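# POST /incident — create or update an incident from a JSON body.
# [[apiKey]] is a placeholder for the API key carried in the Authorization header.
# The whole payload must be a single -d argument: curl joins multiple -d values
# with '&', which would corrupt the JSON document. The body is sent as
# application/json, so the Content-Type header names only that media type.
# NOTE(review): this is a generated sample — "status", "severity" and "sla" are
# shown as floats and most strings echo their key name; confirm the real types
# against the incident schema before reusing the values.
curl -X POST \
  -H "Authorization: [[apiKey]]" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://hostname:443/incident" \
  -d '{ "lastOpen" : "2000-01-23T04:56:07.000+00:00", "dbotCreatedBy" : "dbotCreatedBy", "parent" : "parent", "reason" : "reason", "sourceInstance" : "sourceInstance", "sizeInBytes" : 4, "closeNotes" : "closeNotes", "dbotMirrorTags" : [ "dbotMirrorTags", "dbotMirrorTags" ], "dueDate" : "2000-01-23T04:56:07.000+00:00", "linkedCount" : 5, "syncHash" : "syncHash", "type" : "type", "closingUserId" : "closingUserId", "rawPhase" : "rawPhase", "modified" : "2000-01-23T04:56:07.000+00:00", "xsoarReadOnlyRoles" : [ "xsoarReadOnlyRoles", "xsoarReadOnlyRoles" ], "details" : "details", "id" : "id", "closeReason" : "closeReason", "dbotMirrorDirection" : "dbotMirrorDirection", "rawCategory" : "rawCategory", "phase" : "phase", "allReadWrite" : true, "numericId" : 2, "sequenceNumber" : 3, "previousAllRead" : true, "investigationId" : "investigationId", "todoTaskIds" : [ "todoTaskIds", "todoTaskIds" ], "created" : "2000-01-23T04:56:07.000+00:00", "indexName" : "indexName", "notifyTime" : "2000-01-23T04:56:07.000+00:00", "xsoarHasReadOnlyRole" : true, "sla" : 7.386281948385884, "autime" : 6, "rawJSON" : "rawJSON", "version" : 1, "labels" : [ { "type" : "type", "value" : "value" }, { "type" : "type", "value" : "value" } ], "dbotMirrorLastSync" : "2000-01-23T04:56:07.000+00:00", "rawCloseReason" : "rawCloseReason", "previousAllReadWrite" : true, "canvases" : [ "canvases", "canvases" ], "playbookId" : "playbookId", "name" : "name", "hasRole" : true, "dbotCurrentDirtyFields" : [ "dbotCurrentDirtyFields", "dbotCurrentDirtyFields" ], "status" : 1.2315135367772556, "dbotDirtyFields" : [ "dbotDirtyFields", "dbotDirtyFields" ], "rawType" : "rawType", "primaryTerm" : 9, "roles" : [ "roles", "roles" ], "isPlayground" : true, "droppedCount" : 5, "dbotMirrorId" : "dbotMirrorId", "createInvestigation" : true, "isDebug" : true, 
"feedBased" : true, "highlight" : { "key" : [ "highlight", "highlight" ] }, "activatingingUserId" : "activatingingUserId", "runStatus" : "runStatus", "dbotMirrorInstance" : "dbotMirrorInstance", "owner" : "owner", "severity" : 2.027123023002322, "linkedIncidents" : [ "linkedIncidents", "linkedIncidents" ], "previousRoles" : [ "previousRoles", "previousRoles" ], "occurred" : "2000-01-23T04:56:07.000+00:00", "reminder" : "2000-01-23T04:56:07.000+00:00", "xsoarPreviousReadOnlyRoles" : [ "xsoarPreviousReadOnlyRoles", "xsoarPreviousReadOnlyRoles" ], "cacheVersn" : 1, "openDuration" : 7, "lastJobRunTime" : "2000-01-23T04:56:07.000+00:00", "rawName" : "rawName", "sortValues" : [ "sortValues", "sortValues" ], "ShardID" : 0, "sourceBrand" : "sourceBrand", "allRead" : true, "closed" : "2000-01-23T04:56:07.000+00:00", "category" : "category", "account" : "account", "activated" : "2000-01-23T04:56:07.000+00:00" }'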
Creates or updates an incident according to the JSON structure. To update incident custom fields, lowercase their names and remove all spaces; for example, Scan IP -> scanip. To find the actual key name, you can also open the Cortex XSOAR CLI, run /incident_add, and look for the key you want to update.
Set 'createInvestigation': true to start the investigation process automatically (by running a playbook based on the incident type).