IBM QRadar SOAR: Closing Incident with Playbooks: Difference between revisions
(Created page with "Simple playbook to close a Incident == Configuring the Playbook == 346x599px In your playbook: 1) add or edit the '''Get Artifacts''' script. Provide the following code: <nowiki> incident.resolution_id = "Resolved" if incident.confirmed: incident.resolution_summary = "Incident was closed with CONFIRMED." else: incident.resolution_summary = "Incident was closed with Unconfirmed." incident.plan_status = "C" incident.addNote("...") |
No edit summary |
||
(2 intermediate revisions by the same user not shown) | |||
Line 7: | Line 7: | ||
In your playbook: | In your playbook: | ||
1) add or edit the ''' | 1) add or edit the '''Close Incident''' script. | ||
Provide the following code: | Provide the following code: | ||
Line 13: | Line 13: | ||
<nowiki> | <nowiki> | ||
incident.resolution_id = "Resolved" | incident.resolution_id = "Resolved" | ||
if incident.confirmed: | if incident.confirmed: | ||
incident.resolution_summary = "Incident was closed with CONFIRMED." | incident.resolution_summary = "Incident was closed with CONFIRMED." | ||
else: | else: | ||
incident.resolution_summary = "Incident was closed with Unconfirmed." | incident.resolution_summary = "Incident was closed with Unconfirmed." | ||
incident.plan_status = "C" | incident.plan_status = "C" | ||
incident.addNote(" | incident.addNote("Incident was closed.") | ||
</nowiki> | </nowiki> | ||
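Review bot: The script in this hunk is wrapped in <nowiki>, which only suppresses wiki markup and does not preserve line breaks or indentation when rendered, so the bodies of the if/else on the lines after "if incident.confirmed:" lose the indentation Python requires and the script cannot be copied as-is. Wrap the block in <pre> (or <syntaxhighlight lang="python"> if that extension is installed) instead. Separately, the new addNote text "Incident was closed." drops the confirmed/unconfirmed distinction that resolution_summary records; passing incident.resolution_summary to addNote would keep the note and the resolution consistent.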
Latest revision as of 18:43, 11 June 2025
Simple playbook to close an Incident
Configuring the Playbook
In your playbook:
1) add or edit the Close Incident script.
Provide the following code:
# Set the resolution fields before changing the status.
incident.resolution_id = "Resolved"
if incident.confirmed:
    incident.resolution_summary = "Incident was closed with CONFIRMED."
else:
    incident.resolution_summary = "Incident was closed with Unconfirmed."
# plan_status "C" closes the incident.
incident.plan_status = "C"
incident.addNote("Incident was closed.")