Create Incident
The Create Incident command is available in the Event Playbook when a new event is ingested into the system. Its purpose is to escalate the event to a new incident and initialize the incident's fields, both static and custom fields.
Reader Note
Please note that this command is only applicable within an event Playbook.
Implementation | System |
Command Category | System Utility |
Tags | INCIDENT INCIDENTMANAGEMENT |
Inputs
Parameter Name | Required/Optional | Description | Sample Data |
---|---|---|---|
Incident Type | Required | Incident Type. |
|
Title | Optional | Incident Title. |
|
Description | Optional | Incident Description. |
|
Severity | Optional | Incident Severity. |
|
Playbook | Required | Incident Playbook. |
|
Owner | Optional | Incident Owner. |
|
External Key | Optional | An external key is a unique key: outside of D3. Keep the field empty if you do not have one. |
|
Custom Fields | Optional | User defined custom fields. The field name must have the prefix "Custom" and use PascalCase format. If the name does not follow this rule, it will be converted. |
CODE
|
Output
Remote Command API
The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.
Request
POST
https:/{base_url}/{api_namespace}/api/Command/CreateIncident
Headers
Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.
Request Body
{
"Username": "<Username here>",
"Site": "<Site here>",
"CommandParams": {
"Incident Type": "<Incident Type here>",
"Title": "<Title here>",
"Description": "<Description here>",
"Severity": "<Severity here>",
"Playbook": "<Playbook here>",
"Owner": "<Owner here>",
"External Key": "<External Key here>",
"Custom Fields": "<Custom Fields here>"
}
}
Body Parameters
Parameter Name | Type | Required/Optional | Description |
---|---|---|---|
Username |
| Required | The username of your D3 SOAR account. |
Site |
| Required | The D3 SOAR site to run the remote command. |
Incident Type |
| Required | Incident Type. |
Title |
| Optional | Incident Title. |
Description |
| Optional | Incident Description. |
Severity |
| Optional | Incident Severity. |
Playbook |
| Required | Incident Playbook. |
Owner |
| Optional | Incident Owner. |
External Key |
| Optional | An external key is a unique key: outside of D3. Keep the field empty if you do not have one. |
Custom Fields |
| Optional | User defined custom fields. The field name must have the prefix "Custom" and use PascalCase format. If the name does not follow this rule, it will be converted. |
Sample Request
SAMPLE DATA
{
"Username": "Admin",
"Site": "Security Operations",
"CommandParams": {
"Incident Type": "Playbook - Phishing",
"Title": "Critical phishing incident",
"Description": "This is a phishing incident that requires investigation.",
"Severity": "Low",
"Playbook": 123,
"Owner": "admin",
"External Key": "20220111-1",
"Custom Fields": {
"CustomField1": "data1",
"CustomField2": "data2",
"CustomField3": "data3"
}
}
}
Response
Response Fields
Field Name | Type | Description |
---|---|---|
error |
| The error message if the API request has failed. |
returnData |
| The return data from the API request. |
Sample Response
{
"error": "",
"returnData": "{
"Status": "Successful"
}"
}