Skip to main content
Skip table of contents

Trigger Incident External Action

LAST UPDATED: AUG 02, 2024

Trigger 'On Incident External Action' in the playbooks for the first incident that meets the search condition.

Implementation

System

Command Category

System Utility

Tags

INCIDENT RUNPLAYBOOK

Inputs

Parameter Name

Required/Optional

Description

Sample Data

Search Conditions

Required

The search condition is to find the first incident that occurred. The value query corresponding to the key supports regular expressions, string, number, { "$in": ["value1", "value2"] }, and, date:"$date": "2023-08-01T00:00:00Z" format.

CODE 
{
    "Number": "20230413-123",
    "Type": "Suspicious Network Activity",
    "Status": "Open|Closed|In Progress|On Hold",
    "Severity": {
        "$in": [
            "Critical",
            "High"
        ]
    },
    "Title": {
        "$regex": "^Incident Title"
    },
    "Stage": "Sample Stage",
    "DataSource": "QRadar Offense",
    "IncidentSource": "Sample Incident Source",
    "Connection": "QRadar Connection",
    "IngestionType": "Unknown|Schedule Job|Webhook|File|Command|Automation Rule|Manual Creation|Manual Escalation",
    "Category": "Incident Category",
    "ExternalKey": "Sample External Key",
    "CustomField1": "Sample Custom Field 1",
    "CustomField2": "Sample Custom Field 2",
    "CreatedUtcTime": {
        "$gt": {
            "$date": "2023-09-01T00:00:00Z"
        },
        "$lt": {
            "$date": "2023-09-21T00:00:00Z"
        }
    }
}

Trigger Data

Optional

'Trigger Data' is the data when 'On Incident External Action' is triggered in the incident playbooks.

CODE 
{
    "CustomKey1": "Custom value1",
    "CustomKey2": "Custom value2"
}

Output

Return Data

The returned result of this command. If some required parameters are not defined, this returned data could be empty. The returned result can be passed down directly to a subsequent command in playbooks.

SAMPLE DATA

JSON 
{
    "Status": "Successful",
    "Data": {
        "IncidentId": 123,
        "IncidentNo": "20230413-123",
        "TriggeredPlaybooks": [
            {
                "RuntimeId": 287,
                "PlaybookName": "Trigger External Action Playbook"
            }
        ]
    }
}

Remote Command API

The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.

Request

POST

CODE 
https:/{base_url}/{api_namespace}/api/Command/TriggerIncidentExternalAction

Headers

Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.

Request Body

JSON 
{
  "Username": "<Username here>",
  "Site": "<Site here>",
  "CommandParams": {
    "Search Conditions": "<Search Conditions here>",
    "Trigger Data": "<Trigger Data here>"
  }
}

Body Parameters

Parameter Name

Type

Required/Optional

Description

Username

string

Required

The username of your D3 SOAR account.

Site

string

Required

The D3 SOAR site to run the remote command.

Search Conditions

JSON Object

Required

The search condition is to find the first incident that occurred. The value query corresponding to the key supports regular expressions, string, number, { "$in": ["value1", "value2"] }, and, date:"$date": "2023-08-01T00:00:00Z" format.

Trigger Data

JSON Object

Optional

'Trigger Data' is the data when 'On Incident External Action' is triggered in the incident playbooks.

Sample Request

SAMPLE DATA

JSON 
{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Search Conditions": {
      "Number": "20230413-123",
      "Type": "Suspicious Network Activity",
      "Status": "Open|Closed|In Progress|On Hold",
      "Stage": "Sample Stage",
      "DataSource": "QRadar Offense",
      "IncidentSource": "Sample Incident Source",
      "Connection": "QRadar Connection",
      "IngestionType": "Unknown|Schedule Job|Webhook|File|Command|Automation Rule|Manual Creation|Manual Escalation",
      "Category": "Incident Category",
      "ExternalKey": "Sample External Key",
      "CustomField1": "Sample Custom Field 1",
      "CustomField2": "Sample Custom Field 2",
      "Title": {
        "$regex": "^Incident Title"
      },
      "Severity": {
        "$in": [
          "Critical",
          "High"
        ]
      },
      "CreatedUtcTime": {
        "$gt": {
          "$date": "2023-09-01T00:00:00Z"
        },
        "$lt": {
          "$date": "2023-09-21T00:00:00Z"
        }
      }
    },
    "Trigger Data": {
      "CustomKey1": "Custom value1",
      "CustomKey2": "Custom value2"
    }
  }
}

Response

Response Fields

Field Name

Type

Description

error

string

The error message if the API request has failed.

returnData

JSON Object

The return data from the API request.

Sample Response

JSON 
{
    "error": "",
    "returnData": {
        "Status": "Successful",
        "Data": {
            "IncidentId": 123,
            "IncidentNo": "20230413-123",
            "TriggeredPlaybooks": [
                {
                    "RuntimeId": 287,
                    "PlaybookName": "Trigger External Action Playbook"
                }
            ]
        }
    }
}
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close