Thread: Create incident action in 7

  1. #1
    cslye NNTP User

    Has anyone written a JavaScript version of the Create Incident action?
    In Sentinel 6.1 there was an action which you could use in a correlation
    rule to open an internal incident and define all of the params such as
    workflow etc. In 7, there is no action that I see available to do

    I mostly have a script using the API done to do this, but don't know the
    best way to associate the event at incident creation time since I am
    only passing parameters and not passing an object like you would in a
    JavaScript action. Looking at the JavaScript API I do not see any docs
    for Incident, so I don't know how I can create an SDK-based action

  2. #2
    DCorlette NNTP User

    Although this is actually possible, and could be used if you wanted to
    do something very custom with the Incident, the native "Create Incident"
    action does still exist - it's just a little harder to find than

    1) Log into the Sentinel Control Center, click on the Configuration
    tab, then the Configuration menu, then select "Action Manager" from the
    2) In the Action Manager, click on the "+ Add" button to add a new
    Action instance
    3) Configure the Action with the "Create Incident" action and specify
    any details (like a name)
    4) Go back to the Web UI, create or edit a new correlation rule, and
    now you should see your new Action in the dropdown.

    What's happening here is that you have to pre-configure an instance of
    each Action before it will show up in the list that can be attached to
    correlation rules. In prior versions of Sentinel, there were a few
    Actions that you could configure at the time you attached them to the
    rule, but that was also a bit confusing.

