@alan.chan, there is a built-in parent-child hierarchy available in XSOAR, with the option to create child Investigations with the command !addChildInvestigation. However, I would not recommend this option as it is very limited. It is intended to be used if you need to run other playbooks and tasks in parallel within the same incident and to conduct parallel investigations with separate evidence and war-room.

Outside of that, unfortunately, there is no built-in parent-child hierarchy available for linked incidents. However, we can add this functionality to incidents in a relatively simple manner as follows:
1. Create a custom incident field that tags the incident as Parent or Child, let's call it incidenthierarchy.
2. Create the child incidents from the parent incident, specifying the incidenthierarchy field as Child accordingly. Link them to the parent once created e.g.:
!createNewIncident name="Test Child1" incidenthierarchy=Child type=Unclassified
!linkIncidents incidentId=${incident.id} linkedIncidentIDs=${CreatedIncidentID}

3. Configure a post-processing script that closes all linked incidents when the parent is closed, and sets the close code and close notes the same as the parent (see attached script).

Let me know if you have any questions.

Abel
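
The post-processing logic from step 3, as an added example (this is not the script attached to the post): it closes every incident linked to a closing parent with the parent's close code and notes. It assumes the XSOAR `demisto` object's `incident()`, `args()` and `executeCommand("closeInvestigation", ...)` calls, the `closeReason` and `closeNotes` post-processing arguments, and the custom field value `Parent`; `FakeDemisto` and the incident data are constructed so the logic runs offline.

```python
ERROR_ENTRY = 4  # XSOAR entry type for errors (entryTypes["error"])


def close_linked_children(demisto):
    """Close incidents linked to a closing Parent; return (closed, failed) ids."""
    incident = demisto.incident()
    custom = incident.get("CustomFields") or {}
    # Assumption: only the incident tagged Parent propagates its closure.
    # Children are linked back to the parent, so without this guard a closing
    # child would close its parent and siblings.
    if custom.get("incidenthierarchy") != "Parent":
        return [], []
    args = demisto.args()  # close form values handed to post-processing scripts
    closed, failed = [], []
    for linked_id in incident.get("linkedIncidents") or []:
        entries = demisto.executeCommand("closeInvestigation", {
            "id": linked_id,
            "closeReason": args.get("closeReason"),
            "closeNotes": args.get("closeNotes"),
        })
        # Record failures so a child left open is visible, not silent.
        is_error = any(e.get("Type") == ERROR_ENTRY for e in entries or [])
        (failed if is_error else closed).append(linked_id)
    return closed, failed


class FakeDemisto:
    """Constructed stand-in for the XSOAR `demisto` object, for offline runs."""

    def __init__(self, incident, args, failing_ids=()):
        self._incident, self._args = incident, args
        self._failing, self.calls = set(failing_ids), []

    def incident(self):
        return self._incident

    def args(self):
        return self._args

    def executeCommand(self, command, command_args):
        self.calls.append((command, command_args))
        entry_type = ERROR_ENTRY if command_args["id"] in self._failing else 1
        return [{"Type": entry_type, "Contents": "constructed"}]


if __name__ == "__main__":
    parent = {"id": "100", "CustomFields": {"incidenthierarchy": "Parent"},
              "linkedIncidents": ["101", "102"]}
    fake = FakeDemisto(parent, {"closeReason": "Resolved", "closeNotes": "done"}, ["102"])
    print(close_linked_children(fake))
```

Inside XSOAR, drop `FakeDemisto` and the `__main__` block and call `close_linked_children(demisto)` from the automation attached as the post-processing script of the parent's incident type.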
