
Create Incident With Conditions

LAST UPDATED: NOV 5, 2024

Escalates a newly ingested event to incidents, initializing both static and custom fields.

READER NOTE

  • This command takes effect in the Event Playbook when a new event is ingested into the system.

  • The output for this command does not currently indicate whether an incident was successfully found or linked. The Return Data solely confirms the validity of the input parameters.

    • To verify whether a relevant incident has been linked, and to determine whether a new or existing incident was used in the linking process, locate the event in the "All Escalated" section under the "Events" accordion within the investigative dashboard, and check the creation time of the incident.

Implementation

System

Command Category

System Utility

Tags

INCIDENT, INCIDENT ESCALATION, EVENT PLAYBOOK

Inputs

Each entry below gives the parameter name, whether it is required or optional, its description, and sample data.

Incident Type (Required)
The incident type.
Sample Data: Playbook - Phishing

Title (Optional)
The incident title.
Sample Data: Critical phishing incident

Description (Optional)
The incident description.
Sample Data: This is a phishing incident that requires investigation.

Severity (Optional)
The incident severity. The options are:

  • Critical

  • High

  • Medium

  • Low

  • Informational

Sample Data: Low

Playbook (Required)
The incident playbook.
Sample Data: 123

Owner (Optional)
The incident owner.
Sample Data: admin

External Key (Optional)
A unique value assigned to the ExternalKey incident attribute for new incidents created by this command. Keep the field empty if you do not have a value.
Sample Data: 20220111-1

Custom Fields (Optional)
User-defined custom fields must have names that start with the prefix "Custom" and adhere to the PascalCase format. Names not conforming to this standard will be automatically converted.
Sample Data:
JSON
{
  "CustomField1": "data1",
  "CustomField2": "data2",
  "CustomField3": "data3"
}

Search Conditions (Optional)
Identifies relevant incidents based on the criteria specified within the array of JSON objects.

Query criteria can be defined using the following methods:

  1. Equal
    EXAMPLE An incident whose number is equal to 20230413-123.

    JSON
    {
      "Number": "20230413-123"
    }
  2. Not equal
    EXAMPLE Incidents whose Stage is not equal to Sample Stage.

    JSON
    {
      "Stage": { "$ne": "Sample Stage" }
    }
  3. Attribute matching any of the array values
    EXAMPLE Incidents where the IngestionType is one of the following: Schedule Job, Webhook, Command, or Automation Rule.

    JSON
    {
      "IngestionType": {
        "$in": [
          "Schedule Job",
          "Webhook",
          "Command",
          "Automation Rule"
        ]
      }
    }
  4. Attribute not matching any of the array values
    EXAMPLE Incidents with a Status that is not equal to Closed, In Progress, or On Hold.

    JSON
    {
      "Status": {
        "$nin": [
          "Closed",
          "In Progress",
          "On Hold"
        ]
      }
    }
  5. Regular expressions
    EXAMPLE Incidents where the Title starts with Incident Title.

    JSON
    {
      "Title": {
        "$regex": "^Incident Title"
      }
    }
  6. Date field
    EXAMPLE Incidents created between 2023-09-01T00:00:00Z and 2023-09-21T00:00:00Z

    JSON
    {
      "CreatedUtcTime": {
        "$gt": {
          "$date": "2023-09-01T00:00:00Z"
        },
        "$lt": {
          "$date": "2023-09-21T00:00:00Z"
        }
      }
    }
  7. AND logic
    EXAMPLE Incidents where the IncidentSource is Sample Incident Source and the Type is Suspicious Network Activity.

    JSON
    {
      "IncidentSource": "Sample Incident Source",
      "Type": "Suspicious Network Activity"
    }
  8. OR logic
    EXAMPLE An incident where the Number is 20230413-123 and the Type is Suspicious Network Activity A, or an incident where the Number is 20230413-124 and the Type is Suspicious Network Activity B.

    JSON
    [
      {
        "Number": "20230413-123",
        "Type": "Suspicious Network Activity A"
      },
      {
        "Number": "20230413-124",
        "Type": "Suspicious Network Activity B"
      }
    ]

Sample Data:
JSON
[
  {
    "Number": "20230413-123",
    "Type": "Suspicious Network Activity",
    "Status": {
      "$nin": [
        "Open",
        "Closed",
        "In Progress",
        "On Hold"
      ]
    },
    "Stage": {
      "$ne": "Sample Stage"
    },
    "IncidentSource": "Sample Incident Source",
    "IngestionType": {
      "$in": [
        "Unknown",
        "Schedule Job",
        "Webhook",
        "File",
        "Command",
        "Automation Rule",
        "Manual Creation",
        "Manual Escalation"
      ]
    },
    "Category": "Incident Category",
    "ExternalKey": "Sample External Key",
    "CustomField1": "Sample Custom Field 1",
    "CustomField2": "Sample Custom Field 2",
    "Title": {
      "$regex": "^Incident Title"
    },
    "Severity": {
      "$in": [
        "Critical",
        "High"
      ]
    },
    "CreatedUtcTime": {
      "$gt": {
        "$date": "2023-09-01T00:00:00Z"
      },
      "$lt": {
        "$date": "2023-09-21T00:00:00Z"
      }
    }
  },
  {
    "Number": "20230413-124",
    "Type": "Suspicious Network Activity A",
    "Status": {
      "$nin": [
        "Open",
        "Closed",
        "In Progress",
        "On Hold"
      ]
    },
    "Stage": {
      "$ne": "Sample Stage"
    },
    "IncidentSource": "Sample Incident Source",
    "IngestionType": {
      "$in": [
        "Unknown",
        "Schedule Job",
        "Webhook",
        "File",
        "Command",
        "Automation Rule",
        "Manual Creation",
        "Manual Escalation"
      ]
    },
    "Category": "Incident Category",
    "ExternalKey": "Sample External Key",
    "CustomField1": "Sample Custom Field 1",
    "CustomField2": "Sample Custom Field 2",
    "Title": {
      "$regex": "^Incident Title"
    },
    "Severity": {
      "$in": [
        "Critical",
        "High"
      ]
    },
    "CreatedUtcTime": {
      "$gt": {
        "$date": "2023-09-01T00:00:00Z"
      },
      "$lt": {
        "$date": "2023-09-21T00:00:00Z"
      }
    }
  }
]

The number of relevant incidents to link (Optional)
The maximum number of the oldest matching incidents to which the event can be linked. The default value is 1.
Sample Data: 1

Link to Relevant Incidents (Optional)
Whether to link the current event to incidents that match the input conditions. The default value is True.
Sample Data: True

Create a new Incident (Optional)
Whether a new incident should be created if no existing incident meets the specified input conditions. The default value is True.
Sample Data: True

Event ID (Optional)
The ID of the event to use for incident escalation. If no ID is provided, the runtime event is used instead. A new incident is not created if the specified event has already been escalated to an incident of the same type.
Sample Data: 11160030
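To make the Search Conditions syntax and the linking parameters above concrete, here is an added, offline evaluator written for this page; it is not D3's code and does not call the platform. It assumes that the operators ($ne, $in, $nin, $regex, $gt/$lt with a {"$date": ...} operand) carry the MongoDB-style meaning the syntax suggests, that keys inside one object are ANDed and objects in the array are ORed, that matches are ordered oldest-first before the number-to-link cap is applied, and that the command links when matches exist and otherwise creates a new incident unless the event already has one of the same type. The incident records and condition set are constructed sample data; the `check_custom_fields` helper only flags names that break the "Custom" + PascalCase rule, since the page does not state how non-conforming names are converted.

```python
# Added example for the Create Incident With Conditions page; not D3's
# implementation. Operator semantics and decision ordering are assumptions
# (see lead-in); all incident data below is constructed.
import re
from datetime import datetime

# Page rule: custom field names start with "Custom" and are PascalCase.
CUSTOM_NAME = re.compile(r"^Custom[A-Z][A-Za-z0-9]*$")


def parse_date(text):
    """Parse an ISO-8601 timestamp such as 2023-09-01T00:00:00Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def _prepare(actual, arg):
    """Unwrap a {"$date": ...} operand and parse the incident value to match it."""
    if isinstance(arg, dict) and "$date" in arg:
        arg = parse_date(arg["$date"])
        if isinstance(actual, str):
            actual = parse_date(actual)
    return actual, arg


def field_matches(actual, cond):
    """Evaluate one field condition: a literal (equality) or an operator object."""
    if not isinstance(cond, dict):
        return actual == cond
    for op, raw in cond.items():
        value, arg = _prepare(actual, raw)
        if op == "$ne":
            ok = value != arg
        elif op == "$in":
            ok = value in arg
        elif op == "$nin":
            ok = value not in arg
        elif op == "$regex":
            ok = isinstance(value, str) and re.search(arg, value) is not None
        elif op == "$gt":  # a missing field never satisfies a range check
            ok = value is not None and value > arg
        elif op == "$lt":
            ok = value is not None and value < arg
        else:
            raise ValueError(f"unsupported operator: {op}")
        if not ok:
            return False
    return True


def clause_matches(incident, clause):
    """Every key in one JSON object must match (AND logic)."""
    return all(field_matches(incident.get(k), v) for k, v in clause.items())


def find_relevant(incidents, conditions, limit=1):
    """Return up to `limit` of the oldest incidents matching any clause (OR logic)."""
    clauses = conditions if isinstance(conditions, list) else [conditions]
    hits = [i for i in incidents if any(clause_matches(i, c) for c in clauses)]
    hits.sort(key=lambda i: parse_date(i["CreatedUtcTime"]))
    return hits[:limit]


def check_custom_fields(fields):
    """Split custom fields into conforming names and names the platform would rename."""
    ok = {k: v for k, v in fields.items() if CUSTOM_NAME.match(k)}
    return ok, [k for k in fields if k not in ok]


def escalate(incidents, conditions, incident_type, already_escalated_types=(),
             limit=1, link=True, create_new=True):
    """Assumed decision: ('link', numbers), ('create', []) or ('none', [])."""
    relevant = find_relevant(incidents, conditions, limit) if link else []
    if relevant:
        return "link", [i["Number"] for i in relevant]
    # Event ID rule from the page: no new incident if one of this type exists.
    if create_new and incident_type not in already_escalated_types:
        return "create", []
    return "none", []


# Constructed sample incidents (not real data).
SAMPLE_INCIDENTS = [
    {"Number": "20230413-120", "Type": "Suspicious Network Activity", "Status": "Open",
     "Stage": "Triage", "IngestionType": "Webhook", "Title": "Incident Title 120",
     "Severity": "High", "CreatedUtcTime": "2023-09-03T10:00:00Z"},
    {"Number": "20230413-123", "Type": "Suspicious Network Activity", "Status": "Closed",
     "Stage": "Triage", "IngestionType": "Webhook", "Title": "Incident Title 123",
     "Severity": "High", "CreatedUtcTime": "2023-09-05T10:00:00Z"},
    {"Number": "20230413-131", "Type": "Suspicious Network Activity", "Status": "Escalated",
     "Stage": "Containment", "IngestionType": "Command", "Title": "Incident Title 131",
     "Severity": "Critical", "CreatedUtcTime": "2023-09-10T10:00:00Z"},
    {"Number": "20230413-140", "Type": "Phishing", "Status": "Open", "Stage": "Triage",
     "IngestionType": "File", "Title": "Other", "Severity": "Low",
     "CreatedUtcTime": "2023-09-25T10:00:00Z"},
]

# Conditions in the page's syntax: the first object ANDs the operators shown
# above; the second object ORs in a single incident by Number.
SAMPLE_CONDITIONS = [
    {"Type": "Suspicious Network Activity",
     "Status": {"$nin": ["Closed", "In Progress", "On Hold"]},
     "Stage": {"$ne": "Sample Stage"},
     "IngestionType": {"$in": ["Schedule Job", "Webhook", "Command", "Automation Rule"]},
     "Title": {"$regex": "^Incident Title"},
     "Severity": {"$in": ["Critical", "High"]},
     "CreatedUtcTime": {"$gt": {"$date": "2023-09-01T00:00:00Z"},
                        "$lt": {"$date": "2023-09-21T00:00:00Z"}}},
    {"Number": "20230413-140"},
]

if __name__ == "__main__":
    print(escalate(SAMPLE_INCIDENTS, SAMPLE_CONDITIONS, "Suspicious Network Activity", limit=2))
```

Running the module links the two oldest matches (20230413-120 and 20230413-131); 20230413-123 is excluded by the `$nin` on Status and 20230413-140, which matches only through the second OR clause, is newest and falls outside the limit of 2. Note that the real command's Return Data does not report which of these branches it took, which is why the reader note above points to the "All Escalated" section of the investigative dashboard to verify the outcome.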

Output

Return Data

The returned result of this command. If some required parameters are not defined, this returned data could be empty. The returned result can be passed down directly to a subsequent command in playbooks.

SAMPLE DATA

JSON
{
    "Status": "Successful"
}