Incident
Outputs
Incident ID
Incident Name
Appliance ID
Appliance Name
Total Incident Data
Incident Description
Incident Category
Incident OS
Incident Security Layer
Incident Status
Incident Events Count (Num)
Raw Output
Incident Data (Array of Objects)
Example:
Usernames: ["root", "john", "mike"]
Often used in the Each component (loops), Add notes, Add to watch list, etc.
Sources (Array of IPs): ["168.26.26.26", "123.15.15.15", "45.55.68.3"]
Often used in the Each component (loops), Add notes, Add to watch list, Whois IP, Threat Intel
Incident Priority
Can be one of:
High
Medium
Low
Incident Created At
2020-09-30T07:16:00.262+00:00
Incident Correlated Values (Array of Objects)
[{"qk":"src","counts":2,"value":"185.132.53.115"}]
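An added example (not code from the product documented here) of a downstream step consuming these outputs: it flattens the Incident Data array, keeps only globally routable Sources so Whois/Threat Intel lookups are not spent on private or malformed entries, validates the Incident Priority enum, parses Incident Created At, and ranks Incident Correlated Values by counts. The key names of the sample incident are assumptions; the page documents only the field labels.

```python
import ipaddress
from datetime import datetime, timezone

PRIORITIES = {"High", "Medium", "Low"}  # enum documented for Incident Priority

# Constructed sample mirroring the Incident component's outputs (key names assumed, not real data).
SAMPLE_INCIDENT = {
    "priority": "High",
    "created_at": "2020-09-30T07:16:00.262+00:00",
    "incident_data": [
        {"Usernames": ["root", "john", "mike"]},
        {"Sources": ["168.26.26.26", "123.15.15.15", "45.55.68.3", "10.0.0.5", "n/a"]},
    ],
    "correlated_values": [
        {"qk": "src", "counts": 2, "value": "185.132.53.115"},
        {"qk": "user", "counts": 5, "value": "root"},
    ],
}

def collect(incident_data, key):
    # Flatten every `key` list found across the Incident Data array of objects.
    items = []
    for obj in incident_data:
        items.extend(obj.get(key, []))
    return items

def enrichable_sources(incident_data):
    # Unique, globally routable source IPs: the only ones worth a Whois/Threat Intel
    # lookup. Private ranges and malformed entries are dropped, not passed downstream.
    out = []
    for raw in collect(incident_data, "Sources"):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue
        if ip.is_global and str(ip) not in out:
            out.append(str(ip))
    return out

def normalize_incident(incident):
    # Validate the enum, parse the timestamp and rank correlated values by `counts`
    # so an Each loop can act on the strongest correlation first.
    if incident["priority"] not in PRIORITIES:
        raise ValueError(f"unexpected priority: {incident['priority']!r}")
    ranked = sorted(incident["correlated_values"], key=lambda c: c["counts"], reverse=True)
    return {
        "created_at": datetime.fromisoformat(incident["created_at"]).astimezone(timezone.utc),
        "usernames": collect(incident["incident_data"], "Usernames"),
        "sources": enrichable_sources(incident["incident_data"]),
        "correlated": [(c["qk"], c["value"], c["counts"]) for c in ranked],
    }
```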