Update Incident Status from SIEM to Cloud Connector
You can update the incident status from your SIEM to Skyhigh Cloud Connector.
To update the incident status, run the following curl command:
curl -k -X POST \
https://CC symbolic server name:port/incidentStatus/update \
-H 'cache-control: no-cache' \
-H 'content-type: application/json' \
-d '[
{
"incidentId": "incidentType-incidentNumber",
"changeRequests":{ "WORKFLOW_STATUS": "status" }},
//to add multiple incidents, add a curly bracket followed by the incidentId and ChangeReuest
{
"incidentId": "incidentType-incidentNumber",
"changeRequests":{ "WORKFLOW_STATUS": "status" }}
]
'
Example:
curl -k -X POST \
https://t5617-168678303.do.devshn.net:8459/incidentStatus/update \
-H 'cache-control: no-cache' \
-H 'content-type: application/json' \
-d '[
{
"incidentId": "DLP-234",
"changeRequests":{ "WORKFLOW_STATUS": "Resolved" }},
{
"incidentId": "DLP-231",
"changeRequests":{ "WORKFLOW_STATUS": "Resolved" }}
]
'
Statuses
List of valid status that can be updated:
- Archived
- Escalated
- False positive
- Opened
- Pending
- Resolved
- Suppressed
- Suspended
- Under investigation
- Viewed
List of API Incident Types
- DLP. For DLP Policy Violations.
- ANO. For Anomalies.
- THR. For Threats.
- AUD. For Config Audit Policy violations.
- CAP. For Cloud Access Policy violations.
- MAL. For Malware Policy violations.
- APP. For Connected Apps violations.
- VUL. For Vulnerability Policy violations.