About DZerkle

Interesting, as I've noticed some differences between XSOAR and that guide.   For instance, that guide lists tables as extended (not basic), but XSOAR does support Markdown tables.   Also, that guide is sometimes vague.  For instance, it notes that some Markdown applications support some HTML tags.  I'd rather not engage in trial-and-error to figure out which ones I can use.  Is there a comprehensive guide to the Markdown used in XSOAR? ... View more

The timeouts for all the scripts are set to the default, 180 seconds.  The lockup seems to be forever.   I've asked our admin to file a support ticket to get help closing the broken incidents. ... View more

Also, I'm very impressed that your triggered script in the video managed to close the incident.  On reading the documentation for trigger scripts, I see that " Trigger scripts cannot close incidents.". ... View more

Yes, I created a new button for the "Create new parent" thing.  I tried to do it via the triggered script.  I could get it to link to create the new incident and to link to it (using demisto.investigation()['id']).  However, that would require updating the field that just got changed from "Create new..." to the name of the new parent, and I couldn't get that to work.  That's when I gave up and made the button.   You suggest a delay.  I'm not sure where you want me to put it.  Here's the current sequence.  Where should I put it?   User clicks button The button graphic changes to a swirly circle Button script creates new parent incident Button script calls setIncident to successfully update falsepositiveparent field with the name of the new incident The trigger script for the falsepositiveparent field activates The trigger script computes its own ID using demisto.investigation()["id"]. The trigger script (using that ID) successfully unlinks any old incidents and links to the new parent. The trigger script attempts to update the falsepositive boolean field using setIncident, but hangs, instead, and never finishes. The button graphic stays a swirly circle forever. I attempt to close the case manually, filling in required fields for the pop-up form.  I get no errors. The case stays open forever. If steps 1-4 are replaced by a user clicking on the falsepositiveparent field to update it, everything works perfectly.  So, this smells like a deadly embrace bug where the button and the trigger script are waiting for each other.   Note that there are no loops.   The workaround is just to stop trying to update the falsepositive field and make the user do it manually.  That's not a huge problem, so don't break your back trying to figure this out in a rush.  It's worth figuring out eventually, though, as the documentation for the restrictions on trigger scripts should be more complete, and also this might be an actual bug. ... View more

Another complication is that triggered scripts need to use demisto.investigation()['id'] to get the incident ID.  They can't use demisto.incidents()[0]['id'].  I was able to use that ID to get linkIncidents to work.   My current problem is using setIncident to update fields from a trigger script.  It's fine if the user modifies the field via the GUI, but if a button script modifies the field, then the trigger script locks up when it tries to update an additional field with setIncident.  The script just hangs.  At that point, the incident is locked up, and it's not even possible to close it. ... View more

