.png)
Create Incident
LAST UPDATED: SEPT 19, 2024
Escalates a newly ingested event to an incident, initializing both static and custom fields.
READER NOTE
This command takes effect in the Event Playbook when a new event is ingested into the system.
The output for this command does not currently indicate whether an incident was successfully found or linked. The Return Data solely confirms the validity of the input parameters.
To verify whether a relevant incident has been linked, and to determine whether a new or existing incident was used in the linking process, locate the event in the "All Escalated" section under the "Events" accordion within the investigative dashboard, and check the creation time of the incident.
Implementation | System |
Command Category | System Utility |
Tags | INCIDENT INCIDENT ESCALATION EVENT PLAYBOOK |
Inputs
Parameter Name | Required/Optional | Description | Sample Data |
|---|---|---|---|
Incident Type | Required | The incident type. | Playbook - Phishing |
Title | Optional | The incident title. | Critical phishing incident |
Description | Optional | The incident description. | This is a phishing incident that requires investigation. |
Severity | Optional | The incident severity. | Low |
Playbook | Required | The incident playbook. | 123 |
Owner | Optional | The incident owner. | admin |
External Key | Optional | An external key is a unique key: outside of D3. Keep the field empty if you do not have one. | 20220111-1 |
Custom Fields | Optional | User defined custom fields. The field name must have the prefix "Custom" and use PascalCase format. If the name does not follow this rule, it will be converted. |
CODE
|
Event Id | Optional | The ID corresponding to an event used for incident escalation. If this ID is not provided, the runtime event will be used instead. A new incident will not be created if the specified event has already been escalated to an incident of the same type. | 11160030 |