XSOAR Trigger off reopen incident / close incident

L2 Linker

Onboarding to a new company.
No post processing on incident type (azure sentinel).


When a ticket is closed on the close form, we have a custom "Azure Closure Reason" and "Classification Comment"; based on this we have a script (CloseSentinelCase) that triggers when "Azure Closure Reason" is modified. This script sets the "Close Reason" based on the logic to "Resolved", for example.

When a ticket is reopened, the "Close Reason" is not reset; it stays "Resolved", but Active. This confuses me. Is there any logic we can hang off of when a ticket is reopened to execute scripts? What happens to an incident when a ticket is "reopened"? I can't find any detailed documentation.

Furthermore, when the ticket is then re-closed, the "Close Reason" is wiped and blanked out. Note, the Azure Closure Reason is not modified, so the trigger script from earlier is not called. I cannot figure out what is wiping the "Close Reason". I also can't find any documentation on the close form/close incident button to show what detailed steps are happening.

Trying to figure out specifically what's happening during re-open and close incident. Are there any logs I can look at that spell it out? I tried some of the server logs but they weren't very easy to read.

Any help is greatly appreciated.

Thanks!

Boyd

Accepted Solution

Hello again,

By far the shortest path to a solution would be to use the "Azure Closure Reason" and "Classification Comment" in your reporting and not rely on the "Close Notes" or "Close Reason" fields at all. If you really have to use them, please read on...

The problem here, it seems, is that the incident (when closed) will have already accepted the values for Close Reason and Close Notes regardless of what is in the post-processing script, i.e. they cannot be set by the post-processing script. All other fields seem to be able to be set by the script. I am unsure whether this is a bug or by design.

The workaround (although a little long) is to not let the incident be closed by using the Actions -> Close Incident button but by providing your own button that closes the incident. So as a step by step (as an example):

1). Set the incident type to have a post processing script and use something similar to the below:

# Post-processing script: runs when the incident is closed. If the built-in
# Close Reason / Close Notes were not both populated (the user bypassed the
# "Case Closure" button), abort the closure with an error.
incident = demisto.incident()
close_reason = incident.get('closeReason')
close_notes = incident.get('closeNotes')

if not close_reason or not close_notes:
    return_error("Please do not close this incident manually. Use the button provided in the 'Case Closure' tab")


2). Edit the layout of the incident and, under the "Close" form settings, remove all fields and sections (this prevents the user manually adding Close Notes and Close Reason that do not match up with the Azure Closure Reason and Classification Comment).

3). Add a new tab called "Case Closure" in the incident layout.

4). Add a section and place the "Azure Closure Reason" and "Classification Comment" fields in it. Ensure the tab has "show empty fields" set too.

5). Set the script of the button to be something similar to:

# Button script: close the incident only when both custom fields are set, and
# copy them into the built-in Close Reason / Close Notes during closure.
incident = demisto.incident()
incident_id = incident.get('id')
custom_fields = incident.get('CustomFields') or {}  # may be absent on a fresh incident
azure_close_reason = custom_fields.get('azureclosurereason')
classification_comment = custom_fields.get('classificationcomment')

if not azure_close_reason and not classification_comment:
    return_error("Please ensure you fill out the Azure Closure Reason and Classification Comment")
elif not azure_close_reason:
    return_error("Please ensure you fill out the Azure Closure Reason")
elif not classification_comment:
    return_error("Please ensure you fill out the Classification Comment")
else:
    demisto.executeCommand('closeInvestigation', {'id': incident_id,
                                                  'closeReason': azure_close_reason,
                                                  'closeNotes': classification_comment})

 

6). The script will then close the incident if the Azure Closure Reason and Classification Comment have already been populated. It will copy these values into the Close Reason and Close Notes of the incident during closure.

7). Finally, assign a "field-change-triggered" script to both the "Azure Closure Reason" and "Classification Comment" fields that has something like the following:

# Field-change-triggered script: XSOAR passes the changed field's CLI name
# ('cliName') and its new value ('new'); mirror it into the matching built-in
# close field so the two stay consistent.
args = demisto.args()

field = args.get('cliName')
value = args.get('new')

if field == "azureclosurereason":
    demisto.executeCommand('setIncident', {'closeReason': value})
elif field == "classificationcomment":
    demisto.executeCommand('setIncident', {'closeNotes': value})

This sets the Close Reason and Close Notes based on those fields.

 

 

In the above, this is what happens when a user attempts to click Actions -> Close Incident:

[screenshot omitted]

They then have to populate the fields before using the button:

[screenshot omitted]

Once they are populated, and the button is clicked, it will copy the values into the Close information.
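As an added example, not code from Burt's post or from XSOAR itself: the decision logic of steps 1, 5 and 7 pulled into plain functions, plus a constructed `FakeDemisto` stand-in that records `executeCommand` calls instead of issuing them, so the branches can be unit-tested offline before the automations are uploaded. The field CLI names and command names are the ones used in this thread; `FakeDemisto`, `manual_close_blocked`, `closure_args`, `field_trigger_update` and `close_via_button` are assumed names.

```python
from typing import Dict, List, Optional, Tuple


class FakeDemisto:
    """Constructed stand-in for XSOAR's `demisto` object (only the members the scripts use)."""

    def __init__(self, incident: Dict):
        self._incident = incident
        self.commands: List[Tuple[str, Dict]] = []  # recorded instead of executed

    def incident(self) -> Dict:
        return self._incident

    def executeCommand(self, name: str, args: Dict) -> None:
        self.commands.append((name, args))


def manual_close_blocked(incident: Dict) -> bool:
    """Step 1 guard: True when Close Reason or Close Notes is empty at closure time."""
    return not incident.get('closeReason') or not incident.get('closeNotes')


def closure_args(custom_fields: Dict) -> Tuple[Optional[str], Optional[Dict]]:
    """Step 5 validation: (error message, None) or (None, args for closeInvestigation)."""
    reason = custom_fields.get('azureclosurereason')
    comment = custom_fields.get('classificationcomment')
    missing = [label for label, value in (('Azure Closure Reason', reason),
                                          ('Classification Comment', comment)) if not value]
    if missing:
        return "Please ensure you fill out the " + " and ".join(missing), None
    return None, {'closeReason': reason, 'closeNotes': comment}


def field_trigger_update(cli_name: str, new_value: str) -> Optional[Dict]:
    """Step 7 mapping: setIncident args for a changed custom field, or None if unrelated."""
    targets = {'azureclosurereason': 'closeReason', 'classificationcomment': 'closeNotes'}
    target = targets.get(cli_name)
    return {target: new_value} if target else None


def close_via_button(demisto: FakeDemisto) -> Optional[str]:
    """Button flow: validate the custom fields, then close through `demisto`; returns the error, if any."""
    error, args = closure_args(demisto.incident().get('CustomFields') or {})
    if error:
        return error
    demisto.executeCommand('closeInvestigation', args)
    return None
```

Running the same functions against a `FakeDemisto` built from an exported incident JSON is a quick way to confirm which branch a given ticket would hit before changing the live layout.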


L3 Networker

Hi Boyd,

When the incident is re-opened, the Close Reason and Close Notes retain their values. Depending on how the incident is then closed again, the values may be wiped. If you are using the Close Form, the Close Reason and Close Notes are requested. If they are removed from the form, the values are set to None and these are saved when the incident is then re-closed.

The best method to set these values (if they are not presented during a close form) is to use a script that has the tag "post-processing". This script (when assigned to your incident type) can then copy out the Close Reason and Close Notes from other fields and set them as required.

Thanks Burt, working on this this morning; appreciate the response.

Hi @ABurt,
I created the following post processing script:

------
# Post-processing script: re-apply the existing Close Reason during closure
closeReason = demisto.incidents()[0].get("closeReason")

if closeReason:
    return_results(closeReason)
    return_results("Close Reason is already set and will be re-set during this post processing")
    demisto.executeCommand('setIncident', {'closeReason': closeReason})
-----

I can see that if I run the script in the war room while the ticket's open and "Close Reason" is previously set, it returns the value and also returns a message sharing that it's already set. It looks like the script itself is a success. However, when I close the ticket, the end result is the "Close Reason" is blanked out again.

Question 1. Will post processing log out to the war room? I was hoping I could see my return_results to confirm the steps, but I just see a line that shows post-processing scripts are running.

Question 2. How can I identify what might be happening after the "Close Incident" is clicked on the Close Form? I looked at my fields/buttons and sorted by the column to show triggers; nothing seems to stand out. For the incident type there is no post processing, other than what I just added.

Any additional insight is appreciated, thanks again

