From 327445c271a24f012b831e9ae9f03018cb0a182e Mon Sep 17 00:00:00 2001 From: scottbrumley Date: Thu, 9 Apr 2026 20:03:00 -0400 Subject: [PATCH 1/4] - Added pagination to the auto triage job --- .../Playbooks/JOB_-_Triage_Alerts_V3.yml | 104 +++++++++--------- 1 file changed, 53 insertions(+), 51 deletions(-) diff --git a/Packs/soc-optimization-unified/Playbooks/JOB_-_Triage_Alerts_V3.yml b/Packs/soc-optimization-unified/Playbooks/JOB_-_Triage_Alerts_V3.yml index c34d6cc0..c59e689b 100644 --- a/Packs/soc-optimization-unified/Playbooks/JOB_-_Triage_Alerts_V3.yml +++ b/Packs/soc-optimization-unified/Playbooks/JOB_-_Triage_Alerts_V3.yml @@ -15,8 +15,8 @@ contentitemexportablefields: vcShouldKeepItemLegacyProdMachine: false name: JOB - Auto Triage V3 tags: -- SOC -- SOC_Framework_Unified + - SOC + - SOC_Framework_Unified starttaskid: "0" tasks: "0": @@ -33,7 +33,7 @@ tasks: istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "1" + - "1" separatecontext: false continueonerrortype: "" view: |- @@ -58,8 +58,10 @@ tasks: id: 993570fa-2548-4e9c-af63-478189b6c22b version: -1 name: Get Unstarred Open Cases - description: Queries get_incidents — starred=false, status new. Age window filtering - handled in SOCAutoTriageScoreFilter using Python time.time() ms comparison. + description: Queries get_incidents — starred=false, status new, sorted oldest-first. + Fetches up to 100 cases per run (API maximum). Age window and score filtering + handled in SOCAutoTriageScoreFilter. Run this JOB frequently (e.g., every 15m) + to drain backlogs exceeding 100 cases across successive executions. script: '|||core-api-post' type: regular iscommand: true 
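Review bot: The new description for `Get Unstarred Open Cases` claims that frequent runs will drain a backlog larger than 100 cases, but the body added in the next hunk (`"search_from":0,"search_to":100`) only ever fetches the first page, and the query is sorted oldest-first. A case the filter declines to close stays `new` and unstarred (the skipped branch in SOCAutoTriageScoreFilter appends to a list and continues, see the PATCH 2/4 hunk), so it reappears at the top of that same page on every run; once 100 such cases accumulate, cases 101 and beyond are never examined regardless of schedule. Either loop over `search_from` until a page returns fewer than 100 results, or narrow the query so stale cases are not re-fetched (a `creation_time` lower bound matching the triage window, if the API accepts one). At minimum the description should not promise draining: `Fetches only the first 100 oldest matching cases per run; cases the filter skips remain in that page, so a backlog of skipped cases can starve newer ones.`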
@@ -68,10 +70,10 @@ tasks: istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "12" + - "12" scriptarguments: body: - simple: '{"request_data":{"filters":[{"field":"status","operator":"eq","value":"new"},{"field":"starred","operator":"eq","value":false}],"fields":["incident_id","aggregated_score","manual_score","creation_time","status","starred"],"sort":{"field":"creation_time","keyword":"asc"}}}' + simple: '{"request_data":{"filters":[{"field":"status","operator":"eq","value":"new"},{"field":"starred","operator":"eq","value":false}],"fields":["incident_id","aggregated_score","manual_score","creation_time","status","starred"],"sort":{"field":"creation_time","keyword":"asc"},"search_from":0,"search_to":100}}' extend-context: simple: Found=. uri: @@ -109,20 +111,20 @@ tasks: istaskmissingcomponenterrordismissed: false nexttasks: '#default#': - - "9" + - "9" "yes": - - "8" + - "8" separatecontext: false conditions: - - label: "yes" - condition: - - - operator: isExists - left: - value: - simple: AutoTriage.filtered_incidents.incident_id - iscontext: true - right: - value: {} + - label: "yes" + condition: + - - operator: isExists + left: + value: + simple: AutoTriage.filtered_incidents.incident_id + iscontext: true + right: + value: {} continueonerrortype: "" view: |- { @@ -183,7 +185,7 @@ tasks: istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "9" + - "9" scriptarguments: incident_id: simple: ${AutoTriage.filtered_incidents.incident_id} @@ -230,7 +232,7 @@ tasks: istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "7" + - "7" separatecontext: false continueonerrortype: "" view: |- @@ -266,7 +268,7 @@ tasks: istaskmissingcomponenterrordismissed: false nexttasks: '#none#': - - "5" + - "5" scriptarguments: incidents: complex: 
@@ -277,41 +279,41 @@ tasks: root: lists accessor: SOCOptimizationConfig_V3 transformers: - - operator: getField - args: - field: - value: - simple: Triage Incidents JOB - - operator: getField - args: - field: - value: - simple: fields - - operator: getField - args: - field: - value: - simple: TriageScoreThreshold + - operator: getField + args: + field: + value: + simple: Triage Incidents JOB + - operator: getField + args: + field: + value: + simple: fields + - operator: getField + args: + field: + value: + simple: TriageScoreThreshold window_hours: complex: root: lists accessor: SOCOptimizationConfig_V3 transformers: - - operator: getField - args: - field: - value: - simple: Triage Incidents JOB - - operator: getField - args: - field: - value: - simple: fields - - operator: getField - args: - field: - value: - simple: TriageWindowHours + - operator: getField + args: + field: + value: + simple: Triage Incidents JOB + - operator: getField + args: + field: + value: + simple: fields + - operator: getField + args: + field: + value: + simple: TriageWindowHours separatecontext: false continueonerror: true continueonerrortype: "" From 65dc11ec8fdef324dcee99f41c007a0fb9acc996 Mon Sep 17 00:00:00 2001 From: scottbrumley Date: Thu, 9 Apr 2026 20:39:19 -0400 Subject: [PATCH 2/4] =?UTF-8?q?fix:=20remove=20manual=5Fscore=20gate=20fro?= =?UTF-8?q?m=20auto=20triage=20=E2=80=94=20close=20on=20score=20+=20age=20?= =?UTF-8?q?only?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../Playbooks/JOB_-_Triage_Alerts_V3.yml | 2 +- .../SOCAutoTriageScoreFilter/SOCAutoTriageScoreFilter.py | 8 -------- 2 files changed, 1 insertion(+), 9 deletions(-) diff --git a/Packs/soc-optimization-unified/Playbooks/JOB_-_Triage_Alerts_V3.yml b/Packs/soc-optimization-unified/Playbooks/JOB_-_Triage_Alerts_V3.yml index c59e689b..d3ea15fc 100644 --- a/Packs/soc-optimization-unified/Playbooks/JOB_-_Triage_Alerts_V3.yml 
+++ b/Packs/soc-optimization-unified/Playbooks/JOB_-_Triage_Alerts_V3.yml @@ -73,7 +73,7 @@ tasks: - "12" scriptarguments: body: - simple: '{"request_data":{"filters":[{"field":"status","operator":"eq","value":"new"},{"field":"starred","operator":"eq","value":false}],"fields":["incident_id","aggregated_score","manual_score","creation_time","status","starred"],"sort":{"field":"creation_time","keyword":"asc"},"search_from":0,"search_to":100}}' + simple: '{"request_data":{"filters":[{"field":"status","operator":"eq","value":"new"},{"field":"starred","operator":"eq","value":false}],"fields":["incident_id","aggregated_score","creation_time","status","starred"],"sort":{"field":"creation_time","keyword":"asc"},"search_from":0,"search_to":100}}' extend-context: simple: Found=. uri: diff --git a/Packs/soc-optimization-unified/Scripts/SOCAutoTriageScoreFilter/SOCAutoTriageScoreFilter.py b/Packs/soc-optimization-unified/Scripts/SOCAutoTriageScoreFilter/SOCAutoTriageScoreFilter.py index d55c7278..31592c2a 100644 --- a/Packs/soc-optimization-unified/Scripts/SOCAutoTriageScoreFilter/SOCAutoTriageScoreFilter.py +++ b/Packs/soc-optimization-unified/Scripts/SOCAutoTriageScoreFilter/SOCAutoTriageScoreFilter.py @@ -64,14 +64,6 @@ def main(): }) continue - # Skip if analyst has manually set a score - if manual_score is not None: - skipped.append({ - 'incident_id': incident_id, - 'aggregated_score': aggregated_score, - 'reason': 'manual_score set — analyst touched this case' - }) - continue # Skip if score is above threshold or missing if aggregated_score is None or float(aggregated_score) > threshold: From c177d188c9f1dc6ea2ae1d5fbd53c4d9a15504db Mon Sep 17 00:00:00 2001 From: scottbrumley Date: Thu, 9 Apr 2026 20:49:10 -0400 Subject: [PATCH 3/4] fix: pass incident_id as integer in close API call --- Packs/soc-optimization-unified/Playbooks/SOC_Close_Cases.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
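Review bot: Dropping `manual_score` from the requested `fields` matches the script change, but the behavioural consequence is documented nowhere in the playbook: a case an analyst has already scored is now closed on score and age alone, and starring is the only remaining way to keep a case out of auto-close. That belongs in the task description, which this hunk does not touch (it was rewritten in PATCH 1/4): `Cases with an analyst-set manual_score are NOT exempt; star a case to exclude it from auto-close.` For the audit trail it would also help if the close call's `resolve_comment` in SOC_Close_Cases.yml named the score and age that triggered the closure, so an automated close can be reconstructed from the case itself.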
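Review bot: With the gate removed, `manual_score` — assigned above this hunk, outside it, and presumably read from each incident — looks like a dead local, especially since the API body no longer requests that field at all; drop the assignment, or the next reader will assume the gate still exists somewhere. The deletion also leaves two consecutive blank lines before `# Skip if score is above threshold or missing`. If the value is intentionally kept for reporting, record it on the `skipped` and closed entries rather than leaving it unused. main() starts and ends outside the hunk.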
diff --git a/Packs/soc-optimization-unified/Playbooks/SOC_Close_Cases.yml b/Packs/soc-optimization-unified/Playbooks/SOC_Close_Cases.yml index 725fb918..47f7169f 100644 --- a/Packs/soc-optimization-unified/Playbooks/SOC_Close_Cases.yml +++ b/Packs/soc-optimization-unified/Playbooks/SOC_Close_Cases.yml @@ -71,7 +71,7 @@ tasks: - "6" scriptarguments: body: - simple: '{"request_data":{"incident_id":"${inputs.incident_id}","update_data":{"status":"resolved_other","resolve_comment":"Resolved + simple: '{"request_data":{"incident_id":${inputs.incident_id},"update_data":{"status":"resolved_other","resolve_comment":"Resolved by the Auto Triage Job"}}}' uri: simple: /public_api/v1/incidents/update_incident From efb460369ea363d01f56ef5274737acfe506d4d9 Mon Sep 17 00:00:00 2001 From: scottbrumley Date: Thu, 9 Apr 2026 20:58:16 -0400 Subject: [PATCH 4/4] revert: incident_id must be string not integer in update_incident API --- Packs/soc-optimization-unified/Playbooks/SOC_Close_Cases.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Packs/soc-optimization-unified/Playbooks/SOC_Close_Cases.yml b/Packs/soc-optimization-unified/Playbooks/SOC_Close_Cases.yml index 47f7169f..725fb918 100644 --- a/Packs/soc-optimization-unified/Playbooks/SOC_Close_Cases.yml +++ b/Packs/soc-optimization-unified/Playbooks/SOC_Close_Cases.yml @@ -71,7 +71,7 @@ tasks: - "6" scriptarguments: body: - simple: '{"request_data":{"incident_id":${inputs.incident_id},"update_data":{"status":"resolved_other","resolve_comment":"Resolved + simple: '{"request_data":{"incident_id":"${inputs.incident_id}","update_data":{"status":"resolved_other","resolve_comment":"Resolved by the Auto Triage Job"}}}' uri: simple: /public_api/v1/incidents/update_incident
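Review bot: This hunk is reverted byte-for-byte by PATCH 4/4, so the pair should be squashed out of the series rather than landing as two commits. The useful part is the finding itself — `update_incident` rejects a numeric `incident_id` — and it currently survives only in a subject line; record it where the body is built, in the task's `description`: `incident_id must be sent as a JSON string; the update_incident API rejects an integer.` The task definition starts outside the hunk.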
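Review bot: The request body is a hand-built JSON string with `${inputs.incident_id}` spliced inside a quoted value, so an input containing `"` or `\` yields a malformed or altered body rather than a clean failure. The id normally arrives from the platform's own `get_incidents` result via the triage job, which limits the exposure, but this playbook's input can be supplied independently; document the expected format on `inputs.incident_id` (defined outside this hunk) and gate the close task behind a condition that the value is a plain numeric id, if the platform's condition operators allow it. The task definition starts outside the hunk.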