Skip to main content
Skip table of contents

Update Identical Event

LAST UPDATED: APRIL 15, 2025

This command identifies the first original event from the same data source and site that matches the search condition in MongoDB. Then, it retrieves the event data from the playbook runtime and uses this data to update the fields of the originally found event. Incidents directly related to the original event will also be updated by invoking the "Set Incident Fields" command using the input parameter "Incident Fields".

READER NOTE

Please note that this command can only be executed within an event playbook's "On Event Ingestion" trigger.

Implementation

System

Command Category

System Utility

Tags

EVENT EVENT MANAGEMENT

Inputs

Parameter Name

Required/Optional

Description

Sample Data

Search Conditions

Required

Specify the search condition in a JSON object for the event you wish to update. If an original event matches this search condition (with system field name as key name), new field values will be updated in the original event. If the field did not exist, then it will be created. The value query corresponding to the key supports regular expressions, string, number, { "$in": ["value1", "value2"] }, and, date:"$date": "2023-08-01T00:00:00Z" format.

CODE 
{
    "__EventSource": "1.2.2.999999",
    "Severity": "High",
    "IngestedUtcTime": {
        "$gt": {
            "$date": "2023-08-25T00:00:00Z"
        },
        "$lt": {
            "$date": "2023-09-01T00:00:00Z"
        }
    },
    "SystemStatus": {
        "$in": [
            "Escalated",
            "Open"
        ]
    },
    "SystemSeverityId": 4,
    "DataSource": {
        "$regex": "^Test"
    }
}

Incident Fields

Required

A JSON object of an incident with fields to be updated. Fields could be Title, SiteName, IncidentType, Status, SeverityName, Disposition, Tags, DueDate, Description, IncidentCategory, DateEnded, Owner, DateOccurred and CustomFields. Date format: yyyy-mm-dd hh:mm:ss

CODE 
{
    "Title": "Incident title",
    "SiteName": "APSOC",
    "IncidentType": "Phishing",
    "Status": "Closed",
    "SeverityName": "medium",
    "Disposition": "No Action",
    "Tags": "MyTag, MyTag2",
    "Description": "This is for updating incident",
    "DueDate": "2021-08-01 12:00:00",
    "IncidentCategory": "Access",
    "DateEnded": "2021-08-02 12:00:00",
    "Owner": "firstname lastname",
    "DateOccurred": "2021-08-02 12:00:00",
    "CustomInputUrl": "url",
    "CustomAge": "30"
}

Skip Event Creation

Optional

Whether to skip creating duplicate events.

By default, the value is No – a new event is created even if an identical one exists.

Yes

Output

Return Data

The returned result of this command. If some required parameters are not defined, this returned data could be empty. The returned result can be passed down directly to a subsequent command in playbooks.

SAMPLE DATA

JSON 
{
    "Status": "Successful",
    "Data": {
        "EventId": 64703,
        "EventGuid": "E81F16C7-923A-4A1D-8D7E-BA22ABFBC164",
        "EventChanges": {
            "ModifiedUtcTime": "2023-04-07T06:02:10.757",
            "EventId": 64703,
            "Data": [
                {
                    "Field": "Severity",
                    "OldValue": "High",
                    "NewValue": "Medium",
                    "Type": "Update"
                },
                {
                    "Field": "Filename",
                    "OldValue": "Oldfile",
                    "NewValue": "Newfile",
                    "Type": "Update"
                }
            ]
        },
        "Incidents": [
            "20230406-52"
        ],
        "IncidentChanges": [
            {
                "IncidentNumber": "20230406-52",
                "UpdateFields": {
                    "Title": "Incident title",
                    "SiteName": "APSOC",
                    "IncidentType": "Phishing",
                    "Status": "Closed",
                    "SeverityName": "medium",
                    "Disposition": "No Action",
                    "Tags": "MyTag, MyTag2",
                    "Description": "This is for updating incident",
                    "DueDate": "2021-08-01 12:00:00",
                    "IncidentCategory": "Access",
                    "DateEnded": "2021-08-02 12:00:00",
                    "Owner": "firstname lastname",
                    "DateOccurred": "2021-08-02 12:00:00",
                    "CustomInputUrl": "url",
                    "CustomAge": "30"
                }
            }
        ]
    }
}
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close