Scripts

Resilient Scripts use Python code to change the incident details in response to conditions. Because they’re written with code, they provide a lot of flexibility in the way that your incidents are managed. A basic understanding of Python will be useful when writing scripts. If you’re just getting started, check out the official Python tutorial.

Scripts have access to the incident where they are running. They can’t access data outside this context. To integrate with external data, use Functions and Custom Actions.

Scripts can be implemented in various components of the playbook. The objects that a script can access depend on where the script is executed:

  • Rule
  • Workflow
  • A function’s pre-process or post-process script. Functions are executed only within a workflow.
  • Conditions for inclusive and exclusive gateways within a workflow.

Here are a few examples of when scripts are useful:

  • A menu-item rule (executed only when a user selects an action) runs a script that performs a complex change, such as changing the incident type and assignments, as a direct result of the user’s action.
  • An automatic rule identifies the conditions, such as the severity changing to High. As an example, say you want to automatically update the incident membership for all high-severity incidents. Write an automatic rule that executes when the severity changes to High. The rule runs a script that adds the CSIRT group to the Member list.
  • An automatic rule is triggered when an incident is created from a particular source. The rule runs a script, which can parse the raw information received from the source, and extract artifacts and summary information.
  • When the incident is created, an automatic rule triggers a workflow. The workflow adds a “Perform Initial Analysis” task with a timer watching for task completion. If the task is not completed within an hour, the workflow runs a script that flags the incident as overdue for triage, where it can then be aged or acted upon according to policy.

Developing Scripts

When creating a script, you must give it a name and assign an object type. You assign a script to one type of object, such as incident, note, milestone, task, attachment, artifact, email message or data table. The object type determines the context of the data that is provided to the script. A task script has access to the task object and its properties. An artifact script has access to the artifact object and its type, description, value and hits. The same applies to the other contexts.

In your script code, the incident object is always available. It provides access to the incident fields, and also has helper methods: addTask, addMilestone, addArtifact, addNote, and addRow, which adds a row to any data table.

Finally there are some global objects: helper with some utility functions; principal with properties of the user who is executing the script; groups to access group membership; and log to add action status messages.

Working with Data in Scripts

Resilient fields include:

  • Text, numeric, boolean, date and time
  • Textarea, including HTML rich text
  • Select and multi-select choices

Scripts for Metrics and Reporting

One important use of scripts is to calculate and store values for record-keeping, display and reporting. Use custom scripts to record specific timestamps and durations, or to calculate severity based on the impacted users, machines or data.

Scripts for Orchestration

Use Resilient scripts to coordinate the way your teams work together, and adjust the response plan as an incident evolves. Use scripts to automatically reassign incidents and tasks, add custom tasks with instructions derived from artifacts, create milestones for key events, automatically add work-notes, and work with other incident data.

Scripts for Validation

Scripts can be used to fail validation: by raising an error, they prevent the current action.

You can use this to set complex conditions on a field’s value, for example to conform to a particular numbering scheme or data format. Another use is to ensure that multiple fields relate to each other: if one field is blank, another must be filled. Or use a task script to prevent a task from being closed unless required data has been entered in the task.
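As an added example (not taken from the Resilient documentation or product), here is the body of a validation script that enforces both kinds of rule described above: a numbering scheme on one field, and a dependency between two fields. The custom fields `case_reference`, `data_compromised` and `records_affected`, the `CASE-YYYY-NNNN` format, and the stand-in `incident` and `helper` objects are assumptions made so the code runs offline; in a real script the runtime supplies those objects, and `helper.fail()` is assumed to be the call that raises the error.

```python
import re
from types import SimpleNamespace

# Constructed numbering scheme used only for this example.
CASE_REF = re.compile(r"^CASE-\d{4}-\d{4}$")


def make_incident(**fields):
    """Stand-in for the runtime `incident` object: custom fields are read from
    `incident.properties` (assumed field names, not Resilient built-ins)."""
    return SimpleNamespace(properties=SimpleNamespace(**fields))


def validation_problems(incident):
    """Return the list of rule violations for this incident (empty when valid)."""
    props = incident.properties
    problems = []
    # Rule 1: a field must conform to a particular numbering scheme.
    ref = getattr(props, "case_reference", None)
    if not ref or not CASE_REF.match(ref):
        problems.append("case_reference must match CASE-YYYY-NNNN")
    # Rule 2: fields must relate to each other: a confirmed data compromise
    # requires the affected-record count to be filled in.
    if getattr(props, "data_compromised", False) and not getattr(props, "records_affected", None):
        problems.append("records_affected is required when data_compromised is set")
    return problems


class StubHelper:
    """Stand-in for the `helper` global; `fail` is assumed to raise an error,
    which is what stops the current action in a real Resilient script."""
    def fail(self, message):
        raise ValueError(message)


def run_validation_script(incident, helper):
    """Validation script body: fail via helper.fail when any rule is broken."""
    problems = validation_problems(incident)
    if problems:
        helper.fail("Validation failed: " + "; ".join(problems))
    return True


if __name__ == "__main__":
    ok = make_incident(case_reference="CASE-2024-0017", data_compromised=True, records_affected=1200)
    print(run_validation_script(ok, StubHelper()))  # True
    bad = make_incident(case_reference="ticket-17", data_compromised=True, records_affected=None)
    print(validation_problems(bad))  # list with two messages
```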