Create Incident With Conditions
The Create Incident command is available in the Event Playbook when a new event is ingested into the system. Its purpose is to escalate the event to a new incident and initialize the incident's fields, both static and custom fields.
Reader Note: this command is only applicable within an event Playbook.

| Property | Value |
|---|---|
| Implementation | System |
| Command Category | System Utility |
| Tags | N/A |
Inputs

| Parameter Name | Required/Optional | Description | Sample Data |
|---|---|---|---|
| Incident Type | Required | Incident Type | |
| Title | Optional | Incident Title | |
| Description | Optional | Incident Description | |
| Severity | Optional | Incident Severity | |
| Playbook | Required | Incident Playbook | |
| Owner | Optional | Incident Owner | |
| External Key | Optional | An external key is a unique key from outside of D3. Leave the field empty if you do not have one. | |
| Custom Fields | Optional | User-defined custom fields. Each field name must have the prefix "Custom" and use PascalCase format; a name that does not follow this rule will be converted. | |
| Search Conditions | Optional | The search conditions used to find relevant existing incidents. The parameter takes a JSON array of objects: the objects in the array are combined with the OR operator, and the key/value pairs inside each object are combined with the AND operator. For example, (field1 = "a" AND field2 = "b") OR (field1 = "c" AND field2 = "d") is written as `[ { "field1": "a", "field2": "b" }, { "field1": "c", "field2": "d" } ]`. Use `$in` or `$nin` (not in) to match incidents whose field value is equal, or not equal, to any value in an array: `[ { "field": { "$nin": [ "a", "b", "c" ] } } ]`. Use `$ne` (not equal) to match incidents whose field value differs from the specified value: `[ { "field": { "$ne": "a" } } ]`. A regular expression can be used to specify the field value: `[ { "field": { "$regex": "^value" } } ]`. To search on a date field: `[ { "field": { "$gt": { "$date": "2023-09-01T00:00:00Z" }, "$lt": { "$date": "2024-09-21T00:00:00Z" } } } ]`. | |
| The number of relevant incidents to link | Optional | The maximum number of matching incidents, oldest first, that the event will be linked to. Default value is 1. | |
| Link to Relevant Incidents | Optional | Whether to link the event to existing incidents when incidents matching the search conditions are found. Default value is True. | |
| Create a new Incident | Optional | Whether to create a new incident when no existing incident matches the search conditions. Default value is True. | |
Output
Remote Command API
The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.
Request
POST
https://{base_url}/{api_namespace}/api/Command/CreateIncidentWithConditions
Headers
Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.
Request Body

```
{
  "Username": <Username here>,
  "Site": <Site here>,
  "CommandParams": {
    "Incident Type": <Incident Type here>,
    "Title": <Title here>,
    "Description": <Description here>,
    "Severity": <Severity here>,
    "Playbook": <Playbook here>,
    "Owner": <Owner here>,
    "External Key": <External Key here>,
    "Custom Fields": <Custom Fields here>,
    "Search Conditions": <Search Conditions here>,
    "The number of relevant incidents to link": <The number of relevant incidents to link here>,
    "Link to Relevant Incidents": <Whether to Link to Relevant Incidents>,
    "Create a new Incident": <Whether to Create a new Incident>
  }
}
```
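The request above, assembled in Python as an added example that is not part of D3's documentation or SDK. The function and parameter names are mine; the authentication headers are left to the caller because this page defers them to the Webhook Configuration Guide, the check on custom-field names is my reading of the "Custom" prefix plus PascalCase rule stated in the parameter table, and the two boolean flags are sent as the strings "True"/"False" exactly as the sample request below does.

```python
"""Build and interpret a Create Incident With Conditions API call (illustrative)."""
import json
import re
import urllib.request

COMMAND_PATH = "api/Command/CreateIncidentWithConditions"
# "Custom" prefix followed by a PascalCase name: my reading of the naming rule on this page.
CUSTOM_FIELD_RE = re.compile(r"^Custom[A-Z][A-Za-z0-9]*$")


def command_url(base_url, api_namespace):
    """Assemble https://{base_url}/{api_namespace}/api/Command/... from its parts."""
    return f"https://{base_url.strip('/')}/{api_namespace.strip('/')}/{COMMAND_PATH}"


def nonconforming_custom_fields(custom_fields):
    """Return the custom field names the page says would be converted server-side."""
    return [name for name in custom_fields if not CUSTOM_FIELD_RE.match(name)]


def build_request(username, site, incident_type, playbook, *, title=None, description=None,
                  severity=None, owner=None, external_key=None, custom_fields=None,
                  search_conditions=None, max_links=1, link=True, create_new=True):
    """Return the request body as a dict; optional parameters are omitted when not given."""
    if search_conditions is not None and not (
        isinstance(search_conditions, list) and all(isinstance(c, dict) for c in search_conditions)
    ):
        raise ValueError("Search Conditions must be a JSON array of objects")
    params = {"Incident Type": incident_type, "Playbook": playbook}
    for key, value in (("Title", title), ("Description", description), ("Severity", severity),
                       ("Owner", owner), ("External Key", external_key),
                       ("Custom Fields", custom_fields), ("Search Conditions", search_conditions)):
        if value is not None:
            params[key] = value
    params["The number of relevant incidents to link"] = max_links
    # The sample request on this page sends the two flags as the strings "True"/"False".
    params["Link to Relevant Incidents"] = "True" if link else "False"
    params["Create a new Incident"] = "True" if create_new else "False"
    return {"Username": username, "Site": site, "CommandParams": params}


def parse_response(response):
    """Raise when "error" is non-empty, otherwise hand back returnData."""
    if response.get("error"):
        raise RuntimeError(f"D3 command failed: {response['error']}")
    return response.get("returnData")


def send_command(url, body, auth_headers, timeout=30):
    """POST the body; auth_headers are whatever the Webhook Configuration Guide prescribes."""
    data = json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers={"Content-Type": "application/json", **auth_headers})
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # network call, not used offline
        return parse_response(json.load(resp))


if __name__ == "__main__":
    body = build_request("Admin", "Security Operations", "Playbook - Phishing", 123,
                         custom_fields={"CustomField1": "data1", "field2": "data2"},
                         search_conditions=[{"Type": "Suspicious Network Activity"}])
    print(nonconforming_custom_fields(body["CommandParams"]["Custom Fields"]))  # ['field2']
    print(json.dumps(body, indent=2))
```

Running `nonconforming_custom_fields` before sending lets a playbook author see which names the server will rename instead of discovering the renamed field later when a downstream step cannot find it.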
Body Parameters

| Parameter Name | Type | Required/Optional | Description |
|---|---|---|---|
| Username | | Required | The username of your D3 SOAR account. |
| Site | | Required | The D3 SOAR site to run the remote command. |
| Incident Type | | Required | Incident Type |
| Title | | Optional | Incident Title |
| Description | | Optional | Incident Description |
| Severity | | Optional | Incident Severity |
| Playbook | | Required | Incident Playbook |
| Owner | | Optional | Incident Owner |
| External Key | | Optional | An external key is a unique key from outside of D3. Leave the field empty if you do not have one. |
| Custom Fields | | Optional | User-defined custom fields. Each field name must have the prefix "Custom" and use PascalCase format; a name that does not follow this rule will be converted. |
| Search Conditions | | Optional | The search conditions used to find relevant existing incidents. The parameter takes a JSON array of objects: the objects in the array are combined with the OR operator, and the key/value pairs inside each object are combined with the AND operator. For example, (field1 = "a" AND field2 = "b") OR (field1 = "c" AND field2 = "d") is written as `[ { "field1": "a", "field2": "b" }, { "field1": "c", "field2": "d" } ]`. Use `$in` or `$nin` (not in) to match incidents whose field value is equal, or not equal, to any value in an array: `[ { "field": { "$nin": [ "a", "b", "c" ] } } ]`. Use `$ne` (not equal) to match incidents whose field value differs from the specified value: `[ { "field": { "$ne": "a" } } ]`. A regular expression can be used to specify the field value: `[ { "field": { "$regex": "^value" } } ]`. To search on a date field: `[ { "field": { "$gt": { "$date": "2023-09-01T00:00:00Z" }, "$lt": { "$date": "2024-09-21T00:00:00Z" } } } ]`. |
| The number of relevant incidents to link | | Optional | The maximum number of matching incidents, oldest first, that the event will be linked to. Default value is 1. |
| Link to Relevant Incidents | | Optional | Whether to link the event to existing incidents when incidents matching the search conditions are found. Default value is True. |
| Create a new Incident | | Optional | Whether to create a new incident when no existing incident matches the search conditions. Default value is True. |
Sample Request
```json
{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Incident Type": "Playbook - Phishing",
    "Title": "Critical phishing incident",
    "Description": "This is a phishing incident that requires investigation.",
    "Severity": "Low",
    "Playbook": 123,
    "Owner": "admin",
    "External Key": "20220111-1",
    "Custom Fields": {
      "CustomField1": "data1",
      "CustomField2": "data2",
      "CustomField3": "data3"
    },
    "Search Conditions": [
      {
        "Number": "20230413-123",
        "Type": "Suspicious Network Activity",
        "Status": {
          "$nin": ["Open", "Closed", "In Progress", "On Hold"]
        },
        "Stage": { "$ne": "Sample Stage" },
        "IncidentSource": "Sample Incident Source",
        "IngestionType": {
          "$in": ["Unknown", "Schedule Job", "Webhook", "File", "Command", "Automation Rule", "Manual Creation", "Manual Escalation"]
        },
        "Category": "Incident Category",
        "ExternalKey": "Sample External Key",
        "CustomField1": "Sample Custom Field 1",
        "CustomField2": "Sample Custom Field 2",
        "Title": { "$regex": "^Incident Title" },
        "Severity": { "$in": ["Critical", "High"] },
        "CreatedUtcTime": {
          "$gt": { "$date": "2023-09-01T00:00:00Z" },
          "$lt": { "$date": "2023-09-21T00:00:00Z" }
        }
      },
      {
        "Number": "20230413-124",
        "Type": "Suspicious Network Activity A",
        "Status": {
          "$nin": ["Open", "Closed", "In Progress", "On Hold"]
        },
        "Stage": { "$ne": "Sample Stage" },
        "IncidentSource": "Sample Incident Source",
        "IngestionType": {
          "$in": ["Unknown", "Schedule Job", "Webhook", "File", "Command", "Automation Rule", "Manual Creation", "Manual Escalation"]
        },
        "Category": "Incident Category",
        "ExternalKey": "Sample External Key",
        "CustomField1": "Sample Custom Field 1",
        "CustomField2": "Sample Custom Field 2",
        "Title": { "$regex": "^Incident Title" },
        "Severity": { "$in": ["Critical", "High"] },
        "CreatedUtcTime": {
          "$gt": { "$date": "2023-09-01T00:00:00Z" },
          "$lt": { "$date": "2023-09-21T00:00:00Z" }
        }
      }
    ],
    "The number of relevant incidents to link": 1,
    "Link to Relevant Incidents": "True",
    "Create a new Incident": "True"
  }
}
```
Response
Response Fields

| Field Name | Type | Description |
|---|---|---|
| error | | The error message if the API request has failed. |
| returnData | | The return data from the API request. |

Sample Response

```json
{
  "error": "",
  "returnData": {
    "Status": "Successful"
  }
}
```