SearchIncidentsV2

Searches Demisto incidents by the filter arguments below and returns the matches under the foundIncidents context key.

Script Data


Name | Description
Script Type | python3
Tags | Utility
Demisto Version | 5.0.0

Used In


This script is used in the following playbooks and scripts.

  • ExtraHop - Ticket Tracking
  • SafeBreach - Create Incidents per Insight and Associate Indicators
  • Send Investigation Summary Reports

Inputs


Argument Name | Description
id | A comma-separated list of incident IDs by which to filter the results.
name | A comma-separated list of incident names by which to filter the results.
status | A comma-separated list of incident statuses by which to filter the results. For example: assigned.
notstatus | A comma-separated list of incident statuses to exclude from the results. For example: assigned.
reason | A comma-separated list of incident close reasons by which to filter the results.
fromdate | Start of the creation-date range (e.g. 2006-01-02T15:04:05+07:00 or 2006-01-02T15:04:05Z).
todate | End of the creation-date range (e.g. 2006-01-02T15:04:05+07:00 or 2006-01-02T15:04:05Z).
fromclosedate | Start of the close-date range (e.g. 2006-01-02T15:04:05+07:00 or 2006-01-02T15:04:05Z).
toclosedate | End of the close-date range (e.g. 2006-01-02T15:04:05+07:00 or 2006-01-02T15:04:05Z).
fromduedate | Start of the due-date range (e.g. 2006-01-02T15:04:05+07:00 or 2006-01-02T15:04:05Z).
toduedate | End of the due-date range (e.g. 2006-01-02T15:04:05+07:00 or 2006-01-02T15:04:05Z).
level | Filter by severity.
owner | Filter by incident owner.
details | Filter by incident details.
type | Filter by incident type.
query | Free-form query in Lucene syntax. When this argument is supplied, every other filter argument is ignored, so the whole filter must be expressed in the query.
page | Page number of the results to return (used together with size).
size | Number of incidents per page (per fetch).
sort | Sort order, as a comma-separated list in the form field.asc,field.desc,...

Outputs


Path | Description | Type
foundIncidents.id | A list of incident IDs returned from the query. | Unknown
foundIncidents.name | A list of incident names returned from the query. | Unknown
foundIncidents.severity | A list of incident severities returned from the query. | Unknown
foundIncidents.status | A list of incident statuses returned from the query. | Unknown
foundIncidents.owner | A list of incident owners returned from the query. | Unknown
foundIncidents.created | A list of incident create dates returned from the query. | Unknown
foundIncidents.closed | A list of incident close dates returned from the query. | Unknown
foundIncidents.labels | An array of labels per incident returned from the query. | Unknown
foundIncidents.details | Details of the incidents returned from the query. | Unknown
foundIncidents.dueDate | A list of incident due dates returned from the query. | Unknown
foundIncidents.phase | A list of incident phases returned from the query. | Unknown
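
The following is an added example, not code from the SearchIncidentsV2 script or from the playbooks listed above. It shows how another automation would drive this script: building the query argument so that interpolated values are matched literally (the free-form Lucene filter overrides every other argument, so a value carrying characters such as ':' or '*' or the word 'or' would otherwise change the query rather than be searched for), walking page/size until the last page, and telling open from closed incidents by the Go zero date 0001-01-01T00:00:00Z that the context example below shows in the closed field. The search callable is an assumption: inside XSOAR it would wrap demisto.executeCommand("SearchIncidentsV2", args) and return the foundIncidents list, whereas here a constructed in-memory fake stands in so the module runs offline. The 0-based page numbering and the field:"value" and ... query shape are also assumptions about the Lucene-style syntax, not taken from the page.

```python
"""Drive SearchIncidentsV2 from another XSOAR automation: safe query building and paging.

Added example; not part of the SearchIncidentsV2 script itself.
Assumption: in XSOAR the `search` callable would wrap
demisto.executeCommand("SearchIncidentsV2", args) and return the list found
under foundIncidents. Here a constructed in-memory fake stands in for it.
"""
from typing import Callable, Dict, Iterator, List

Incident = Dict[str, object]
SearchFn = Callable[[Dict[str, str]], List[Incident]]

# Go's zero time, which the context example shows for never-set fields such
# as "closed"; any other value means the incident has been closed.
ZERO_TIME = "0001-01-01T00:00:00Z"


def quote_term(value: str) -> str:
    """Render a value as a Lucene phrase so it is matched literally.

    Inside a quoted phrase only the backslash and the quote itself are
    special, so those two are escaped; everything else is then literal.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_query(**fields: str) -> str:
    """AND together field:"value" clauses for the `query` argument.

    When `query` is supplied SearchIncidentsV2 ignores all other filter
    arguments, so every constraint has to be expressed here. The
    'field:"value" and ...' shape is an assumed Lucene-style syntax.
    """
    return " and ".join(
        f"{field}:{quote_term(value)}" for field, value in sorted(fields.items())
    )


def iter_incidents(search: SearchFn, args: Dict[str, str], size: int = 50) -> Iterator[Incident]:
    """Yield every match, walking `page`/`size` until a page shorter than `size`.

    Assumption: pages are numbered from 0 and a short (or empty) page is the last.
    """
    page = 0
    while True:
        batch = search({**args, "page": str(page), "size": str(size)})
        yield from batch
        if len(batch) < size:
            return
        page += 1


def is_closed(incident: Incident) -> bool:
    """An incident is closed when its close date is not the zero-time sentinel."""
    return incident.get("closed", ZERO_TIME) != ZERO_TIME


def open_duplicates(search: SearchFn, name: str, size: int = 50) -> List[str]:
    """IDs of still-open incidents with exactly this name: a dedup check to run
    before creating a new incident for the same finding."""
    args = {"query": build_query(name=name)}
    return [str(inc["id"]) for inc in iter_incidents(search, args, size) if not is_closed(inc)]


# --- constructed sample data and a fake search, standing in for the XSOAR API ---
SAMPLE_INCIDENTS: List[Incident] = [
    {
        "id": str(i),
        "name": "Incident to search" if i % 2 else "Other",
        "closed": "2020-10-01T00:00:00Z" if i == 3 else ZERO_TIME,
    }
    for i in range(1, 8)
]


def fake_search(args: Dict[str, str]) -> List[Incident]:
    """Minimal stand-in: honours a name-only `query`, plus `page` and `size`."""
    wanted = args.get("query", "")
    rows = [inc for inc in SAMPLE_INCIDENTS
            if not wanted or wanted == build_query(name=str(inc["name"]))]
    page, size = int(args.get("page", "0")), int(args.get("size", "50"))
    return rows[page * size:(page + 1) * size]


if __name__ == "__main__":
    print(build_query(name='Incident to search', type="Unclassified"))
    print(open_duplicates(fake_search, "Incident to search", size=2))
```

Inside a playbook the same dedup check is the reason to call this script before a "Create Incident" step: search by name (or by a more specific field via query), drop anything whose closed date is not the zero sentinel, and only create when the list comes back empty.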

Script Example

!SearchIncidentsV2 name="Incident to search"

Context Example

{
    "foundIncidents": [
        {
            "CustomFields": {
                "detectionsla": {
                    "accumulatedPause": 0,
                    "breachTriggered": false,
                    "dueDate": "0001-01-01T00:00:00Z",
                    "endDate": "0001-01-01T00:00:00Z",
                    "lastPauseDate": "0001-01-01T00:00:00Z",
                    "runStatus": "idle",
                    "sla": 20,
                    "slaStatus": -1,
                    "startDate": "0001-01-01T00:00:00Z",
                    "totalDuration": 0
                },
                "remediationsla": {
                    "accumulatedPause": 0,
                    "breachTriggered": false,
                    "dueDate": "0001-01-01T00:00:00Z",
                    "endDate": "0001-01-01T00:00:00Z",
                    "lastPauseDate": "0001-01-01T00:00:00Z",
                    "runStatus": "idle",
                    "sla": 7200,
                    "slaStatus": -1,
                    "startDate": "0001-01-01T00:00:00Z",
                    "totalDuration": 0
                },
                "timetoassignment": {
                    "accumulatedPause": 0,
                    "breachTriggered": false,
                    "dueDate": "0001-01-01T00:00:00Z",
                    "endDate": "0001-01-01T00:00:00Z",
                    "lastPauseDate": "0001-01-01T00:00:00Z",
                    "runStatus": "idle",
                    "sla": 0,
                    "slaStatus": -1,
                    "startDate": "0001-01-01T00:00:00Z",
                    "totalDuration": 0
                },
                "urlsslverification": []
            },
            "ShardID": 0,
            "account": "",
            "activated": "0001-01-01T00:00:00Z",
            "allRead": false,
            "allReadWrite": false,
            "attachment": null,
            "autime": 1601389784162034000,
            "canvases": null,
            "category": "",
            "closeNotes": "",
            "closeReason": "",
            "closed": "0001-01-01T00:00:00Z",
            "closingUserId": "",
            "created": "2020-09-29T17:29:44.162034+03:00",
            "dbotCreatedBy": "admin",
            "dbotCurrentDirtyFields": null,
            "dbotDirtyFields": null,
            "dbotMirrorDirection": "",
            "dbotMirrorId": "",
            "dbotMirrorInstance": "",
            "dbotMirrorLastSync": "0001-01-01T00:00:00Z",
            "dbotMirrorTags": null,
            "details": "",
            "droppedCount": 0,
            "dueDate": "2020-10-09T17:29:44.162034+03:00",
            "feedBased": false,
            "hasRole": false,
            "id": "978",
            "investigationId": "",
            "isPlayground": false,
            "labels": [
                {
                    "type": "Instance",
                    "value": "admin"
                },
                {
                    "type": "Brand",
                    "value": "Manual"
                }
            ],
            "lastJobRunTime": "0001-01-01T00:00:00Z",
            "lastOpen": "0001-01-01T00:00:00Z",
            "linkedCount": 0,
            "linkedIncidents": null,
            "modified": "2020-09-29T17:29:44.162202+03:00",
            "name": "Incident to search",
            "notifyTime": "0001-01-01T00:00:00Z",
            "occurred": "2020-09-29T17:29:44.162034+03:00",
            "openDuration": 0,
            "owner": "admin",
            "parent": "",
            "phase": "",
            "playbookId": "",
            "previousAllRead": false,
            "previousAllReadWrite": false,
            "previousRoles": null,
            "rawCategory": "",
            "rawCloseReason": "",
            "rawJSON": "",
            "rawName": "Incident to search",
            "rawPhase": "",
            "rawType": "Unclassified",
            "reason": "",
            "reminder": "0001-01-01T00:00:00Z",
            "roles": null,
            "runStatus": "",
            "severity": 0,
            "sla": 0,
            "sortValues": [
                "_score"
            ],
            "sourceBrand": "Manual",
            "sourceInstance": "admin",
            "status": 0,
            "type": "Unclassified",
            "version": 1
        }
    ]
}

Human Readable Output

Incidents found

id | name | severity | status | owner | created | closed
978 | Incident to search | 0 | 0 | admin | 2020-09-29T17:29:44.162034+03:00 | 0001-01-01T00:00:00Z