Create Incident

The Create Incident command is available in the Event Playbook when a new event is ingested into the system. Its purpose is to escalate the event to a new incident and initialize the incident's fields, both static and custom fields.

Reader Note

Please note that this command is only applicable within an event Playbook.

Implementation	System
Command Category	System Utility
Tags	INCIDENT INCIDENTMANAGEMENT

Inputs

Parameter Name	Required/Optional	Description	Sample Data
Incident Type	Required	Incident Type.	`Playbook - Phishing`
Title	Optional	Incident Title.	`Critical phishing incident`
Description	Optional	Incident Description.	`This is a phishing incident that requires investigation.`
Severity	Optional	Incident Severity.	`Low`
Playbook	Required	Incident Playbook.	`123`
Owner	Optional	Incident Owner.	`admin`
External Key	Optional	An external key is a unique key: outside of D3. Keep the field empty if you do not have one.	`20220111-1`
Custom Fields	Optional	User defined custom fields. The field name must have the prefix "Custom" and use PascalCase format. If the name does not follow this rule, it will be converted.	CODE `{ "CustomField1": "data1", "CustomField2": "data2", "CustomField3": "data3" }`

Output

Return Data

The returned result of this command. If some required parameters are not defined, this returned data could be empty. The returned result can be passed down directly to a subsequent command in playbooks.

SAMPLE DATA

JSON

{
    "Status": "Successful"
}

Remote Command API

The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.

Request

POST

CODE

https:/{base_url}/{api_namespace}/api/Command/CreateIncident

Headers

Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.

Request Body

JSON

{
  "Username": "<Username here>",
  "Site": "<Site here>",
  "CommandParams": {
    "Incident Type": "<Incident Type here>",
    "Title": "<Title here>",
    "Description": "<Description here>",
    "Severity": "<Severity here>",
    "Playbook": "<Playbook here>",
    "Owner": "<Owner here>",
    "External Key": "<External Key here>",
    "Custom Fields": "<Custom Fields here>"
  }
}

Body Parameters

Parameter Name	Type	Required/Optional	Description
Username	`String`	Required	The username of your D3 SOAR account.
Site	`String`	Required	The D3 SOAR site to run the remote command.
Incident Type	`Number`	Required	Incident Type.
Title	`Text`	Optional	Incident Title.
Description	`Text`	Optional	Incident Description.
Severity	`Number`	Optional	Incident Severity.
Playbook	`Number`	Required	Incident Playbook.
Owner	`Number`	Optional	Incident Owner.
External Key	`Text`	Optional	An external key is a unique key: outside of D3. Keep the field empty if you do not have one.
Custom Fields	`JSON Object`	Optional	User defined custom fields. The field name must have the prefix "Custom" and use PascalCase format. If the name does not follow this rule, it will be converted.

Sample Request

SAMPLE DATA

JSON

{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Incident Type": "Playbook - Phishing",
    "Title": "Critical phishing incident",
    "Description": "This is a phishing incident that requires investigation.",
    "Severity": "Low",
    "Playbook": 123,
    "Owner": "admin",
    "External Key": "20220111-1",
    "Custom Fields": {
      "CustomField1": "data1",
      "CustomField2": "data2",
      "CustomField3": "data3"
    }
  }
}

Response

Response Fields

Field Name	Type	Description
error	`String`	The error message if the API request has failed.
returnData	`JSON Object`	The return data from the API request.

Sample Response

JSON

{
    "error": "",
    "returnData": "{
    "Status": "Successful"
    }"
}