Close Incidents in Bulk
LAST UPDATED: SEPT 11, 2024
Closes incidents via their incident numbers.
Implementation | System |
Command Category | System Utility |
Tags | INCIDENT |
Inputs
Parameter Name | Required/Optional | Description | Sample Data |
|---|---|---|---|
Incident Numbers | Required | The array of incident numbers for the incidents that are to be closed. |
CODE
|
Bypass Required Pending Tasks | Required | Whether to proceed with closing the incidents, even if they still have pending tasks of Required task status. | Yes |
Bypass All Required Fields | Optional | Whether to proceed with closing the incidents, even if one or more of their required dynamic fields (Activity or Info Activity marked as Required on Close) have not received a value. | Yes |
Username | Required | The username of the user who is closing the incidents. This parameter will be used only when the task is automatically executed. | admin user |
Conclusion | Optional | The message to append to the Conclusion section of the incident. | The incident was closed in bulk. |
Output
Remote Command API
The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.
Request
POST
https:/{base_url}/{api_namespace}/api/Command/CloseIncidentInBulkHeaders
Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.
Request Body
{
"Username": <Username here>,
"Site": <Site here>,
"CommandParams": {
"Incident Numbers": <Incident Numbers here>,
"Bypass Required Pending Tasks": <Bypass Required Pending Tasks here>,
"Bypass All Required Fields": <Bypass All Required Fields here>,
"Username": <Username here>,
"Conclusion": <Conclusion here>
}
}Body Parameters
Parameter Name | Type | Required/Optional | Description |
|---|---|---|---|
Username |
| Required | The username of your D3 SOAR account. |
Site |
| Required | The D3 SOAR site to run the remote command. |
Incident Numbers |
| Required | The array of incident numbers for the incidents that are to be closed. |
Bypass Required Pending Tasks |
| Required | Whether to proceed with closing the incidents, even if they still have pending tasks of Required task status. |
Bypass All Required Fields |
| Optional | Whether to proceed with closing the incidents, even if one or more of their required dynamic fields (Activity or Info Activity marked as Required on Close) have not received a value. |
Username |
| Required | The username of the user who is closing the incidents. This parameter will be used only when the task is automatically executed. |
Conclusion |
| Optional | The message to append to the Conclusion section of the incident. |
Sample Request
SAMPLE DATA
{
"Username": "Admin",
"Site": "Security Operations",
"CommandParams": {
"Incident Numbers": [
"20210127-198",
"20210127-197"
],
"Bypass Required Pending Tasks": "Yes",
"Bypass All Required Fields": "Yes",
"Username": "admin user",
"Conclusion": "The incident was closed in bulk."
}
}Response
Response Fields
Field Name | Type | Description |
|---|---|---|
error |
| The error message if the API request has failed. |
returnData |
| The return data from the API request. |
contextData |
| The context data from the API request. |
Sample Response
{
"result": "<table class='cc-table'> <tr> <th>Incident Number</th> <th>Status</th> <th>Close Date</th> <th>Closed By</th> <th>Result</th> </tr> <tr> <td>20210127-198</td> <td>Closed</td> <td>Jan 27, 2021 06:08 AM PST</td> <td>admin user</td> <td>Successful</td> </tr> <tr> <td>20210127-197</td> <td>Closed</td> <td>Jan 27, 2021 06:08 AM PST</td> <td>admin user</td> <td>Successful</td> </tr> </table>"
"error": "",
"returnData": "Successful",
"contextData": [
{
"Incident Number": "20210127-198",
"Status": "Closed",
"Close Date": "01/27/2021 06:08 AM PST",
"Result": "Successful",
"Closed By": "admin user"
},
{
"Incident Number": "20210127-197",
"Status": "Closed",
"Close Date": "01/27/2021 06:08 AM PST",
"Result": "Successful",
"Closed By": "admin user"
}
]
}