SearchIncidentsSummary

This script is part of the Common Scripts Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Searches Cortex XSOAR incidents. The default search range is the last 30 days; to change it, use the fromdate argument.

Returns the id, name, type, severity, status, owner, and created/closed times to context. You can return additional fields using the add_fields_to_context argument.

This automation runs using the default Limited User role unless you explicitly change its permissions. It is based on SearchIncidentsV2 from the Common Scripts pack, but is more efficient.

Script Data

| Name | Description |
| --- | --- |
| Script Type | python3 |
| Tags | Utility |

Inputs

| Argument Name | Description |
| --- | --- |
| id | A comma-separated list of incident IDs by which to filter the results. |
| name | A comma-separated list of incident names by which to filter the results. |
| status | A comma-separated list of incident statuses by which to filter the results. For example: assigned. |
| notstatus | A comma-separated list of incident statuses to exclude from the results. For example: assigned. |
| reason | A comma-separated list of incident close reasons by which to filter the results. |
| fromdate | Filter by from date (e.g. "3 days ago", 2006-01-02T15:04:05+07:00, or 2006-01-02T15:04:05Z). The default is "30 days ago". |
| todate | Filter by to date (e.g. "3 days ago", 2006-01-02T15:04:05+07:00, or 2006-01-02T15:04:05Z). |
| fromclosedate | Filter by from close date (e.g. 2006-01-02T15:04:05+07:00 or 2006-01-02T15:04:05Z). |
| toclosedate | Filter by to close date (e.g. 2006-01-02T15:04:05+07:00 or 2006-01-02T15:04:05Z). |
| fromduedate | Filter by from due date (e.g. 2006-01-02T15:04:05+07:00 or 2006-01-02T15:04:05Z). |
| toduedate | Filter by to due date (e.g. 2006-01-02T15:04:05+07:00 or 2006-01-02T15:04:05Z). |
| level | Filter by severity. |
| owner | Filter by incident owners. |
| details | Filter by incident details. |
| type | Filter by incident type. |
| query | Use a free-form query (Lucene syntax) as the filter. All other filters are ignored when this argument is used. |
| page | Filter by the page number. |
| trimevents | The number of events to return from the alert JSON. The default is 0, which returns all events. Note that the count is taken from the head of the list, regardless of event time or other properties. |
| size | Number of incidents per page (per fetch). |
| sort | Sort order, in the format field.asc,field.desc,... |
| searchresultslabel | If provided, the value of this argument is set under the searchResultsLabel context key for each incident found. |
| add_fields_to_context | A comma-separated list of fields to return to the context (default: id,name,type,severity,status,owner,created,closed). |

Outputs

| Path | Description | Type |
| --- | --- | --- |
| foundIncidents.id | A list of incident IDs returned from the query. | Unknown |
| foundIncidents.name | A list of incident names returned from the query. | Unknown |
| foundIncidents.severity | A list of incident severities returned from the query. | Unknown |
| foundIncidents.status | A list of incident statuses returned from the query. | Unknown |
| foundIncidents.owner | A list of incident owners returned from the query. | Unknown |
| foundIncidents.created | A list of incident creation dates returned from the query. | Unknown |
| foundIncidents.closed | A list of incident close dates returned from the query. | Unknown |
| foundIncidents.incidentLink | A list of links to the incidents returned from the query. | Unknown |
| foundIncidents.searchResultsLabel | The value provided in the searchresultslabel argument. | String |