DarkmonCreateIncidents
Creates one XSOAR incident per item using a name_template and field_map (comma-separated 'field=path' pairs).
python · Darkmon
Source
import re import demistomock as demisto # noqa: F401 from CommonServerPython import * # noqa: F401 def _render(template, item): return re.sub(r"\$\{(\w+)\}", lambda m: str(item.get(m.group(1), "")), template or "") def main(): args = demisto.args() items = argToList(args.get("items")) or [] incident_type = args.get("incident_type") severity = args.get("severity") name_template = args.get("name_template", "") field_map_raw = args.get("field_map", "") field_map = {} for pair in field_map_raw.split(","): if "=" in pair: k, v = pair.split("=", 1) field_map[k.strip()] = v.strip() created = [] for it in items: cf = {} for cli, src in field_map.items(): cf[cli] = it.get(src) if not src.startswith("=") else src[1:] body = { "name": _render(name_template, it) or f"Darkmon: {incident_type}", "type": incident_type, "rawJSON": demisto.dt(it, "{.}") if hasattr(demisto, "dt") else None, "customFields": cf, } if severity: body["severity"] = severity try: demisto.executeCommand("createNewIncident", body) created.append(body["name"]) except Exception as e: demisto.error(f"createNewIncident failed: {e}") return_results({"CreatedIncidents": created, "Count": len(created)}) if __name__ in ("__main__", "__builtin__", "builtins"): main()
README
Creates one XSOAR incident per item using a name_template and field_map (comma-separated ‘field=path’ pairs).
Script Data
| Name | Description |
|---|---|
| Script Type | python3 |
| Tags | darkmon |
| Cortex XSOAR Version | 6.5.0 |
Used In
This script is used in the following playbooks and scripts.
- Darkmon - Compromised Credentials Sweep
- Darkmon - Ransomware Mentions Watch
- Darkmon - Brand-Targeted NRD Watch
- Darkmon - Critical CVE Pipeline
- Darkmon - Compromised Employee Auto-Disable
Inputs
| Argument Name | Description |
|---|---|
| items | Items to process. |
| id_field | Field name to use as the dedup key. |
| seen_list | Name of the XSOAR List storing already-seen IDs. |
| domain_filter_list | Optional - list of customer domains to filter username matches. |
| domain_match_field | Field on each item to match against domain_filter_list. |
| allowlist | Optional list of usernames/DNs that must NEVER be actioned. |
| allowlist_match_field | Field to match against the allowlist. |
| incident_type | Incident type for newly created incidents. |
| severity | Severity (1=Low, 2=Medium, 3=High, 4=Critical). |
| name_template | Incident name template (supports ${field} interpolation). |
| field_map | Comma-separated ‘fieldCli=sourcePath’ pairs. |
| emails | Email addresses to fan out per VIP fetch. |
| domains | |
| brands_list | |
| max_distance | |
| min_cvss | |
| tech_stack_list |
Outputs
| Path | Description | Type |
|---|---|---|
| NewAccounts | unknown | |
| CreatedIncidents | unknown | |
| Count | number | |
| Typosquats | unknown | |
| FilteredCVEs | unknown | |
| VIPCreated | number |