Manually create a new Cortex XSOAR incident or update an existing one.
To update an existing incident, you must update the version parameter. For more information on updating the version parameter, see Optimistic locking and versioning.
To update incident custom fields, they must be in lowercase and without spaces. For example, "Scan IP" should be "scanip".
To get the actual key name, you can go to Cortex XSOAR CLI and run /incident_add and look for the key that you would like to update.
Use createInvestigation: true to start the investigation process automatically upon creating the new incident. This will also run the appropriate playbook based on the incident type.
Authorization
String
required
{api_key}
{api_key}
authorization_example
x-xdr-auth-id
String
required
{api_key_id}
{api_key_id}
xXdrAuthId_example
curl -X 'POST'
-H
'Accept: application/json'
-H
'Content-Type: application/json'
-H
'Authorization: authorization_example'
-H
'x-xdr-auth-id: xXdrAuthId_example'
'https://api-yourfqdn/xsoar/public/v1/incident'
-d
'{
"severity" : 2,
"reason" : "reason",
"closeNotes" : "closeNotes",
"customFields" : {
"key" : "{}"
},
"sla" : 0.8008281904610115,
"rawJSON" : "rawJSON",
"type" : "Unclassified",
"createInvestigation" : true,
"labels" : [ {
"type" : "type",
"value" : "value"
}, {
"type" : "type",
"value" : "value"
} ],
"playbookId" : "playbookId",
"name" : "name",
"closed" : "2000-01-23T04:56:07.000+00:00",
"modified" : "2000-01-23T04:56:07.000+00:00",
"details" : "details",
"closeReason" : "closeReason",
"status" : 2
}'
import http.client
conn = http.client.HTTPSConnection("api-yourfqdn")
payload = "{\"closeNotes\":\"string\",\"closeReason\":\"string\",\"closed\":\"2019-08-24T14:15:22Z\",\"createInvestigation\":true,\"customFields\":{\"property1\":{},\"property2\":{}},\"details\":\"string\",\"labels\":[{\"type\":\"string\",\"value\":\"string\"}],\"modified\":\"2019-08-24T14:15:22Z\",\"name\":\"string\",\"playbookId\":\"string\",\"rawJSON\":\"string\",\"reason\":\"string\",\"severity\":2,\"sla\":0.1,\"status\":2,\"type\":\"Unclassified\"}"
headers = {
'Authorization': "SOME_STRING_VALUE",
'x-xdr-auth-id': "SOME_STRING_VALUE",
'content-type': "application/json"
}
conn.request("POST", "//xsoar/public/v1/incident", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))require 'uri'
require 'net/http'
require 'openssl'
url = URI("https://api-yourfqdn//xsoar/public/v1/incident")
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
request = Net::HTTP::Post.new(url)
request["Authorization"] = 'SOME_STRING_VALUE'
request["x-xdr-auth-id"] = 'SOME_STRING_VALUE'
request["content-type"] = 'application/json'
request.body = "{\"closeNotes\":\"string\",\"closeReason\":\"string\",\"closed\":\"2019-08-24T14:15:22Z\",\"createInvestigation\":true,\"customFields\":{\"property1\":{},\"property2\":{}},\"details\":\"string\",\"labels\":[{\"type\":\"string\",\"value\":\"string\"}],\"modified\":\"2019-08-24T14:15:22Z\",\"name\":\"string\",\"playbookId\":\"string\",\"rawJSON\":\"string\",\"reason\":\"string\",\"severity\":2,\"sla\":0.1,\"status\":2,\"type\":\"Unclassified\"}"
response = http.request(request)
puts response.read_bodyconst data = JSON.stringify({
"closeNotes": "string",
"closeReason": "string",
"closed": "2019-08-24T14:15:22Z",
"createInvestigation": true,
"customFields": {
"property1": {},
"property2": {}
},
"details": "string",
"labels": [
{
"type": "string",
"value": "string"
}
],
"modified": "2019-08-24T14:15:22Z",
"name": "string",
"playbookId": "string",
"rawJSON": "string",
"reason": "string",
