Skip to main content
Skip table of contents

Data Ingestion

LAST UPDATED: DEC 16, 2024

The Data Ingestion module shows a complete list of all ingested events and incidents by data sources. This module is divided into two tabs:

  • Event Intake

  • Incident Intake

Group 409.png

Intake Methods for Data Sources

There are three methods you can use to ingest data into D3 SOAR:

  • Schedule: Schedule a Fetch Event/Incident Command to ingest data

  • Webhook: Use a webhook to push data into the system

  • File: Upload Files to ingest Event data (For details on how to ingest data by file upload, please refer to Investigation Dashboard)

UI Structure

Group 339.png

The Data Ingestion module’s UI contains the following components:

Data Ingestion List

This section displays the list of configured Data Ingestion schedules. You can find two different types of Data Ingestion methods here: Schedule and Webhook. At the top of the section, there is a search bar to help you search for the schedule you need.

Data ingestion schedules are sorted by integration by default, but you can also sort by sites. Sorting by sites will nest all integrations and data ingestion schedules under that particular site.

Schedule Log

This section displays the list of logs of past runs of the selected schedule. Here, you can see all past runs of this schedule and filter them by time and status.

Data Ingestion Details

This section shows all the log details of a specific run. The information is categorized into five tabs: Input Data, Output Data, Raw Data, Event List, Incident List (only in Incident Intake), and Error Log.

Data Ingestion Card

A data ingestion card displays the schedule’s Site information and Connection information. There are a few actions you can take on a Schedule:

Action

Description

Stop

This action stops this schedule.

Clone

Clone this schedule’s configuration.

View

View the current configuration for this fetched schedule.

Delete

Delete this schedule and its associated logs.

READER NOTE

You cannot restart a stopped schedule, but you can clone a stopped schedule to run it again.

In addition, the status tag on the right displays the current state of the fetch Schedule:

Status

Description

This indicates that the fetch schedule is currently active and running.

This indicates that the Fetch schedule has been manually stopped.

READER NOTE

Creating a new Ingestion Method for an Incident Intake is similar to the Event Intake instructions above. The only difference is that you will need to select the Incident Intake tab instead of the Event Intake.

Configuring Fetch Event Data Ingestion

Below are instructions on how to configure Schedule and Webhook as Intake Methods. Data ingestion by files can be done in the Investigation Dashboard.

Schedule

To configure a new Fetch Event schedule:

  1. Click on the Event Intake tab.

  2. Click on the + icon and select Schedule.

bd78f825-eac2-4ab5-8b56-f365813f3269.png
  1. Select the desired Integration.

  2. (Optional) Setup Event Field Mapping.

  1. Select a Connection.

  2. Set the Interval. This determines how often the schedule executes. 

  3. Set the Schedule Job Tolerance Scope. This setting defines a tolerance window, in minutes, for data ingestion processes. This window helps prevent data loss by accounting for the delay between when data is created in a third-party product and when it becomes available through its API. When this setting has a value, data will be ingested starting from {Start Time - Tolerance Scope}. This tolerance scope is calculated independently and does not affect the "Tolerance Scope" command parameter.

READER NOTE

Configuring a large value for the Schedule Job Tolerance Scope parameter, in conjunction with a short Interval time for the data intake schedule, may lead to an increase in the volume of ingested data. This is due to the increased frequency of data ingestion and the risk of re-ingesting events, including those that have already been re-ingested in previous cycles. This situation contributes to accelerated database storage consumption.

Adjust the tolerance scope carefully to maintain a balance between data completeness and storage efficiency.

  1. Select a Data Formatter custom utility command to transform the ingested event data.

  2. Select an Event Playbook that you wish to run on this scheduled data ingestion.

  3. Check the box to enable the automatic mapping of ingested events from the data source to MITRE tactics and techniques.

  4. Check the box to allow event automation rules to be applied for dismissing or escalating the ingested events from the data source.

  5. Fill in the inputs for the Fetch Event command in Command Details. (Command details may vary depending on the integration)

  6. Click on Save & Run.

RESULT

The new Data Source will be displayed as a card on the left hand side and the schedule will start running.

Webhook

The Webhook ingestion method allows the Integration to send event or incident data (in JSON format) to be investigated in the D3 vSOC platform. This allows real-time, controlled event or incident data ingestion for SOC teams, and offers greater flexibility.

The following is a general how-to for setting an Event Ingestion webhook.

READER NOTE

Incident ingestion in webhook will look and function similarly. We recommend referring to this how-to for setting up an incident intake command as well.

  1. Click on the Event Intake tab.

  2. Click on the + icon and select Webhook.

69dbbf4c-7652-4bf5-84bf-fcd56921477c.png
  1. Select the desired Integration.

  2. Select the applicable Site(s).

  3. Select the Authentication Method.

  4. (Optional) Set up Event Field Mapping.

Authentication Method: API Key

  1. For the selected site, you can select an existing key or generate a new one for authentication. To select existing keys, click on a key under "Existing Keys". To generate a new key, click on the + button in the top right corner.

    Group 411.png
  2. If you are generating a new key, enter an alias for your key, then click Generate.

  3. For detailed information about configuring the API key, refer to the Authentication Method: API Keys subsection under Event/Incident Intake in the Webhook Configuration Guide document.

Authentication Method: JSON Web Token (JWT)

  1. For the selected site, you can select an existing key or generate a new one for authentication. To select existing keys, click on a key under "Existing Keys". To generate a new key, click on the + button adjacent to the site name.

    Group 343.png
  2. If you are generating a new key, enter an alias for your key. You have the option to allow all users to view the key. Click Generate

  3. For detailed information about configuring the JSON web token, refer to the JSON Web Token Authentication subsection under Event/Incident Intake in the Webhook Configuration Guide document.

Cloning an Existing Fetch Schedule

  1. Click on the copy button of the schedule you want to clone.

READER NOTE

The copy button is only available when a schedule is in the Stopped state.

  1. In the Clone Data Source window, update the input parameters you would like to change, if any. Integration and Intake Method cannot be changed for a clone.

  2. Click on Clone and Start.

RESULT

The new fetch schedule will be created and appear above the previous fetch schedule card.

View Fetch Schedule Logs

Clicking on any of the Data Sources will display a time log and the imported data on the right-hand side.

Group 344.png

You can narrow down this log by date range and/or by status using the filters provided at the top of the list. At a glance, you can view if a run was successful by looking at the icon on the right side of the date and time.

Status

Description

Done

This indicates that the run was successful and Event data has been received.

Done (No Data)

This indicates that the run was successful but no Event data was received.

Error

This indicates that the run was unsuccessful.

Running

This indicates that the run is initiated but there are tasks that haven't run yet.

The data of each run is displayed on the right-most panel, split into tabs:

  1. Input Data: Input parameters of the fetch Event/Incident command

  2. Output Data: Event/Incident data from this scheduled fetch run

  3. Raw Data: Original data pass into the system

  4. Event List: List of Events ingested into the system

  5. Error Log (Only shows if there is error): All error data when the run is unsuccessful

  6. Playbook (Only Playbook Implementation): Runtime Playbook configured for this schedule

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.