IncidentWrapper is an extension of the Incident entity that adds a changed-status field for the web client.

| Name | Required | Type (format) | Description |
|---|---|---|---|
| ShardID | optional | Long (int64) | |
| account | optional | String | Account holds the tenant name so that slicing and dicing on the master can leverage bleve |
| activated | optional | Date (date-time) | When was this activated |
| activatingingUserId | optional | String | The user that activated this investigation |
| allRead | optional | Boolean | |
| allReadWrite | optional | Boolean | |
| attachment | optional | array[Attachment] | Attachments |
| autime | optional | Long (int64) | AlmostUniqueTime is an attempt to have a unique sortable ID for an incident |
| cacheVersn | optional | Long (int64) | |
| canvases | optional | array[String] | Canvases of the incident |
| category | optional | String | Category |
| changeStatus | optional | String | |
| closeNotes | optional | String | Notes for closing the incident |
| closeReason | optional | String | The reason for closing the incident (select from existing predefined values) |
| closed | optional | Date (date-time) | When was this closed |
| closingUserId | optional | String | The user ID that closed this investigation |
| created | optional | Date (date-time) | |
| dbotCreatedBy | optional | String | Who has created this event - relevant only for manual incidents |
| dbotCurrentDirtyFields | optional | array[String] | For mirroring, manage a list of current dirty fields so that we can send delta to outgoing integration |
| dbotDirtyFields | optional | array[String] | For mirroring, manage a list of dirty fields to not override them from the source of the incident |
| dbotMirrorDirection | optional | String | DBotMirrorDirection of how to mirror the incident (in/out/both) |
| dbotMirrorId | optional | String | DBotMirrorID of a remote system we are syncing with |
| dbotMirrorInstance | optional | String | DBotMirrorInstance name of a mirror integration instance |
| dbotMirrorLastSync | optional | Date (date-time) | The last time we synced this incident even if we did not update anything |
| dbotMirrorTags | optional | array[String] | The entry tags I want to sync to remote system |
| details | optional | String | The details of the incident - reason, etc. |
| droppedCount | optional | Long (int64) | DroppedCount ... |
| dueDate | optional | Date (date-time) | SLA |
| feedBased | optional | Boolean | If this incident was triggered by a feed job |
| hasRole | optional | Boolean | Internal field to make queries on role faster |
| highlight | optional | map[String, array[String]] | |
| id | optional | String | |
| indexName | optional | String | |
| insights | optional | Integer (uint64) | |
| investigationId | optional | String | Investigation that was opened as a result of the incoming event |
| isDebug | optional | Boolean | IsDebug ... |
| isPlayground | optional | Boolean | IsPlayGround |
| labels | optional | array[Label] | Labels related to incident - each label is composed of a type and value |
| lastJobRunTime | optional | Date (date-time) | If this incident was triggered by a job, this would be the time the previous job started |
| lastOpen | optional | Date (date-time) | |
| linkedCount | optional | Long (int64) | LinkedCount ... |
| linkedIncidents | optional | array[String] | LinkedIncidents incidents that were marked as linked by user |
| modified | optional | Date (date-time) | |
| name | optional | String | Incident Name - given by user |
| notifyTime | optional | Date (date-time) | Indicates when last this field was changed with a value that supposed to send a notification |
| numericId | optional | Long (int64) | |
| occurred | optional | Date (date-time) | When this incident has really occurred |
| openDuration | optional | Long (int64) | Duration incident was open |
| owner | optional | String | The user who owns this incident |
| parent | optional | String | Parent |
| phase | optional | String | Phase |
| playbookId | optional | String | The associated playbook for this incident |
| previousAllRead | optional | Boolean | |
| previousAllReadWrite | optional | Boolean | |
| previousRoles | optional | array[String] | Do not change this field manually |
| primaryTerm | optional | Long (int64) | |
| rawCategory | optional | String | |
| rawCloseReason | optional | String | The reason for closing the incident (select from existing predefined values) |
| rawJSON | optional | String | |
| rawName | optional | String | Incident RawName |
| rawPhase | optional | String | RawPhase |
| rawType | optional | String | Incident raw type |
| reason | optional | String | The reason for the resolve |
| reminder | optional | Date (date-time) | When if at all to send a reminder |
| roles | optional | array[String] | The role assigned to this investigation |
| runStatus | optional | String | RunStatus of a job |
| sequenceNumber | optional | Long (int64) | |
| severity | optional | Double (double) | Severity is the incident severity |
| sizeInBytes | optional | Long (int64) | |
| sla | optional | Double (double) | SLAState is the incident sla at closure time |
| sortValues | optional | array[String] | |
| sourceBrand | optional | String | SourceBrand ... |
| sourceInstance | optional | String | SourceInstance ... |
| status | optional | Double (double) | IncidentStatus is the status of the incident |
| syncHash | optional | String | |
| todoTaskIds | optional | array[String] | ToDoTaskIDs list of to do task ids |
| type | optional | String | Incident type |
| version | optional | Long (int64) | |
| xsoarHasReadOnlyRole | optional | Boolean | |
| xsoarPreviousReadOnlyRoles | optional | array[String] | |
| xsoarReadOnlyRoles | optional | array[String] | |