"severity": 2,
"sla": 0.1,
"status": 2,
"type": "Unclassified"
});
const xhr = new XMLHttpRequest();
xhr.withCredentials = true;
xhr.addEventListener("readystatechange", function () {
if (this.readyState === this.DONE) {
console.log(this.responseText);
}
});
xhr.open("POST", "https://api-yourfqdn//xsoar/public/v1/incident");
xhr.setRequestHeader("Authorization", "SOME_STRING_VALUE");
xhr.setRequestHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
xhr.setRequestHeader("content-type", "application/json");
xhr.send(data);HttpResponse<String> response = Unirest.post("https://api-yourfqdn//xsoar/public/v1/incident")
.header("Authorization", "SOME_STRING_VALUE")
.header("x-xdr-auth-id", "SOME_STRING_VALUE")
.header("content-type", "application/json")
.body("{\"closeNotes\":\"string\",\"closeReason\":\"string\",\"closed\":\"2019-08-24T14:15:22Z\",\"createInvestigation\":true,\"customFields\":{\"property1\":{},\"property2\":{}},\"details\":\"string\",\"labels\":[{\"type\":\"string\",\"value\":\"string\"}],\"modified\":\"2019-08-24T14:15:22Z\",\"name\":\"string\",\"playbookId\":\"string\",\"rawJSON\":\"string\",\"reason\":\"string\",\"severity\":2,\"sla\":0.1,\"status\":2,\"type\":\"Unclassified\"}")
.asString();import Foundation
let headers = [
"Authorization": "SOME_STRING_VALUE",
"x-xdr-auth-id": "SOME_STRING_VALUE",
"content-type": "application/json"
]
let parameters = [
"closeNotes": "string",
"closeReason": "string",
"closed": "2019-08-24T14:15:22Z",
"createInvestigation": true,
"customFields": [
"property1": [],
"property2": []
],
"details": "string",
"labels": [
[
"type": "string",
"value": "string"
]
],
"modified": "2019-08-24T14:15:22Z",
"name": "string",
"playbookId": "string",
"rawJSON": "string",
"reason": "string",
"severity": 2,
"sla": 0.1,
"status": 2,
"type": "Unclassified"
] as [String : Any]
let postData = JSONSerialization.data(withJSONObject: parameters, options: [])
let request = NSMutableURLRequest(url: NSURL(string: "https://api-yourfqdn//xsoar/public/v1/incident")! as URL,
cachePolicy: .useProtocolCachePolicy,
timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData as Data
let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
if (error != nil) {
print(error)
} else {
let httpResponse = response as? HTTPURLResponse
print(httpResponse)
}
})
dataTask.resume()<?php
$curl = curl_init();
curl_setopt_array($curl, [
CURLOPT_URL => "https://api-yourfqdn//xsoar/public/v1/incident",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_ENCODING => "",
CURLOPT_MAXREDIRS => 10,
CURLOPT_TIMEOUT => 30,
CURLOPT_HTTP_VERSION => CURL_HTTP_VERSION_1_1,
CURLOPT_CUSTOMREQUEST => "POST",
CURLOPT_POSTFIELDS => "{\"closeNotes\":\"string\",\"closeReason\":\"string\",\"closed\":\"2019-08-24T14:15:22Z\",\"createInvestigation\":true,\"customFields\":{\"property1\":{},\"property2\":{}},\"details\":\"string\",\"labels\":[{\"type\":\"string\",\"value\":\"string\"}],\"modified\":\"2019-08-24T14:15:22Z\",\"name\":\"string\",\"playbookId\":\"string\",\"rawJSON\":\"string\",\"reason\":\"string\",\"severity\":2,\"sla\":0.1,\"status\":2,\"type\":\"Unclassified\"}",
CURLOPT_HTTPHEADER => [
"Authorization: SOME_STRING_VALUE",
"content-type: application/json",
"x-xdr-auth-id: SOME_STRING_VALUE"
],
]);
$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);
if ($err) {
echo "cURL Error #:" . $err;
} else {
echo $response;
}CURL *hnd = curl_easy_init();
curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn//xsoar/public/v1/incident");
struct curl_slist *headers = NULL;
