Create a Post-Processing Script

Create a post-processing script to run after a Cortex XSOAR incident has been remedied.
This procedure describes how to create a post-processing script after an incident has been remedied.
  1. Select
    New Automation
  2. Type a name for the post-processing script and click
  3. In the
    field, from the drop down list select
  4. Add fields as required.
  5. Click
The following script example requires the user to verify all To Do tasks before closing an incident. Before you start, you need to configure a Cortex XSOAR REST API instance.
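
# ID of the incident that is being closed
inc_id = demisto.incidents()[0].get('id')
# Fetch the incident's To Do tasks through the Cortex XSOAR REST API instance
tasks = list(demisto.executeCommand("demisto-api-get", {"uri": "/todo/{}".format(inc_id)})[0]['Contents']['response'])
if tasks:
    for task in tasks:
        # A task without "completedBy" is still open: block the close
        if not task.get("completedBy"):
            return_error("Please complete all ToDo tasks before closing the incident")
            break
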
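A fail-closed variant of the To Do check above, as an added example that is not part of the original page or Cortex XSOAR's own code. It refuses the close when the `demisto-api-get` lookup itself fails, instead of relying on an indexing error. The names `open_todo_tasks`, `close_decision` and `TodoLookupError`, the `title` field, and the treatment of a null response as "no tasks" are assumptions.

```python
# Added example (not Cortex XSOAR's own code): fail-closed To Do gate.
# Entry keys (Type, Contents, response, completedBy) follow the script above;
# the sample entries and their "title" field are constructed for illustration.
ENTRY_TYPE_ERROR = 4  # entryTypes['error'] in CommonServerPython


class TodoLookupError(Exception):
    """The To Do list could not be read, so the close must be refused."""


def open_todo_tasks(entries):
    """Return the To Do tasks nobody has completed; raise if the lookup failed."""
    if not entries:
        raise TodoLookupError("demisto-api-get returned no entries")
    entry = entries[0]
    contents = entry.get("Contents")
    if entry.get("Type") == ENTRY_TYPE_ERROR or not isinstance(contents, dict):
        raise TodoLookupError("demisto-api-get failed: {}".format(contents))
    if "response" not in contents:
        raise TodoLookupError("result has no 'response' key")
    tasks = contents["response"] or []  # assumption: null means no To Do tasks
    if not isinstance(tasks, list):
        raise TodoLookupError("unexpected 'response' type")
    return [t for t in tasks if not t.get("completedBy")]


def close_decision(entries):
    """Return (allowed, message); any lookup failure blocks the close."""
    try:
        pending = open_todo_tasks(entries)
    except TodoLookupError as err:
        return False, "Cannot verify To Do tasks: {}".format(err)
    if pending:
        return False, "Please complete all ToDo tasks ({} open)".format(len(pending))
    return True, "All To Do tasks are complete"


# Constructed sample entries, shaped like demisto.executeCommand() output.
SAMPLE_DONE = [{"Type": 1, "Contents": {"response": [
    {"title": "Notify asset owner", "completedBy": "analyst1"}]}}]
SAMPLE_PENDING = [{"Type": 1, "Contents": {"response": [
    {"title": "Notify asset owner", "completedBy": "analyst1"},
    {"title": "Reset credentials", "completedBy": ""}]}}]
SAMPLE_ERROR = [{"Type": ENTRY_TYPE_ERROR, "Contents": "request failed"}]

# In the post-processing script itself:
#   allowed, msg = close_decision(demisto.executeCommand("demisto-api-get", {...}))
#   if not allowed: return_error(msg)
```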
In this example, we create a post-processing script for ServiceNow incidents using a SNOW instance, where certain fields are required to resolve and close a ticket (such as Resolution Code and Resolution Notes).
This script works with the ServiceNow defaults and resolves and closes the mirrored ticket in ServiceNow.

commonfields:
  id: c8eeeb6c-3622-4bcb-897a-d183625609fd
  version: 20
vcShouldKeepItemLegacyProdMachine: false
name: ServiceNowCloseIncidentTicket
script: |-
  # return the args and incident details to the war room, useful for seeing what you have available to you
  # args can be called with demisto.args().get('argname')

  # debugging
  # demisto.results(demisto.args())
  # demisto.results(demisto.incident())

  # get the close notes and reason from the XSOAR Incident
  close_reason = demisto.args().get('closeReason')
  close_notes = demisto.args().get('closeNotes','No close notes provided')
  servicenow_sysid = demisto.incident().get("dbotMirrorId", False)

  # map XSOAR close reasons to Service Now close codes
  close_code_map = {
      "False Positive":"Not Solved (Not Reproducible)",
      "Resolved":"Solved (Permanently)",
      "Other":"Solved (Work Around)",
      "Duplicate":"Solved (Work Around)"
  }

  # fall back to a default close code for any unmapped close reason
  close_code = close_code_map.get(close_reason,"Solved (Work Around)")

  # handle if there is no service now sys_id, resolve and close snow ticket
  if servicenow_sysid:
      demisto.results(demisto.executeCommand("servicenow-update-ticket", {"id":servicenow_sysid,"close_code":close_code,"state":6,"close_notes":close_notes}))
      demisto.results(demisto.executeCommand("servicenow-update-ticket", {"id":servicenow_sysid,"state":7}))
  else:
      demisto.results("No ServiceNow sys_id found, doing nothing...")
type: python
tags:
- post-processing
- training
comment: Post processing script to resolve and close Service Now tickets if the XSOAR Incident is closed.
enabled: true
scripttarget: 0
subtype: python3
timeout: 80ns
pswd: ""
runonce: false
dockerimage: demisto/python:1.3-alpine
runas: Administrator
