Upload File To Incident - Blink Documentation

Add a file attachment to an incident.

External DocumentationTo learn more, visit the Palo Alto Cortex Xsoar documentation.

Parameters

Parameter	Description
Field	The name of the field to hold the details of the attachment in.
File Comment	A comment to add to the file.
File Identifier	The file identifier of the attachment. You can create a file identifier using the Set File Variable action.
File Name	The name of the file.
Incident ID	The ID of the incident to upload file attachment to.
Investigate	Select to create an investigation.
Show Media File	Select whether to show media files.

Example Output

{
	"id": "294018",
	"version": -1,
	"cacheVersn": 0,
	"modified": "2025-04-27T09:43:07.284Z",
	"sizeInBytes": 0,
	"dbotCreatedBy": "user@company.com",
	"CustomFields": {
		"actionsoncampaignincidents": "Close",
		"actionsonlowsimilarityincidents": "Add To Campaign",
		"bmcassignee": [
			{}
		],
		"bmccustomer": [
			{}
		],
		"bmcrequester": [
			{}
		],
		"chronicleautoblockentities": "Yes",
		"chronicleskipentityisolation": "Yes",
		"containmentsla": {
			"accumulatedPause": 0,
			"breachTriggered": false,
			"dueDate": "0001-01-01T00:00:00Z",
			"endDate": "0001-01-01T00:00:00Z",
			"lastPauseDate": "0001-01-01T00:00:00Z",
			"runStatus": "idle",
			"sla": 30,
			"slaStatus": -1,
			"startDate": "0001-01-01T00:00:00Z",
			"totalDuration": 0
		},
		"crowdstrikefalconbehaviourpatterndispositiondetails": [
			{},
			{},
			{}
		],
		"datadogcloudsiem": [
			{},
			{},
			{}
		],
		"dataminrpulserelatedterms": [
			{},
			{},
			{}
		],
		"dbotmirrordirection": "",
		"decyfirdatadetails": [
			{},
			{},
			{}
		],
		"detectionsla": {
			"accumulatedPause": 0,
			"breachTriggered": false,
			"dueDate": "0001-01-01T00:00:00Z",
			"endDate": "0001-01-01T00:00:00Z",
			"lastPauseDate": "0001-01-01T00:00:00Z",
			"runStatus": "idle",
			"sla": 20,
			"slaStatus": -1,
			"startDate": "0001-01-01T00:00:00Z",
			"totalDuration": 0
		},
		"domaintoolsirisdetect": [
			{},
			{},
			{}
		],
		"dsassets": [
			{},
			{},
			{}
		],
		"dscomments": [
			{},
			{},
			{}
		],
		"emaildeletefrombrand": "Unspecified",
		"emaildeletetype": "soft",
		"endpoint": [
			{}
		],
		"externalid": "294018",
		"extrahoprevealxdetectiondevices": [
			{},
			{},
			{}
		],
		"extrahoprevealxmitretechniques": [
			{},
			{},
			{}
		],
		"filerelationships": [
			{},
			{},
			{}
		],
		"fortisiemattacktactics": [
			{},
			{}
		],
		"fortisiemevents": [
			{}
		],
		"incidentduration": {
			"accumulatedPause": 0,
			"breachTriggered": false,
			"dueDate": "0001-01-01T00:00:00Z",
			"endDate": "0001-01-01T00:00:00Z",
			"lastPauseDate": "0001-01-01T00:00:00Z",
			"runStatus": "idle",
			"sla": 0,
			"slaStatus": -1,
			"startDate": "0001-01-01T00:00:00Z",
			"totalDuration": 0
		},
		"incidentrdpachehuntingstringssimilarity": [
			{},
			{},
			{}
		],
		"incidentrdpcachehuntingstringsifter": [
			{},
			{},
			{}
		],
		"inventasource": [
			{}
		],
		"isactive": "true",
		"microsoft365defendercomments": [
			{},
			{},
			{}
		],
		"microsoftsentinelowner": [],
		"qintelqwatchexposures": [
			{},
			{},
			{}
		],
		"remediationsla": {
			"accumulatedPause": 0,
			"breachTriggered": false,
			"dueDate": "0001-01-01T00:00:00Z",
			"endDate": "0001-01-01T00:00:00Z",
			"lastPauseDate": "0001-01-01T00:00:00Z",
			"runStatus": "idle",
			"sla": 7200,
			"slaStatus": -1,
			"startDate": "0001-01-01T00:00:00Z",
			"totalDuration": 0
		},
		"riskiqautoexcludewhitelistedipaddress": "Yes",
		"riskiqautowhitelistipaddress": "Yes",
		"rsametasevents": [],
		"rsarawlogslist": [],
		"saassecuritycategory": "no_reason",
		"saassecurityremediationtype": "Remove public sharing",
		"saassecuritystate": "open",
