Hello again, By far the shortest path to a solution would be to use the "Azure Closure Reason" and "Classification Comment" in your reporting and not rely on the "Close Notes" or "Close Reason" fields at all. If you really have to use them, please read on... The problem here, it seems, is that the incident (when closed) will have already accepted the values for Close Reason and Close Notes regardless of what is in the post-processing script. i.e. They cannot be set by the post-processing script. All other fields seem to be able to be set by the script. I am unsure whether this is a bug or by design. The workaround (although a little long) is to not let the incident be closed by using the Actions -> Close Incident button but by providing your own button that closes the incident. So as a step by step (as an example): 1). Set the incident type to have a post processing script and use something similar to the below: args = demisto.args()
incident = demisto.incident()
close_reason = incident.get('closeReason')
close_notes = incident.get('closeNotes')
if not close_reason or not close_notes:
return_error("Please do not close this incident manually. Use the button provided in the 'Case Closure' tab") 2). Edit the layout of the incident and under the "Close" form settings, remove all fields and sections (this prevents the user manually adding Close Notes and Close Reason that do not match up with the Azure Closure Reason and Classification Comment) 3). Add a new tab called "Case Closure" in the incident layout. 4). Add a section and place a the "Azure Closure Reason" and "Classification Comment" fields. Ensure the tab has the "show empty fields" set too. 5). Set the script of the button to be something similar to: incident = demisto.incident()
incident_id = incident.get('id')
custom_fields = incident.get('CustomFields')
azure_close_reason = custom_fields.get('azureclosurereason')
classification_comment = custom_fields.get('classificationcomment')
if not azure_close_reason and not classification_comment:
return_error("Please ensure you fill out the Azure Closure Reason and Classification Comment")
elif not azure_close_reason:
return_error("Please ensure you fill out the Azure Closure Reason")
elif not classification_comment:
return_error("Please ensure you fill out the Classification Comment")
else:
demisto.executeCommand('closeInvestigation', {'closeReason': azure_close_reason, 'closeNotes': classification_comment}) 6). The script will then close the incident if the Azure Closure Reason and Classification Comment have already been populated. It will copy these values into the Close Reason and Close Notes of the incident during closure. 7). Finally, assign a "field-change-triggered" script to both the "Azure Closure Reason" and "Classification Comment" fields that has something like the following: args = demisto.args()
field = args.get('cliName')
value = args.get('new')
if field == "azureclosurereason":
demisto.executeCommand('setIncident', {'closeReason': value})
if field == "classificationcomment":
demisto.executeCommand('setIncident', {'closeNotes': value}) This sets the Close Reason and Close Notes based on those fields. In the above, this is what happens when a user attempt to click the Actions->Close Incident: They then have to populate the fields before using the button: Once they are populated, and the button is clicked, it will copy the values into the Close information.
... View more