The script is pretty unremarkable, except that it's called by a wrapper script that processes the "new" argument.  The same wrapper is attached to the (correctly working) button, which fills the "new" argument with the field value.   The behavior is consistently reproducible.  At this point, I'm looking for confirmation:  Is it expected behavior that scripts triggered by a field change can't modify linked cases?  If so, a documentation update and feature idea would be in order.  If not, a bug fix is in order.   Of course, if you have a workaround better than "Use a button to trigger the script", that would be great!   incident = demisto.incidents()[0] new_parent_case_id = demisto.args()["parent"] child_case_id = demisto.args().get("child", "") if child_case_id == "": child_case_id = incident.get("id", "Error") # Remove any existing links on the child (current) case old_linked_incidents_list = incident.get('linkedIncidents', []) if old_linked_incidents_list: old_linked_incidents = ",".join(old_linked_incidents_list) # This line does nothing when this script is triggered by a field change # It works fine when this script is triggered by a button # Removing the "incidentId" argument changes nothing # Changing the "run as" parameter to DBot changes nothing demisto.executeCommand("linkIncidents", {"incidentId":child_case_id, "linkedIncidentIDs":old_linked_incidents, "action": "unlink"}) # Create new false positive parent, if requested if new_parent_case_id == "Create": parent_name = "PARENT: " + demisto.incidents()[0]['name'] resp = demisto.executeCommand("createNewCase", { "name": parent_name, "type": "False Positive Parent", "severity": "low", "roles": "##Redacted##" }) if isError(resp[0]): demisto.results('Error while creating the new false positive parent case: ' + str(resp)) sys.exit(0) new_parent_case_id = None if (resp[0] and resp[0]["EntryContext"] and 'CreatedIncidentID' in resp[0]["EntryContext"] ): new_parent_case_id = resp[0]["EntryContext"]['CreatedIncidentID'] else: demisto.results(f'Failed to find the new incident id from create case request') # Update the False Postive Parent field to show the new parent # Note that this may trigger a field-change script, so it's important to avoid looping around # However, the problem with the linked incidents happens even when this branch of code is not executed resp = demisto.executeCommand('setIncident', { 'falsepositiveparent': "{} {}".format(new_parent_case_id, parent_name) }) # Link to the False Positive Parent if new_parent_case_id != "None": # Link to the parent case # This line does nothing then this script is triggered by a field change demisto.executeCommand('linkIncidents', {"incidentId":child_case_id, "linkedIncidentIDs":new_parent_case_id}) # Mark the child case as a stalled false positive # This line works fine when this script is triggered by a field change resp = demisto.executeCommand('setIncident', { 'id': child_case_id, 'stalled': True, 'falsepositive': True }) if isError(resp[0]): demisto.results('Failed updating existing case with false positive attributes: ' + str(resp)) sys.exit(0) demisto.results("Attempted to attach child false positive case {} to parent case {}".format(child_case_id, new_parent_case_id))   Here's the wrapper:   new_field_value = demisto.args()["new"] new_parent_case_id = new_field_value.split(" ")[0] # Execute the update demisto.executeCommand("AddChildToParent", {"parent":new_parent_case_id}) demisto.results("Attempted to attach child false positive case to parent case {}".format(new_parent_case_id))   ... View more

It was set to "limited user".  I tried setting it to "DBot".  No change in behavior resulted.   I have the exact same script triggered by a button and triggered by a field change.  It works fine when triggered by the button. ... View more

We just upgraded to 6.1, so I revisited this matter.  It's not much better.   The DB Version errors no longer appear.   If I leave "Run triggered script after case is modified" unchecked, the triggered script correctly updates other fields with the setIncident command.   If I check that box, the other fields do not update, even though the war room says that they're updated.   Whether I check that box or not, and no matter how it is called, the linkIncidents command does nothing when run from a triggered script.  It works as expected if run from a script launched by a button or the command line.    Can you confirm the above?  The docs mention nothing about linking incidents from triggered scripts. ... View more

The solution above turns out to be only partial.  Leaving out the incidentId field for the linkIncidents command causes the command to do nothing.  Putting it back in re-generates the DB version errors.  Running the trigger script from the command line works perfectly.   So, I don't have a way to modify linked cases in a triggered script in 6.0.  Anyone know? ... View more

I don't even have that checkbox.  Where is it?  We're running 6.0.   ... View more

Yes, the dropdown is displaying correctly now.  Thank you!  I haven't attempted to implement any (on-change) functionality yet. This  CommonServerPython sounds very interesting.  Where can I see that?    Are those the same as what is documented at https://xsoar.pan.dev/docs/integrations/code-conventions#common-server-functions?   Also, note that the code ran differently when it was triggered to populate the field options and when it was triggered by a button.  When it was populating the field options, demisto.log() triggered an error.  When it was running from a button, demisto.log() worked as expected.  Same user.  Same code.  Same layout tab.   This actually feels intentional.  Populating a GUI element maybe shouldn't have side effects in the context or the war room.  However, this is not documented, so writing this scrap of code was a lot more difficult than it had to be. ... View more

Looks like our letters crossed in the mail.   What was fouling me up was trying to extract the results of the demisto.executeCommand().  It appears that a script executing in order to determine the selection options doesn't run with the same access, and the documentation is terrible.  I eventually attached my script to a button where I could run demisto.log() and look at the results from that.  It would be better if the data structure were documented.   Also, you call the "getIncidents" command, which doesn't appear to exist in any documentation (except as an example) or as a command on my dev instance.  I managed to get the job done with "SearchIncidentsV2", though. ... View more