Create An Incident | docs.d3security

POST /Command/CreateAnIncident

Creates a new incident with the provided fields.

Request

Authentication: API keys or JSON web tokens (JWT)

Body Parameters

Parameter Name	Type	Required/Optional	Description
Username	`string`	Required	The username of your D3 SOAR account.
Site	`string`	Required	The D3 SOAR site to run the remote command.
IncidentType	`string`	Required	Specifies the type of the incident. Refer to incident form in VSOC to check the valid incident types.
Title	`string`	Optional	Specifies the title of the incident
Description	`string`	Optional	Specifies the description of the incident
Severity	`string`	Optional	Specifies the severity of the incident. The valid options are “Critical“, “High“, “Medium“, “Low“, “Informational“
Playbook	`string`	Optional	Specifies the incident playbook that will executed after incident creation. Refer to incident playbook in VSOC to check the valid playbook names.
Owner	`string`	Optional	Specifies the incident owner; the value must be the user’s username. Refer to users in VSOC to check the valid username. The default value is “System“
TimeZone	`string`	Optional	Specifies the Time Zone of the incident. The default value is “(UTC+00:00) Coordinated Universal Time“
DueDate	`string`	Optional	Specifies the due datetime of the incident. Note: the due date cannot before current datetime.
RawData	`JSON Object`	Optional	Specifies the addition fields in rawdata that needs to be included in the incident.

READER NOTE

For Date/Time parameters Start Time and End Time, all times and timestamps must follow the format: yyyy-mm-dd hh:mm:ss.

e.g. May 15, 2024, 2:32 PM should be written as 2024-05-15 14:32:00.

READER NOTE

The “TimeZone” input parameter format is (GMT±hh:mm) Time Zone Name, where GMT stands for Greenwich Mean Time, ± indicates the offset direction (ahead + or behind - GMT), and hh:mm represents the hours and minutes of the offset. For example, (GMT-12:00) International Date Line West.

Body Sample Data

application/json

JSON

{
    "Username": "Admin",
    "Site": "Security Operations",
    "CommandParams": {
        "Incident Type": "Playbook - Phishing",
        "Title": "Critical phishing incident",
        "Description": "This is a phishing incident that requires investigation.",
        "Severity": "Low",
        "Playbook": "Phishing Playbook",
        "Owner": "admin",
        "Time Zone": "(GMT-05:00) Eastern Standard Time",
        "Due Date": "2024-08-31 00:00:00",
        "Raw Data": {
            "threatId": "184712ab-6d8b-47b3-89d3-a314efef79e2",
            "messages": [
                {
                    "messageId": 4551618356913732000
                }
            ]
        }
    }
}

Response

200 OK

application/json

Response Fields

Field Name	Type	Description
error	`string`	The error message if the command execution failed.
returnData	`JSON Object`	The return data from the API request.

Sample Data

JSON

{
  "error": "",
  "returnData": {
    "Status": "Successful",
    "Data": {
      "IncidentId": "1",
      "IncidentNumber": "20241145-1"
    }
  }
}

400 BadRequest

application/json

Response Fields

Field Name	Type	Description
Error	`string`	A error message when the API request fails.

Sample Data

JSON

{"Error": "The body of the request must be a valid JSON object"}

401 Unauthorized

application/json

Response Fields

Field Name	Type	Description
Error	`string`	A error message when the API request fails.

Sample Data

JSON

{"Error": "Invalid authentication key."}

429 TooManyRequests

application/json

Response Fields

Field Name	Type	Description
Error	`string`	A error message when the API request fails.

Sample Data

JSON

{"Error": "The request exceeds rate limits or is otherwise blocked by rate limiting policies."}

500 InternalServerError

application/json

Response Fields

Field Name	Type	Description
Error	`string`	A error message when the API request fails.

Sample Data

JSON

{"Error": "Unexpected Error."}