IBM Security QRadar SOAR

Best way to set incident members by script?

  • 1.  Best way to set incident members by script?

    Posted Fri September 11, 2020 05:12 PM
    What is the right way to set the incident members in a script?  I have incidents that are being created by an API script; the "Created By" shows up as the API key and the "Owner" is assigned to the default group.  I have a script that changes the owner of the incident via a menu item rule:

    incident.owner_id = principal.id

    But when I do this, it sets the incident members from empty to the default group.  I've tried different methods of "unsetting" the members with varying success.

    incident.members = None

    # or even tried

    incident.members = []

    But none of these methods are working as expected within the same script that sets the owner_id - they all end up with the incident members containing the default group.

    I'm on version 37.2.46 if that helps.

    ------------------------------
    David Vasil
    ------------------------------


  • 2.  RE: Best way to set incident members by script?

    Posted Mon September 14, 2020 10:33 AM
    I was able to accomplish this with two rules. The first is the menu item rule that allows the user to assign to themselves:



    And the second was an automatic rule that removes the default group:


    Ben

    ------------------------------
    Ben Lurie
    ------------------------------