Add Incident Timeline Entry‎‎ ‎

POST /Command/AddIncidentTimelineEntry

This command adds a new timeline entry to an incident along with any associated metadata, enhancing the detailed record of the incident's chronological events and relevant information.

Request

Authentication: API keys or JSON web tokens (JWT)

Body Parameters

Parameter Name	Type	Required/Optional	Description
Username	`string`	Required	The username of your D3 SOAR account.
Site	`string`	Required	The D3 SOAR site to run the remote command.
Incident Number	`string`	Required	The incident number for which the timeline entry will be added.
Time	`string`	Optional	The specific date and time when the event associated with the timeline entry occurred, adjusted to the incident's time zone.
Note	`string`	Optional	Additional remarks or important information related to the timeline entry that may provide context or insights.
Event Type	`string`	Optional	The category or classification of the event within the incident, indicating the nature of the activity.
Tactic & Technique	`string`	Optional	The strategic approach and specific methods used in the incident, aligned with recognized frameworks for categorizing cyber threats.
Risk	`string`	Optional	The severity or potential impact of the event, typically classified into categories such as ZeroRisk, Low, Medium, High, or N/A
Description	`string`	Optional	A detailed account or explanation of the event, providing in-depth information about what occurred.
Summary	`string`	Optional	A concise overview of the event, highlighting key points and essential details without going into extensive detail.

READER NOTE

For Date/Time parameter Time, all times and timestamps must follow the format: yyyy-mm-dd hh:mm:ss.

e.g. May 15, 2024, 2:32 PM should be written as 2024-05-15 14:32:00.

Body Sample Data

application/json

JSON

{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Incident Number": "20240223-1",
    "Time": "2024-05-15 14:32:00",
    "Note": "Initial detection through network monitoring tools.",
    "Event Type": "Unauthorized Access",
    "Tactic & Technique": "Collection / Data from Local System",
    "Risk": "High",
    "Description": "An unknown actor accessed the system through a vulnerable web application, exploiting a SQL injection flaw to gain unauthorized access.",
    "Summary": "SQL injection attack detected, leading to unauthorized access and data exposure."
  }
}

Response

200 OK

application/json

Response Fields

Field Name	Type	Description
error	`string`	The error message if the command execution failed.
returnData	`JSON Object`	The return data from the API request.

Sample Data

{
    "error": "",
    "returnData": "{
      "Status": "Successful",
      "Data": {
          "incidentNumber": "20230714-3",
          "Tags": [
              "test4",
              "test5",
              "test6",
              "test7"
          ],
          "modifiedDate": "7/14/2023 5:03:05 PM",
          "result": "Successful",
          "modifiedBy": "Jackie xxx"
      }
  }"
}

400 BadRequest

application/json

Response Fields

Field Name	Type	Description
Error	`string`	A error message when the API request fails.

Sample Data

JSON

{"Error": "The body of the request must be a valid JSON object"}

401 Unauthorized

application/json

Response Fields

Field Name	Type	Description
Error	`string`	A error message when the API request fails.

Sample Data

JSON

{"Error": "Invalid authentication key."}

429 TooManyRequests

application/json

Response Fields

Field Name	Type	Description
Error	`string`	A error message when the API request fails.

Sample Data

JSON

{"Error": "The request exceeds rate limits or is otherwise blocked by rate limiting policies."}

500 InternalServerError

application/json

Response Fields

Field Name	Type	Description
Error	`string`	A error message when the API request fails.

Sample Data

JSON

{"Error": "Unexpected Error."}