headers = curl_slist_append(headers, "Authorization: SOME_STRING_VALUE");
headers = curl_slist_append(headers, "x-xdr-auth-id: SOME_STRING_VALUE");
headers = curl_slist_append(headers, "content-type: application/json");
curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"closeNotes\":\"string\",\"closeReason\":\"string\",\"closed\":\"2019-08-24T14:15:22Z\",\"createInvestigation\":true,\"customFields\":{\"property1\":{},\"property2\":{}},\"details\":\"string\",\"labels\":[{\"type\":\"string\",\"value\":\"string\"}],\"modified\":\"2019-08-24T14:15:22Z\",\"name\":\"string\",\"playbookId\":\"string\",\"rawJSON\":\"string\",\"reason\":\"string\",\"severity\":2,\"sla\":0.1,\"status\":2,\"type\":\"Unclassified\"}");
CURLcode ret = curl_easy_perform(hnd);var client = new RestClient("https://api-yourfqdn//xsoar/public/v1/incident");
var request = new RestRequest(Method.POST);
request.AddHeader("Authorization", "SOME_STRING_VALUE");
request.AddHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", "{\"closeNotes\":\"string\",\"closeReason\":\"string\",\"closed\":\"2019-08-24T14:15:22Z\",\"createInvestigation\":true,\"customFields\":{\"property1\":{},\"property2\":{}},\"details\":\"string\",\"labels\":[{\"type\":\"string\",\"value\":\"string\"}],\"modified\":\"2019-08-24T14:15:22Z\",\"name\":\"string\",\"playbookId\":\"string\",\"rawJSON\":\"string\",\"reason\":\"string\",\"severity\":2,\"sla\":0.1,\"status\":2,\"type\":\"Unclassified\"}", ParameterType.RequestBody);
IRestResponse response = client.Execute(request);closeNotesstringNotes for closing the incident.
Notes for closing the incident.
closeReasonstringThe reason for closing the incident (select from existing predefined values).
The reason for closing the incident (select from existing predefined values).
closedstringdate-timeUse createInvestigation: true to start the investigation process automatically upon creating the new incident. This will also run the appropriate playbook based on the incident type.
Use 'createInvestigation: false
Use createInvestigation: true to start the investigation process automatically upon creating the new incident. This will also run the appropriate playbook based on the incident type.
Use 'createInvestigation: false
createInvestigationbooleanUse createInvestigation: true to start the investigation process automatically upon creating the new incident. This will also run the appropriate playbook based on the incident type.
Use createInvestigation: true to start the investigation process automatically upon creating the new incident. This will also run the appropriate playbook based on the incident type.
customFieldsobject
Additional propertiesobject
detailsstringThe details of the incident.
The details of the incident.
labelsarrayLabels related to incident - each label is composed of a type and value
Labels related to incident - each label is composed of a type and value
typestring
valuestring
modifiedstringdate-timeDate modified.
Date modified.
namestringIncident name.
Incident name.
playbookIdstringThe associated playbook for this incident.
The associated playbook for this incident.
rawJSONstring
reasonstringThe reason an incident was closed.
The reason an incident was closed.
severitynumberdoubleSeverity is the incident severity
Severity is the incident severity
2slanumberdoubleSLAState is the incident SLA at closure time, in minutes.
SLAState is the incident SLA at closure time, in minutes.
statusnumberdoubleIncidentStatus is the status of the incident
IncidentStatus is the status of the incident
2typestringIncident type.
Incident type.
