Last updated: Aug 02, 2024
Trigger 'On Incident External Action' in the playbooks for the first incident that meets the search condition.
|
Implementation |
System |
|
Command Category |
System Utility |
|
Tags |
Incident RunPlaybook |
Inputs
|
Parameter Name |
Required/Optional |
Description |
Sample Data |
|---|---|---|---|
|
Search Conditions |
Required |
The search condition is to find the first incident that occurred. The value query corresponding to the key supports regular expressions, string, number, { "$in": ["value1", "value2"] }, and, date:"$date": "2023-08-01T00:00:00Z" format. |
|
|
Trigger Data |
Optional |
'Trigger Data' is the data when 'On Incident External Action' is triggered in the incident playbooks. |
|
Output
Remote Command API
The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.
Request
POST
https:/{base_url}/{api_namespace}/api/Command/TriggerIncidentExternalAction
Headers
Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.
Request Body
{
"Username": "<Username here>",
"Site": "<Site here>",
"CommandParams": {
"Search Conditions": "<Search Conditions here>",
"Trigger Data": "<Trigger Data here>"
}
}
Body Parameters
|
Parameter Name |
Type |
Required/Optional |
Description |
|---|---|---|---|
|
Username |
|
Required |
The username of your D3 SOAR account. |
|
Site |
|
Required |
The D3 SOAR site to run the remote command. |
|
Search Conditions |
|
Required |
The search condition is to find the first incident that occurred. The value query corresponding to the key supports regular expressions, string, number, { "$in": ["value1", "value2"] }, and, date:"$date": "2023-08-01T00:00:00Z" format. |
|
Trigger Data |
|
Optional |
'Trigger Data' is the data when 'On Incident External Action' is triggered in the incident playbooks. |
Sample Request
Sample Data
{
"Username": "Admin",
"Site": "Security Operations",
"CommandParams": {
"Search Conditions": {
"Number": "20230413-123",
"Type": "Suspicious Network Activity",
"Status": "Open|Closed|In Progress|On Hold",
"Stage": "Sample Stage",
"DataSource": "QRadar Offense",
"IncidentSource": "Sample Incident Source",
"Connection": "QRadar Connection",
"IngestionType": "Unknown|Schedule Job|Webhook|File|Command|Automation Rule|Manual Creation|Manual Escalation",
"Category": "Incident Category",
"ExternalKey": "Sample External Key",
"CustomField1": "Sample Custom Field 1",
"CustomField2": "Sample Custom Field 2",
"Title": {
"$regex": "^Incident Title"
},
"Severity": {
"$in": [
"Critical",
"High"
]
},
"CreatedUtcTime": {
"$gt": {
"$date": "2023-09-01T00:00:00Z"
},
"$lt": {
"$date": "2023-09-21T00:00:00Z"
}
}
},
"Trigger Data": {
"CustomKey1": "Custom value1",
"CustomKey2": "Custom value2"
}
}
}
Response
Response Fields
|
Field Name |
Type |
Description |
|---|---|---|
|
error |
|
The error message if the API request has failed. |
|
returnData |
|
The return data from the API request. |
Sample Response
{
"error": "",
"returnData": {
"Status": "Successful",
"Data": {
"IncidentId": 123,
"IncidentNo": "20230413-123",
"TriggeredPlaybooks": [
{
"RuntimeId": 287,
"PlaybookName": "Trigger External Action Playbook"
}
]
}
}
}