
Update Identical Event

LAST UPDATED: AUG 19, 2024

This command identifies the first original event from the same data source and site that matches the search condition in MongoDB. Then, it retrieves the event data from the playbook runtime and uses this data to update the fields of the originally found event. Incidents directly related to the original event will also be updated by invoking the "Set Incident Fields" command using the input parameter "Incident Fields".

READER NOTE

Please note that this command can only be executed within an event playbook's "On Event Ingestion" trigger.

Implementation: System

Command Category: System Utility

Tags: EVENT, EVENT MANAGEMENT

Inputs

Parameter Name

Required/Optional

Description

Sample Data

Search Conditions

Required

Specify the search condition, as a JSON object, for the event you wish to update. If an original event matches this search condition (with system field names as keys), the new field values will be written to the original event. If a field does not exist, it will be created. The value for each key can be a regular expression, a string, a number, an { "$in": ["value1", "value2"] } list, or a date in the { "$date": "2023-08-01T00:00:00Z" } format.

CODE
{
    "__EventSource": "1.2.2.999999",
    "Severity": "High",
    "IngestedUtcTime": {
        "$gt": {
            "$date": "2023-08-25T00:00:00Z"
        },
        "$lt": {
            "$date": "2023-09-01T00:00:00Z"
        }
    },
    "SystemStatus": {
        "$in": [
            "Escalated",
            "Open"
        ]
    },
    "SystemSeverityId": 4,
    "DataSource": {
        "$regex": "^Test"
    }
}

Incident Fields

Required

A JSON object containing the incident fields to update. Fields can be Title, SiteName, IncidentType, Status, SeverityName, Disposition, Tags, DueDate, Description, IncidentCategory, DateEnded, Owner, DateOccurred and CustomFields. Date format: yyyy-mm-dd hh:mm:ss

CODE
{
    "Title": "Incident title",
    "SiteName": "APSOC",
    "IncidentType": "Phishing",
    "Status": "Closed",
    "SeverityName": "medium",
    "Disposition": "No Action",
    "Tags": "MyTag, MyTag2",
    "Description": "This is for updating incident",
    "DueDate": "2021-08-01 12:00:00",
    "IncidentCategory": "Access",
    "DateEnded": "2021-08-02 12:00:00",
    "Owner": "firstname lastname",
    "DateOccurred": "2021-08-02 12:00:00",
    "CustomInputUrl": "url",
    "CustomAge": "30"
}
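
Because the command updates only the first event that matches Search Conditions, it helps to check which event a condition selects before using it in a playbook. The following Python sketch is an added example, not the product's own code and not part of the original page: it evaluates the sample condition above against constructed events. It assumes MongoDB-style matching for the operators shown in the sample and approximates $regex with Python's re module; matches, first_match and the sample events are hypothetical.

```python
import re
from datetime import datetime, timezone

def _val(v):
    # Extended JSON {"$date": "..."} becomes an aware datetime; other values pass through.
    if isinstance(v, dict) and set(v) == {"$date"}:
        return datetime.fromisoformat(v["$date"].replace("Z", "+00:00"))
    return v

OPS = {  # only the operators used in the page's sample condition
    "$in": lambda actual, arg: actual in arg,
    "$regex": lambda actual, arg: isinstance(actual, str) and bool(re.search(arg, actual)),
    "$gt": lambda actual, arg: actual > _val(arg),
    "$lt": lambda actual, arg: actual < _val(arg),
}

def matches(event, condition):
    """True when every key of the condition matches the event (implicit AND)."""
    for key, expected in condition.items():
        if key not in event:
            return False
        if isinstance(expected, dict) and "$date" not in expected:
            for op, arg in expected.items():
                if op not in OPS:
                    raise ValueError(f"unsupported operator {op!r} on {key!r}")
                if not OPS[op](event[key], arg):
                    return False
        elif event[key] != _val(expected):
            return False
    return True

def first_match(events, condition):  # first match in list order, or None
    return next((e for e in events if matches(e, condition)), None)

# Search condition from the page's Sample Data.
CONDITION = {
    "__EventSource": "1.2.2.999999", "Severity": "High", "SystemSeverityId": 4,
    "IngestedUtcTime": {"$gt": {"$date": "2023-08-25T00:00:00Z"},
                        "$lt": {"$date": "2023-09-01T00:00:00Z"}},
    "SystemStatus": {"$in": ["Escalated", "Open"]},
    "DataSource": {"$regex": "^Test"},
}
# Constructed sample events (not real data): they differ in DataSource and SystemStatus.
_base = {"__EventSource": "1.2.2.999999", "Severity": "High", "SystemSeverityId": 4,
         "IngestedUtcTime": datetime(2023, 8, 28, tzinfo=timezone.utc), "SystemStatus": "Open"}
EVENTS = [
    {**_base, "EventId": 1, "DataSource": "Prod Test Feed"},
    {**_base, "EventId": 2, "DataSource": "Test Feed", "SystemStatus": "Closed"},
    {**_base, "EventId": 3, "DataSource": "Test Feed"},
]
```

In this model, first_match(EVENTS, CONDITION) selects event 3; with the ^ anchor removed from the DataSource pattern it selects event 1 instead, so a different event and its related incidents would be updated.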

Output

Return Data

The result returned by this command. If some required parameters are not defined, the returned data may be empty. The result can be passed directly to a subsequent command in a playbook.

SAMPLE DATA

JSON
{
    "Status": "Successful",
    "Data": {
        "EventId": 64703,
        "EventGuid": "E81F16C7-923A-4A1D-8D7E-BA22ABFBC164",
        "EventChanges": {
            "ModifiedUtcTime": "2023-04-07T06:02:10.757",
            "EventId": 64703,
            "Data": [
                {
                    "Field": "Severity",
                    "OldValue": "High",
                    "NewValue": "Medium",
                    "Type": "Update"
                },
                {
                    "Field": "Filename",
                    "OldValue": "Oldfile",
                    "NewValue": "Newfile",
                    "Type": "Update"
                }
            ]
        },
        "Incidents": [
            "20230406-52"
        ],
        "IncidentChanges": [
            {
                "IncidentNumber": "20230406-52",
                "UpdateFields": {
                    "Title": "Incident title",
                    "SiteName": "APSOC",
                    "IncidentType": "Phishing",
                    "Status": "Closed",
                    "SeverityName": "medium",
                    "Disposition": "No Action",
                    "Tags": "MyTag, MyTag2",
                    "Description": "This is for updating incident",
                    "DueDate": "2021-08-01 12:00:00",
                    "IncidentCategory": "Access",
                    "DateEnded": "2021-08-02 12:00:00",
                    "Owner": "firstname lastname",
                    "DateOccurred": "2021-08-02 12:00:00",
                    "CustomInputUrl": "url",
                    "CustomAge": "30"
                }
            }
        ]
    }
}