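# Cortex XSOAR automation definition for SearchIncidentsV2.
# Indentation restored (the extracted copy had lost it); sequences use the
# indented style consistently. Typos in user-facing descriptions fixed.
args:
  # Positional default argument: bare values passed to the script land here.
  - default: true
    description: A comma-separated list of incident IDs by which to filter the results.
    isArray: true
    name: id
  - description: A comma-separated list of incident names by which to filter the results.
    isArray: true
    name: name
  - description: 'A comma-separated list of incident statuses by which to filter the results. For example: assigned.'
    isArray: true
    name: status
  - description: 'A comma-separated list of incident statuses to exclude from the results. For example: assigned.'
    isArray: true
    name: notstatus
  - description: A comma-separated list of incident close reasons by which to filter the results.
    isArray: true
    name: reason
  - description: Filter by from date (e.g. "3 days ago" or 2006-01-02T15:04:05+07:00 or 2006-01-02T15:04:05Z).
    name: fromdate
  - description: Filter by to date (e.g. "3 days ago" or 2006-01-02T15:04:05+07:00 or 2006-01-02T15:04:05Z).
    name: todate
  - description: Filter by from close date (e.g. 2006-01-02T15:04:05+07:00 or 2006-01-02T15:04:05Z).
    name: fromclosedate
  - description: Filter by to close date (e.g. 2006-01-02T15:04:05+07:00 or 2006-01-02T15:04:05Z).
    name: toclosedate
  - description: Filter by from due date (e.g. 2006-01-02T15:04:05+07:00 or 2006-01-02T15:04:05Z).
    name: fromduedate
  - description: Filter by to due date (e.g. 2006-01-02T15:04:05+07:00 or 2006-01-02T15:04:05Z).
    name: toduedate
  - description: Filter by Severity.
    isArray: true
    name: level
  - description: Filter by incident owners.
    isArray: true
    name: owner
  - description: Filter by incident details.
    name: details
  - description: Filter by incident type.
    isArray: true
    name: type
  # Free-form Lucene query; per its description it supersedes every other filter.
  - description: Use free form query (use Lucene syntax) as filter. All other filters will be ignored when this filter is used.
    name: query
  # page/size are deprecated in favour of limit; kept for backward compatibility.
  - description: Filter by the page number.
    name: page
    deprecated: true
  - description: |-
      The number of events to return from the alert JSON. The default is 0, which returns all events.
      Note that the count is from the head of the list, regardless of event time or other properties.
    name: trimevents
    hidden: true
  - description: Number of incidents per page (per fetch).
    name: size
    deprecated: true
  # defaultValue is quoted so the platform receives the string "100" as-is.
  - description: The maximum number of incidents to be returned.
    name: limit
    defaultValue: '100'
  - description: Sort in format of field.asc,field.desc,...
    name: sort
  - description: If provided, the value of this argument will be set under the searchResultsLabel context key for each incident found.
    name: searchresultslabel
  # Boolean-like choice kept as quoted strings so YAML does not coerce them.
  - description: If enabled runs a summarized version of this script. Disables auto-extract, sets fromDate to 30 days, and minimizes the context output. You can add specific fields to context using the add_fields_to_summarize_context argument. Default is false.
    name: summarizedversion
    auto: PREDEFINED
    predefined:
      - "false"
      - "true"
  - description: A comma-separated list of fields to add to context when using summarized version, (default- id,name,type,severity,status,owner,created,closed).
    name: add_fields_to_summarize_context
comment: |-
  Searches Demisto incidents. A summarized version of this script is available with the summarizedversion argument.
  This automation runs using the default Limited User role, unless you explicitly change the permissions.
  For more information, see the section about permissions here:
  https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.10/Cortex-XSOAR-Administrator-Guide/Automations
commonfields:
  id: SearchIncidentsV2
  version: -1
enabled: true
name: SearchIncidentsV2
# Context paths populated by the script; types are Unknown except the label echo.
outputs:
  - contextPath: foundIncidents.id
    description: A list of incident IDs returned from the query.
    type: Unknown
  - contextPath: foundIncidents.name
    description: A list of incident names returned from the query.
    type: Unknown
  - contextPath: foundIncidents.severity
    description: A list of incident severities returned from the query.
    type: Unknown
  - contextPath: foundIncidents.status
    description: A list of incident statuses returned from the query.
    type: Unknown
  - contextPath: foundIncidents.owner
    description: A list of incident owners returned from the query.
    type: Unknown
  - contextPath: foundIncidents.created
    description: A list of the incident create date returned from the query.
    type: Unknown
  - contextPath: foundIncidents.closed
    description: A list of incident close dates returned from the query.
    type: Unknown
  - contextPath: foundIncidents.labels
    description: An array of labels per incident returned from the query.
    type: Unknown
  - contextPath: foundIncidents.details
    description: Details of the incidents returned from the query.
    type: Unknown
  - contextPath: foundIncidents.dueDate
    description: A list of incident due dates returned from the query.
    type: Unknown
  - contextPath: foundIncidents.phase
    description: A list of incident phases returned from the query.
    type: Unknown
  - contextPath: foundIncidents.incidentLink
    description: A list with links to the incidents returned from the query.
    type: Unknown
  - contextPath: foundIncidents.searchResultsLabel
    description: The value provided in the searchresultslabel argument.
    type: String
# '-' indicates the script body is not inline here (presumably a sibling .py file — confirm).
script: '-'
subtype: python3
tags:
  - Utility
# Quoted so '0' stays a string rather than an int.
timeout: '0'
type: python
dockerimage: demisto/python3:3.10.13.83255
# Version strings are quoted to avoid numeric coercion.
fromversion: '5.0.0'
tests:
  - No tests (auto formatted)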