Trustwave Fusion
LAST UPDATED: OCTOBER 24, 2025
Overview
Trustwave Fusion is a cloud-native cybersecurity platform that centralizes threat detection, incident response, and compliance management. It provides a unified interface where customers can manage tickets, track investigation status, exchange comments, and securely handle attachments.
D3 SOAR is providing REST operations to function with Trustwave Fusion.
Trustwave Fusion is available for use in:
Connection
Gather the following information to connect D3 SOAR to Trustwave Fusion.
Parameter | Description | Example |
Server URL | The base URL of the Trustwave Fusion API. | https://api.fusion.trustwave.com |
API Key | A valid API key used to authenticate requests to the Trustwave Fusion API. | ***** |
API Version | The version of the API to use. The default is v2. | v2 |
Configuring D3 SOAR to Work with Trustwave Fusion
Log in to D3 SOAR.
Find the Trustwave Fusion integration.
Navigate to Configuration on the top header menu.
Click on the Integration icon on the left sidebar.
Type Trustwave Fusion in the search box to find the integration, then click it to select it.
Click on the + Connection button on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to Trustwave Fusion.
Connection Name: The desired name for the connection.
Site: The site on which to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
Recipient site for events from connections Shared to Internal Sites: This field is displayed when Share to Internal Sites is selected for the Site field, allowing selection of the internal site for deploying the integration connection.
Agent Name (Optional): The proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
Description (Optional): The description for the connection.
Tenant (Optional): When configuring the connection from a master tenant site, users can choose the specific tenant sites with which to share the connection. Once this setting is enabled, users can filter and select the desired tenant sites from the dropdowns to share the connection.
Active: The checkbox that enables the connection to be used when selected.
Configure User Permissions: Defines which users have access to the connection.
System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
1. Input the Server URL. The default value is https://api.fusion.trustwave.com.
2. Input the API Key from the Trustwave Fusion platform.
3. Input the API Version. The default value is v2.
Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Refer to the password vault connection guide if needed.
Connection Health Check: Periodically checks the connection status by scheduling the Test Connection command at the specified interval (in minutes). Available only for active connections, this feature also allows configuring email notifications for failed attempts.
Test the connection.
Click on the Test Connection button to verify credentials and connectivity. A success alert displays Passed with a green checkmark. If the connection fails, review the parameters and retry.
Click OK to close the alert window.
Click + Add to create and add the configured connection.
Commands
Trustwave Fusion includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command function, users can execute these commands independently for playbook troubleshooting.
Integration API Note
For more information about the Trustwave Fusion API, refer to the Trustwave Fusion API reference.
Note for Time-related parameters
The input format of time-related parameters may vary based on user account settings, which may cause the sample data in commands to differ from what is displayed. To adjust the time format, follow these steps:
Navigate to Configuration Application Settings. Select Date/Time Format.
Choose the desired date and time format, then click on the Save button.
The selected time format will now be visible when configuring Date/Time command input parameters.
Add Ticket Comment
Adds a comment to the specified ticket.
READER NOTE
Ticket ID is a required parameter to run this command.
Run the Fetch Event command to obtain the Ticket ID. Ticket IDs can be found in the raw data at $.Result[*].number.
Input
Input Parameter | Required/Optional | Description | Example |
Ticket ID | Required | The ID of the ticket to which the comment will be added. Ticket ID can be obtained using the Fetch Event command. | IN*****07 |
Comment | Required | The content of the comment to add. | Test comment |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Add Ticket Comment failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trustwave Fusion portal. Refer to the HTTP Status Code Registry for details. | Status Code: 401. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Unauthorized. |
Error Sample Data Add Ticket Comment failed. Status Code: 401. Message: Unauthorized. |
Fetch Event
Retrieves events from the platform based on specified criteria.
Input
Input Parameter | Required/Optional | Description | Example |
Start Time | Optional | The start time of the event search range in the yyyy-MM-dd HH:mm:ss format. By default, the value is 24 hours before the current time. | 2025-08-01 00:00:00 |
End Time | Optional | The end time of the event search range in the yyyy-MM-dd HH:mm:ss format. By default, the value is the current time. | 2025-09-01 00:00:00 |
Query Time Type | Optional | The timestamp field used to filter events. Valid options are:
By default, the value is set to UpdatedOn. | UpdatedOn |
Number of Event(s) Fetched | Optional | The maximum number of events to return. By default, the value is 20. | 20 |
Type | Optional | Filters retrieved events by type. Valid options are:
| Case |
Status | Optional | Filters retrieved events by status. Valid options are:
| New |
Priority | Optional | Filters retrieved events by priority. Valid options are:
| High |
Impact | Optional | Filters retrieved events by impact level. Valid options are:
| High |
Urgency | Optional | Filters retrieved events by urgency. Valid options are:
| High |
Output
To view the sample output data for all commands, refer to this article.
