Scripts
Resilient Scripts use Python code to change the incident details in response to conditions. Because they're written with code, they provide a lot of flexibility in the way that your incidents are managed. A basic understanding of Python will be useful when writing scripts. If you're just getting started, check out the official Python tutorial.
Scripts have access to the incident where they are running. They can't access data outside this context. To integrate with external data, use Functions and Custom Actions.
Scripts can be implemented in various components of the playbook. The objects that the script can access depend on where the script is executed.
Here are a few examples of when scripts are useful:
- A menu-item rule (executed only when a user selects an action) runs a script that performs a complex change, such as changing the incident type and assignments, as a result of the user’s action.
- An automatic rule identifies the conditions, such as the severity changing to High. As an example, say you want to automatically update the incident membership for all high-severity incidents. Write an automatic rule that executes when the severity changes to High. The rule runs a script that adds the CSIRT group to the Member list.
- An automatic rule is triggered when an incident is created from a particular source. The rule runs a script, which can parse the raw information received from the source, and extract artifacts and summary information.
- When the incident is created, an automatic rule triggers a workflow. The workflow adds a “Perform Initial Analysis” task with a timer watching for task completion. If the task is not completed within an hour, the workflow runs a script that flags the incident as overdue for triage, where it can then be aged or acted upon according to policy.
Developing Scripts
When creating a script, you must give it a name and assign an object type. You assign a script to one type of object, such as incident, note, milestone, task, attachment, artifact, email message or data table. The object type determines the context of the data that is provided to the script. A task script has access to the task object and its properties. An artifact script has access to the artifact object and its type, description, value and hits. The same applies to the other contexts.
In your script code, the incident object is always available. It provides access to the incident fields, and also has helper methods: addTask, addMilestone, addArtifact, addNote, and addRow, which adds a row in any data table.
In addition, there are operations available in the scripting engine: helper provides some utility functions; principal provides the properties of the user who is executing the script; groups can access group membership; and log allows you to add action status messages.
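The following sketch illustrates the earlier scenario in which an automatic rule runs a script that parses raw source information and extracts artifacts. It is an added example, not code from the product or its documentation. Assumptions: addArtifact takes (type, value, description), the artifact type names "IP Address" and "Malware MD5 Hash" exist on your platform, log exposes an info method, and the Stub classes are hypothetical stand-ins so the logic can run offline; how the raw text is read from the incident is left to the caller.

```python
import re

# Constructed sample of raw alert text, as a connector might deliver it.
SAMPLE_TEXT = (
    "Mail gateway alert: host 10.20.30.40 contacted; dropper MD5 "
    "0123456789ABCDEF0123456789abcdef; second contact 10.20.30.40 and 192.0.2.15"
)

OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4 = re.compile(r"\b(?:" + OCTET + r"\.){3}" + OCTET + r"\b")
MD5 = re.compile(r"\b[a-fA-F0-9]{32}\b")


def extract_artifacts(raw_text, incident, log):
    """Attach each unique IPv4 address and MD5 hash in raw_text as an artifact."""
    found = []
    # Type names are assumptions; match them to the artifact types you have defined.
    for artifact_type, pattern in (("IP Address", IPV4), ("Malware MD5 Hash", MD5)):
        for value in pattern.findall(raw_text or ""):
            item = (artifact_type, value.lower())  # normalise so duplicates collapse
            if item not in found:
                found.append(item)
    for artifact_type, value in found:
        # Assumed argument order: type, value, description.
        incident.addArtifact(artifact_type, value, "Extracted from alert text by script")
    log.info("Extracted %d artifacts" % len(found))
    return found


class StubIncident(object):
    """Hypothetical offline stand-in for the platform's incident object."""
    def __init__(self):
        self.artifacts = []

    def addArtifact(self, artifact_type, value, description):
        self.artifacts.append((artifact_type, value, description))


class StubLog(object):
    """Hypothetical offline stand-in for the scripting engine's log operation."""
    def __init__(self):
        self.messages = []

    def info(self, message):
        self.messages.append(message)


if __name__ == "__main__":
    demo_incident, demo_log = StubIncident(), StubLog()
    print(extract_artifacts(SAMPLE_TEXT, demo_incident, demo_log))
```

Inside the platform, only the function body is needed, because incident and log are supplied by the scripting engine.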