
New Incident

Triggers a workflow on every new incident that matches the filter.

info

Automations based on this trigger will search for new events every 5 minutes.

Parameters

Parameter | Description
Filters | A comma-separated list of filter objects. For further information on filter objects, please refer to the Cortex XDR Documentation.

For example:
{
  "field": "incident_id_list",
  "operator": "in",
  "value": [
    "<incident ID>",
    "<incident ID>"
  ]
},
{
  "field": "description",
  "operator": "contains",
  "value": "memory"
}
Note: the list of filter objects does not need to be wrapped in [].

Sample Event

{
"incident_id": "<incident ID>",
"incident_name": "test",
"creation_time": 1577024425126,
"modification_time": 1577024425126,
"detection_time": null,
"status": "resolved_known_issue",
"severity": "medium",
"description": "Memory Corruption Exploit generated by XDR Agent",
"assigned_user_mail": null,
"assigned_user_pretty_name": null,
"alert_count": 1,
"low_severity_alert_count": 0,
"med_severity_alert_count": 1,
"high_severity_alert_count": 0,
"critical_severity_alert_count": 0,
"user_count": 1,
"host_count": 1,
"notes": null,
"resolve_comment": null,
"resolved_timestamp": 1577024425126,
"manual_severity": null,
"manual_description": "Memory Corruption Exploit generated by XDR Agent",
"xdr_url": "https://<link to incident>",
"starred": false,
"hosts": [
"<host ID>"
],
"users": [
"test_1",
"test_2"
],
"incident_sources": [
"XDR Agent",
"XDR BIOC"
],
"rule_based_score": 342,
"manual_score": null,
"wildfire_hits": 0,
"alerts_grouping_status": "Enabled",
"mitre_tactics_ids_and_names": [
"TA0004 - Privilege Escalation",
"TA0005 - Defense Evasion",
"TA0006 - Credential Access"
],
"mitre_techniques_ids_and_names": [
"T1001.001 - Data Obfuscation: Junk Data",
"T1001.002 - Data Obfuscation: Steganography",
"T1001.003 - Data Obfuscation: Protocol Impersonation"
],
"alert_categories": [
"Credential Access",
"Exploit",
"Spyware Detected via Anti-Spyware profile"
],
"original_tags": [
"DS:PANW/NGFW",
"EG:acme-2",
"EG:Acme group",
"DS:PANW/XDR Agent"
],
"tags": [
"EG:Acme group",
"DS:PANW/NGFW",
"DS:PANW/XDR Agent",
"EG:acme-2"
],
"starred_manually": true
}