TitaniamProtectIncident
This Script is part of the TitaniamProtect Pack.#
TitaniamProtectIncident script is used to apply encode/decode operation on one or more incidents.
Script Data#
| Name | Description |
|---|---|
| Script Type | python3 |
| Tags | - |
| Cortex XSOAR Version | 6.0.0 |
Dependencies#
This script uses the following commands.
- titaniamprotect-encode
- titaniamprotect-decode
Inputs#
| Argument Name | Description |
|---|---|
| incident_id | Zero or more incident IDs, comma separated (if omitted, will protect current incident) |
| operation | protect | protect-masked | protect-tangled | unprotect. |
Outputs#
There are no outputs for this script.
Examples#
Examples of invoking this script:
!TitaniamProtectIncident incident_id="225,226,227,228" operation="protect-masked"
Encode list of incidents, specified with comma-separated values incidents IDs (225,226,227,228). Display format for protected fields of encoded incidents is a mask in the form of "xxx". When invoked on already encoded incidents this command doesn't have an effect.
!TitaniamProtectIncident operation="protect-masked"
Encode current incident. Display format for protected fields of encoded incident is a mask in the form of "xxx". When invoked on already encoded incident this command doesn't have an effect.
!TitaniamProtectIncident incident_id="225,226,227,228" operation="protect-tangled"
Encode list of incidents, specified with comma-separated values incidents IDs (225,226,227,228). Display format for protected fields of encoded incidents is encoded value. When invoked on already encoded incidents this command doesn't have an effect.
!TitaniamProtectIncident operation="protect-tangled"
Encode current incident. Display format for protected fields of encoded incident is encoded value. When invoked on already encoded incident this command doesn't have an effect.
!TitaniamProtectIncident incident_id="225,226,227,228" operation="unprotect"
Decode list of incidents, specified with comma-separated values incidents IDs (225,226,227,228). Protected fields will be decoded back to cleartext. When invoked on already decoded incidents this command doesn't have an effect.
!TitaniamProtectIncident operation="unprotect"
Decode current incident. Protected fields will be decoded back to cleartext. When invoked on already decoded incident this command doesn't have an effect.
Revert titaniamOp flag using the below command when the following scenarios happen If protected fields is not part of the schema while creating incident the titaniamOp flag set to 1 but the values are in clear text in the incident. Check the value in incident context Data. Eg: TITANIAM_PROTECTED = "1", TITANIAM_UNPROTECTED = "0" Once the schema updated with the protected fields, then we have to revert the flag to 0 before clicking the Show Cleartext or Protect Data button
!setIncident addLabels=[{\"titaniamOp\":\"0\"}]