Link to Related Event Incident

This command can only be executed within an event playbook's "On Event Ingestion" trigger. It uses the search condition to find events from MongoDB and retrieves related incidents from the $LinkedIncidents field, then escalates ingested events to the related incidents.

Reader Note

Please note that this command is only applicable within an event Playbook.

Implementation	System
Command Category	System Utility
Tags	EVENT EVENT LINKING

Inputs

Parameter Name	Required/Optional	Description	Sample Data
Search Conditions	Optional	To find the related event using the search conditions in the JSON object, use the internal field name as the key name. The value query corresponding to the key supports regular expressions, string, number, { "$in": ["value1", "value2"] }, and, date:"$date": "2023-08-01T00:00:00Z" format.	JSON `{ "EventType": "test20230225", "Severity": "High", "IngestedUtcTime": { "$gt": { "$date": "2023-08-25T00:00:00Z" }, "$lt": { "$date": "2023-09-01T00:00:00Z" } }, "SystemStatus": { "$in": [ "Escalated", "Open" ] }, "SystemSeverityId": 4, "DataSource": { "$regex": "^Test" } }`

Output

Return Data

The returned result of this command. If some required parameters are not defined, this returned data could be empty. The returned result can be passed down directly to a subsequent command in playbooks.

SAMPLE DATA

JSON

{
    "EscalateToIncidents": [
        "20230414-72"
    ]
}

Remote Command API

The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.

Request

POST

CODE

https:/{base_url}/{api_namespace}/api/Command/LinkRelatedEventIncident

Headers

Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.

Request Body

JSON

{
  "Username": <Username here>,
  "Site": <Site here>,
  "CommandParams": {
    "Search Conditions": {
      "EventType": <EventType here>,
      "Severity": <Severity here>,
      "IngestedUtcTime": {
        "$gt": {
          "$date": <IngestedUtcTime start here>
        },
        "$lt": {
          "$date": <IngestedUtcTime end here>
        }
      },
      "SystemStatus": {
        "$in": [
          <SystemStatus 1 here>,
          <SystemStatus 2 here>
        ]
      },
      "SystemSeverityId": <SystemSeverityId here>,
      "DataSource": {
        "$regex": <DataSource regex here>
      }
    }
  }
}

Body Parameters

Parameter Name	Type	Required/Optional	Description
Username	`String`	Required	The username of your D3 SOAR account.
Site	`String`	Required	The D3 SOAR site to run the remote command.
Search Conditions	`JSON Object`	Optional	To find the related event using the search conditions in the JSON object, use the internal field name as the key name. The value query corresponding to the key supports regular expressions, string, number, { "$in": ["value1", "value2"] }, and, date:"$date": "2023-08-01T00:00:00Z" format.

Sample Request

SAMPLE DATA

JSON

{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Search Conditions": {
      "EventType": "test20230225",
      "Severity": "High",
      "IngestedUtcTime": {
        "$gt": {
          "$date": "2023-08-25T00:00:00Z"
        },
        "$lt": {
          "$date": "2023-09-01T00:00:00Z"
        }
      },
      "SystemStatus": {
        "$in": [
          "Escalated",
          "Open"
        ]
      },
      "SystemSeverityId": 4,
      "DataSource": {
        "$regex": "^Test"
      }
    }
  }
}

Response

Response Fields

Field Name	Type	Description
error	`Text`	The error message if the API request has failed.
returnData	`JSON Object`	The return data from the API request.

Sample Response

JSON

{
    "error": "",
    "returnData": {
        "EscalateToIncidents": [
            "20230414-72"
        ]
    }
}