Need help on this XSOAR Weird behavior on preprocessing scripts


Hi All!

 

I developed a preprocessing script and it's working fine in our dev XSOAR environment but not working in prod for some reason.

By looking at the log in detail, I found some nuances that I can't explain.
Both prod and dev run the same code, and I am sure the data is there in prod as well.
Here is the comparison. This is the log from prod:

 

2026-02-27 21:44:16.1898 debug Accepted module: InnerServicesModule, brand: Builtin  (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/module.go:162)
2026-02-27 21:44:16.1904 debug Searching incidents for dbotMirrorId:6864136729 [from: 0001-01-01T00:00:00Z to: 0001-01-01T00:00:00Z] (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/repo/logicalRepo/incident.go:228)
2026-02-27 21:44:16.1905 debug incident find query &{Match:6864136729 FieldVal:dbotMirrorId Analyzer: BoostVal:<nil> Prefix:0 Fuzziness:0 Operator:0} (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/repo/logicalRepo/incident.go:264)
2026-02-27 21:44:16.1905 debug Find restricted investigations: Took 215ns (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/util/executils/system.go:67)
2026-02-27 21:44:16.2002 debug Filtering restricted investigations against user DBot (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/repoDB/elasticRepo/investigation.go:437)
2026-02-27 21:44:16.2167 debug dockerCodeLoop for script: SearchIncidentsV2 ended.: Took 32.750592ms (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/util/executils/system.go:67)
2026-02-27 21:44:16.2170 debug Docker Code Run for script: SearchIncidentsV2 ended.: Took 34.023879ms (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/util/executils/system.go:67)
2026-02-27 21:44:16.2171 debug SearchIncidentsV2 Done (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/ser


This is the log from the dev instance, which is working well:

2026-02-27 22:17:51.8953 debug Started docker code loop for SearchIncidentsV2 (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:817)
2026-02-27 22:17:51.8961 debug (SearchIncidentsV2) pack id = Base, pack version = 1.41.64 (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983)
2026-02-27 22:17:51.8988 debug (SearchIncidentsV2) pack id = Tiktok, pack version = 1.0.0 (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983)
2026-02-27 22:17:51.8998 debug (SearchIncidentsV2) pack id = CommonScripts, pack version = 1.20.82 (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983)
2026-02-27 22:17:51.9030 debug Going to execute command: getIncidents (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/module.go:139)
2026-02-27 22:17:51.9033 debug Accepted module: InnerServicesModule, brand: Builtin  (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/module.go:162)
2026-02-27 22:17:51.9042 debug Searching incidents for dbotMirrorId:6864136729 [from: 2026-01-28T22:17:51Z to: 0001-01-01T00:00:00Z] (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/repo/logicalRepo/incident.go:228)
2026-02-27 22:17:51.9044 debug incident find query &{Conjuncts:[0xc1f7773c20 0xc02b4ba060] BoostVal:<nil> queryStringMode:false} (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/repo/logicalRepo/incident.go:264)
2026-02-27 22:17:51.9044 debug Find restricted investigations: Took 190ns (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/util/executils/system.go:67)
2026-02-27 22:17:51.9699 debug (SearchIncidentsV2) Amount of incidents before filtering = 21 with args {'fromdate': '2026-01-28T22:17:51.902237', 'limit': '100', 'query': 'dbotMirrorId:6864136729'} before pagination (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983)
2026-02-27 22:17:51.9701 debug (SearchIncidentsV2) incident_id='1273324', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983)
2026-02-27 22:17:51.9704 debug (SearchIncidentsV2) incident_id='1273323', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983)
2026-02-27 22:17:51.9706 debug (SearchIncidentsV2) incident_id='1272692', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983)
2026-02-27 22:17:51.9707 debug (SearchIncidentsV2) incident_id='1272690', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983)
2026-02-27 22:17:51.9709 debug (SearchIncidentsV2) incident_id='1272688', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983)
2026-02-27 22:17:51.9711 debug (SearchIncidentsV2) incident_id='1272679', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983)
2026-02-27 22:17:51.9712 debug (SearchIncidentsV2) incident_id='1272675', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983)
2026-02-27 22:17:51.9714 debug (SearchIncidentsV2) incident_id='1272611', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983)
2026-02-27 22:17:51.9716 debug (SearchIncidentsV2) incident_id='1272608', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983)
2026-02-27 22:17:51.9717 debug (SearchIncidentsV2) incident_id='1272603', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983)
2026-02-27 22:17:51.9719 debug (SearchIncidentsV2) incident_id='1272599', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983)
2026-02-27 22:17:51.9721 debug (SearchIncidentsV2) incident_id='1272593', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983)
2026-02-27 22:17:51.9722 debug (SearchIncidentsV2) incident_id='1272589', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983)
2026-02-27 22:17:51.9724 debug (SearchIncidentsV2) incident_id='1272586', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983)
2026-02-27 22:17:51.9725 debug (SearchIncidentsV2) incident_id='1272583', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983)
2026-02-27 22:17:51.9727 debug (SearchIncidentsV2) incident_id='1272579', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983)
2026-02-27 22:17:51.9728 debug (SearchIncidentsV2) incident_id='1272576', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983)
2026-02-27 22:17:51.9730 debug (SearchIncidentsV2) incident_id='1272573', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983)
2026-02-27 22:17:51.9731 debug (SearchIncidentsV2) incident_id='1272567', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983)
2026-02-27 22:17:51.9733 debug (SearchIncidentsV2) incident_id='1272564', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983)
2026-02-27 22:17:51.9735 debug (SearchIncidentsV2) incident_id='1272557', incident_type='Meego Tickets' (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983)
2026-02-27 22:17:51.9739 debug (SearchIncidentsV2) Amount of incidents after filtering = 21 before pagination (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983)
2026-02-27 22:17:51.9741 info (SearchIncidentsV2) Setting todate argument to be 2026-02-27T20:31:39.665915978Z to avoid duplications (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:979)
2026-02-27 22:17:51.9823 debug (SearchIncidentsV2) amount of all the incidents that were found 21 (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/services/automation/dockercoderunner.go:983)
2026-02-27 22:17:52.0610 debug dockerCodeLoop for script: SearchIncidentsV2 ended.: Took 165.693347ms (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/util/executils/system.go:67)
2026-02-27 22:17:52.0614 debug Docker Code Run for script: SearchIncidentsV2 ended.: Took 166.841068ms (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/xsoar/server/util/executils/system.go:67)
2026-02-27 22:17:52.0614 debug SearchIncidentsV2 Done (source: /builds/GOPATH/src/gitlab.xdr.pan.local/xdr/x

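Here is the script:

```python
import json

# Standard XSOAR content header; the platform provides these at runtime.
import demistomock as demisto  # noqa: F401
from CommonServerPython import *  # noqa: F401


def main():
    # A pre-processing script receives the incoming incident as the first element.
    incident = demisto.incidents()[0]
    ticket_number = incident.get('CustomFields', {}).get('ticketnumber')
    if ticket_number:
        # Search for existing incidents mirrored from the same ticket.
        query = f'dbotMirrorId:{ticket_number}'
        res = demisto.executeCommand('SearchIncidentsV2', {'query': query, 'fromDate': '30 days ago'})
        demisto.info(f"INCOMING PRE-PROCESS SearchIncidentsV2_1 indent length: {len(res)}")
        demisto.info(f"INCOMING PRE-PROCESS SearchIncidentsV2_1 indent: {json.dumps(res, indent=4)}")
        if res and res[0].get('Contents', {}):
            # The search returned contents: report False (drop the incoming incident).
            return_results(False)
        return
    # No ticket number on the incident: report True (create the incident).
    return_results(True)


if __name__ in ('__main__', '__builtin__', 'builtins'):
    main()
```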

 

As you can see, the script is just running the `SearchIncidentsV2` command.

When I compare the log between prod and dev, I found a line that only exists in prod:

`2026-02-27 21:44:16.2002 debug Filtering restricted investigations against user DBot`
I am thinking there might be some configuration in prod that differs from dev, with more restricted permissions, that causes the filtering; other than that, I don't know what else can explain the difference.
I manually triggered the same command in the prod playground, and it also worked well.

I also set the Roles to Administrator, and Run as Administrator doesn't work.
I have been stuck on this problem for a week and hope someone could shed some light on it!
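An added example, not part of the original post: a small Python helper that masks timestamps and durations in the two log excerpts, lists the messages that appear on only one side, and extracts the time window each incident search ran with. The sample lines are constructed by abridging the excerpts above; the function names are this example's own.

```python
import re

# Constructed sample: lines abridged from the two excerpts in the post,
# with the long "(source: ...)" paths shortened to the file name.
PROD = """\
2026-02-27 21:44:16.1904 debug Searching incidents for dbotMirrorId:6864136729 [from: 0001-01-01T00:00:00Z to: 0001-01-01T00:00:00Z] (source: incident.go:228)
2026-02-27 21:44:16.1905 debug Find restricted investigations: Took 215ns (source: system.go:67)
2026-02-27 21:44:16.2002 debug Filtering restricted investigations against user DBot (source: investigation.go:437)
2026-02-27 21:44:16.2167 debug dockerCodeLoop for script: SearchIncidentsV2 ended.: Took 32.750592ms (source: system.go:67)
"""
DEV = """\
2026-02-27 22:17:51.9042 debug Searching incidents for dbotMirrorId:6864136729 [from: 2026-01-28T22:17:51Z to: 0001-01-01T00:00:00Z] (source: incident.go:228)
2026-02-27 22:17:51.9044 debug Find restricted investigations: Took 190ns (source: system.go:67)
2026-02-27 22:17:51.9739 debug (SearchIncidentsV2) Amount of incidents after filtering = 21 before pagination (source: dockercoderunner.go:983)
2026-02-27 22:17:52.0610 debug dockerCodeLoop for script: SearchIncidentsV2 ended.: Took 165.693347ms (source: system.go:67)
"""

LINE = re.compile(r"^\S+ \S+ \w+ (.*?)\s*\(source: [^)]*\)\s*$")
WINDOW = re.compile(r"Searching incidents for (\S+) \[from: (\S+) to: (\S+)\]")
GO_ZERO_TIME = "0001-01-01T00:00:00Z"  # how an unset Go time.Time prints

def messages(log):
    # Log messages with timestamps and durations masked, so only structure differs.
    out = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            msg = re.sub(r"Took [\d.]+[a-zµ]+", "Took <t>", m.group(1))
            out.append(re.sub(r"\d{4}-\d\d-\d\dT[\d:.]+Z?", "<ts>", msg))
    return out

def only_in(a, b):
    # Messages present in log a but absent from log b, in log order.
    seen = set(messages(b))
    return [m for m in messages(a) if m not in seen]

def search_window(log):
    # Query and time bounds of the incident search; None means no bound was set.
    m = WINDOW.search(log)
    if not m:
        return None
    query, start, end = m.groups()
    unset = lambda t: None if t == GO_ZERO_TIME else t
    return {"query": query, "from": unset(start), "to": unset(end)}

if __name__ == "__main__":
    print("only in prod:", only_in(PROD, DEV), search_window(PROD))
    print("only in dev: ", only_in(DEV, PROD), search_window(DEV))
```

On these lines it reports the restricted-investigations message as prod-only, and it also shows that the prod search ran with no `from` bound while the dev search carried `2026-01-28T22:17:51Z`.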

 

 

 

 

 