"Unclassified"{
"details": "My test incident",
"name": "My test incident",
"severity": 2,
"type": "Unclassified"
}OK
IncidentWrapper is an extension of the Incident entity, which includes an additional field of changed-status for the web client
ShardIDintegerint64
accountstringAccount holds the tenant name so that slicing and dicing on the master can leverage bleve
Account holds the tenant name so that slicing and dicing on the master can leverage bleve
activatedstringdate-timeWhen was this activated
When was this activated
activatingingUserIdstringThe user that activated this investigation
The user that activated this investigation
allReadboolean
allReadWriteboolean
attachmentarrayAttachments
Attachments
descriptionstring
isTempPathboolean
namestring
pathstring
showMediaFileboolean
typestring
autimeintegerint64AlmostUniqueTime is an attempt to have a unique sortable ID for an incident
AlmostUniqueTime is an attempt to have a unique sortable ID for an incident
cacheVersnintegerint64
canvasesarray[string]Canvases of the incident
Canvases of the incident
categorystringCategory
Category
changeStatusstring
closeNotesstringNotes for closing the incident
Notes for closing the incident
closeReasonstringThe reason for closing the incident (select from existing predefined values)
The reason for closing the incident (select from existing predefined values)
closedstringdate-timeWhen was this closed
When was this closed
closingUserIdstringThe user ID that closed this investigation
The user ID that closed this investigation
createdstringdate-time
dbotCreatedBystringWho has created this event - relevant only for manual incidents
Who has created this event - relevant only for manual incidents
dbotCurrentDirtyFieldsarray[string]For mirroring, manage a list of current dirty fields so that we can send delta to outgoing integration
For mirroring, manage a list of current dirty fields so that we can send delta to outgoing integration
dbotDirtyFieldsarray[string]For mirroring, manage a list of dirty fields to not override them from the source of the incident
For mirroring, manage a list of dirty fields to not override them from the source of the incident
dbotMirrorDirectionstringDBotMirrorDirection of how to mirror the incident (in/out/both)
DBotMirrorDirection of how to mirror the incident (in/out/both)
dbotMirrorIdstringDBotMirrorID of a remote system we are syncing with
DBotMirrorID of a remote system we are syncing with
dbotMirrorInstancestringDBotMirrorInstance name of a mirror integration instance
DBotMirrorInstance name of a mirror integration instance
dbotMirrorLastSyncstringdate-timeThe last time we synced this incident even if we did not update anything
The last time we synced this incident even if we did not update anything
dbotMirrorTagsarray[string]The entry tags I want to sync to remote system
The entry tags I want to sync to remote system
detailsstringThe details of the incident - reason, etc.
The details of the incident - reason, etc.
droppedCountintegerint64DroppedCount ...
DroppedCount ...
dueDatestringdate-timeSLA
SLA
feedBasedbooleanIf this incident was triggered by a feed job
If this incident was triggered by a feed job
hasRolebooleanInternal field to make queries on role faster
Internal field to make queries on role faster
highlightobject
Additional propertiesarray[string]
idstring
indexNamestring
insightsintegeruint64
investigationIdstringInvestigation that was opened as a result of the incoming event
Investigation that was opened as a result of the incoming event
isDebugbooleanIsDebug ...
IsDebug ...
isPlaygroundbooleanIsPlayGround
IsPlayGround
labelsarrayLabels related to incident - each label is composed of a type and value
Labels related to incident - each label is composed of a type and value
typestring
valuestring
lastJobRunTimestringdate-timeIf this incident was triggered by a job, this would be the time the previous job started
If this incident was triggered by a job, this would be the time the previous job started
lastOpenstringdate-time
linkedCountintegerint64LinkedCount ...
LinkedCount ...
linkedIncidentsarray[string]LinkedIncidents incidents that were marked as linked by user
LinkedIncidents incidents that were marked as linked by user
modifiedstringdate-time
namestringIncident Name - given by user
Incident Name - given by user
notifyTimestringdate-timeIncdicates when last this field was changed with a value that supposed to send a notification
Incdicates when last this field was changed with a value that supposed to send a notification
numericIdintegerint64
occurredstringdate-timeWhen this incident has really occurred
When this incident has really occurred
openDurationintegerint64Duration incident was open
Duration incident was open
ownerstringThe user who owns this incident
The user who owns this incident
parentstringParent
Parent
phasestringPhase
Phase
playbookIdstringThe associated playbook for this incident
The associated playbook for this incident
previousAllReadboolean
previousAllReadWriteboolean
previousRolesarray[string]Do not change this field manually
Do not change this field manually
primaryTermintegerint64
rawCategorystring
rawCloseReasonstringThe reason for closing the incident (select from existing predefined values)
The reason for closing the incident (select from existing predefined values)
rawJSONstring
rawNamestringIncident RawName
Incident RawName
rawPhasestringRawPhase
RawPhase
rawTypestringIncident raw type
Incident raw type
reasonstringThe reason for the resolve
The reason for the resolve
reminderstringdate-timeWhen if at all to send a reminder
When if at all to send a reminder
rolesarray[string]The role assigned to this investigation
The role assigned to this investigation
runStatusstringRun status of a job.
