Skip to main content
Skip table of contents

Create Incident With Conditions

LAST UPDATED: AUG 29, 2024

Escalates a newly ingested event to an incident, initializing both static and custom fields.

READER NOTE

This command is only applicable within an Event Playbook.

Implementation

System

Command Category

System Utility

Tags

N/A

Inputs

Parameter Name

Required/Optional

Description

Sample Data

Incident Type

Required

The incident type.

Playbook - Phishing

Title

Optional

The incident title.

Critical phishing incident

Description

Optional

The incident description.

This is a phishing incident that requires investigation.

Severity

Optional

The incident severity.

Low

Playbook

Required

The incident playbook.

123

Owner

Optional

The incident owner.

admin

External Key

Optional

An external key is a unique key: outside of D3. Keep the field empty if you do not have one.

20220111-1

Custom Fields

Optional

User defined custom fields. The field name must have the prefix "Custom" and use PascalCase format. If the name does not follow this rule, it will be converted.

CODE 
{
    "CustomField1": "data1",
    "CustomField2": "data2",
    "CustomField3": "data3"
}

Search Conditions

Optional

Uses the search condition parameter to find the relevant incidents. The parameter takes a JSON object array. The OR logical operator is used to combine each object in the array. The AND logical operator is applied to each key value pair inside the objects. For example, (field1 = "a" AND field2 = "b") OR (field1 = "c" AND field2 = "d") can be written as [ { "field1": "a", "field2": "b" }, { "field1": "c", "field2": "d" } ]. Use "$in" or "$nin" (Not in) to find incidents with the field value that is equal or not equal to any value in an array: [ { "field": { "$nin": [ "a", "b", "c" ] } } ]. Use "$ne" (not equal) to find incidents that the value of the field is not equal to the specified value: [ { "field": { "$ne": "a" } } ]. Regular expressions can be used to specify the field value: [ { "field": { "$regex": "^value"} } ]. To search using a date field: [ { "field": {"$gt": { "$date": "2023-09-01T00:00:00Z"}, "$lt": { "$date": "2024-09-21T00:00:00Z"}} } ].

CODE 
[
    {
        "Number": "20230413-123",
        "Type": "Suspicious Network Activity",
        "Status": {
            "$nin": [
                "Open",
                "Closed",
                "In Progress",
                "On Hold"
            ]
        },
        "Stage": {
            "$ne": "Sample Stage"
        },
        "IncidentSource": "Sample Incident Source",
        "IngestionType": {
            "$in": [
                "Unknown",
                "Schedule Job",
                "Webhook",
                "File",
                "Command",
                "Automation Rule",
                "Manual Creation",
                "Manual Escalation"
            ]
        },
        "Category": "Incident Category",
        "ExternalKey": "Sample External Key",
        "CustomField1": "Sample Custom Field 1",
        "CustomField2": "Sample Custom Field 2",
        "Title": {
            "$regex": "^Incident Title"
        },
        "Severity": {
            "$in": [
                "Critical",
                "High"
            ]
        },
        "CreatedUtcTime": {
            "$gt": {
                "$date": "2023-09-01T00:00:00Z"
            },
            "$lt": {
                "$date": "2023-09-21T00:00:00Z"
            }
        }
    },
    {
        "Number": "20230413-124",
        "Type": "Suspicious Network Activity A",
        "Status": {
            "$nin": [
                "Open",
                "Closed",
                "In Progress",
                "On Hold"
            ]
        },
        "Stage": {
            "$ne": "Sample Stage"
        },
        "IncidentSource": "Sample Incident Source",
        "IngestionType": {
            "$in": [
                "Unknown",
                "Schedule Job",
                "Webhook",
                "File",
                "Command",
                "Automation Rule",
                "Manual Creation",
                "Manual Escalation"
            ]
        },
        "Category": "Incident Category",
        "ExternalKey": "Sample External Key",
        "CustomField1": "Sample Custom Field 1",
        "CustomField2": "Sample Custom Field 2",
        "Title": {
            "$regex": "^Incident Title"
        },
        "Severity": {
            "$in": [
                "Critical",
                "High"
            ]
        },
        "CreatedUtcTime": {
            "$gt": {
                "$date": "2023-09-01T00:00:00Z"
            },
            "$lt": {
                "$date": "2023-09-21T00:00:00Z"
            }
        }
    }
]

The number of relevant incidents to link

Optional

Determines the maximum number of oldest incidents that the event will link to. Default value is 1.

1

Link to Relevant Incidents

Optional

Decides whether to link incidents when incidents matching the input conditions are found. Default value is True.

True

Create a new Incident

Optional

Decides whether to create a new incident when none of the existing incidents match the provided input conditions. Default value is True.

True

Output

Return Data

The returned result of this command. If some required parameters are not defined, this returned data could be empty. The returned result can be passed down directly to a subsequent command in playbooks.

SAMPLE DATA

JSON 
{
    "Status": "Successful"
}
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close