Create single incident

Cortex XSOAR 6 API

post /incident

Create or update an incident according to the JSON structure. To update incident custom fields, lowercase the field name and remove all spaces; for example, "Scan IP" -> "scanip". To get the actual key name you can also open the Cortex XSOAR CLI, run /incident_add and look for the key that you would like to update.

Set 'createInvestigation: true' to start the investigation process automatically (by running a playbook based on the incident type).

CURL
curl -X POST \
  -H "Authorization: [[apiKey]]" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://hostname:443/incident" \
  -d '{ "lastOpen" : "2000-01-23T04:56:07.000+00:00", "dbotCreatedBy" : "dbotCreatedBy", "parent" : "parent", "reason" : "reason", "sourceInstance" : "sourceInstance", "sizeInBytes" : 2, "closeNotes" : "closeNotes", "dbotMirrorTags" : [ "dbotMirrorTags", "dbotMirrorTags" ], "dueDate" : "2000-01-23T04:56:07.000+00:00", "linkedCount" : 5, "syncHash" : "syncHash", "type" : "Unclassified", "closingUserId" : "closingUserId", "rawPhase" : "rawPhase", "modified" : "2000-01-23T04:56:07.000+00:00",
  "xsoarReadOnlyRoles" : [ "xsoarReadOnlyRoles", "xsoarReadOnlyRoles" ], "details" : "details", "closeReason" : "closeReason", "dbotMirrorDirection" : "dbotMirrorDirection", "rawCategory" : "rawCategory", "phase" : "phase", "allReadWrite" : true, "numericId" : 2, "sequenceNumber" : 3, "previousAllRead" : true, "investigationId" : "investigationId", "todoTaskIds" : [ "todoTaskIds", "todoTaskIds" ], "created" : "2000-01-23T04:56:07.000+00:00", "indexName" : "indexName", "notifyTime" : "2000-01-23T04:56:07.000+00:00", "xsoarHasReadOnlyRole" : true, "sla" : 4.145608029883936, "autime" : 6, "rawJSON" : "rawJSON", "version" : 7,
  "labels" : [ { "type" : "type", "value" : "value" }, { "type" : "type", "value" : "value" } ], "dbotMirrorLastSync" : "2000-01-23T04:56:07.000+00:00", "rawCloseReason" : "rawCloseReason", "previousAllReadWrite" : true, "canvases" : [ "canvases", "canvases" ], "playbookId" : "playbookId", "name" : "name", "hasRole" : true, "dbotCurrentDirtyFields" : [ "dbotCurrentDirtyFields", "dbotCurrentDirtyFields" ], "status" : 2, "dbotDirtyFields" : [ "dbotDirtyFields", "dbotDirtyFields" ], "rawType" : "rawType", "primaryTerm" : 9, "roles" : [ "roles", "roles" ], "isPlayground" : true, "droppedCount" : 5, "dbotMirrorId" : "dbotMirrorId", "createInvestigation" : true, "isDebug" : true, "feedBased" : true,
  "highlight" : { "key" : [ "highlight", "highlight" ] }, "activatingingUserId" : "activatingingUserId", "runStatus" : "runStatus", "dbotMirrorInstance" : "dbotMirrorInstance", "owner" : "owner", "severity" : 4, "linkedIncidents" : [ "linkedIncidents", "linkedIncidents" ], "previousRoles" : [ "previousRoles", "previousRoles" ], "occurred" : "2000-01-23T04:56:07.000+00:00", "reminder" : "2000-01-23T04:56:07.000+00:00", "xsoarPreviousReadOnlyRoles" : [ "xsoarPreviousReadOnlyRoles", "xsoarPreviousReadOnlyRoles" ], "cacheVersn" : 1, "openDuration" : 7, "lastJobRunTime" : "2000-01-23T04:56:07.000+00:00", "rawName" : "rawName", "sortValues" : [ "sortValues", "sortValues" ], "ShardID" : 0, "sourceBrand" : "sourceBrand", "allRead" : true, "closed" : "2000-01-23T04:56:07.000+00:00", "category" : "category", "account" : "account", "activated" : "2000-01-23T04:56:07.000+00:00" }'
Authentication: api_key (the API key is sent in the "Authorization" header)
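A small Python client, added here as an example and not part of the Cortex XSOAR documentation or product, that applies the custom-field naming rule described above ("Scan IP" -> "scanip") and posts the incident with the Authorization header. It goes one step beyond the page by refusing a custom field whose normalised name collides with a built-in incident key, so a field like "Severity " cannot silently overwrite the real severity. The hostname, the XSOAR_API_KEY environment variable and the "Scan IP" custom field are assumptions.

```python
import json
import os
import re
import urllib.request

# Added example; not Cortex XSOAR's own code. Host and key are placeholders.
XSOAR_URL = "https://hostname:443"          # placeholder, as in the page's curl example
API_KEY = os.environ.get("XSOAR_API_KEY")   # keep the key out of source and shell history


def custom_field_key(display_name: str) -> str:
    """Display name -> API key name: lowercase with all whitespace removed.
    Page example: 'Scan IP' -> 'scanip'."""
    return re.sub(r"\s+", "", display_name).lower()


def build_incident(name, incident_type, severity, details, custom_fields=None,
                   create_investigation=True):
    """Build the JSON body for POST /incident. Custom fields are keyed by their
    normalised name; a name that maps onto a built-in key is rejected."""
    body = {
        "name": name,
        "type": incident_type,
        "severity": severity,              # XSOAR severity scale: 0 unknown .. 4 critical
        "details": details,
        "createInvestigation": create_investigation,
    }
    for display_name, value in (custom_fields or {}).items():
        key = custom_field_key(display_name)
        if key in body:
            raise ValueError(f"custom field {display_name!r} maps to built-in key {key!r}")
        body[key] = value
    return body


def create_incident(body, api_key=API_KEY, base_url=XSOAR_URL, timeout=30):
    """POST the body and return the parsed IncidentWrapper response."""
    if not api_key:
        raise RuntimeError("XSOAR_API_KEY is not set")
    req = urllib.request.Request(
        base_url + "/incident",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={"Authorization": api_key, "Accept": "application/json",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    incident = build_incident("Suspicious login", "Unclassified", 2,
                              "Constructed sample incident", {"Scan IP": "10.0.0.5"})
    print(json.dumps(create_incident(incident), indent=2))
```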
Request

Body (optional). All fields below are optional.

ShardID: Number (Long), format int64
account: String. Account holds the tenant name so that slicing and dicing on the master can leverage bleve.
activated: Object, format date-time. When was this activated.
activatingingUserId: String. The user that activated this investigation.
allRead: Boolean
allReadWrite: Boolean
autime: Number (Long), format int64. AlmostUniqueTime is an attempt to have a unique sortable ID for an incident.
cacheVersn: Number (Long), format int64
canvases: Array of strings. Canvases of the incident.
category: String. Category.
closeNotes: String. Notes for closing the incident.
closeReason: String. The reason for closing the incident (select from existing predefined values).
closed: Object, format date-time. When was this closed.
closingUserId: String. The user ID that closed this investigation.
createInvestigation: Boolean
created: Object, format date-time
dbotCreatedBy: String. Who has created this event; relevant only for manual incidents.
dbotCurrentDirtyFields: Array of strings. For mirroring, manage a list of current dirty fields so that we can send a delta to the outgoing integration.
dbotDirtyFields: Array of strings. For mirroring, manage a list of dirty fields so they are not overridden from the source of the incident.
dbotMirrorDirection: String. DBotMirrorDirection of how to mirror the incident (in/out/both).
dbotMirrorId: String. DBotMirrorID of a remote system we are syncing with.
dbotMirrorInstance: String. DBotMirrorInstance name of a mirror integration instance.
dbotMirrorLastSync: Object, format date-time. The last time we synced this incident even if we did not update anything.
dbotMirrorTags: Array of strings. The entry tags I want to sync to the remote system.
details: String. The details of the incident (reason, etc.).
droppedCount: Number (Long), format int64. DroppedCount ...
dueDate: Object, format date-time. SLA.
feedBased: Boolean. If this incident was triggered by a feed job.
hasRole: Boolean. Internal field to make queries on role faster.
highlight: Map
indexName: String
investigationId: String. Investigation that was opened as a result of the incoming event.
isDebug: Boolean. IsDebug ...
isPlayground: Boolean. IsPlayGround.
labels: Array. Labels related to the incident; each label is composed of a type and a value.
  type: String
  value: String
lastJobRunTime: Object, format date-time. If this incident was triggered by a job, this would be the time the previous job started.
lastOpen: Object, format date-time
linkedCount: Number (Long), format int64. LinkedCount ...
linkedIncidents: Array of strings. LinkedIncidents: incidents that were marked as linked by the user.
modified: Object, format date-time
name: String. Incident name, given by the user.
notifyTime: Object, format date-time. Indicates when this field was last changed with a value that is supposed to send a notification.
numericId: Number (Long), format int64
occurred: Object, format date-time. When this incident really occurred.
openDuration: Number (Long), format int64. Duration the incident was open.
owner: String. The user who owns this incident.
parent: String. Parent.
phase: String. Phase.
playbookId: String. The associated playbook for this incident.
previousAllRead: Boolean
previousAllReadWrite: Boolean
previousRoles: Array of strings. Do not change this field manually.
primaryTerm: Number (Long), format int64
rawCategory: String
rawCloseReason: String. The reason for closing the incident (select from existing predefined values).
rawJSON: String
rawName: String. Incident RawName.
rawPhase: String. RawPhase.
rawType: String. Incident raw type.
reason: String. The reason an incident was closed.
reminder: Object, format date-time. When, if at all, to send a reminder.
roles: Array of strings. The role assigned to this investigation.
runStatus: String. RunStatus of a job.
sequenceNumber: Number (Long), format int64
severity: Number (Double), format double. Severity is the incident severity.
sizeInBytes: Number (Long), format int64
sla: Number (Double), format double. SLAState is the incident SLA at closure time, in minutes.
sortValues: Array of strings
sourceBrand: String. SourceBrand ...
sourceInstance: String. SourceInstance ...
status: Number (Double), format double. IncidentStatus is the status of the incident.
syncHash: String
todoTaskIds: Array of strings. ToDoTaskIDs: list of to-do task ids.
type: String. Incident type.
version: Number (Long), format int64
xsoarHasReadOnlyRole: Boolean
xsoarPreviousReadOnlyRoles: Array of strings
xsoarReadOnlyRoles: Array of strings
Responses

IncidentWrapper

Body: IncidentWrapper is an extension of the Incident entity, which includes an additional field of changed-status for the web client. All fields below are optional.

ShardID: Number (Long), format int64
account: String. Account holds the tenant name so that slicing and dicing on the master can leverage bleve.
activated: Object, format date-time. When was this activated.
activatingingUserId: String. The user that activated this investigation.
allRead: Boolean
allReadWrite: Boolean
attachment: Array. Attachments.
  description: String
  isTempPath: Boolean
  name: String
  path: String
  showMediaFile: Boolean
  type: String
autime: Number (Long), format int64. AlmostUniqueTime is an attempt to have a unique sortable ID for an incident.
cacheVersn: Number (Long), format int64
canvases: Array of strings. Canvases of the incident.
category: String. Category.
changeStatus: String
closeNotes: String. Notes for closing the incident.
closeReason: String. The reason for closing the incident (select from existing predefined values).
closed: Object, format date-time. When was this closed.
closingUserId: String. The user ID that closed this investigation.
created: Object, format date-time
dbotCreatedBy: String. Who has created this event; relevant only for manual incidents.
dbotCurrentDirtyFields: Array of strings. For mirroring, manage a list of current dirty fields so that we can send a delta to the outgoing integration.
dbotDirtyFields: Array of strings. For mirroring, manage a list of dirty fields so they are not overridden from the source of the incident.
dbotMirrorDirection: String. DBotMirrorDirection of how to mirror the incident (in/out/both).
dbotMirrorId: String. DBotMirrorID of a remote system we are syncing with.
dbotMirrorInstance: String. DBotMirrorInstance name of a mirror integration instance.
dbotMirrorLastSync: Object, format date-time. The last time we synced this incident even if we did not update anything.
dbotMirrorTags: Array of strings. The entry tags I want to sync to the remote system.
details: String. The details of the incident (reason, etc.).
droppedCount: Number (Long), format int64. DroppedCount ...
dueDate: Object, format date-time. SLA.
feedBased: Boolean. If this incident was triggered by a feed job.
hasRole: Boolean. Internal field to make queries on role faster.
highlight: Map
id: String
indexName: String
insights: Integer, format uint64
investigationId: String. Investigation that was opened as a result of the incoming event.
isDebug: Boolean. IsDebug ...
isPlayground: Boolean. IsPlayGround.
labels: Array. Labels related to the incident; each label is composed of a type and a value.
  type: String
  value: String
lastJobRunTime: Object, format date-time. If this incident was triggered by a job, this would be the time the previous job started.
lastOpen: Object, format date-time
linkedCount: Number (Long), format int64. LinkedCount ...
linkedIncidents: Array of strings. LinkedIncidents: incidents that were marked as linked by the user.
modified: Object, format date-time
name: String. Incident name, given by the user.
notifyTime: Object, format date-time. Indicates when this field was last changed with a value that is supposed to send a notification.
numericId: Number (Long), format int64
occurred: Object, format date-time. When this incident really occurred.
openDuration: Number (Long), format int64. Duration the incident was open.
owner: String. The user who owns this incident.
parent: String. Parent.
phase: String. Phase.
playbookId: String. The associated playbook for this incident.
previousAllRead: Boolean
previousAllReadWrite: Boolean
previousRoles: Array of strings. Do not change this field manually.
primaryTerm: Number (Long), format int64
rawCategory: String
rawCloseReason: String. The reason for closing the incident (select from existing predefined values).
rawJSON: String
rawName: String. Incident RawName.
rawPhase: String. RawPhase.
rawType: String. Incident raw type.
reason: String. The reason for the resolve.
reminder: Object, format date-time. When, if at all, to send a reminder.
roles: Array of strings. The role assigned to this investigation.
runStatus: String. RunStatus of a job.
sequenceNumber: Number (Long), format int64
severity: Number (Double), format double. Severity is the incident severity. Example: 4
sizeInBytes: Number (Long), format int64
sla: Number (Double), format double. SLAState is the incident SLA at closure time, in minutes.
sortValues: Array of strings
sourceBrand: String. SourceBrand ...
sourceInstance: String. SourceInstance ...
status: Number (Double), format double. IncidentStatus is the status of the incident. Example: 2
syncHash: String
todoTaskIds: Array of strings. ToDoTaskIDs: list of to-do task ids.
type: String. Incident type.
version: Number (Long), format int64
xsoarHasReadOnlyRole: Boolean
xsoarPreviousReadOnlyRoles: Array of strings
xsoarReadOnlyRoles: Array of strings