Link to Related Event Incident
This command can only be executed within an event playbook's "On Event Ingestion" trigger. It uses the search conditions to query matching events in MongoDB, reads the related incidents from those events' $LinkedIncidents field, and then escalates the ingested event to those incidents.
Reader Note
Please note that this command is only applicable within an event Playbook.
Implementation | System |
---|---|
Command Category | System Utility |
Tags | EVENT, EVENT LINKING |
Inputs
Parameter Name | Required/Optional | Description | Sample Data |
---|---|---|---|
Search Conditions | Optional | A JSON object of search conditions used to find the related events. Each key is the internal field name of an event field. The value for a key may be a string, a number, a regular expression, a set match of the form { "$in": ["value1", "value2"] }, or a date of the form { "$date": "2023-08-01T00:00:00Z" }. | JSON |
Output
Remote Command API
The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.
Request
POST
https://{base_url}/{api_namespace}/api/Command/LinkRelatedEventIncident
Headers
Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.
Request Body
```json
{
  "Username": <Username here>,
  "Site": <Site here>,
  "CommandParams": {
    "Search Conditions": {
      "EventType": <EventType here>,
      "Severity": <Severity here>,
      "IngestedUtcTime": {
        "$gt": {
          "$date": <IngestedUtcTime start here>
        },
        "$lt": {
          "$date": <IngestedUtcTime end here>
        }
      },
      "SystemStatus": {
        "$in": [
          <SystemStatus 1 here>,
          <SystemStatus 2 here>
        ]
      },
      "SystemSeverityId": <SystemSeverityId here>,
      "DataSource": {
        "$regex": <DataSource regex here>
      }
    }
  }
}
```
Body Parameters
Parameter Name | Type | Required/Optional | Description |
---|---|---|---|
Username | | Required | The username of your D3 SOAR account. |
Site | | Required | The D3 SOAR site on which to run the remote command. |
Search Conditions | | Optional | A JSON object of search conditions used to find the related events. Each key is the internal field name of an event field. The value for a key may be a string, a number, a regular expression, a set match of the form { "$in": ["value1", "value2"] }, or a date of the form { "$date": "2023-08-01T00:00:00Z" }. |
Sample Request
```json
{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Search Conditions": {
      "EventType": "test20230225",
      "Severity": "High",
      "IngestedUtcTime": {
        "$gt": {
          "$date": "2023-08-25T00:00:00Z"
        },
        "$lt": {
          "$date": "2023-09-01T00:00:00Z"
        }
      },
      "SystemStatus": {
        "$in": [
          "Escalated",
          "Open"
        ]
      },
      "SystemSeverityId": 4,
      "DataSource": {
        "$regex": "^Test"
      }
    }
  }
}
```
Response
Response Fields
Field Name | Type | Description |
---|---|---|
error | | The error message if the API request has failed. |
returnData | | The return data from the API request. |
Sample Response
```json
{
  "error": "",
  "returnData": {
    "EscalateToIncidents": [
      "20230414-72"
    ]
  }
}
```
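The following is an added example, not D3's own code, showing how a caller can assemble the Search Conditions object and request body described above and then interpret the response. The function names are my own; the field names, operators and date format are the ones documented on this page. It rejects date bounds with no UTC offset, since IngestedUtcTime is compared in UTC and a naive local time would silently shift the search window.

```python
from datetime import datetime, timezone


def _mongo_date(value) -> dict:
    """Wrap a datetime or ISO-8601 string as {"$date": "...Z"}.

    Values without a UTC offset are rejected: the field is compared in UTC,
    so an implicit local time would silently move the search window.
    """
    if isinstance(value, str):
        value = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if value.tzinfo is None:
        raise ValueError("IngestedUtcTime bounds must carry a UTC offset")
    return {"$date": value.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")}


def build_search_conditions(event_type=None, severity=None, ingested_after=None,
                            ingested_before=None, statuses=None, severity_id=None,
                            data_source_regex=None) -> dict:
    """Assemble the Mongo-style Search Conditions object; keys are the internal
    event field names shown on this page and only supplied filters are emitted."""
    cond = {}
    if event_type is not None:
        cond["EventType"] = event_type
    if severity is not None:
        cond["Severity"] = severity
    if ingested_after or ingested_before:
        window = {}
        if ingested_after:
            window["$gt"] = _mongo_date(ingested_after)
        if ingested_before:
            window["$lt"] = _mongo_date(ingested_before)
        cond["IngestedUtcTime"] = window
    if statuses:
        cond["SystemStatus"] = {"$in": list(statuses)}  # set match, as documented
    if severity_id is not None:
        cond["SystemSeverityId"] = severity_id
    if data_source_regex is not None:
        cond["DataSource"] = {"$regex": data_source_regex}
    return cond


def build_request_body(username: str, site: str, conditions: dict) -> dict:
    """Full POST body for /api/Command/LinkRelatedEventIncident (json.dumps before sending)."""
    return {"Username": username, "Site": site,
            "CommandParams": {"Search Conditions": conditions}}


def parse_response(resp: dict) -> list:
    """Return the incident IDs the event was escalated to; raise when 'error' is set
    so a failed call is never mistaken for 'no matching incidents'."""
    if resp.get("error"):
        raise RuntimeError(f"LinkRelatedEventIncident failed: {resp['error']}")
    return (resp.get("returnData") or {}).get("EscalateToIncidents", [])
```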