Skip to main content
Skip table of contents

Link Event to Incident

LAST UPDATED: AUG 19, 2024

This command finds the first incident that meets the search condition, then escalates the ingested events to the incident. Additionally, it can update the incident fields by invoking the "Set Incident Fields" command using the input parameter "Incident Fields".

READER NOTE

Please note that this command can only be executed within an event playbook's "On Event Ingestion" trigger.

Implementation

System

Command Category

System Utility

Tags

EVENT EVENT LINKING

Inputs

Parameter Name

Required/Optional

Description

Sample Data

Search Conditions

Optional

The search condition is to find the first incident that occurred. The value query corresponding to the key supports regular expressions, string, number, { "$in": ["value1", "value2"] }, and, date:"$date": "2023-08-01T00:00:00Z" format.

{
"Number": "20230413-123",
"Type": "Suspicious Network Activity",
"Status": "Open|Closed|In Progress|On Hold",
"Severity": {
"$in": [
"Critical",
"High"
]
},
"Title": {
"$regex": "^Incident Title"
},
"Stage": "Sample Stage",
"DataSource": "QRadar Offense",
"IncidentSource": "Sample Incident Source",
"Connection": "QRadar Connection",
"IngestionType": "Unknown|Schedule Job|Webhook|File|Command|Automation Rule|Manual Creation|Manual Escalation",
"Category": "Incident Category",
"ExternalKey": "Sample External Key",
"CustomField1": "Sample Custom Field 1",
"CustomField2": "Sample Custom Field 2",
"CreatedUtcTime": {
"$gt": {
"$date": "2023-09-01T00:00:00Z"
},
"$lt": {
"$date": "2023-09-21T00:00:00Z"
}
}
}

Incident Fields

Optional

A JSON array of incidents with fields to be updated. Fields could be Title, SiteName, IncidentType, Status, SeverityName, Disposition, Tags, DueDate, Description, IncidentCategory, DateEnded, Owner, DateOccurred and CustomFields. Date format: yyyy-mm-dd hh:mm:ss

{
"Title": "Incident title",
"SiteName": "APSOC",
"IncidentType": "Phishing",
"Status": "Closed",
"SeverityName": "medium",
"Disposition": "No Action",
"Tags": "MyTag, MyTag2",
"Description": "This is for updating incident",
"DueDate": "2021-08-01 12:00:00",
"IncidentCategory": "Access",
"DateEnded": "2021-08-02 12:00:00",
"Owner": "firstname lastname",
"DateOccurred": "2021-08-02 12:00:00",
"CustomInputUrl": "url",
"CustomAge": "30"
}

Output

Return Data

The returned result of this command. If some required parameters are not defined, this returned data could be empty. The returned result can be passed down directly to a subsequent command in playbooks.

SAMPLE DATA

JSON 
{
    "Status": "Successful",
    "Data": {
        "IncidentNumber": "20230413-123",
        "UpdateFields": {
            "Title": "Incident title",
            "SiteName": "APSOC",
            "IncidentType": "Phishing",
            "Status": "Closed",
            "SeverityName": "medium",
            "Disposition": "No Action",
            "Tags": "MyTag, MyTag2",
            "Description": "This is for updating incident",
            "DueDate": "2021-08-01 12:00:00",
            "IncidentCategory": "Access",
            "DateEnded": "2021-08-02 12:00:00",
            "Owner": "firstname lastname",
            "DateOccurred": "2021-08-02 12:00:00",
            "CustomInputUrl": "url",
            "CustomAge": "30"
        }
    }
}
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close