Create or update an incident. Note: To update an existing incident, the version must be updated.
External Documentation: To learn more, visit the Palo Alto Cortex XSOAR documentation.

Basic Parameters

Parameter: Description
Details: The details to set on the incident.
Name: The name of the incident to create or update.
Playbook ID: The associated Cortex XSOAR playbook for this incident.
Severity: The severity of the incident to create or update. Valid range is 0-4.
Status: The status of the incident. Valid range is 0-2.
Type: The type of the incident to create or update.

Advanced Parameters

Parameter: Description
Close Notes: Closing notes to add to the incident.
Close Reason: The reason for closing the incident.

Note: Use predefined closing reason values.
Closed: The closing time to set on the incident.
Create Investigation: Select to start the investigation process automatically upon creation.
Custom Fields: A JSON object of incident fields to set.

Important Notes:
- Keys must be the field display names converted to lowercase with spaces removed (e.g., "Scan IP" becomes "scanip").
- If a custom field was created after the incident, it may not appear on that incident until you set a value or update it; ensure the field is associated with the incident type/layout.
- Admins create and map incident fields (and add them to layouts) via Incident Fields settings.
Labels: An array of labels to add to the incident.

For Example:
[
{
"type": "example-type",
"value": "example-value"
}
]
Modified: The closing time to set on the incident.
Raw JSON: A JSON object to add to the created or updated incident.
Reason: The reason for closing the incident.
SLA: The incident SLA at closure time, in minutes.

