Cortex XDR is the world's first detection and response app that natively integrates network, endpoint and cloud data to stop sophisticated attacks.
To sync incidents between Demisto and Cortex XDR, you should use the XDRSyncScript script, which you can find in the automation page.
- Fetch incidents from XDR
- Get a list of incidents from XDR
- Update incident in XDR
You need to collect several pieces of information in order to configure the integration on Demisto.
- In your Cortex XDR platform, go to Settings.
- Click the +New Key button in the top right corner.
- Generate a key of type Advanced.
- Copy and paste the key.
- From the ID column, copy the Key ID.
- In your Cortex XDR platform, go to Settings.
- Click the Copy URL button in the top right corner.
- Navigate to Settings > Integrations > Servers & Services.
- Search for Palo Alto Networks Cortex XDR - Investigation and Response.
- Click Add instance to create and configure a new integration instance.
- Name: a textual name for the integration instance.
- Fetch incidents
- Incident type
- Server URL (copy url from XDR - press ? to see more info)
- API Key ID
- API Key
- Trust any certificate (insecure)
- Use system proxy
- First fetch timestamp (e.g., 12 hours, 7 days)
- Click Test to validate the URLs, token, and connection.
```
incident_id: 31
creation_time: 1564594008755
modification_time: 1566339537617
detection_time: null
status: new
severity: low
description: 6 'Microsoft Windows RPC Fragment Evasion Attempt' alerts detected by PAN NGFW on 6 hosts
assigned_user_mail: null
assigned_user_pretty_name: null
alert_count: 6
low_severity_alert_count: 0
med_severity_alert_count: 6
high_severity_alert_count: 0
user_count: 1
host_count: 6
notes: null
resolve_comment: null
manual_severity: low
manual_description: null
xdr_url: https://1111.paloaltonetworks.com/incident-view/31
```
You can execute these commands from the Demisto CLI, as part of an automation,
or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room
with the command details.
- Get a list of incidents: xdr-get-incidents
- Get extra data for an incident: xdr-get-incident-extra-data
- Update an incident: xdr-update-incident
Returns a list of incidents, which you can filter by a list of incident IDs (max 100), the time the incident was last modified, and the time the incident was created. If you pass multiple filtering arguments, they will be concatenated using the AND condition. The OR condition is not supported.
xdr-get-incidents
| Argument Name | Description | Required |
|---|---|---|
| lte_creation_time | Filters returned incidents that were created on or before the specified date/time, in the format 2019-12-31T23:59:00. | Optional |
| gte_creation_time | Filters returned incidents that were created on or after the specified date/time, in the format 2019-12-31T23:59:00. | Optional |
| lte_modification_time | Filters returned incidents that were modified on or before the specified date/time, in the format 2019-12-31T23:59:00. | Optional |
| gte_modification_time | Filters returned incidents that were modified on or after the specified date/time, in the format 2019-12-31T23:59:00. | Optional |
| incident_id_list | An array or CSV string of incident IDs. | Optional |
| since_creation_time | Filters returned incidents that were created on or after the specified date/time range, for example, 1 month, 2 days, 1 hour, and so on. | Optional |
| since_modification_time | Filters returned incidents that were modified on or after the specified date/time range, for example, 1 month, 2 days, 1 hour, and so on. | Optional |
| sort_by_modification_time | Sorts returned incidents by the date/time that the incident was last modified ("asc" - ascending, "desc" - descending). | Optional |
| sort_by_creation_time | Sorts returned incidents by the date/time that the incident was created ("asc" - ascending, "desc" - descending). | Optional |
| page | Page number (for pagination). The default is 0 (the first page). | Optional |
| limit | Maximum number of incidents to return per page. The default and maximum is 100. | Optional |
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.Incident.incident_id | String | Unique ID assigned to each returned incident. |
| PaloAltoNetworksXDR.Incident.manual_severity | String | Incident severity assigned by the user. This does not affect the calculated severity (LOW, MEDIUM, HIGH). |
| PaloAltoNetworksXDR.Incident.manual_description | String | Incident description provided by the user. |
| PaloAltoNetworksXDR.Incident.assigned_user_mail | String | Email address of the assigned user. |
| PaloAltoNetworksXDR.Incident.high_severity_alert_count | String | Number of alerts with the severity HIGH. |
| PaloAltoNetworksXDR.Incident.host_count | number | Number of hosts involved in the incident. |
| PaloAltoNetworksXDR.Incident.xdr_url | String | A link to the incident view on XDR. |
| PaloAltoNetworksXDR.Incident.assigned_user_pretty_name | String | Full name of the user assigned to the incident. |
| PaloAltoNetworksXDR.Incident.alert_count | number | Total number of alerts in the incident. |
| PaloAltoNetworksXDR.Incident.med_severity_alert_count | number | Number of alerts with the severity MEDIUM. |
| PaloAltoNetworksXDR.Incident.user_count | number | Number of users involved in the incident. |
| PaloAltoNetworksXDR.Incident.severity | String | Calculated severity of the incident (LOW, MEDIUM, HIGH). |
| PaloAltoNetworksXDR.Incident.low_severity_alert_count | String | Number of alerts with the severity LOW. |
| PaloAltoNetworksXDR.Incident.status | String | Current status of the incident (NEW, UNDER_INVESTIGATION, RESOLVED_THREAT_HANDLED, RESOLVED_KNOWN_ISSUE, RESOLVED_DUPLICATE, RESOLVED_FALSE_POSITIVE, RESOLVED_OTHER). |
| PaloAltoNetworksXDR.Incident.description | String | Dynamic calculated description of the incident. |
| PaloAltoNetworksXDR.Incident.resolve_comment | String | Comments entered by the user when the incident was resolved. |
| PaloAltoNetworksXDR.Incident.notes | String | Comments entered by the user regarding the incident. |
| PaloAltoNetworksXDR.Incident.creation_time | date | Date and time the incident was created on XDR. |
| PaloAltoNetworksXDR.Incident.detection_time | date | Date and time that the first alert occurred in the incident. |
| PaloAltoNetworksXDR.Incident.modification_time | date | Date and time that the incident was last modified. |
!xdr-get-incidents incident_id_list="30,12,33"
!xdr-get-incidents since_creation_time="3 month" sort_by_creation_time="asc" page="0" limit="3"
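The two command lines above, and the Advanced key generated during setup, are worked through in this added example (not the integration's own code): it maps the xdr-get-incidents arguments onto an XDR get_incidents request body with every filter ANDed and page/limit turned into a search window, and derives the per-request Advanced-key headers. Assumed rather than taken from this page: the request_data/filters body shape and the sha256(key + nonce + timestamp) header scheme follow Palo Alto's public API documentation, and "1 month" is treated as 30 days.

```python
"""Added example (not the integration's own code): turn xdr-get-incidents
arguments into the Cortex XDR get_incidents request and build Advanced-key
headers.  Assumed, not from this page: the request_data/filters body shape and
the Advanced-key scheme (sha256 of key + nonce + timestamp) per Palo Alto's
public API docs; "1 month" is treated as 30 days."""
import hashlib
import re
import secrets
import time
from datetime import datetime, timezone

MAX_LIMIT = 100  # the page: default and maximum limit is 100, max 100 IDs
_UNITS = {"minute": 60, "hour": 3600, "day": 86400, "week": 604800,
          "month": 30 * 86400}


def advanced_key_headers(api_key, api_key_id, nonce=None, timestamp_ms=None):
    """Advanced key: only sha256(key + nonce + timestamp) leaves the host, so a
    captured Authorization header is tied to one nonce/timestamp pair."""
    nonce = nonce if nonce is not None else secrets.token_hex(32)
    if timestamp_ms is None:
        timestamp_ms = int(time.time() * 1000)
    digest = hashlib.sha256(f"{api_key}{nonce}{timestamp_ms}".encode()).hexdigest()
    return {"x-xdr-auth-id": str(api_key_id), "x-xdr-nonce": nonce,
            "x-xdr-timestamp": str(timestamp_ms), "Authorization": digest}


def to_epoch_ms(value):
    """Absolute time in the page's format 2019-12-31T23:59:00, read as UTC."""
    dt = datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def since_to_epoch_ms(value, now_ms):
    """Relative range such as '3 month', '2 days', '1 hour' -> epoch-ms lower bound."""
    m = re.fullmatch(r"\s*(\d+)\s*([a-z]+?)s?\s*", value.lower())
    if not m or m.group(2) not in _UNITS:
        raise ValueError(f"unsupported time range: {value!r}")
    return now_ms - int(m.group(1)) * _UNITS[m.group(2)] * 1000


def build_get_incidents_request(args, now_ms=None):
    """Every filter given is ANDed; page/limit become search_from/search_to."""
    now_ms = now_ms if now_ms is not None else int(time.time() * 1000)
    filters = []
    ids = args.get("incident_id_list")
    if ids:
        ids = ids if isinstance(ids, list) else [i.strip() for i in ids.split(",")]
        if len(ids) > MAX_LIMIT:
            raise ValueError("incident_id_list accepts at most 100 IDs")
        filters.append({"field": "incident_id_list", "operator": "in", "value": ids})
    for arg, field, op in (("lte_creation_time", "creation_time", "lte"),
                           ("gte_creation_time", "creation_time", "gte"),
                           ("lte_modification_time", "modification_time", "lte"),
                           ("gte_modification_time", "modification_time", "gte")):
        if args.get(arg):
            filters.append({"field": field, "operator": op, "value": to_epoch_ms(args[arg])})
    for arg, field in (("since_creation_time", "creation_time"),
                       ("since_modification_time", "modification_time")):
        if args.get(arg):
            filters.append({"field": field, "operator": "gte",
                            "value": since_to_epoch_ms(args[arg], now_ms)})
    page, limit = int(args.get("page", 0)), int(args.get("limit", MAX_LIMIT))
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError("limit must be between 1 and 100")
    request_data = {"filters": filters, "search_from": page * limit,
                    "search_to": page * limit + limit}
    for arg, field in (("sort_by_creation_time", "creation_time"),
                       ("sort_by_modification_time", "modification_time")):
        if args.get(arg) in ("asc", "desc"):
            request_data["sort"] = {"field": field, "keyword": args[arg]}
    return {"request_data": request_data}
```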
{
"PaloAltoNetworksXDR.Incident": [
{
"host_count": 6,
"incident_id": "1",
"manual_severity": null,
"description": "'SMB: User Password Brute Force Attempt' along with 8 other alerts generated by PAN NGFW detected on 6 hosts",
"severity": "high",
"modification_time": 1566994926897,
"assigned_user_pretty_name": "Michael Foo",
"notes": null,
"creation_time": 1564423080364,
"alert_count": 9,
"med_severity_alert_count": 5,
"detection_time": null,
"assigned_user_mail": "[email protected]",
"resolve_comment": "some comment",
"status": "resolved_false_positive",
"user_count": 1,
"xdr_url": "https://1111.paloaltonetworks.com/incident-view/1",
"low_severity_alert_count": 0,
"high_severity_alert_count": 4,
"manual_description": null
},
{
"host_count": 1,
"incident_id": "2",
"manual_severity": null,
"description": "7 'SIP INVITE Method Request Flood Attempt' alerts detected by PAN NGFW on host 10.54.12.6 ",
"severity": "high",
"modification_time": 1565263085359,
"assigned_user_pretty_name": "Michael Foo",
"notes": null,
"creation_time": 1564424187325,
"alert_count": 7,
"med_severity_alert_count": 0,
"detection_time": null,
"assigned_user_mail": "[email protected]",
"resolve_comment": "Possible white list and FP",
"status": "resolved_other",
"user_count": 1,
"xdr_url": "https://1111.paloaltonetworks.com/incident-view/2",
"low_severity_alert_count": 0,
"high_severity_alert_count": 7,
"manual_description": null
},
{
"host_count": 7,
"incident_id": "3",
"manual_severity": null,
"description": "'HTTP Unauthorized Brute Force Attack' along with 25 other alerts generated by PAN NGFW detected on 7 hosts",
"severity": "high",
"modification_time": 1566812108905,
"assigned_user_pretty_name": "Michael Foo",
"notes": null,
"creation_time": 1564424454867,
"alert_count": 26,
"med_severity_alert_count": 0,
"detection_time": null,
"assigned_user_mail": "[email protected]",
"resolve_comment": null,
"status": "new",
"user_count": 1,
"xdr_url": "https://1111.paloaltonetworks.com/incident-view/3",
"low_severity_alert_count": 0,
"high_severity_alert_count": 26,
"manual_description": null
}
]
}
| alert_count | assigned_user_mail | assigned_user_pretty_name | creation_time | description | detection_time | high_severity_alert_count | host_count | incident_id | low_severity_alert_count | manual_description | manual_severity | med_severity_alert_count | modification_time | notes | resolve_comment | severity | status | user_count | xdr_url |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 9 | [email protected] | Michael Foo | 1564423080364 | 'SMB: User Password Brute Force Attempt' along with 8 other alerts generated by PAN NGFW detected on 6 hosts | | 4 | 6 | 1 | 0 | | | 5 | 1566994926897 | | some comment | high | resolved_false_positive | 1 | https://1111.paloaltonetworks.com/incident-view/1 |
| 7 | [email protected] | Michael Foo | 1564424187325 | 7 'SIP INVITE Method Request Flood Attempt' alerts detected by PAN NGFW on host 10.54.12.6 | | 7 | 1 | 2 | 0 | | | 0 | 1565263085359 | | Possible white list and FP | high | resolved_other | 1 | https://1111.paloaltonetworks.com/incident-view/2 |
| 26 | [email protected] | Michael Foo | 1564424454867 | 'HTTP Unauthorized Brute Force Attack' along with 25 other alerts generated by PAN NGFW detected on 7 hosts | | 26 | 7 | 3 | 0 | | | 0 | 1566812108905 | | | high | new | 1 | https://1111.paloaltonetworks.com/incident-view/3 |
Returns additional data for the specified incident, for example, related alerts, file artifacts, network artifacts, and so on.
xdr-get-incident-extra-data
| Argument Name | Description | Required |
|---|---|---|
| incident_id | The ID of the incident for which to get additional data. | Required |
| alerts_limit | Maximum number of alerts to return. Default is 1,000. | Optional |
| Path | Type | Description |
|---|---|---|
| PaloAltoNetworksXDR.Incident.incident_id | String | Unique ID assigned to each returned incident. |
| PaloAltoNetworksXDR.Incident.manual_severity | String | Incident severity assigned by the user. This does not affect the calculated severity (LOW, MEDIUM, HIGH). |
| PaloAltoNetworksXDR.Incident.manual_description | String | Incident description provided by the user. |
| PaloAltoNetworksXDR.Incident.assigned_user_mail | String | Email address of the assigned user. |
| PaloAltoNetworksXDR.Incident.high_severity_alert_count | String | Number of alerts with the severity HIGH. |
| PaloAltoNetworksXDR.Incident.host_count | number | Number of hosts involved in the incident. |
| PaloAltoNetworksXDR.Incident.xdr_url | String | A link to the incident view on XDR. |
| PaloAltoNetworksXDR.Incident.assigned_user_pretty_name | String | Full name of the user assigned to the incident. |
| PaloAltoNetworksXDR.Incident.alert_count | number | Total number of alerts in the incident. |
| PaloAltoNetworksXDR.Incident.med_severity_alert_count | number | Number of alerts with the severity MEDIUM. |
| PaloAltoNetworksXDR.Incident.user_count | number | Number of users involved in the incident. |
| PaloAltoNetworksXDR.Incident.severity | String | Calculated severity of the incident (LOW, MEDIUM, HIGH). |
| PaloAltoNetworksXDR.Incident.low_severity_alert_count | String | Number of alerts with the severity LOW. |
| PaloAltoNetworksXDR.Incident.status | String | Current status of the incident (NEW, UNDER_INVESTIGATION, RESOLVED_THREAT_HANDLED, RESOLVED_KNOWN_ISSUE, RESOLVED_DUPLICATE, RESOLVED_FALSE_POSITIVE, RESOLVED_OTHER). |
| PaloAltoNetworksXDR.Incident.description | String | Dynamic calculated description of the incident. |
| PaloAltoNetworksXDR.Incident.resolve_comment | String | Comments entered by the user when the incident was resolved. |
| PaloAltoNetworksXDR.Incident.notes | String | Comments entered by the user regarding the incident. |
| PaloAltoNetworksXDR.Incident.creation_time | date | Date and time the incident was created on XDR. |
| PaloAltoNetworksXDR.Incident.detection_time | date | Date and time that the first alert occurred in the incident. |
| PaloAltoNetworksXDR.Incident.modification_time | date | Date and time that the incident was last modified. |
| PaloAltoNetworksXDR.Incident.alerts.category | String | Category of the alert, for example, Spyware Detected via Anti-Spyware profile. |
| PaloAltoNetworksXDR.Incident.alerts.action_pretty | String | The action that triggered the alert. |
| PaloAltoNetworksXDR.Incident.alerts.description | String | Textual description of the alert. |
| PaloAltoNetworksXDR.Incident.alerts.severity | String | Severity of the alert. |
| PaloAltoNetworksXDR.Incident.alerts.host_ip | String | Host IP involved in the alert. |
| PaloAltoNetworksXDR.Incident.alerts.source | String | Source of the alert. |
| PaloAltoNetworksXDR.Incident.alerts.user_name | String | User name involved with the alert. |
| PaloAltoNetworksXDR.Incident.alerts.alert_id | String | Unique ID for each alert. |
| PaloAltoNetworksXDR.Incident.alerts.host_name | String | Host name involved in the alert. |
| PaloAltoNetworksXDR.Incident.alerts.detection_timestamp | date | Date and time that the alert occurred. |
| PaloAltoNetworksXDR.Incident.alerts.name | String | Calculated name of the alert. |
| PaloAltoNetworksXDR.Incident.network_artifacts.network_remote_port | number | The remote port related to the artifact. |
| PaloAltoNetworksXDR.Incident.network_artifacts.alert_count | number | Number of alerts related to the artifact. |
| PaloAltoNetworksXDR.Incident.network_artifacts.network_remote_ip | String | The remote IP related to the artifact. |
| PaloAltoNetworksXDR.Incident.network_artifacts.is_manual | boolean | Whether the artifact was created by the user (manually). |
| PaloAltoNetworksXDR.Incident.network_artifacts.network_domain | String | The domain related to the artifact. |
| PaloAltoNetworksXDR.Incident.network_artifacts.type | String | The artifact type, for example, IP. |
| PaloAltoNetworksXDR.Incident.file_artifacts.file_signature_status | String | Digital signature status of the file. |
| PaloAltoNetworksXDR.Incident.file_artifacts.is_process | boolean | Whether the file artifact is related to a process execution. |
| PaloAltoNetworksXDR.Incident.file_artifacts.file_name | String | Name of the file. |
| PaloAltoNetworksXDR.Incident.file_artifacts.file_wildfire_verdict | String | The file verdict, calculated by Wildfire. |
| PaloAltoNetworksXDR.Incident.file_artifacts.alert_count | number | Number of alerts related to the artifact. |
| PaloAltoNetworksXDR.Incident.file_artifacts.is_malicious | boolean | Whether the artifact is malicious, decided by the Wildfire verdict. |
| PaloAltoNetworksXDR.Incident.file_artifacts.is_manual | boolean | Whether the artifact was created by the user (manually). |
| PaloAltoNetworksXDR.Incident.file_artifacts.type | String | The artifact type, for example, hash. |
| PaloAltoNetworksXDR.Incident.file_artifacts.file_sha256 | String | SHA-256 hash of the file. |
!xdr-get-incident-extra-data incident_id="1" alerts_limit="10"
{
"PaloAltoNetworksXDR.Incident": {
"host_count": 6,
"manual_severity": null,
"xdr_url": "https://1111.paloaltonetworks.com/incident-view/1",
"assigned_user_pretty_name": "Michael Foo",
"alert_count": 9,
"med_severity_alert_count": 5,
"detection_time": null,
"user_count": 1,
"severity": "high",
"alerts": [
{
"category": "Vulnerability",
"action_pretty": "Detected (Raised An Alert)",
"description": "Vulnerability Exploit Detection",
"severity": "high",
"host_ip": "10.54.12.6",
"source": "PAN NGFW",
"alert_id": "1",
"host_name": "10.54.12.6",
"detection_timestamp": 1564408244000,
"action": "DETECTED_4",
"user_name": null,
"name": "SMB: User Password Brute Force Attempt"
},
{
"category": "Vulnerability",
"action_pretty": "Detected (Raised An Alert)",
"description": "Vulnerability Exploit Detection (#BLVFILE3)",
"severity": "medium",
"host_ip": "10.54.12.6",
"source": "PAN NGFW",
"alert_id": "21",
"host_name": "10.54.12.6",
"detection_timestamp": 1564422346000,
"action": "DETECTED_4",
"user_name": null,
"name": "Microsoft Windows RPC Fragment Evasion Attempt"
},
{
"category": "Vulnerability",
"action_pretty": "Detected (Raised An Alert)",
"description": "Vulnerability Exploit Detection",
"severity": "high",
"host_ip": "10.54.12.6",
"source": "PAN NGFW",
"alert_id": "26",
"host_name": "10.54.12.6",
"detection_timestamp": 1564431024000,
"action": "DETECTED_4",
"user_name": null,
"name": "SMB: User Password Brute Force Attempt"
},
{
"category": "Vulnerability",
"action_pretty": "Detected (Raised An Alert)",
"description": "Vulnerability Exploit Detection",
"severity": "medium",
"host_ip": "10.54.12.6",
"source": "PAN NGFW",
"alert_id": "44",
"host_name": "10.54.12.6",
"detection_timestamp": 1564480944000,
"action": "DETECTED_4",
"user_name": null,
"name": "Microsoft Windows RPC Fragment Evasion Attempt"
},
{
"category": "Vulnerability",
"action_pretty": "Detected (Raised An Alert)",
"description": "Vulnerability Exploit Detection",
"severity": "high",
"host_ip": "10.54.12.6",
"source": "PAN NGFW",
"alert_id": "83",
"host_name": "10.54.12.6",
"detection_timestamp": 1564681179000,
"action": "DETECTED_4",
"user_name": null,
"name": "SMB: User Password Brute Force Attempt"
},
{
"category": "Vulnerability",
"action_pretty": "Detected (Raised An Alert)",
"description": "Vulnerability Exploit Detection (#BLVFILE3)",
"severity": "medium",
"host_ip": "10.54.12.6",
"source": "PAN NGFW",
"alert_id": "113",
"host_name": "10.54.12.6",
"detection_timestamp": 1564868791000,
"action": "DETECTED_4",
"user_name": null,
"name": "Microsoft Windows RPC Fragment Evasion Attempt"
},
{
"category": "Vulnerability",
"action_pretty": "Detected (Raised An Alert)",
"description": "Vulnerability Exploit Detection",
"severity": "high",
"host_ip": "10.54.12.6",
"source": "PAN NGFW",
"alert_id": "121",
"host_name": "10.54.12.6",
"detection_timestamp": 1564943165000,
"action": "DETECTED_4",
"user_name": null,
"name": "SMB: User Password Brute Force Attempt"
},
{
"category": "Vulnerability",
"action_pretty": "Detected (Raised An Alert)",
"description": "Vulnerability Exploit Detection",
"severity": "medium",
"host_ip": "10.54.12.6",
"source": "PAN NGFW",
"alert_id": "135",
"host_name": "10.54.12.6",
"detection_timestamp": 1565027542000,
"action": "DETECTED_4",
"user_name": null,
"name": "Microsoft Windows RPC Fragment Evasion Attempt"
},
{
"category": "Vulnerability",
"action_pretty": "Detected (Raised An Alert)",
"description": "Vulnerability Exploit Detection",
"severity": "medium",
"host_ip": "10.54.12.6",
"source": "PAN NGFW",
"alert_id": "480",
"host_name": "10.54.12.6",
"detection_timestamp": 1565238356000,
"action": "DETECTED_4",
"user_name": null,
"name": "Microsoft Windows RPC Fragment Evasion Attempt"
}
],
"low_severity_alert_count": 0,
"status": "resolved_false_positive",
"description": "'SMB: User Password Brute Force Attempt' along with 8 other alerts generated by PAN NGFW detected on 6 hosts",
"resolve_comment": "some comment",
"creation_time": 1564423080364,
"modification_time": 1566994926897,
"network_artifacts": [
{
"network_remote_port": 445,
"alert_count": 9,
"network_remote_ip": "10.54.12.6",
"is_manual": false,
"network_domain": null,
"type": "IP",
"network_country": null
}
],
"file_artifacts": [],
"manual_description": null,
"incident_id": "1",
"notes": null,
"assigned_user_mail": "[email protected]",
"high_severity_alert_count": 4
}
}
| alert_count | assigned_user_mail | assigned_user_pretty_name | creation_time | description | detection_time | high_severity_alert_count | host_count | incident_id | low_severity_alert_count | manual_description | manual_severity | med_severity_alert_count | modification_time | notes | resolve_comment | severity | status | user_count | xdr_url |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 9 | [email protected] | Michael Foo | 1564423080364 | 'SMB: User Password Brute Force Attempt' along with 8 other alerts generated by PAN NGFW detected on 6 hosts | | 4 | 6 | 1 | 0 | | | 5 | 1566994926897 | | some comment | high | resolved_false_positive | 1 | https://1111.paloaltonetworks.com/incident-view/1 |
| action | action_pretty | alert_id | category | description | detection_timestamp | host_ip | host_name | name | severity | source | user_name |
|---|---|---|---|---|---|---|---|---|---|---|---|
| DETECTED_4 | Detected (Raised An Alert) | 1 | Vulnerability | Vulnerability Exploit Detection | 1564408244000 | 10.54.12.6 | 10.54.12.6 | SMB: User Password Brute Force Attempt | high | PAN NGFW | |
| DETECTED_4 | Detected (Raised An Alert) | 21 | Vulnerability | Vulnerability Exploit Detection (#BLVFILE3) | 1564422346000 | 10.54.12.6 | 10.54.12.6 | Microsoft Windows RPC Fragment Evasion Attempt | medium | PAN NGFW | |
| DETECTED_4 | Detected (Raised An Alert) | 26 | Vulnerability | Vulnerability Exploit Detection | 1564431024000 | 10.54.12.6 | 10.54.12.6 | SMB: User Password Brute Force Attempt | high | PAN NGFW | |
| DETECTED_4 | Detected (Raised An Alert) | 44 | Vulnerability | Vulnerability Exploit Detection | 1564480944000 | 10.54.12.6 | 10.54.12.6 | Microsoft Windows RPC Fragment Evasion Attempt | medium | PAN NGFW | |
| DETECTED_4 | Detected (Raised An Alert) | 83 | Vulnerability | Vulnerability Exploit Detection | 1564681179000 | 10.54.12.6 | 10.54.12.6 | SMB: User Password Brute Force Attempt | high | PAN NGFW | |
| DETECTED_4 | Detected (Raised An Alert) | 113 | Vulnerability | Vulnerability Exploit Detection (#BLVFILE3) | 1564868791000 | 10.54.12.6 | 10.54.12.6 | Microsoft Windows RPC Fragment Evasion Attempt | medium | PAN NGFW | |
| DETECTED_4 | Detected (Raised An Alert) | 121 | Vulnerability | Vulnerability Exploit Detection | 1564943165000 | 10.54.12.6 | 10.54.12.6 | SMB: User Password Brute Force Attempt | high | PAN NGFW | |
| DETECTED_4 | Detected (Raised An Alert) | 135 | Vulnerability | Vulnerability Exploit Detection | 1565027542000 | 10.54.12.6 | 10.54.12.6 | Microsoft Windows RPC Fragment Evasion Attempt | medium | PAN NGFW | |
| DETECTED_4 | Detected (Raised An Alert) | 480 | Vulnerability | Vulnerability Exploit Detection | 1565238356000 | 10.54.12.6 | 10.54.12.6 | Microsoft Windows RPC Fragment Evasion Attempt | medium | PAN NGFW | |
| alert_count | is_manual | network_country | network_domain | network_remote_ip | network_remote_port | type |
|---|---|---|---|---|---|---|
| 9 | false | | | 10.54.12.6 | 445 | IP |
No entries.
Updates one or more fields of the specified incident. Fields that are not passed are left unchanged. To remove the assignment for an incident, pass a null value in the assignee email argument.
xdr-update-incident
| Argument Name | Description | Required |
|---|---|---|
| incident_id | XDR incident ID. You can get the incident ID from the output of the 'xdr-get-incidents' command or the 'xdr-get-incident-extra-data' command. | Required |
| manual_severity | Severity to assign to the incident (LOW, MEDIUM, or HIGH). | Optional |
| assigned_user_mail | Email address of the user to assign to the incident. | Optional |
| assigned_user_pretty_name | Full name of the user assigned to the incident. | Optional |
| status | Status of the incident (NEW, UNDER_INVESTIGATION, RESOLVED_THREAT_HANDLED, RESOLVED_KNOWN_ISSUE, RESOLVED_DUPLICATE, RESOLVED_FALSE_POSITIVE, RESOLVED_OTHER). | Optional |
| resolve_comment | Comment explaining why the incident was resolved. This should be set when the incident is resolved. | Optional |
| unassign_user | If true, will remove all assigned users from the incident. | Optional |
There is no context output for this command.
!xdr-update-incident incident_id="1" status="RESOLVED_FALSE_POSITIVE" resolve_comment="some comment"
Incident 1 has been updated