Troubleshooting
Problem
Scripts cannot be run against incidents when testing them from the MSSP configuration organization.
Symptom
When testing scripts against an incident, the message "Incident not found - please try a different incident ID" might be returned.
Cause
With MSSP, all configuration is performed in the configuration organization before being pushed to the child organizations.
Incidents are created in a specific child organization and cannot be accessed from other organizations including the configuration organization. An exception to that rule with MSSP is the dashboard organization which is special in a way that it is allowed to view incidents from child organizations. This doesn't include the ability to run scripts against incidents it is allowed to view.
Environment
IBM Security SOAR MSSP.
Diagnosing The Problem
In this instance, a simple script is run from the configuration organization against incident 2108.
Incident 2108 was created in the organization "child1."
The same script can be run successfully from within a standard organization.
Resolving The Problem
MSSP clients tend to develop their scripts in a standard organization, that is one that is not an MSSP related organization. A standard organization allows you to create incidents as well as scripts in the same organization. That way scripts can access all incidents.
Once the script is working as expected in your standard organization, the script can be created in the MSSP configuration organization before being pushed down to all child organizations.
Document Location
Worldwide
[{"Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSA230","label":"IBM Security QRadar SOAR"},"ARM Category":[{"code":"a8m0z000000cwqYAAQ","label":"Resilient Core-\u003EMSSP"}],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions","Type":"MASTER"}]
Was this topic helpful?
Document Information
Modified date:
13 May 2024
UID
ibm17151113