OnboardingCleanup

Cleanup the incidents and indicators created by OnboardingIntegration This automation runs using the default Limited User role, unless you explicitly change the permissions. For more information, see the section about permissions here: - For Cortex XSOAR 6 see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations - For Cortex XSOAR 8 Cloud see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script - For Cortex XSOAR 8.7 On-prem see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script

python · OnboardingIntegration

Source

import demistomock as demisto  # noqa: F401
from CommonServerPython import *  # noqa: F401

try:
    # Delete indicators generated by the OnboardingIntegration
    delete_indicators_cmd_args = {"query": "incident.sourceBrand:OnboardingIntegration", "doNotWhitelist": "true"}
    command_result = demisto.executeCommand("deleteIndicators", delete_indicators_cmd_args)
    if isError(command_result[0]):
        raise Exception(command_result[0])
    demisto.results("Indicators added by incidents generated by the OnboardingIntegration have been deleted.")

    # Close incidents of type Phishing that were created by OnboardingIntegration
    get_incidents_cmd_args = {"query": "type:Phishing and sourceBrand:OnboardingIntegration and -status:Closed"}
    res_get_incidents = demisto.executeCommand("getIncidents", get_incidents_cmd_args)

    incidents = res_get_incidents[0].get("Contents", {}).get("data")
    res = []
    if incidents:
        for incident in incidents:
            incident_id = incident.get("id")
            incident_name = incident.get("name")
            res.append({"Incident ID": incident_id, "Incident Name": incident_name})
            close_investigation_cmd_args = {
                "id": incident_id,
                "closeNotes": "Closing all incidents of type PhishingDemo. (Cleanup)",
            }
            demisto.executeCommand("closeInvestigation", close_investigation_cmd_args)
    headers = ["Incident ID", "Incident Name"]
    title = f"Total Incidents Closed: {len(res)}"
    human_readable = tableToMarkdown(title, res, headers=headers, removeNull=True)
    demisto.results(
        {
            "Type": entryTypes["note"],
            "Contents": res,
            "ContentsFormat": formats["json"],
            "ReadableContentsFormat": formats["markdown"],
            "HumanReadable": human_readable,
        }
    )
except Exception as e:
    demisto.results(
        {
            "Type": entryTypes["error"],
            "ContentsFormat": formats["text"],
            "Contents": "A problem occurred while trying to execute this script. Exception info:\n" + str(e),
        }
    )

README

Cleans up the incidents and indicators created by the Onboarding Integration command.

Permissions


This automation runs using the default Limited User role, unless you explicitly change the permissions.
For more information, see the section about permissions here: For Cortex XSOAR 6, see the https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.x/Cortex-XSOAR-Playbook-Design-Guide/Automations for Cortex XSOAR 8 Cloud, see the https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8/Cortex-XSOAR-Cloud-Documentation/Create-a-script for Cortex XSOAR 8 On-prem, see the https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/8.7/Cortex-XSOAR-On-prem-Documentation/Create-a-script.

Script Data


Name Description
Script Type python3
Tags -

Inputs


There are no inputs for this script.

Outputs


There are no outputs for this script.