Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

XSOAR getIncidents command

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

XSOAR getIncidents command

Hi community, 

 

I've been making great use of custom scripts to extract reporting metrics that wouldn't have been possible with the built in widgets. But something I've noticed recently is that querying incidents seems to be causing huge spikes in CPU and memory usage. Most of my scripts are querying the previous months worth of incidents, which is only ~2000 incidents. 

Even though I'm doing some processing (parsing datetimes, iterating over lists and dictionaries), I can't see why it should be so resource hungry. The demand of the script itself should be trivial. 

 

The only thing I can think of that might explain the resource drain is executing commands in the scripts. The documentation around that is almost non-existent, but I did find this blog post which suggests that if I pass queries to the getIncidents command, it will ignore the from and to date fields and instead query incident across all time which sounds ridiculous, but if true, might explain why my queries are so hungry. 

Does anyone have a good understanding of how the getIncidents command works under the hood?

 

Anyone had some experience scripting queries that has some pointers about performance? 
 

2 REPLIES 2

L4 Transporter

If you aren't specifying a date range in the from date and to date, then it does default to all time.  This is likely the cause of the resource consumption particularly if you have more than 12 months of Incident data on your system.

 

As you call it, the easiest fix is to tighten your query by adding those arguments.

 

This OOTB script uses the getIncidents command and has alot of different options:

https://xsoar.pan.dev/docs/reference/scripts/search-incidents-summary

 

Basically the getIncidents subscribes to the rules of searching in XSOAR as described here, not sure if there is any better document:

https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.11/Cortex-XSOAR-Administrator-Guide/How-to...

 

Thanks for pointing me toward those other scripts. I'm experimenting with the different options to get an idea on the performance.  

  • 1794 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!