'eventnames']
res = demisto.executeCommand('GetIncidentsByQuery', {
'query': query,
'pageSize': 100,
'populateFields': ','.join(populate_fields)
})

if isError(res[0]):
return_results({"Error": res[0].get("Contents", "Unknown error")})
return True # fail-safe: keep incident

contents = res[0].get('Contents', '')
if isinstance(contents, str):
try:
incidents = json.loads(contents)
except Exception as e:
return_results({"ParseError": str(e)})
return True # fail-safe: keep incident
else:
incidents = contents.get('data', []) if isinstance(contents, dict) else []

matched_ids = [i.get('id') for i in incidents if isinstance(i, dict) and i.get('id') != current_id]
matching_count = len(matched_ids)


return matching_count < 5 # True = keep, False = drop


# Run main logic
drop_incident = should_drop_incident(demisto.incidents()[0])
return_results(drop_incident)

 

I will appreciate any tips on this  or another way to achieve similar effect  in XSoar

Thanks

Yuri

 

0 Likes Likes
0 REPLIES 0
  • 112 Views
  • 0 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks