IBM Security QRadar SOAR

  • 1.  Close Incidents with scripts

    Posted Fri May 24, 2019 09:19 AM
    Hi,

    How do I close incidents using a script in Resilient?


    ------------------------------
    Dastagirsab Mulla
    ------------------------------


  • 2.  RE: Close Incidents with scripts

    Posted Sat May 25, 2019 02:50 AM
    Hi,
    You can use the following:
    incident.plan_status = "C"

    ------------------------------
    Clément Fouque
    ------------------------------



  • 3.  RE: Close Incidents with scripts

    Posted Fri June 07, 2019 10:10 AM
    I use the following script that sets multiple fields.

    if incident.id:
        # "C" sets the plan status to closed
        incident.plan_status = "C"
        incident.resolution_id = "Resolved"
        incident.resolution_summary = "Incident automatically resolved via script [name]"


    ------------------------------
    Nathan Getty
    ------------------------------



  • 4.  RE: Close Incidents with scripts

    Posted Wed August 26, 2020 04:48 AM

    Hello, 

    Sorry for replying to this after so long.

    I'm trying to configure a rule that closes the incident when the description contains something.

    I tried configuring a script with what you wrote:

    if incident.id:
        incident.plan_status = "C"
        incident.resolution_id = "Resolved"
        incident.resolution_summary = "Incident automatically resolved via script [name]"

    But when testing the script I receive an "Enter Incident ID" prompt; if I enter the incident ID I get "Incident not found - please try a different incident ID."
    I'm trying this on an MSSP deployment from the configuration Organization.


    ------------------------------
    Alessandro Di Liberto
    ------------------------------



  • 5.  RE: Close Incidents with scripts

    Posted Wed August 26, 2020 01:00 PM
    @Alessandro Di Liberto are you running the script inside that specific Organization? I have seen that error when I accidentally ran the script in a different Org than where the incident was located. The rest of the script looks right.

    ------------------------------
    Richard Giesige
    Security Engineer
    Oshkosh Corporation
    Oshkosh
    ------------------------------



  • 6.  RE: Close Incidents with scripts

    Posted Thu August 27, 2020 06:36 AM

    Hi Richard, 

    Yes, I was running it in test mode on the Configuration Organization (it is an MSSP deployment).

    I created the same rule that triggers the same script but manually instead of automatically and the script is working fine.

    I just don't understand why, in automatic mode, the rule/script works only for some incidents.



    ------------------------------
    Alessandro Di Liberto
    ------------------------------



  • 7.  RE: Close Incidents with scripts

    Posted Thu August 27, 2020 11:01 AM
    If a rule is not triggering it may be helpful to see the rule configuration for the automatic rule.

    Ben

    ------------------------------
    Ben Lurie
    ------------------------------