Update Identical Event
This command can only be executed within an event playbook's "On Event Ingestion" trigger. It identifies the first original event from the same data source and site that matches the search condition in MongoDB. Then, it retrieves the event data from the playbook runtime and uses this data to update the fields of the originally found event. Incidents directly related to the original event will also be updated by invoking the "Set Incident Fields" command using the input parameter "Incident Fields".
Reader Note
Please note that this command is only applicable within an event Playbook.
Property | Value |
---|---|
Implementation | System |
Command Category | System Utility |
Tags | EVENT, EVENT MANAGEMENT |
Inputs
Parameter Name | Required/Optional | Description | Sample Data |
---|---|---|---|
Search Conditions | Optional | The search condition, as a JSON object, for the event you wish to update; keys are system field names. If an original event matches this search condition, the new field values are written to that original event, and a field that does not yet exist is created. The value for a key may be a regular expression, a string, a number, a list of the form { "$in": ["value1", "value2"] }, or a date of the form { "$date": "2023-08-01T00:00:00Z" }. | JSON |
Incident Fields | Optional | A JSON object of incident fields to be updated. Supported fields are Title, SiteName, IncidentType, Status, SeverityName, Disposition, Tags, DueDate, Description, IncidentCategory, DateEnded, Owner, DateOccurred and CustomFields. Date format: yyyy-mm-dd hh:mm:ss | JSON |
Output
Remote Command API
The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.
Request
POST
https://{base_url}/{api_namespace}/api/Command/UpdateIdenticalEvent
Headers
Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.
Request Body
```json
{
  "Username": <Username here>,
  "Site": <Site here>,
  "CommandParams": {
    "Search Conditions": {
      "__EventSource": <EventSource here>,
      "Severity": <Severity here>,
      "IngestedUtcTime": {
        "$gt": {
          "$date": <IngestedUtcTime start here>
        },
        "$lt": {
          "$date": <IngestedUtcTime end here>
        }
      },
      "SystemStatus": {
        "$in": [
          <SystemStatus 1 here>,
          <SystemStatus 2 here>
        ]
      },
      "SystemSeverityId": <SystemSeverityId here>,
      "DataSource": {
        "$regex": <DataSource regex here>
      }
    },
    "Incident Fields": {
      "Title": <Title here>,
      "SiteName": <SiteName here>,
      "IncidentType": <IncidentType here>,
      "Status": <Status here>,
      "SeverityName": <SeverityName here>,
      "Disposition": <Disposition here>,
      "Tags": <Tags here>,
      "Description": <Description here>,
      "DueDate": <DueDate here>,
      "IncidentCategory": <IncidentCategory here>,
      "DateEnded": <DateEnded here>,
      "Owner": <Owner here>,
      "DateOccurred": <DateOccurred here>,
      "CustomInputUrl": <CustomInputUrl here>,
      "CustomAge": <CustomAge here>
    }
  }
}
```
Body Parameters
Parameter Name | Type | Required/Optional | Description |
---|---|---|---|
Username | String | Required | The username of your D3 SOAR account. |
Site | String | Required | The D3 SOAR site on which to run the remote command. |
Search Conditions | JSON Object | Optional | The search condition, as a JSON object, for the event you wish to update; keys are system field names. If an original event matches this search condition, the new field values are written to that original event, and a field that does not yet exist is created. The value for a key may be a regular expression, a string, a number, a list of the form { "$in": ["value1", "value2"] }, or a date of the form { "$date": "2023-08-01T00:00:00Z" }. |
Incident Fields | JSON Object | Optional | A JSON object of incident fields to be updated. Supported fields are Title, SiteName, IncidentType, Status, SeverityName, Disposition, Tags, DueDate, Description, IncidentCategory, DateEnded, Owner, DateOccurred and CustomFields. Date format: yyyy-mm-dd hh:mm:ss |
Sample Request
```json
{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Search Conditions": {
      "__EventSource": "1.2.2.999999",
      "Severity": "High",
      "IngestedUtcTime": {
        "$gt": {
          "$date": "2023-08-25T00:00:00Z"
        },
        "$lt": {
          "$date": "2023-09-01T00:00:00Z"
        }
      },
      "SystemStatus": {
        "$in": [
          "Escalated",
          "Open"
        ]
      },
      "SystemSeverityId": 4,
      "DataSource": {
        "$regex": "^Test"
      }
    },
    "Incident Fields": {
      "Title": "Incident title",
      "SiteName": "APSOC",
      "IncidentType": "Phishing",
      "Status": "Closed",
      "SeverityName": "medium",
      "Disposition": "No Action",
      "Tags": "MyTag, MyTag2",
      "Description": "This is for updating incident",
      "DueDate": "2021-08-01 12:00:00",
      "IncidentCategory": "Access",
      "DateEnded": "2021-08-02 12:00:00",
      "Owner": "firstname lastname",
      "DateOccurred": "2021-08-02 12:00:00",
      "CustomInputUrl": "url",
      "CustomAge": "30"
    }
  }
}
```
Response
Response Fields
Field Name | Type | Description |
---|---|---|
error | String | The error message if the API request has failed. |
returnData | JSON Object | The return data from the API request. |
Sample Response
```json
{
  "error": "",
  "returnData": {
    "Status": "Successful",
    "Data": {
      "EventId": 64703,
      "EventGuid": "E81F16C7-923A-4A1D-8D7E-BA22ABFBC164",
      "EventChanges": {
        "ModifiedUtcTime": "2023-04-07T06:02:10.757",
        "EventId": 64703,
        "Data": [
          {
            "Field": "Severity",
            "OldValue": "High",
            "NewValue": "Medium",
            "Type": "Update"
          },
          {
            "Field": "Filename",
            "OldValue": "Oldfile",
            "NewValue": "Newfile",
            "Type": "Update"
          }
        ]
      },
      "Incidents": [
        "20230406-52"
      ],
      "IncidentChanges": [
        {
          "IncidentNumber": "20230406-52",
          "UpdateFields": {
            "Title": "Incident title",
            "SiteName": "APSOC",
            "IncidentType": "Phishing",
            "Status": "Closed",
            "SeverityName": "medium",
            "Disposition": "No Action",
            "Tags": "MyTag, MyTag2",
            "Description": "This is for updating incident",
            "DueDate": "2021-08-01 12:00:00",
            "IncidentCategory": "Access",
            "DateEnded": "2021-08-02 12:00:00",
            "Owner": "firstname lastname",
            "DateOccurred": "2021-08-02 12:00:00",
            "CustomInputUrl": "url",
            "CustomAge": "30"
          }
        }
      ]
    }
  }
}
```
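As an added example (not D3 SOAR's own client code), the Python below builds a request body with the two date formats this page documents ({ "$date": ... } for Search Conditions, yyyy-mm-dd hh:mm:ss for Incident Fields), posts it to the endpoint above, and reduces the documented response to the event diff and touched incidents. The authentication header is left to the caller because its name comes from the separate Webhook Configuration Guide, and post_command, example_request and summarise are hypothetical helper names.

```python
import json
import re
from datetime import datetime, timezone
from urllib import request

DATE_FMT = "%Y-%m-%dT%H:%M:%SZ"      # "$date" format used in Search Conditions
INCIDENT_FMT = "%Y-%m-%d %H:%M:%S"   # "yyyy-mm-dd hh:mm:ss" used in Incident Fields


def mongo_date(dt):
    """Wrap a timezone-aware datetime as the {"$date": "..."} object the search expects."""
    return {"$date": dt.astimezone(timezone.utc).strftime(DATE_FMT)}


def build_request(username, site, event_source, start, end, statuses, source_regex, incident):
    """Assemble the POST body for .../api/Command/UpdateIdenticalEvent."""
    re.compile(source_regex)  # reject an invalid pattern here, not inside the MongoDB query
    conditions = {"__EventSource": event_source,
                  "IngestedUtcTime": {"$gt": mongo_date(start), "$lt": mongo_date(end)},
                  "SystemStatus": {"$in": list(statuses)},
                  "DataSource": {"$regex": source_regex}}
    fields = {k: v.strftime(INCIDENT_FMT) if isinstance(v, datetime) else v
              for k, v in incident.items()}
    return {"Username": username, "Site": site,
            "CommandParams": {"Search Conditions": conditions, "Incident Fields": fields}}


def summarise(resp):
    """Reduce the documented response to what an analyst checks: success, which event
    changed, the field-level diff, and the incidents updated alongside it."""
    if resp.get("error"):
        raise RuntimeError("UpdateIdenticalEvent failed: " + resp["error"])
    data = resp["returnData"]["Data"]
    diff = {c["Field"]: (c["OldValue"], c["NewValue"]) for c in data["EventChanges"]["Data"]}
    return {"status": resp["returnData"]["Status"], "event_id": data["EventId"],
            "diff": diff, "incidents": data.get("Incidents", [])}


def post_command(base_url, api_namespace, body, auth_headers):
    """Send the request; auth_headers holds the API-key header from the Webhook
    Configuration Guide (not on this page). Not exercised offline."""
    url = f"{base_url}/{api_namespace}/api/Command/UpdateIdenticalEvent"
    req = request.Request(url, data=json.dumps(body).encode(), method="POST",
                          headers={"Content-Type": "application/json", **auth_headers})
    with request.urlopen(req, timeout=30) as r:
        return json.load(r)


def example_request():
    """Constructed inputs mirroring the page's Sample Request (not a live call)."""
    start = datetime(2023, 8, 25, tzinfo=timezone.utc)
    end = datetime(2023, 9, 1, tzinfo=timezone.utc)
    return build_request("Admin", "Security Operations", "1.2.2.999999", start, end,
                         ["Escalated", "Open"], "^Test",
                         {"Status": "Closed", "DueDate": datetime(2021, 8, 1, 12, 0, 0)})
```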