Create Incident With Conditions
LAST UPDATED: AUG 29, 2024
Escalates a newly ingested event to an incident, initializing both static and custom fields.
READER NOTE
This command is only applicable within an Event Playbook.
Implementation | System |
Command Category | System Utility |
Tags | N/A |
Inputs
Parameter Name | Required/Optional | Description | Sample Data |
---|---|---|---|
Incident Type | Required | The incident type. | Playbook - Phishing |
Title | Optional | The incident title. | Critical phishing incident |
Description | Optional | The incident description. | This is a phishing incident that requires investigation. |
Severity | Optional | The incident severity. | Low |
Playbook | Required | The incident playbook. | 123 |
Owner | Optional | The incident owner. | admin |
External Key | Optional | An external key is a unique key: outside of D3. Keep the field empty if you do not have one. | 20220111-1 |
Custom Fields | Optional | User defined custom fields. The field name must have the prefix "Custom" and use PascalCase format. If the name does not follow this rule, it will be converted. |
CODE
|
Search Conditions | Optional | Uses the search condition parameter to find the relevant incidents. The parameter takes a JSON object array. The OR logical operator is used to combine each object in the array. The AND logical operator is applied to each key value pair inside the objects. For example, (field1 = "a" AND field2 = "b") OR (field1 = "c" AND field2 = "d") can be written as [ { "field1": "a", "field2": "b" }, { "field1": "c", "field2": "d" } ]. Use "$in" or "$nin" (Not in) to find incidents with the field value that is equal or not equal to any value in an array: [ { "field": { "$nin": [ "a", "b", "c" ] } } ]. Use "$ne" (not equal) to find incidents that the value of the field is not equal to the specified value: [ { "field": { "$ne": "a" } } ]. Regular expressions can be used to specify the field value: [ { "field": { "$regex": "^value"} } ]. To search using a date field: [ { "field": {"$gt": { "$date": "2023-09-01T00:00:00Z"}, "$lt": { "$date": "2024-09-21T00:00:00Z"}} } ]. |
CODE
|
The number of relevant incidents to link | Optional | Determines the maximum number of oldest incidents that the event will link to. Default value is 1. | 1 |
Link to Relevant Incidents | Optional | Decides whether to link incidents when incidents matching the input conditions are found. Default value is True. | True |
Create a new Incident | Optional | Decides whether to create a new incident when none of the existing incidents match the provided input conditions. Default value is True. | True |