The different ways to update the incident fields.
Sometimes you may want to update incident fields based on a change in one of its alerts. For example, an incident may contain many alerts with different severities; after investigating one of those alerts, the analyst wants to change the severity of the incident to low.
You can update the following incident fields through a playbook, script, or command:
manual_severity
starred
assigned_user_email
status
score
incident_name
description
Update Incident Fields Using the CLI
You can update incident fields in the Incident or Alert War Room by running the !setParentIncidentFields command. For example, to change the name of the incident to Malware, run !setParentIncidentFields incident_name=Malware.
Note
You can set multiple fields at once. For example, !setParentIncidentFields incident_name=Malware starred=true
When you select a field, its available values are shown (for enum fields).
Update Incident Fields Using a Playbook
When a playbook runs, by default its data is added to the alert context data and alert fields. When configuring tasks in a playbook, you can also write this data to the incident context data and incident fields.
Caution
Users with Trigger Playbook permissions on a given alert may still be able to modify the parent incident via commands and scripts, even without full access to the incident.
In the following example, you want to star an incident from a playbook. Add the following tasks to a new or existing playbook:
1. Create a Conditional task that checks whether the parent incident is starred, using the ${parentIncidentFields.starred} key.
2. Create a standard task that runs the setParentIncidentFields script to update the starred field.
3. Create a standard task that prints the value to the War Room.
4. Run the playbook.
In the incident context data, you can see the key starred: true. Whether the playbook ran in an alert or in an incident, after refreshing the incident, the incident is now starred.
Update Incident Fields Using a Script
In any script that runs in an alert, the data is written to the alert fields. To update incident fields instead, pass setParentIncidentFields to the demisto.executeCommand function, with the fields to update as a JSON object.
For example, to update the incident status to resolved, call demisto.executeCommand("setParentIncidentFields", {"status":"resolved_other"})
Note
Ensure that you have the required RBAC permission to write scripts.
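The following is an added example, not code from the documentation or the product: a script helper that updates the parent incident through the setParentIncidentFields command, rejects field names the command does not document, and mirrors the playbook flow above by starring the incident only when the parentIncidentFields context shows it is not starred yet. The Python boolean True for the starred field and the offline stand-in for demisto are assumptions made here.

```python
# Added example (not from the Cortex documentation or the product code).
try:
    import demistomock as demisto  # what a script running on the platform uses
except ImportError:
    # Constructed stand-in so the example runs outside the platform; it only
    # acknowledges the command it was asked to execute.
    class _DemistoStub:
        def executeCommand(self, command, args):
            return [{"Type": 1, "Contents": f"{command} executed"}]
    demisto = _DemistoStub()

# Incident fields the documentation lists as writable from a script.
WRITABLE_FIELDS = {
    "manual_severity", "starred", "assigned_user_email",
    "status", "score", "incident_name", "description",
}

# Every update request is recorded here so its effect can be inspected.
CALL_LOG = []


def unknown_fields(fields):
    """Return the names in `fields` that setParentIncidentFields does not document."""
    return set(fields) - WRITABLE_FIELDS


def set_parent_incident_fields(fields):
    """Send one update for the parent incident; refuse undocumented names
    up front instead of sending the server a request it may not understand."""
    bad = unknown_fields(fields)
    if bad:
        raise ValueError(f"unsupported incident fields: {sorted(bad)}")
    CALL_LOG.append(("setParentIncidentFields", dict(fields)))
    return demisto.executeCommand("setParentIncidentFields", fields)


def star_parent_incident(parent_incident_fields):
    """Same logic as the playbook example: star the parent incident only when
    the parentIncidentFields context says it is not starred. Returns True when
    an update was sent."""
    if parent_incident_fields.get("starred"):
        return False
    set_parent_incident_fields({"starred": True})  # assumes a boolean is accepted
    return True


def last_call():
    """The most recent (command, arguments) pair that was sent, or None."""
    return CALL_LOG[-1] if CALL_LOG else None


if __name__ == "__main__":
    # Constructed sample of the ${parentIncidentFields} context key.
    star_parent_incident({"starred": False})
    set_parent_incident_fields({"status": "resolved_other"})
    print(CALL_LOG)
```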