DarkmonCreateIncidents

Creates one XSOAR incident per item using a name_template and field_map (comma-separated 'field=path' pairs).

python · Darkmon

Source

import re

import demistomock as demisto  # noqa: F401
from CommonServerPython import *  # noqa: F401


def _render(template, item):
    return re.sub(r"\$\{(\w+)\}", lambda m: str(item.get(m.group(1), "")), template or "")


def main():
    args = demisto.args()
    items = argToList(args.get("items")) or []
    incident_type = args.get("incident_type")
    severity = args.get("severity")
    name_template = args.get("name_template", "")
    field_map_raw = args.get("field_map", "")
    field_map = {}
    for pair in field_map_raw.split(","):
        if "=" in pair:
            k, v = pair.split("=", 1)
            field_map[k.strip()] = v.strip()

    created = []
    for it in items:
        cf = {}
        for cli, src in field_map.items():
            cf[cli] = it.get(src) if not src.startswith("=") else src[1:]
        body = {
            "name": _render(name_template, it) or f"Darkmon: {incident_type}",
            "type": incident_type,
            "rawJSON": demisto.dt(it, "{.}") if hasattr(demisto, "dt") else None,
            "customFields": cf,
        }
        if severity:
            body["severity"] = severity
        try:
            demisto.executeCommand("createNewIncident", body)
            created.append(body["name"])
        except Exception as e:
            demisto.error(f"createNewIncident failed: {e}")

    return_results({"CreatedIncidents": created, "Count": len(created)})


if __name__ in ("__main__", "__builtin__", "builtins"):
    main()

README

Creates one XSOAR incident per item using a name_template and field_map (comma-separated ‘field=path’ pairs).

Script Data


Name Description
Script Type python3
Tags darkmon
Cortex XSOAR Version 6.5.0

Used In


This script is used in the following playbooks and scripts.

  • Darkmon - Compromised Credentials Sweep
  • Darkmon - Ransomware Mentions Watch
  • Darkmon - Brand-Targeted NRD Watch
  • Darkmon - Critical CVE Pipeline
  • Darkmon - Compromised Employee Auto-Disable

Inputs


Argument Name Description
items Items to process.
id_field Field name to use as the dedup key.
seen_list Name of the XSOAR List storing already-seen IDs.
domain_filter_list Optional - list of customer domains to filter username matches.
domain_match_field Field on each item to match against domain_filter_list.
allowlist Optional list of usernames/DNs that must NEVER be actioned.
allowlist_match_field Field to match against the allowlist.
incident_type Incident type for newly created incidents.
severity Severity (1=Low, 2=Medium, 3=High, 4=Critical).
name_template Incident name template (supports ${field} interpolation).
field_map Comma-separated ‘fieldCli=sourcePath’ pairs.
emails Email addresses to fan out per VIP fetch.
domains  
brands_list  
max_distance  
min_cvss  
tech_stack_list  

Outputs


Path Description Type
NewAccounts   unknown
CreatedIncidents   unknown
Count   number
Typosquats   unknown
FilteredCVEs   unknown
VIPCreated   number