New Incident - Blink Documentation

Triggers a workflow on every new incident that matches the filter.

Workflows based on this trigger will search for new events every 5 minutes.

Parameters

Parameter Description

Filters

Parameter	Description
Filters	A comma separated list of filter objects. For further information on `filter objects`, please refer to Cortex XDR Documentation. For example: `{ “field”: “incident_id_list”, “operator”: “in”, “value”: [ “incident_id”, “incident_id” ] } , { “field”: “description”, “operator”: “contains”, “value”: “memory” }` Note: You don’t need to wrap the list with `[]`.

A comma separated list of filter objects. For further information on filter objects, please refer to Cortex XDR Documentation.

For example:

{
  “field”: “incident_id_list”,
  “operator”: “in”,
  “value”: [
    “incident_id”,
    “incident_id”
  ]
}
,
{
  “field”: “description”,
  “operator”: “contains”,
  “value”: “memory”
}

Note: You don’t need to wrap the list with [].

Sample Event

{
	"incident_id": "<incident ID>",
	"incident_name": "test",
	"creation_time": 1577024425126,
	"modification_time": 1577024425126,
	"detection_time": null,
	"status": "resolved_known_issue",
	"severity": "medium",
	"description": "Memory Corruption Exploit generated by XDR Agent",
	"assigned_user_mail": null,
	"assigned_user_pretty_name": null,
	"alert_count": 1,
	"low_severity_alert_count": 0,
	"med_severity_alert_count": 1,
	"high_severity_alert_count": 0,
	"critical_severity_alert_count": 0,
	"user_count": 1,
	"host_count": 1,
	"notes": null,
	"resolve_comment": null,
	"resolved_timestamp": 1577024425126,
	"manual_severity": null,
	"manual_description": "Memory Corruption Exploit generated by XDR Agent",
	"xdr_url": "https://<link to incident>",
	"starred": false,
	"hosts": [
		"<host ID>"
	],
	"users": [
		"test_1",
		"test_2"
	],
	"incident_sources": [
		"XDR Agent",
		"XDR BIOC"
	],
	"rule_based_score": 342,
	"manual_score": null,
	"wildfire_hits": 0,
	"alerts_grouping_status": "Enabled",
	"mitre_tactics_ids_and_names": [
		"TA0004 - Privilege Escalation",
		"TA0005 - Defense Evasion",
		"TA0006 - Credential Access"
	],
	"mitre_techniques_ids_and_names": [
		"T1001.001 - Data Obfuscation: Junk Data",
		"T1001.002 - Data Obfuscation: Steganography",
		"T1001.003 - Data Obfuscation: Protocol Impersonation"
	],
	"alert_categories": [
		"Credential Access",
		"Exploit",
		"Spyware Detected via Anti-Spyware profile"
	],
	"original_tags": [
		"DS:PANW/NGFW",
		"EG:acme-2",
		"EG:Acme group",
		"DS:PANW/XDR Agent"
	],
	"tags": [
		"EG:Acme group",
		"DS:PANW/NGFW",
		"DS:PANW/XDR Agent",
		"EG:acme-2"
	],
	"starred_manually": true
}

Integrations

​Parameters

​Sample Event

Parameters

Sample Event