Link Event to Incident
This command can only be executed within an event playbook's "On Event Ingestion" trigger. It finds the first incident that meets the search condition and escalates the ingested events to that incident. It can also update the incident's fields by invoking the "Set Incident Fields" command with the values given in the "Incident Fields" input parameter.
Reader Note
This command is only applicable within an event playbook.
Implementation | System |
Command Category | System Utility |
Tags | EVENT, EVENT LINKING |
Inputs
Parameter Name | Required/Optional | Description | Sample Data |
---|---|---|---|
Search Conditions | Optional | The search condition used to find the first matching incident. The value for each key can be a plain string, a number, a regular expression ({ "$regex": "..." }), a set of accepted values ({ "$in": ["value1", "value2"] }), or a date ({ "$date": "2023-08-01T00:00:00Z" }, which can be nested under "$gt" / "$lt" to express a range). | JSON |
Incident Fields | Optional | A JSON array of incident fields to be updated. Supported fields: Title, SiteName, IncidentType, Status, SeverityName, Disposition, Tags, DueDate, Description, IncidentCategory, DateEnded, Owner, DateOccurred and custom fields. Date format: yyyy-mm-dd hh:mm:ss | JSON |
Output
Remote Command API
The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.
Request
POST
https://{base_url}/{api_namespace}/api/Command/LinkEventToIncident
Headers
Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.
Request Body
```json
{
  "Username": <Username here>,
  "Site": <Site here>,
  "CommandParams": {
    "Search Conditions": {
      "Number": <Number here>,
      "Type": <Type here>,
      "Status": <Status here>,
      "Stage": <Stage here>,
      "DataSource": <DataSource here>,
      "IncidentSource": <IncidentSource here>,
      "Connection": <Connection here>,
      "IngestionType": <IngestionType here>,
      "Category": <Category here>,
      "ExternalKey": <ExternalKey here>,
      "CustomField1": <CustomField1 here>,
      "CustomField2": <CustomField2 here>,
      "Title": {
        "$regex": <Title regex here>
      },
      "Severity": {
        "$in": [
          <Severity 1 here>,
          <Severity 2 here>
        ]
      },
      "CreatedUtcTime": {
        "$gt": {
          "$date": <CreatedUtcTime start here>
        },
        "$lt": {
          "$date": <CreatedUtcTime end here>
        }
      }
    },
    "Incident Fields": {
      "Title": <Incident Title here>,
      "SiteName": <SiteName here>,
      "IncidentType": <IncidentType here>,
      "Status": <Status here>,
      "SeverityName": <SeverityName here>,
      "Disposition": <Disposition here>,
      "Tags": <Tags here>,
      "Description": <Description here>,
      "DueDate": <DueDate here>,
      "IncidentCategory": <IncidentCategory here>,
      "DateEnded": <DateEnded here>,
      "Owner": <Owner here>,
      "DateOccurred": <DateOccurred here>,
      "CustomInputUrl": <CustomInputUrl here>,
      "CustomAge": <CustomAge here>
    }
  }
}
```
Body Parameters
Parameter Name | Type | Required/Optional | Description |
---|---|---|---|
Username | String | Required | The username of your D3 SOAR account. |
Site | String | Required | The D3 SOAR site on which to run the remote command. |
Search Conditions | JSON | Optional | The search condition used to find the first matching incident. The value for each key can be a plain string, a number, a regular expression ({ "$regex": "..." }), a set of accepted values ({ "$in": ["value1", "value2"] }), or a date ({ "$date": "2023-08-01T00:00:00Z" }, which can be nested under "$gt" / "$lt" to express a range). |
Incident Fields | JSON | Optional | A JSON array of incident fields to be updated. Supported fields: Title, SiteName, IncidentType, Status, SeverityName, Disposition, Tags, DueDate, Description, IncidentCategory, DateEnded, Owner, DateOccurred and custom fields. Date format: yyyy-mm-dd hh:mm:ss |
Sample Request
```json
{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Search Conditions": {
      "Number": "20230413-123",
      "Type": "Suspicious Network Activity",
      "Status": "Open|Closed|In Progress|On Hold",
      "Stage": "Sample Stage",
      "DataSource": "QRadar Offense",
      "IncidentSource": "Sample Incident Source",
      "Connection": "QRadar Connection",
      "IngestionType": "Unknown|Schedule Job|Webhook|File|Command|Automation Rule|Manual Creation|Manual Escalation",
      "Category": "Incident Category",
      "ExternalKey": "Sample External Key",
      "CustomField1": "Sample Custom Field 1",
      "CustomField2": "Sample Custom Field 2",
      "Title": {
        "$regex": "^Incident Title"
      },
      "Severity": {
        "$in": [
          "Critical",
          "High"
        ]
      },
      "CreatedUtcTime": {
        "$gt": {
          "$date": "2023-09-01T00:00:00Z"
        },
        "$lt": {
          "$date": "2023-09-21T00:00:00Z"
        }
      }
    },
    "Incident Fields": {
      "Title": "Incident title",
      "SiteName": "APSOC",
      "IncidentType": "Phishing",
      "Status": "Closed",
      "SeverityName": "medium",
      "Disposition": "No Action",
      "Tags": "MyTag, MyTag2",
      "Description": "This is for updating incident",
      "DueDate": "2021-08-01 12:00:00",
      "IncidentCategory": "Access",
      "DateEnded": "2021-08-02 12:00:00",
      "Owner": "firstname lastname",
      "DateOccurred": "2021-08-02 12:00:00",
      "CustomInputUrl": "url",
      "CustomAge": "30"
    }
  }
}
```
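As an added example (not D3's own code or SDK), the following Python builds the request body described above, rejects values the command does not document (unknown query operators, a `$in` without a list, a `$gt`/`$lt` bound that is not a `{"$date": ...}` object, an incident date not in `yyyy-mm-dd hh:mm:ss`), and then posts it to the command endpoint. The API key header name `d3key-token` and the `base_url` / `api_namespace` values are assumptions; take the real ones from the Webhook Configuration Guide.

```python
import json
import re
import urllib.request
from datetime import datetime
OPERATORS = {"$regex", "$in", "$gt", "$lt", "$date"}  # operators shown in the page's template
INCIDENT_DATE_FIELDS = ("DueDate", "DateEnded", "DateOccurred")
API_KEY_HEADER = "d3key-token"  # assumed; use the header name from the Webhook Configuration Guide

def _check_operator_object(key, obj):
    if not isinstance(obj, dict):
        raise ValueError(f"{key}: expected an operator object, got {type(obj).__name__}")
    for op, arg in obj.items():
        if op not in OPERATORS:
            raise ValueError(f"{key}: unsupported operator {op}")
        if op == "$regex":
            re.compile(arg)  # surface a broken pattern before the request is sent
        elif op == "$in" and not isinstance(arg, list):
            raise ValueError(f"{key}: $in requires a list of values")
        elif op in ("$gt", "$lt"):
            _check_operator_object(key, arg)  # range bounds wrap a {"$date": ...}
        elif op == "$date":
            datetime.strptime(arg, "%Y-%m-%dT%H:%M:%SZ")  # ValueError if malformed

def validate_search_conditions(conditions):
    for key, value in conditions.items():  # plain string/number, or an operator object
        if not isinstance(value, (str, int, float)):
            _check_operator_object(key, value)

def validate_incident_fields(fields):
    for name in INCIDENT_DATE_FIELDS:  # documented format: yyyy-mm-dd hh:mm:ss
        if name in fields:
            datetime.strptime(fields[name], "%Y-%m-%d %H:%M:%S")

def build_request_body(username, site, search_conditions, incident_fields):
    validate_search_conditions(search_conditions)
    validate_incident_fields(incident_fields)
    return {"Username": username, "Site": site,
            "CommandParams": {"Search Conditions": search_conditions,
                              "Incident Fields": incident_fields}}

def link_event_to_incident(base_url, api_namespace, api_key, body, timeout=30):
    url = f"https://{base_url}/{api_namespace}/api/Command/LinkEventToIncident"
    req = urllib.request.Request(url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", API_KEY_HEADER: api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        result = json.load(resp)
    if result.get("error"):  # the API reports failures in the "error" field
        raise RuntimeError(result["error"])
    return result["returnData"]
```

Call `build_request_body(...)` first so a malformed condition fails locally instead of producing an empty match on the server, then pass the result to `link_event_to_incident(...)`.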
Response
Response Fields
Field Name | Type | Description |
---|---|---|
error | String | The error message if the API request failed; empty on success. |
returnData | JSON | The data returned by the API request. |
Sample Response
```json
{
  "error": "",
  "returnData": {
    "Status": "Successful",
    "Data": {
      "IncidentNumber": "20230413-123",
      "UpdateFields": {
        "Title": "Incident title",
        "SiteName": "APSOC",
        "IncidentType": "Phishing",
        "Status": "Closed",
        "SeverityName": "medium",
        "Disposition": "No Action",
        "Tags": "MyTag, MyTag2",
        "Description": "This is for updating incident",
        "DueDate": "2021-08-01 12:00:00",
        "IncidentCategory": "Access",
        "DateEnded": "2021-08-02 12:00:00",
        "Owner": "firstname lastname",
        "DateOccurred": "2021-08-02 12:00:00",
        "CustomInputUrl": "url",
        "CustomAge": "30"
      }
    }
  }
}
```