Fetch Event Field Mapping
See Field Mappings.
The Trustwave Fusion system integration includes pre-configured field mappings for the default event source.
The Default Event Source is the default system-provided set of field mappings applied when the fetch event command is executed. It includes a Main Event JSON Path, which is the JSONPath expression that points to the base array of event objects. The source field path continues from this array to locate the required data.
The Main Event JSON Path can be viewed by clicking on the Edit Event Source button.
Main Event JSON Path: $.Results
The Results array contains the event objects. Within each object, the key number denotes the Unique Event Key field. As such, the full JSONPath expression to extract the Unique Event Key is $.Results[*].number.
The pre-configured field mappings are detailed below:
Field Name | Source Field |
Channel | .channel |
Contact Name | .contactName |
Contact Type | .contactType |
Contact Username | .contactUsername |
Impact | .impact |
Organization ID | .orgId |
Product Name | .productName |
Related Ticket | .relatedTicket |
Resolution Code | .resolutionCode |
Resolution Notes | .resolutionNotes |
Urgency | .urgency |
Event category | .category |
Unique Event Key | .number |
Event Type | .type |
Start Time | .k2 |
Description | .description |
Source Priority | .priority |
Status | .state |
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Fetch Event failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trustwave Fusion portal. Refer to the HTTP Status Code Registry for details. | Status Code: 401. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Unauthorized. |
Error Sample Data Fetch Event failed. Status Code: 401. Message: Unauthorized. |
Get Ticket Details
Retrieves details of specified tickets.
READER NOTE
Ticket ID is a required parameter to run this command.
Run the Fetch Event command to obtain the Ticket ID. Ticket IDs can be found in the raw data at $.Result[*].number.
Input
Input Parameter | Required/Optional | Description | Example |
Ticket IDs | Required | The IDs of tickets for which to retrieve details. Ticket IDs can be obtained using the Fetch Event command. |
JSON
|
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Ticket Details failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trustwave Fusion portal. Refer to the HTTP Status Code Registry for details. | Status Code: 401. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Unauthorized. |
Error Sample Data Get Ticket Details failed. Status Code: 401. Message: Unauthorized. |
Upload Attachments
Uploads documents to the specified ticket. Each upload creates a new attachment and duplicate filenames are allowed. The maximum file size is 20 MB per file.
READER NOTE
Ticket ID is a required parameter to run this command.
Run the Fetch Event command to obtain the Ticket ID. Ticket IDs can be found in the raw data at $.Result[*].number.
D3 File IDs and D3 File Source
It is not recommended to use the Test Command feature with the Upload Attachments command as it is designed for dynamic input files in Playbooks, Incident Attachments, and Artifact Attachments. There is a simple workaround to test the command:
Navigate to Configuration on the top bar menu.
Click on Utility Commands on the left sidebar menu.
Use the search box to find and select the Create a File from input Text Array command.
Click on the Test tab.
Input the required information for the parameters
Click on the Test Command button. A D3 File ID will appear in the output data after the file has been successfully created. The D3 File Source of the created file will be Playbook File.
Input
Input Parameter | Required/Optional | Description | Example |
Ticket ID | Required | The ID of the ticket to which the documents will be uploaded. Ticket ID can be obtained using the Fetch Event command. | IN*****07 |
File Names | Required | The list of file names to be uploaded. Each file name must match the corresponding document included in the request. |
JSON
|
D3 File IDs | Required | The file ID of the file source. |
JSON
|
D3 File Source | Required | The file source of the files to upload. The options for file sources are:
| Playbook File |
Output
To view the sample output data for all commands, refer to this article.
Error Handling
If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Upload Attachments failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trustwave Fusion portal. Refer to the HTTP Status Code Registry for details. | Status Code: 401. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Unauthorized. |
Error Sample Data Upload Attachments failed. Status Code: 401. Message: Unauthorized. |
Test Connection
Allows users to perform a health check on an integration connection. Users can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.
Input
N/A
Output
Output Type | Description | Return Data Type |
Return Data | Indicates one of the possible command execution states: Successful or Failed. The Failed state can be triggered by any of the following errors:
More details about an error can be viewed in the Error tab. | String |
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Test Connection failed. Failed to check the connector. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trustwave Fusion portal. Refer to the HTTP Status Code Registry for details. | Status Code: 401. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Unauthorized. |
Error Sample Data Test Connection failed. Failed to check the connector. Status Code: 401. Message: Unauthorized. |