IBM QRadar SOAR: Closing Incident with Playbooks

From Wiki
Revision as of 18:43, 11 June 2025 by Ebasso (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Simple playbook to close a Incident

Configuring the Playbook

In your playbook:

1) add or edit the Close Incident script.

Provide the following code: 

incident.resolution_id = "Resolved"

if incident.confirmed: 
  incident.resolution_summary = "Incident was closed with CONFIRMED."
else: 
  incident.resolution_summary = "Incident was closed with Unconfirmed."

incident.plan_status = "C"

incident.addNote("Incident was closed.")

Ver também

Retrieved from "https://ebasso.net/wiki/index.php?title=IBM_QRadar_SOAR:_Closing_Incident_with_Playbooks&oldid=9387"