Customize SLA Scripts - Administrator Guide - 6.6 - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Administrator Guide
Product
Cortex XSOAR
Version
6.6
Creation date
2022-09-29
Last date published
2024-04-08
End_of_Life
EoL
Category
Administrator Guide
Abstract

Create scripts that will perform specific actions in Cortex XSOAR when the SLA is breached. Properties in the SLA timer field value.

Scripts in Cortex XSOAR enable you to automate processes. In the context of SLA, you can create scripts that will perform specific actions when the SLA is breached. Each SLA script must include the SLA tag.

Cortex XSOAR comes with an out-of-the-box script, called SendEmailOnSLABreach, that sends an email to specific users when the script is triggered. By default, the script sends an email to the incident assignee, but you can configure additional recipients within the script.

When you create your own scripts, the following arguments are automatically added, in addition to the basic elements provided with every script (for example, current investigation and current incident):

  • field - the current triggered SLA breach field object (contains: name, cliName, threshold, etc.).

  • fieldValue - the current triggered SLA field's value, for example the startDate.

    The following table lists the different properties in the SLA timer field value:

    Property

    Type

    Description

    dueDate

    Date

    The date by which the SLA for this timer is due.

    breachTriggered

    Boolean

    Was the timer already in breach of the SLA.

    sla

    INT (in minutes)

    The period defined as the SLA for this timer. This is the value that you defined in the timer field.

    endDate

    Date

    The date at which the SLA timer completed.

    lastPauseDate

    Date

    The last date at which the SLA timer was paused.

    startDate

    Date

    The date at which the SLA timer was started.

    accumulatedPause

    INT (in seconds)

    The total number of seconds that the timer was in a paused state.

    totalDuration

    INT (in seconds)

    The total number of seconds that the timer was running. This property is populated after the timer is stopped.

    slaStatus

    INT

    Represents the Cortex XSOAR SLA status. Values are:

    0 - The SLA is within the allotted range.

    1 - The SLA is below the defined risk threshold.

    2 - The SLA is in breach.

    runStatus

    String

    Represents the current status of the timer. Values are:

    idle

    running

    paused

    ended