
Link Incidents With Related Artifacts

LAST UPDATED: AUG 27, 2024

Links incidents that have related artifacts in 3 steps. First, search for relevant artifacts by their type and/or name. With the relevant artifacts identified, specify if incidents should be linked only if they have the exact set of artifacts or if they share any of the artifacts. Lastly, refine the selection by filtering the relevant incidents based on site, status, time range, and by limiting the number of incidents linked.

READER NOTE

This command is only applicable within an Incident Playbook.

Implementation

System

Command Category

System Utility

Tags

INCIDENT, INCIDENT LINKING

Inputs

Parameter Name

Required/Optional

Description

Sample Data

Artifact Types

Optional

Specifies the types of artifacts you want to search for.

CODE
[
  "URL"
]

Artifact Names

Optional

Specifies the names of the artifacts you want to search for.

CODE
[
  "www.example.com"
]

Incident Link Criteria

Optional

Defines how incidents are linked when matching artifacts are found.
Any Artifact Match: Link incidents if they share any of the artifacts.
Exact Artifact Match: Link incidents only if they share the exact set of artifacts.

Exact Artifact Match

Incident Sites

Optional

Specifies the array of sites you want the system to search for related incidents. If the incident belongs to an internal site, only internal sites within the array would be searched. If the incident belongs to a client site, only the respective client site within the array would be searched. If there are no sites specified, the system will search according to the site of the incident.

CODE
[
  "Security Operations"
]

Incident Status

Optional

Selects the status of the incidents you want to search for.

Closed

Incident Time Range

Optional

Defines the time range for the incident you want to search for. The time range refers to the "Date Created" field of an incident.

CODE
{
  "timeRangeType": "custom range",
  "startTime": "2020-06-04 23:02:11",
  "endTime": "2020-07-04 23:02:11"
}

Limit

Optional

Sets the maximum number of linked incidents. If no limit is set or the limit is greater than 50, only 50 incidents that meet the above conditions will be linked.

50

Order

Optional

Determines whether the system selects incidents to link in ascending (lowest to highest) or descending (highest to lowest) order of their IDs, up to the number set by the limit. By default, the order is descending.

Descending

Output

Return Data

The returned result of this command. If some required parameters are not defined, this returned data could be empty. The returned result can be passed down directly to a subsequent command in playbooks.

SAMPLE DATA

JSON
[
    "20230612-8"
]

Context Data

The response data from the utility command.

SAMPLE DATA

JSON
[
    {
        "Artifact Name": "www.example.com",
        "Artifact Type": "URL",
        "Incident Case Number": "20230612-8"
    }
]
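
The following Python sketch is an added illustration of how the inputs above combine; it is not the product's own code. The incident fields, the function name `select_incidents` and the sample incidents are hypothetical, site filtering is left out, and it assumes "Exact Artifact Match" means the incident carries every searched artifact.

```python
from datetime import datetime

MAX_LINKED = 50  # per the page: no limit, or a limit above 50, links 50
FMT = "%Y-%m-%d %H:%M:%S"

def select_incidents(incidents, artifacts, criteria="Any Artifact Match",
                     status=None, time_range=None, limit=None,
                     order="Descending"):
    """Return the case numbers the documented inputs would select.

    Hypothetical incident shape: id, case, status, created, artifacts
    (a set of (type, name) tuples). `artifacts` is the searched set.
    """
    wanted = set(artifacts)
    picked = []
    for inc in incidents:
        have = set(inc["artifacts"])
        if criteria == "Exact Artifact Match":
            # Assumption: the incident must carry every searched artifact.
            if not wanted <= have:
                continue
        elif not (wanted & have):  # Any Artifact Match
            continue
        if status is not None and inc["status"] != status:
            continue
        if time_range is not None:
            # The range is compared against the incident's "Date Created".
            created = datetime.strptime(inc["created"], FMT)
            start = datetime.strptime(time_range["startTime"], FMT)
            end = datetime.strptime(time_range["endTime"], FMT)
            if not start <= created <= end:
                continue
        picked.append(inc)
    # Sort by ID first, then truncate: order decides which end the limit keeps.
    picked.sort(key=lambda i: i["id"], reverse=(order == "Descending"))
    cap = MAX_LINKED if limit is None or limit > MAX_LINKED else limit
    return [i["case"] for i in picked[:cap]]

# Constructed sample incidents (not taken from the page).
URL, IP = ("URL", "www.example.com"), ("IP", "192.0.2.10")
SAMPLE = [
    {"id": 1, "case": "20200605-1", "status": "Closed", "created": "2020-06-05 10:00:00", "artifacts": {URL, IP}},
    {"id": 2, "case": "20200610-2", "status": "Closed", "created": "2020-06-10 09:00:00", "artifacts": {URL}},
    {"id": 3, "case": "20200620-3", "status": "Open", "created": "2020-06-20 09:00:00", "artifacts": {URL, IP}},
    {"id": 4, "case": "20200801-4", "status": "Closed", "created": "2020-08-01 09:00:00", "artifacts": {URL, IP}},
    {"id": 5, "case": "20200701-5", "status": "Closed", "created": "2020-07-01 12:00:00", "artifacts": {IP}},
]
RANGE = {"timeRangeType": "custom range", "startTime": "2020-06-04 23:02:11", "endTime": "2020-07-04 23:02:11"}
```

Because the limit is applied after ordering, a small limit with the default descending order keeps only the highest-ID matches, so older related incidents drop out first.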