Run status of a job.
sequenceNumberintegerint64
severitynumberdoubleSeverity is the incident severity
Severity is the incident severity
2sizeInBytesintegerint64
slanumberdoubleSLAState is the incident SLA at closure time, in minutes.
SLAState is the incident SLA at closure time, in minutes.
sortValuesarray[string]
sourceBrandstringSourceBrand ...
SourceBrand ...
sourceInstancestringSourceInstance ...
SourceInstance ...
statusnumberdoubleIncidentStatus is the status of the incident
IncidentStatus is the status of the incident
2syncHashstring
todoTaskIdsarray[string]ToDoTaskIDs list of to do task ids
ToDoTaskIDs list of to do task ids
typestringIncident type
Incident type
versionintegerint64
xsoarHasReadOnlyRoleboolean
xsoarPreviousReadOnlyRolesarray[string]
xsoarReadOnlyRolesarray[string]
{
"id": "178791",
"version": 0,
"cacheVersn": 0,
"modified": "1970-01-01T00:00:00Z",
"sizeInBytes": 0,
"CustomFields": {
"bmcassignee": [
{}
],
"bmccustomer": [
{}
],
"bmcrequester": [
{}
],
"containmentsla": {
"accumulatedPause": 0,
"breachTriggered": false,
"dueDate": "0001-01-01T00:00:00Z",
"endDate": "0001-01-01T00:00:00Z",
"lastPauseDate": "0001-01-01T00:00:00Z",
"runStatus": "idle",
"sla": 30,
"slaStatus": -1,
"startDate": "0001-01-01T00:00:00Z",
"totalDuration": 0
},
"crowdstrikefalconbehaviourpatterndispositiondetails": [
{},
{},
{}
],
"datadogcloudsiem": [
{},
{},
{}
],
"dataminrpulserelatedterms": [
{},
{},
{}
],
"decyfirdatadetails": [
{},
{},
{}
],
"detectionsla": {
"accumulatedPause": 0,
"breachTriggered": false,
"dueDate": "0001-01-01T00:00:00Z",
"endDate": "0001-01-01T00:00:00Z",
"lastPauseDate": "0001-01-01T00:00:00Z",
"runStatus": "idle",
"sla": 20,
"slaStatus": -1,
"startDate": "0001-01-01T00:00:00Z",
"totalDuration": 0
},
"domaintoolsirisdetect": [
{},
{},
{}
],
"endpoint": [
{}
],
"externalid": "178791",
"extrahoprevealxdetectiondevices": [
{},
{},
{}
],
"extrahoprevealxmitretechniques": [
{},
{},
{}
],
"filerelationships": [
{},
{},
{}
],
"fortisiemattacktactics": [
{},
{}
],
"fortisiemevents": [
{}
],
"incidentduration": {
"accumulatedPause": 0,
"breachTriggered": false,
"dueDate": "0001-01-01T00:00:00Z",
"endDate": "0001-01-01T00:00:00Z",
"lastPauseDate": "0001-01-01T00:00:00Z",
"runStatus": "idle",
"sla": 0,
"slaStatus": -1,
"startDate": "0001-01-01T00:00:00Z",
"totalDuration": 0
},
"incidentrdpachehuntingstringssimilarity": [
{},
{},
{}
],
"incidentrdpcachehuntingstringsifter": [
{},
{},
{}
],
"inventasource": [
{}
],
"microsoftsentinelowner": [],
"qintelqwatchexposures": [
{},
{},
{}
],
"remediationsla": {
"accumulatedPause": 0,
"breachTriggered": false,
"dueDate": "0001-01-01T00:00:00Z",
"endDate": "0001-01-01T00:00:00Z",
