Hi! Sorry for the long delay. You can carry out the whole process using a single drop-down menu. I had created:

- A field named "False Positive Parent"
- The field was a "single select" field with the values: "None,Create New..."
- It is set to "Run triggered script after incident is modified"
- It has a field display script called "populateParent" (described below)
- It has a field value change script called "setLinkedIncident" (described below)

"populateParent" is:

    args = demisto.args()
    field = args.get('field', {})
    options = field.get('selectValues', [])
    # Fetch every open "False Positive Parent" incident
    open_parents = demisto.executeCommand("getIncidents", {"query": "-status:Closed and type:\"False Positive Parent\""})[0]['Contents']['data']
    # Offer each one as "<name> - <id>", followed by the static options
    all_incidents = [f"{x['name']} - {x['id']}" for x in open_parents] + options
    demisto.results({"hidden": False, "options": all_incidents})

"setLinkedIncident" is:

    args = demisto.args()
    new = args.get('new', None)
    old = args.get('old', None)
    incident = demisto.incident()
    incident_id = incident.get('investigationId')
    incident_name = incident.get('name', '')
    custom_fields = incident.get('CustomFields', {})
    linked_incidents = incident.get('linkedIncidents', [])
    # Remove existing linked incidents (only when there is something to unlink)
    if (new == "None" or old != "None") and linked_incidents:
        demisto.executeCommand("linkIncidents", {"incidentId": incident_id, "linkedIncidentIDs": ",".join(linked_incidents), "action": "unlink"})
    # If the user requested a new case:
    if new == "Create New...":
        new_incident = demisto.executeCommand("createNewIncident", {
            "name": f"PARENT: {incident_name}",
            "type": "False Positive Parent",
            "severity": 1
        })[0]['EntryContext']
        new_incident = new_incident.get('CreatedIncidentID', None)
        demisto.executeCommand("linkIncidents", {"incidentId": incident_id, "linkedIncidentIDs": new_incident, "action": "link"})
        demisto.executeCommand("setIncident", {"falsepositiveparent": f"PARENT: {incident_name} - {new_incident}"})
        new = new_incident
        return_results(new)
    # If the user picked an existing parent from the list:
    elif new != "None":
        # The option is "<name> - <id>"; split from the right so a name containing " - " still yields the id
        new = new.rsplit(" - ", 1)[1]
        demisto.executeCommand("linkIncidents", {"incidentId": incident_id, "linkedIncidentIDs": new, "action": "link"})

The above script doesn't contain items such as "closeInvestigation", but could easily include them.

I DO have trouble when using the "Create New..." option. It will create the new incident and assign it, but it won't assign the new value to the field. It has to be assigned manually again. I would suggest having a separate button that is purely used for creating a new incident, perhaps with a few more fields in there. However, I can link incidents using the dropdown.

I think the key here is to link the current incident to the remote incident, not the other way around.