Entitlements are the mechanism by which an integration can complete a playbook task when a user provides a response.
Entitlements are composed of three main parts: the GUID, an identifier used by Cortex XSOAR to determine that the response is unique; the Incident ID, which ties the entitlement to a specific incident; and the Task ID, which is used to close a specific playbook task with the response given.
The following is an example of an entitlement string where
e95cb5a1-e394-4bc5-8ce0-508973aaf298 is the GUID,
22 is the Incident ID, and
43 is the Task ID.
The basic format for an entitlement is always
Within a script, creating an entitlement is fairly simple.
The response received will provide you with the GUID, which can be extracted with the following:
Now that we have a GUID, we need to add the Incident ID and the Task ID (the Task ID is optional, but recommended).
This formatted entitlement can now be used by an end user.
Consuming an entitlement is also fairly simple. The service returning the entitlement string should also provide some basic information about the user who replied and what the response was.
Consider the following response from a service:
Our integration should handle the response by calling the
Typically, it is necessary to parse the required information out of the entitlement string.
You may use a function similar to the following to do so.
After we have the parts extracted from our entitlement, we will call the
demisto.handleEntitlementForUser() method as shown below.
When the demisto.handleEntitlementForUser() function is called, the Cortex XSOAR server will close the given task in the given incident with the response that was provided.
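
Because the entitlement string comes back from an external service, it is worth validating before it is used to close a task. The following is an added example, not code from the original page: it assumes the `<guid>@<incident ID>|<task ID>` layout with numeric IDs as in the sample above (22 and 43), and the reply keys and the `handler` parameter (standing in for `demisto.handleEntitlementForUser()`) are hypothetical.

```python
import re
import uuid
from typing import Callable, NamedTuple


class Entitlement(NamedTuple):
    guid: str
    incident_id: str
    task_id: str  # empty string when the optional Task ID is absent


# Assumption: IDs are short decimal strings, as in the page's sample (22, 43).
_ID_RE = re.compile(r"[0-9]{1,18}")


def parse_entitlement(raw: str) -> Entitlement:
    """Split and validate an entitlement string; raise ValueError if malformed."""
    if not isinstance(raw, str) or len(raw) > 128:
        raise ValueError("entitlement missing or too long")
    guid, sep, rest = raw.strip().partition("@")
    if not sep:
        raise ValueError("missing '@' separator")
    try:
        # Canonical-form check rejects braces, urn: prefixes and undashed hex.
        if str(uuid.UUID(guid)) != guid.lower():
            raise ValueError
    except ValueError:
        raise ValueError("GUID is not a canonical UUID") from None
    incident_id, bar, task_id = rest.partition("|")
    if not _ID_RE.fullmatch(incident_id):
        raise ValueError("Incident ID must be numeric")
    if bar and not _ID_RE.fullmatch(task_id):
        raise ValueError("Task ID must be numeric when present")
    return Entitlement(guid, incident_id, task_id)


def handle_reply(reply: dict, handler: Callable[..., object]) -> bool:
    """Validate a service reply (constructed keys) before invoking `handler`."""
    try:
        ent = parse_entitlement(reply.get("entitlement", ""))
    except ValueError:
        return False  # drop malformed input instead of touching an incident
    handler(ent.incident_id, ent.guid, reply.get("email", ""),
            reply.get("response", ""), ent.task_id)
    return True
```

In an integration, `handler` would be `demisto.handleEntitlementForUser`, and a `False` return is a good place to log the rejected reply.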