"lastPauseDate": "0001-01-01T00:00:00Z",
"runStatus": "idle",
"sla": 7200,
"slaStatus": -1,
"startDate": "0001-01-01T00:00:00Z",
"totalDuration": 0
},
"rsametasevents": [],
"rsarawlogslist": [],
"securitypolicymatch": [
{}
],
"similarincidentsdbot": [
{}
],
"spycloudcompassdevicedata": [
{},
{},
{}
],
"suspiciousexecutions": [
{},
{},
{}
],
"timetoassignment": {
"accumulatedPause": 0,
"breachTriggered": false,
"dueDate": "0001-01-01T00:00:00Z",
"endDate": "0001-01-01T00:00:00Z",
"lastPauseDate": "0001-01-01T00:00:00Z",
"runStatus": "idle",
"sla": 0,
"slaStatus": -1,
"startDate": "0001-01-01T00:00:00Z",
"totalDuration": 0
},
"triagesla": {
"accumulatedPause": 0,
"breachTriggered": false,
"dueDate": "0001-01-01T00:00:00Z",
"endDate": "0001-01-01T00:00:00Z",
"lastPauseDate": "0001-01-01T00:00:00Z",
"runStatus": "idle",
"sla": 30,
"slaStatus": -1,
"startDate": "0001-01-01T00:00:00Z",
"totalDuration": 0
},
"urlsslverification": [],
"xdralertsearchresults": [
{},
{},
{}
],
"xdrinvestigationresults": [
{},
{},
{},
{
"columnheader1": ""
},
{},
{
"columnheader1": ""
},
{},
{}
],
"xpanseserviceclassifications": [
{},
{},
{}
],
"xpanseservicevalidation": [
{
"columnheader1": ""
},
{},
{}
]
},
"account": "",
"autime": 1713700028107000000,
"type": "Unclassified",
"rawType": "Unclassified",
"name": "My test incident",
"rawName": "My test incident",
"status": 0,
"custom_status": "",
"resolution_status": "",
"reason": "",
"created": "2024-04-21T11:47:08.107Z",
"occurred": "2024-04-21T11:47:08.107982676Z",
"closed": "0001-01-01T00:00:00Z",
"sla": 0,
"severity": 2,
"investigationId": "",
"labels": [
{
"value": "",
"type": "Instance"
},
{
"value": "Manual",
"type": "Brand"
}
],
"attachment": null,
"details": "My test incident",
"openDuration": 0,
"lastOpen": "0001-01-01T00:00:00Z",
"closingUserId": "",
"owner": "",
"activated": "0001-01-01T00:00:00Z",
"closeReason": "",
"rawCloseReason": "",
"closeNotes": "",
"playbookId": "playbook0",
"dueDate": "2024-05-01T11:47:08.107988742Z",
"reminder": "0001-01-01T00:00:00Z",
"runStatus": "",
"notifyTime": "0001-01-01T00:00:00Z",
"phase": "",
"rawPhase": "",
"isPlayground": false,
"rawJSON": "",
"parent": "",
"parentXDRIncident": "",
"retained": false,
"category": "",
"rawCategory": "",
"linkedIncidents": null,
"linkedCount": 0,
"droppedCount": 0,
"sourceInstance": "",
"sourceBrand": "Manual",
"canvases": null,
"lastJobRunTime": "0001-01-01T00:00:00Z",
"feedBased": false,
"dbotMirrorId": "",
"dbotMirrorInstance": "",
"dbotMirrorDirection": "",
"dbotDirtyFields": null,
"dbotCurrentDirtyFields": null,
"dbotMirrorTags": null,
"dbotMirrorLastSync": "0001-01-01T00:00:00Z",
"isDebug": false
}