New Incident
Triggers a workflow on every new incident that matches the filter.
info
Automations based on this trigger will search for new events every 5 minutes.
Parameters
| Parameter | Description |
|---|---|
| Filters | A comma separated list of filter objects. For further information on filter objects, please refer to Cortex XDR Documentation.For example:[]. |
Sample Event
{
"incident_id": "<incident ID>",
"incident_name": "test",
"creation_time": 1577024425126,
"modification_time": 1577024425126,
"detection_time": null,
"status": "resolved_known_issue",
"severity": "medium",
"description": "Memory Corruption Exploit generated by XDR Agent",
"assigned_user_mail": null,
"assigned_user_pretty_name": null,
"alert_count": 1,
"low_severity_alert_count": 0,
"med_severity_alert_count": 1,
"high_severity_alert_count": 0,
"critical_severity_alert_count": 0,
"user_count": 1,
"host_count": 1,
"notes": null,
"resolve_comment": null,
"resolved_timestamp": 1577024425126,
"manual_severity": null,
"manual_description": "Memory Corruption Exploit generated by XDR Agent",
"xdr_url": "https://<link to incident>",
"starred": false,
"hosts": [
"<host ID>"
],
"users": [
"test_1",
"test_2"
],
"incident_sources": [
"XDR Agent",
"XDR BIOC"
],
"rule_based_score": 342,
"manual_score": null,
"wildfire_hits": 0,
"alerts_grouping_status": "Enabled",
"mitre_tactics_ids_and_names": [
"TA0004 - Privilege Escalation",
"TA0005 - Defense Evasion",
"TA0006 - Credential Access"
],
"mitre_techniques_ids_and_names": [
"T1001.001 - Data Obfuscation: Junk Data",
"T1001.002 - Data Obfuscation: Steganography",
"T1001.003 - Data Obfuscation: Protocol Impersonation"
],
"alert_categories": [
"Credential Access",
"Exploit",
"Spyware Detected via Anti-Spyware profile"
],
"original_tags": [
"DS:PANW/NGFW",
"EG:acme-2",
"EG:Acme group",
"DS:PANW/XDR Agent"
],
"tags": [
"EG:Acme group",
"DS:PANW/NGFW",
"DS:PANW/XDR Agent",
"EG:acme-2"
],
"starred_manually": true
}