Create or update an incident

Cortex XSOAR 8 API

post /xsoar/public/v1/incident

Manually create a new Cortex XSOAR incident or update an existing one.

To update an existing incident, you must update the version parameter. For more information on updating the version parameter, see Optimistic locking and versioning.

To update incident custom fields, their keys must be in lowercase and without spaces. For example, "Scan IP" should be "scanip". To get the actual key name, go to the Cortex XSOAR CLI, run /incident_add, and look for the key that you would like to update.

Use createInvestigation: true to start the investigation process automatically upon creating the new incident. This will also run the appropriate playbook based on the incident type.
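As an added example (not part of the Cortex XSOAR documentation or product code), a small Python client that assembles the create and update bodies described above, normalizes custom-field keys the way the text requires, and reads id and version back from a response so the next update carries the current version. The base URL, key values and the placement of custom fields under a CustomFields object in the request are assumptions.

```python
import json
import re
import urllib.request

INCIDENT_PATH = "/xsoar/public/v1/incident"  # endpoint from the reference above
SAMPLE_RESPONSE = '{"id": "178791", "version": 0}'  # constructed, trimmed from the page's response

def custom_field_key(label):
    """Display label such as "Scan IP" -> custom-field key ("scanip"): lowercase, no spaces."""
    return re.sub(r"\s+", "", label).lower()

def build_payload(name, details, severity=2, incident_type="Unclassified",
                  custom_fields=None, incident_id=None, version=None):
    """Body for POST /xsoar/public/v1/incident. Without incident_id/version this
    creates an incident and starts its investigation; with both it updates an
    existing one and must carry the version the server last returned (optimistic
    locking). Nesting custom fields under CustomFields, as the response does,
    is an assumption about the request shape."""
    if (incident_id is None) != (version is None):
        raise ValueError("an update needs both incident_id and version")
    body = {"name": name, "details": details, "severity": severity,
            "type": incident_type, "createInvestigation": incident_id is None}
    if incident_id is not None:
        body["id"], body["version"] = incident_id, version
    if custom_fields:
        body["CustomFields"] = {custom_field_key(k): v for k, v in custom_fields.items()}
    return body

def build_request(base_url, api_key, api_key_id, body):
    """URL, headers and encoded body for the call; both auth headers are required."""
    return {"url": base_url.rstrip("/") + INCIDENT_PATH,
            "headers": {"Accept": "application/json",
                        "Content-Type": "application/json",
                        "Authorization": api_key,
                        "x-xdr-auth-id": api_key_id},
            "data": json.dumps(body).encode()}

def ids_for_update(response_body):
    """Read id and version back so the next update presents the current version."""
    doc = json.loads(response_body)
    return doc["id"], doc["version"]

def send(request):
    """Perform the POST against a real tenant (not exercised offline)."""
    req = urllib.request.Request(request["url"], data=request["data"],
                                 headers=request["headers"], method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()
```

The keys come from the API key page of the tenant; a create is `send(build_request(base, key, key_id, build_payload(...)))`, and an update re-uses the id/version pair that `ids_for_update` extracts from the create response.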

Request headers

Authorization (String, required): {api_key}. Example: authorization_example
x-xdr-auth-id (String, required): {api_key_id}. Example: xXdrAuthId_example
Body parameters

closeNotes (String): Notes for closing the incident.
closeReason (String): The reason for closing the incident (select from existing predefined values).
closed (String, date-time): When the incident was closed.
createInvestigation (Boolean): Use createInvestigation: true to start the investigation process automatically upon creating the new incident. This will also run the appropriate playbook based on the incident type.
details (String): The details of the incident.
labels (Array): Labels related to the incident; each label is composed of a type and a value.
    [ type (String), value (String) ]
modified (String, date-time): Date modified.
name (String): Incident name.
playbookId (String): The associated playbook for this incident.
rawJSON (String)
reason (String): The reason an incident was closed.
severity (Number, double): The incident severity. Example: 2
sla (Number, double): The incident SLA at closure time, in minutes.
status (Number, double): The status of the incident. Example: 2
type (String): Incident type. Example: "Unclassified"
REQUEST BODY

Example (all body parameters):

{
  "severity": 2,
  "reason": "reason",
  "closeNotes": "closeNotes",
  "sla": 0.8008281904610115,
  "rawJSON": "rawJSON",
  "type": "Unclassified",
  "createInvestigation": true,
  "labels": [
    { "type": "type", "value": "value" },
    { "type": "type", "value": "value" }
  ],
  "playbookId": "playbookId",
  "name": "name",
  "closed": "2000-01-23T04:56:07.000+00:00",
  "modified": "2000-01-23T04:56:07.000+00:00",
  "details": "details",
  "closeReason": "closeReason",
  "status": 2
}

Example (minimal):

{
  "details": "My test incident",
  "name": "My test incident",
  "severity": 2,
  "type": "Unclassified"
}
CURL

curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: authorization_example' \
  -H 'x-xdr-auth-id: xXdrAuthId_example' \
  'https://api-yourfqdn/xsoar/public/v1/incident' \
  -d '{ "severity" : 2, "reason" : "reason", "closeNotes" : "closeNotes", "sla" : 0.8008281904610115, "rawJSON" : "rawJSON", "type" : "Unclassified", "createInvestigation" : true, "labels" : [ { "type" : "type", "value" : "value" }, { "type" : "type", "value" : "value" } ], "playbookId" : "playbookId", "name" : "name", "closed" : "2000-01-23T04:56:07.000+00:00", "modified" : "2000-01-23T04:56:07.000+00:00", "details" : "details", "closeReason" : "closeReason", "status" : 2 }'
Responses

OK

Body
ShardID (Integer, int64)
account (String): Account holds the tenant name so that slicing and dicing on the master can leverage bleve.
activated (String, date-time): When this was activated.
activatingingUserId (String): The user that activated this investigation.
allRead (Boolean)
allReadWrite (Boolean)
attachment (Array): Attachments.
    [ description (String), isTempPath (Boolean), name (String), path (String), showMediaFile (Boolean), type (String) ]
autime (Integer, int64): AlmostUniqueTime is an attempt to have a unique sortable ID for an incident.
cacheVersn (Integer, int64)
canvases (Array[string]): Canvases of the incident.
category (String): Category.
changeStatus (String)
closeNotes (String): Notes for closing the incident.
closeReason (String): The reason for closing the incident (select from existing predefined values).
closed (String, date-time): When this was closed.
closingUserId (String): The user ID that closed this investigation.
created (String, date-time)
dbotCreatedBy (String): Who created this event; relevant only for manual incidents.
dbotCurrentDirtyFields (Array[string]): For mirroring, manages the list of currently dirty fields so that a delta can be sent to the outgoing integration.
dbotDirtyFields (Array[string]): For mirroring, manages the list of dirty fields so that they are not overridden from the source of the incident.
dbotMirrorDirection (String): How to mirror the incident (in/out/both).
dbotMirrorId (String): ID of the remote system being synced with.
dbotMirrorInstance (String): Name of the mirror integration instance.
dbotMirrorLastSync (String, date-time): The last time this incident was synced, even if nothing was updated.
dbotMirrorTags (Array[string]): The entry tags to sync to the remote system.
details (String): The details of the incident (reason, etc.).
droppedCount (Integer, int64): DroppedCount ...
dueDate (String, date-time): SLA.
feedBased (Boolean): Whether this incident was triggered by a feed job.
hasRole (Boolean): Internal field to make queries on role faster.
highlight (Object): Additional properties: Array[string]
id (String)
indexName (String)
insights (Integer, uint64)
investigationId (String): Investigation that was opened as a result of the incoming event.
isDebug (Boolean): IsDebug ...
isPlayground (Boolean): IsPlayGround.
labels (Array): Labels related to the incident; each label is composed of a type and a value.
    [ type (String), value (String) ]
lastJobRunTime (String, date-time): If this incident was triggered by a job, the time the previous job started.
lastOpen (String, date-time)
linkedCount (Integer, int64): LinkedCount ...
linkedIncidents (Array[string]): Incidents that were marked as linked by the user.
modified (String, date-time)
name (String): Incident name, given by the user.
notifyTime (String, date-time): Indicates when this field was last changed with a value that is supposed to send a notification.
numericId (Integer, int64)
occurred (String, date-time): When this incident actually occurred.
openDuration (Integer, int64): Duration the incident was open.
owner (String): The user who owns this incident.
parent (String): Parent.
phase (String): Phase.
playbookId (String): The associated playbook for this incident.
previousAllRead (Boolean)
previousAllReadWrite (Boolean)
previousRoles (Array[string]): Do not change this field manually.
primaryTerm (Integer, int64)
rawCategory (String)
rawCloseReason (String): The reason for closing the incident (select from existing predefined values).
rawJSON (String)
rawName (String): Incident raw name.
rawPhase (String): Raw phase.
rawType (String): Incident raw type.
reason (String): The reason for the resolve.
reminder (String, date-time): When, if at all, to send a reminder.
roles (Array[string]): The roles assigned to this investigation.
runStatus (String): Run status of a job.
sequenceNumber (Integer, int64)
severity (Number, double): The incident severity. Example: 2
sizeInBytes (Integer, int64)
sla (Number, double): The incident SLA at closure time, in minutes.
sortValues (Array[string])
sourceBrand (String): SourceBrand ...
sourceInstance (String): SourceInstance ...
status (Number, double): The status of the incident. Example: 2
syncHash (String)
todoTaskIds (Array[string]): List of to-do task IDs.
type (String): Incident type.
version (Integer, int64)
xsoarHasReadOnlyRole (Boolean)
xsoarPreviousReadOnlyRoles (Array[string])
xsoarReadOnlyRoles (Array[string])
RESPONSE

{
  "id": "178791",
  "version": 0,
  "cacheVersn": 0,
  "modified": "1970-01-01T00:00:00Z",
  "sizeInBytes": 0,
  "CustomFields": {
    "bmcassignee": [ {} ],
    "bmccustomer": [ {} ],
    "bmcrequester": [ {} ],
    "containmentsla": { "accumulatedPause": 0, "breachTriggered": false, "dueDate": "0001-01-01T00:00:00Z", "endDate": "0001-01-01T00:00:00Z", "lastPauseDate": "0001-01-01T00:00:00Z", "runStatus": "idle", "sla": 30, "slaStatus": -1, "startDate": "0001-01-01T00:00:00Z", "totalDuration": 0 },
    "crowdstrikefalconbehaviourpatterndispositiondetails": [ {}, {}, {} ],
    "datadogcloudsiem": [ {}, {}, {} ],
    "dataminrpulserelatedterms": [ {}, {}, {} ],
    "decyfirdatadetails": [ {}, {}, {} ],
    "detectionsla": { "accumulatedPause": 0, "breachTriggered": false, "dueDate": "0001-01-01T00:00:00Z", "endDate": "0001-01-01T00:00:00Z", "lastPauseDate": "0001-01-01T00:00:00Z", "runStatus": "idle", "sla": 20, "slaStatus": -1, "startDate": "0001-01-01T00:00:00Z", "totalDuration": 0 },
    "domaintoolsirisdetect": [ {}, {}, {} ],
    "endpoint": [ {} ],
    "externalid": "178791",
    "extrahoprevealxdetectiondevices": [ {}, {}, {} ],
    "extrahoprevealxmitretechniques": [ {}, {}, {} ],
    "filerelationships": [ {}, {}, {} ],
    "fortisiemattacktactics": [ {}, {} ],
    "fortisiemevents": [ {} ],
    "incidentduration": { "accumulatedPause": 0, "breachTriggered": false, "dueDate": "0001-01-01T00:00:00Z", "endDate": "0001-01-01T00:00:00Z", "lastPauseDate": "0001-01-01T00:00:00Z", "runStatus": "idle", "sla": 0, "slaStatus": -1, "startDate": "0001-01-01T00:00:00Z", "totalDuration": 0 },
    "incidentrdpachehuntingstringssimilarity": [ {}, {}, {} ],
    "incidentrdpcachehuntingstringsifter": [ {}, {}, {} ],
    "inventasource": [ {} ],
    "microsoftsentinelowner": [],
    "qintelqwatchexposures": [ {}, {}, {} ],
    "remediationsla": { "accumulatedPause": 0, "breachTriggered": false, "dueDate": "0001-01-01T00:00:00Z", "endDate": "0001-01-01T00:00:00Z", "lastPauseDate": "0001-01-01T00:00:00Z", "runStatus": "idle", "sla": 7200, "slaStatus": -1, "startDate": "0001-01-01T00:00:00Z", "totalDuration": 0 },
    "rsametasevents": [],
    "rsarawlogslist": [],
    "securitypolicymatch": [ {} ],
    "similarincidentsdbot": [ {} ],
    "spycloudcompassdevicedata": [ {}, {}, {} ],
    "suspiciousexecutions": [ {}, {}, {} ],
    "timetoassignment": { "accumulatedPause": 0, "breachTriggered": false, "dueDate": "0001-01-01T00:00:00Z", "endDate": "0001-01-01T00:00:00Z", "lastPauseDate": "0001-01-01T00:00:00Z", "runStatus": "idle", "sla": 0, "slaStatus": -1, "startDate": "0001-01-01T00:00:00Z", "totalDuration": 0 },
    "triagesla": { "accumulatedPause": 0, "breachTriggered": false, "dueDate": "0001-01-01T00:00:00Z", "endDate": "0001-01-01T00:00:00Z", "lastPauseDate": "0001-01-01T00:00:00Z", "runStatus": "idle", "sla": 30, "slaStatus": -1, "startDate": "0001-01-01T00:00:00Z", "totalDuration": 0 },
    "urlsslverification": [],
    "xdralertsearchresults": [ {}, {}, {} ],
    "xdrinvestigationresults": [ {}, {}, {}, { "columnheader1": "" }, {}, { "columnheader1": "" }, {}, {} ],
    "xpanseserviceclassifications": [ {}, {}, {} ],
    "xpanseservicevalidation": [ { "columnheader1": "" }, {}, {} ]
  },
  "account": "",
  "autime": 1713700028107000000,
  "type": "Unclassified",
  "rawType": "Unclassified",
  "name": "My test incident",
  "rawName": "My test incident",
  "status": 0,
  "custom_status": "",
  "resolution_status": "",
  "reason": "",
  "created": "2024-04-21T11:47:08.107Z",
  "occurred": "2024-04-21T11:47:08.107982676Z",
  "closed": "0001-01-01T00:00:00Z",
  "sla": 0,
  "severity": 2,
  "investigationId": "",
  "labels": [
    { "value": "", "type": "Instance" },
    { "value": "Manual", "type": "Brand" }
  ],
  "attachment": null,
  "details": "My test incident",
  "openDuration": 0,
  "lastOpen": "0001-01-01T00:00:00Z",
  "closingUserId": "",
  "owner": "",
  "activated": "0001-01-01T00:00:00Z",
  "closeReason": "",
  "rawCloseReason": "",
  "closeNotes": "",
  "playbookId": "playbook0",
  "dueDate": "2024-05-01T11:47:08.107988742Z",
  "reminder": "0001-01-01T00:00:00Z",
  "runStatus": "",
  "notifyTime": "0001-01-01T00:00:00Z",
  "phase": "",
  "rawPhase": "",
  "isPlayground": false,
  "rawJSON": "",
  "parent": "",
  "parentXDRIncident": "",
  "retained": false,
  "category": "",
  "rawCategory": "",
  "linkedIncidents": null,
  "linkedCount": 0,
  "droppedCount": 0,
  "sourceInstance": "",
  "sourceBrand": "Manual",
  "canvases": null,
  "lastJobRunTime": "0001-01-01T00:00:00Z",
  "feedBased": false,
  "dbotMirrorId": "",
  "dbotMirrorInstance": "",
  "dbotMirrorDirection": "",
  "dbotDirtyFields": null,
  "dbotCurrentDirtyFields": null,
  "dbotMirrorTags": null,
  "dbotMirrorLastSync": "0001-01-01T00:00:00Z",
  "isDebug": false
}