IBM QRadar SOAR: Closing Incident with Playbooks: Difference between revisions
No edit summary |
|||
| (One intermediate revision by the same user not shown) | |||
| Line 13: | Line 13: | ||
<nowiki> | <nowiki> | ||
incident.resolution_id = "Resolved" | incident.resolution_id = "Resolved" | ||
if incident.confirmed: | if incident.confirmed: | ||
incident.resolution_summary = "Incident was closed with CONFIRMED." | incident.resolution_summary = "Incident was closed with CONFIRMED." | ||
else: | else: | ||
incident.resolution_summary = "Incident was closed with Unconfirmed." | incident.resolution_summary = "Incident was closed with Unconfirmed." | ||
incident.plan_status = "C" | incident.plan_status = "C" | ||
incident.addNote(" | incident.addNote("Incident was closed.") | ||
</nowiki> | </nowiki> | ||
Latest revision as of 18:43, 11 June 2025
Simple playbook to close a Incident
Configuring the Playbook
In your playbook:
1) add or edit the Close Incident script.
Provide the following code:
incident.resolution_id = "Resolved"
if incident.confirmed:
incident.resolution_summary = "Incident was closed with CONFIRMED."
else:
incident.resolution_summary = "Incident was closed with Unconfirmed."
incident.plan_status = "C"
incident.addNote("Incident was closed.")