Example Output

{
	"id": "178791",
	"version": 0,
	"cacheVersn": 0,
	"modified": "1970-01-01T00:00:00Z",
	"sizeInBytes": 0,
	"CustomFields": {
		"bmcassignee": [
			{}
		],
		"bmccustomer": [
			{}
		],
		"bmcrequester": [
			{}
		],
		"containmentsla": {
			"accumulatedPause": 0,
			"breachTriggered": false,
			"dueDate": "0001-01-01T00:00:00Z",
			"endDate": "0001-01-01T00:00:00Z",
			"lastPauseDate": "0001-01-01T00:00:00Z",
			"runStatus": "idle",
			"sla": 30,
			"slaStatus": -1,
			"startDate": "0001-01-01T00:00:00Z",
			"totalDuration": 0
		},
		"crowdstrikefalconbehaviourpatterndispositiondetails": [
			{},
			{},
			{}
		],
		"datadogcloudsiem": [
			{},
			{},
			{}
		],
		"dataminrpulserelatedterms": [
			{},
			{},
			{}
		],
		"decyfirdatadetails": [
			{},
			{},
			{}
		],
		"detectionsla": {
			"accumulatedPause": 0,
			"breachTriggered": false,
			"dueDate": "0001-01-01T00:00:00Z",
			"endDate": "0001-01-01T00:00:00Z",
			"lastPauseDate": "0001-01-01T00:00:00Z",
			"runStatus": "idle",
			"sla": 20,
			"slaStatus": -1,
			"startDate": "0001-01-01T00:00:00Z",
			"totalDuration": 0
		},
		"domaintoolsirisdetect": [
			{},
			{},
			{}
		],
		"endpoint": [
			{}
		],
		"externalid": "178791",
		"extrahoprevealxdetectiondevices": [
			{},
			{},
			{}
		],
		"extrahoprevealxmitretechniques": [
			{},
			{},
			{}
		],
		"filerelationships": [
			{},
			{},
			{}
		],
		"fortisiemattacktactics": [
			{},
			{}
		],
		"fortisiemevents": [
			{}
		],
		"incidentduration": {
			"accumulatedPause": 0,
			"breachTriggered": false,
			"dueDate": "0001-01-01T00:00:00Z",
			"endDate": "0001-01-01T00:00:00Z",
			"lastPauseDate": "0001-01-01T00:00:00Z",
			"runStatus": "idle",
			"sla": 0,
			"slaStatus": -1,
			"startDate": "0001-01-01T00:00:00Z",
			"totalDuration": 0
		},
		"incidentrdpachehuntingstringssimilarity": [
			{},
			{},
			{}
		],
		"incidentrdpcachehuntingstringsifter": [
			{},
			{},
			{}
		],
		"inventasource": [
			{}
		],
		"microsoftsentinelowner": [],
		"qintelqwatchexposures": [
			{},
			{},
			{}
		],
		"remediationsla": {
			"accumulatedPause": 0,
			"breachTriggered": false,
			"dueDate": "0001-01-01T00:00:00Z",
			"endDate": "0001-01-01T00:00:00Z",
			"lastPauseDate": "0001-01-01T00:00:00Z",
			"runStatus": "idle",
			"sla": 7200,
			"slaStatus": -1,
			"startDate": "0001-01-01T00:00:00Z",
			"totalDuration": 0
		},
		"rsametasevents": [],
		"rsarawlogslist": [],
		"securitypolicymatch": [
			{}
		],
		"similarincidentsdbot": [
			{}
		],
		"spycloudcompassdevicedata": [
			{},
			{},
			{}
		],
		"suspiciousexecutions": [
			{},
			{},
			{}
		],
		"timetoassignment": {
			"accumulatedPause": 0,
			"breachTriggered": false,
			"dueDate": "0001-01-01T00:00:00Z",
			"endDate": "0001-01-01T00:00:00Z",
			"lastPauseDate": "0001-01-01T00:00:00Z",
			"runStatus": "idle",
			"sla": 0,
			"slaStatus": -1,
			"startDate": "0001-01-01T00:00:00Z",
			"totalDuration": 0
		},
		"triagesla": {
			"accumulatedPause": 0,
			"breachTriggered": false,
			"dueDate": "0001-01-01T00:00:00Z",
			"endDate": "0001-01-01T00:00:00Z",
			"lastPauseDate": "0001-01-01T00:00:00Z",
			"runStatus": "idle",
			"sla": 30,
			"slaStatus": -1,
			"startDate": "0001-01-01T00:00:00Z",
			"totalDuration": 0
		},
		"urlsslverification": [],
		"xdralertsearchresults": [
			{},
			{},
			{}
		],
		"xdrinvestigationresults": [
			{},
			{},
			{},
			{
				"columnheader1": ""
			},
			{},
			{
				"columnheader1": ""
			},
			{},
			{}
		],
		"xpanseserviceclassifications": [
			{},
			{},
			{}
		],
		"xpanseservicevalidation": [
			{
				"columnheader1": ""
			},
			{},
			{}
		]
	},
	"account": "",
	"autime": 1713700028107000000,
	"type": "Unclassified",
	"rawType": "Unclassified",
	"name": "My test incident",
	"rawName": "My test incident",
	"status": 0,
	"custom_status": "",
	"resolution_status": "",
	"reason": "",
	"created": "2024-04-21T11:47:08.107Z",
	"occurred": "2024-04-21T11:47:08.107982676Z",
	"closed": "0001-01-01T00:00:00Z",
	"sla": 0,
	"severity": 2,
	"investigationId": "",
	"labels": [
		{
			"value": "",
			"type": "Instance"
		},
		{
			"value": "Manual",
			"type": "Brand"
		}
	],
	"attachment": null,
	"details": "My test incident",
	"openDuration": 0,
	"lastOpen": "0001-01-01T00:00:00Z",
	"closingUserId": "",
	"owner": "",
	"activated": "0001-01-01T00:00:00Z",
	"closeReason": "",
	"rawCloseReason": "",
	"closeNotes": "",
	"playbookId": "playbook0",
	"dueDate": "2024-05-01T11:47:08.107988742Z",
	"reminder": "0001-01-01T00:00:00Z",
	"runStatus": "",
	"notifyTime": "0001-01-01T00:00:00Z",
	"phase": "",
	"rawPhase": "",
	"isPlayground": false,
	"rawJSON": "",
	"parent": "",
	"parentXDRIncident": "",
	"retained": false,
	"category": "",
	"rawCategory": "",
	"linkedIncidents": null,
	"linkedCount": 0,
	"droppedCount": 0,
	"sourceInstance": "",
	"sourceBrand": "Manual",
	"canvases": null,
	"lastJobRunTime": "0001-01-01T00:00:00Z",
	"feedBased": false,
	"dbotMirrorId": "",
	"dbotMirrorInstance": "",
	"dbotMirrorDirection": "",
	"dbotDirtyFields": null,
	"dbotCurrentDirtyFields": null,
	"dbotMirrorTags": null,
	"dbotMirrorLastSync": "0001-01-01T00:00:00Z",
	"isDebug": false
}

Workflow Library Example

Create or Update Incident with Palo Alto Cortex Xsoar and Send Results Via Email