IBM QRadar SOAR

  • 1.  This is how I close an incident using the REST API

    Posted Wed January 26, 2022 02:08 PM
    Just in case someone needs it, because it was not clear to me from just inspecting the documentation.

    https://resilient.localdomain/rest/orgs/201/incidents/30246?return_dto=true

    {
    "changes": [
    {
    "field": {"name":"plan_status"},
    "old_value": {"text":"A"},
    "new_value": {"text":"C"}
    },
    {
    "field": {"name":"resolution_id"},
    "old_value": {"object":null},
    "new_value": {"object":10}
    },
    {
    "field": {"name":"resolution_summary"},
    "old_value": {"text":null},
    "new_value": {"text":"reason here"}
    }
    ]
    }

    ------------------------------

    Leonardo Kenji Shikida
    ------------------------------


  • 2.  RE: This is how I close an incident using the REST API

    Posted Fri February 11, 2022 08:44 AM

    Hi Leonardo,

    Thanks for the example. The JSON payload is correct for the default 'on-close' defined fields. 'on-close' incident fields are customizable and may include custom incident fields as well. In that case, add them under the "properties" hierarchy as:

    "properties": {
      "custom_field": "value"
    }



    ------------------------------
    Mark Scherfling
    ------------------------------



  • 3.  RE: This is how I close an incident using the REST API

    Posted Thu April 17, 2025 05:49 AM

    Hello Mark,

    I am trying to follow your instructions on the custom fields but I am facing a problem:

    The body:

    {
      "changes": [
        {
          "field": { "name": "plan_status" },
          "old_value": { "text": "A" },
          "new_value": { "text": "C" }
        },
        {
          "field": { "name": "resolution_id" },
          "old_value": { "object": null },
          "new_value": { "object": 10 }
        },
        {
          "field": { "name": "resolution_summary" },
          "old_value": { "text": null },
          "new_value": { "text": "Reason for closure" }
        }
      ],
      "properties": {
        "action": "test"

      }
    }

    The error I am getting:

      "message": "Unable to process the supplied JSON. The field 'properties' is not recognized. The error occurred at line #19 and column #18.",

    Would it be possible to help?



    ------------------------------
    abd el rahman Hamed
    ------------------------------



  • 4.  RE: This is how I close an incident using the REST API

    Posted Fri April 18, 2025 10:39 AM

    Hello,

    It seems like you are using the PATCH /orgs/{org_id}/incidents/{inc_id} REST API.

    The in-product REST API Reference shows that the expected input is a PatchDTO.

    So your custom field isn't treated any differently than builtin fields.  Your JSON should look something like:
    {
      "changes": [
        {
          "field": { "name": "plan_status" },
          "old_value": { "text": "A" },
          "new_value": { "text": "C" }
        },
        {
          "field": { "name": "resolution_id" },
          "old_value": { "object": null },
          "new_value": { "object": 10 }
        },
        {
          "field": { "name": "resolution_summary" },
          "old_value": { "text": null },
          "new_value": { "text": "Reason for closure" }
        },
        {
          "field": { "name": "action" },
          "old_value": { "text": <OLD VALUE> },
          "new_value": { "text": "test" }
        }
      ]
    }

    The actual values for your custom field "action" depend on its type.

    One thing that can help is the fact that the SOAR UI uses the same REST API.  In particular, editing an incident field and clicking save will invoke this PATCH endpoint.  So all you need to do is turn on the network tools in your browser and observe the request that the SOAR UI sends to SOAR.

    Hope that helps!



    ------------------------------
    Howard Lu
    ------------------------------
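
The request body discussed in this thread, built programmatically as an added example (not code from any poster or from IBM): custom fields go in as ordinary `changes` entries, as the last reply describes, and each `old_value` is read from the incident as previously fetched. The function names, the sample incident, and the assumption that custom field values appear under `properties` in the fetched incident are illustrative; nothing is sent over the network.

```python
import json

# Value wrappers seen in this thread: "text" for text fields, "object" for IDs.
BUILTIN_WRAPPERS = {"plan_status": "text", "resolution_id": "object",
                    "resolution_summary": "text"}


def change(name, wrapper, old, new):
    """One PatchDTO entry: field name plus wrapped old and new values."""
    return {"field": {"name": name},
            "old_value": {wrapper: old},
            "new_value": {wrapper: new}}


def build_close_patch(incident, resolution_id, summary, custom=None):
    """Build the PATCH body that closes `incident`.

    incident: incident JSON as fetched beforehand (source of every old_value).
    custom:   {field_name: (wrapper, new_value)} for custom on-close fields.
    Assumption: custom field values sit under incident["properties"].
    """
    new_values = {"plan_status": "C", "resolution_id": resolution_id,
                  "resolution_summary": summary}
    changes = [change(name, BUILTIN_WRAPPERS[name], incident.get(name), new)
               for name, new in new_values.items()]
    props = incident.get("properties") or {}
    for name, (wrapper, new) in (custom or {}).items():
        # Custom fields are ordinary "changes" entries, never a top-level key.
        changes.append(change(name, wrapper, props.get(name), new))
    return {"changes": changes}


def build_request(base_url, org_id, inc_id, patch):
    """Return (method, url, body) without sending anything."""
    url = f"{base_url}/rest/orgs/{org_id}/incidents/{inc_id}?return_dto=true"
    return "PATCH", url, json.dumps(patch)


if __name__ == "__main__":
    # Constructed sample of a fetched open incident, not real data.
    sample = {"id": 30246, "plan_status": "A", "resolution_id": None,
              "resolution_summary": None, "properties": {"action": None}}
    patch = build_close_patch(sample, 10, "Reason for closure",
                              custom={"action": ("text", "test")})
    method, url, body = build_request("https://resilient.localdomain", 201,
                                      30246, patch)
    print(method, url)
    print(json.dumps(patch, indent=2))
```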