		"saassecuritystatus": "open-new",
		"securitypolicymatch": [
			{}
		],
		"selectaction": "Close",
		"servicenowbusinessimpact": "1 - Critical",
		"servicenowcategory": "Inquiry / Help",
		"servicenowimpact": "1 - High",
		"servicenownotify": "Send Email",
		"servicenowpriority": "1 - Critical",
		"servicenowseverity": "1 - High",
		"servicenowsircategory": "Confidential personal identity data exposure",
		"servicenowsirstate": "New",
		"servicenowstate": "1 - New",
		"servicenowurgency": "1 - High",
		"similarincidentsdbot": [
			{}
		],
		"spycloudcompassdevicedata": [
			{},
			{},
			{}
		],
		"suspiciousexecutions": [
			{},
			{},
			{}
		],
		"timetoassignment": {
			"accumulatedPause": 0,
			"breachTriggered": false,
			"dueDate": "0001-01-01T00:00:00Z",
			"endDate": "0001-01-01T00:00:00Z",
			"lastPauseDate": "0001-01-01T00:00:00Z",
			"runStatus": "idle",
			"sla": 0,
			"slaStatus": -1,
			"startDate": "0001-01-01T00:00:00Z",
			"totalDuration": 0
		},
		"triagesla": {
			"accumulatedPause": 0,
			"breachTriggered": false,
			"dueDate": "0001-01-01T00:00:00Z",
			"endDate": "0001-01-01T00:00:00Z",
			"lastPauseDate": "0001-01-01T00:00:00Z",
			"runStatus": "idle",
			"sla": 30,
			"slaStatus": -1,
			"startDate": "0001-01-01T00:00:00Z",
			"totalDuration": 0
		},
		"urlsslverification": [],
		"xdralertsearchresults": [
			{},
			{},
			{}
		],
		"xdrinvestigationresults": [
			{},
			{},
			{},
			{
				"columnheader1": ""
			},
			{},
			{
				"columnheader1": ""
			},
			{},
			{}
		],
		"xpanseserviceclassifications": [
			{},
			{},
			{}
		],
		"xpanseservicevalidation": [
			{
				"columnheader1": ""
			},
			{},
			{}
		]
	},
	"account": "",
	"autime": 1745746984163000000,
	"type": "default_type",
	"rawType": "default_type",
	"name": "VhAYsOwx",
	"rawName": "VhAYsOwx",
	"status": 1,
	"custom_status": "",
	"resolution_status": "",
	"reason": "",
	"created": "2025-04-27T09:43:04.163Z",
	"occurred": "2025-04-27T09:43:04.551517754Z",
	"closed": "0001-01-01T00:00:00Z",
	"sla": 0,
	"severity": 1,
	"investigationId": "",
	"labels": [
		{
			"value": "user@company.com",
			"type": "Instance"
		},
		{
			"value": "Manual",
			"type": "Brand"
		}
	],
	"attachment": [
		{
			"name": "TUdZ0Ddm.text",
			"type": "text/plain",
			"path": "294018_c1790a2c-61d7-4ac8-8329-8883d70dae50_TUdZ0Ddm.text",
			"description": "",
			"showMediaFile": false,
			"isTempPath": false
		}
	],
	"details": "",
	"openDuration": 0,
	"lastOpen": "0001-01-01T00:00:00Z",
	"closingUserId": "",
	"owner": "",
	"activated": "0001-01-01T00:00:00Z",
	"closeReason": "",
	"rawCloseReason": "",
	"closeNotes": "",
	"playbookId": "",
	"dueDate": "0001-01-01T00:00:00Z",
	"reminder": "0001-01-01T00:00:00Z",
	"runStatus": "",
	"notifyTime": "0001-01-01T00:00:00Z",
	"phase": "",
	"rawPhase": "",
	"isPlayground": false,
	"rawJSON": "",
	"parent": "",
	"parentXDRIncident": "",
	"retained": false,
	"exported": false,
	"category": "",
	"rawCategory": "",
	"linkedIncidents": [],
	"linkedCount": 0,
	"droppedCount": 0,
	"sourceInstance": "user@company.com",
	"sourceBrand": "Manual",
	"canvases": null,
	"lastJobRunTime": "0001-01-01T00:00:00Z",
	"feedBased": false,
	"dbotMirrorId": "",
	"dbotMirrorInstance": "",
	"dbotMirrorDirection": "",
	"dbotDirtyFields": null,
	"dbotCurrentDirtyFields": null,
	"dbotMirrorTags": null,
	"dbotMirrorLastSync": "0001-01-01T00:00:00Z",
	"isDebug": false,
	"dedupID": "",
	"haIntegrationEventID": "",
	"haOriginalID": "",
	"changeStatus": "",
	"insights": 0
}

Workflow Library Example

Upload File to Incident with Palo Alto Cortex Xsoar and Send Results Via Email

Preview this Workflow on desktop

Integrations

​Parameters

​Example Output

​Workflow Library Example

Parameters

Example Output

Workflow Library Example