---
title: Incident Tools
description: ''
slug: /help/docs/platform-services/automation-service/app-central/integrations/incident-tools/
canonical: https://www.sumologic.com/help/docs/platform-services/automation-service/app-central/integrations/incident-tools/
---

import useBaseUrl from '@docusaurus/useBaseUrl';

***Version: 1.11 Updated: April 29, 2026***

:::sumo Cloud SOAR
This integration is only for Cloud SOAR.
:::

Set of scripts to perform actions within Cloud SOAR.

## Actions

* **Add Entity Threat Indicator** (*Custom*) - Mark an Entity with a predefined tag used for classification.
* **Add External Alert to Incident** (*Custom*) - Enrich the incident with external alert data.
* **Add Incident Artifact** (*Custom*) - Add an artifact to an incident.
* **Add Investigators** (*Custom*) - Add investigators to an incident.
* **Add Note** (*Custom*) - Add a note to an incident.
* **Add Users Details** (*Custom*) - Add the user details entity to an incident.
* **Change Incident Folder** (*Custom*) - Change the destination folder for an incident.
* **Change Incident Owner** (*Custom*) - Change the incident's owner.
* **Close Incident** (*Custom*) - Set incident status to closed.
* **Create Entity** (*Custom*) - Create a new entity.
* **Create Incident From Template** (*Custom*) - Create a new incident from an existing incident template.
* **Extract Data And Save Into Attachments** (*Custom*) - Extract data from previous action using fields path, then save as attachments as CSV, JSON or text file.
* **Get Entity** (*Custom*) - Get details about the provided Entity.
* **Get Incident Owner** (*Custom*) - Get the owner of the provided incident.
* **Get Incident** (*Custom*) - Get details of the specified incident.
* **Get War Room Timeline** (*Custom*) - Get the War Room timeline in JSON format for the incident.
* **Incident Daemon** (*Daemon*) - Create an incident.
* **List Entity Incidents** (*Custom*) - List all incidents where the entity is involved in.
* **List External Alerts** (*Custom*) - List all external alerts associated with the incident.
* **List Incident Columns** (*Custom*) - List all incident fields.
* **List Users** (*Enrichment*) - List Users.
* **Search Entities** (*Custom*) - Search for Entities.
* **Search Incidents** (*Custom*) - Search for Incidents.
* **Update Entity** (*Custom*) - Update the tags and/or the description of the Entity.
* **Update Incident Date And Time Field** (*Custom*) - Update the date and time Incident field.
* **Update Incident Description** (*Custom*) - Update an incident description.
* **Update Incident Field** (*Custom*) - Update an incident field.
* **Update Incident Fields** (*Custom*) - Update multiple incident fields.
* **Update Incident Phase** (*Custom*) - Update the incident phase.

## Configure Incident Tools in Cloud SOAR

import IntegrationsAuth from '../../../../reuse/integrations-authentication.md';
import IntegrationCertificate from '../../../../reuse/automation-service/integration-certificate.md';
import IntegrationEngine from '../../../../reuse/automation-service/integration-engine.md';
import IntegrationLabel from '../../../../reuse/automation-service/integration-label.md';
import IntegrationProxy from '../../../../reuse/automation-service/integration-proxy.md';
import IntegrationTimeout from '../../../../reuse/automation-service/integration-timeout.md';
import CloudSOARAPIURL from '../../../../reuse/automation-service/cloud-soar-api-url.md';
import AccessID from '../../../../reuse/automation-service/access-id.md';
import AccessKey from '../../../../reuse/automation-service/access-key.md';

## Change Log

* June 1, 2023 - First upload
* July 7, 2023 (v1.2)
    + Updated action: Create Entity
    + Removed leading/trailing spaces
* November 24, 2023 (v1.3)
    + Updated action: Add User Details
        - Enabled incident artifacts feature flag for User Details field (formerly, Users)
        - Added a checkbox to allow the conversion of user details to lower case
    + Changed API endpoint for resource testing
    + Improved error handling
* December 14, 2023 (v1.4) - Added new action: Get Incident
* February 13, 2024 (v1.5) - Fixed typo in the following actions
    + Update Incident Date And Time Field
    + Update Incident Description
    + Update Incident Field
    + Update Incident Fields
* March 4, 2024 (v1.6) - Updated code for compatibility with Python 3.12
* June 4, 2024 (v1.7)
    * New actions:
        * Add Entity Threat Indicator
        * Add External Alert to Incident
        * Get Entity
        * Get Incident Owner
        * Get War Room Timeline
        * Incident Daemon
        * List Entity Incidents
        * List External Alerts
        * List Incident Columns
        * Search Entities
        * Search Incidents
        * Update Entity
* June 24, 2024 (v1.8) - The **Field ID** and **Field Value** fields are now optional in the **Update Incident Fields** action.
* December 5, 2025 (v1.9) - Added `closing_note` in output field of Get Incident action.
* March 16, 2026 (v1.10) - Updated action: Create Incident From Template
    * Added auto-assignment of current timestamp to Start Time field when not provided.
    * Enhanced hint text for Incident Label ID and Custom Incident Label fields.
* April 29, 2026 (v1.11) - Upgraded the `python3_generic` Docker image (Python 3.8) to `python3_12_generic` (Python 3.12) to address Python 3.8 end-of-life and improve security and performance.