Skip to main content
Skip table of contents

Add Incident Timeline Entry

LAST UPDATED: SEPT 18, 2024

Adds a new timeline entry to an incident, enhancing its chronological record with key information.

READER NOTE

This utility command is for vSOC versions 16.8 and above. Clients on earlier versions may not have access to this command. Contact D3 to obtain access.

Implementation

Python

Command Category

System Utility

Tags

INCIDENT TIMELINE

Inputs

Parameter Name

Required/Optional

Description

Sample Data

Incident Number

Required

The incident number corresponding to an incident to which the timeline entry will be added.

20240223-1

Time

Optional

The specific date and time when the event associated with the timeline entry occurred, adjusted to the incident's time zone.

2024-05-15 14:32:00

Note

Optional

Additional remarks or important information related to the timeline entry that may provide context or insights.

Initial detection through network monitoring tools.

Event Type

Optional

The category or classification of the event within the incident, indicating the nature of the activity.

Unauthorized Access

Tactic & Technique

Optional

The strategic approach and specific methods used in the incident, aligned with recognized frameworks for categorizing cyber threats.

Collection / Data from Local System

Risk

Optional

The severity or potential impact of the event, typically classified into categories such as ZeroRisk, Low, Medium, High, or N/A

High

Description

Optional

A detailed account or explanation of the event, providing in-depth information about what occurred.

An unknown actor accessed the system through a vulnerable web application, exploiting a SQL injection flaw to gain unauthorized access.

Summary

Optional

A concise overview of the event, highlighting key points and essential details without going into extensive detail.

SQL injection attack detected, leading to unauthorized access and data exposure.

Output

Return Data

The returned result of this command. If some required parameters are not defined, this returned data could be empty. The returned result can be passed down directly to a subsequent command in playbooks.

SAMPLE DATA

JSON 
{
    "Status": "Successful",
    "Data": {
        "TimelineID": 39
    }
}

Remote Command API

The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.

Request

POST

CODE 
https://{base_url}/{api_namespace}/api/Command/AddIncidentTimelineEntry

Headers

Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.

Request Body

JSON 
{
  "Username": <Username here>,
  "Site": <Site here>,
  "CommandParams": {
    "Incident Number": <Incident Number here>,
    "Time": <Time here>,
    "Note": <Note here>,
    "Event Type": <Event Type here>,
    "Tactic & Technique": <Tactic & Technique here>,
    "Risk": <here>,
    "Description": <Description here>,
    "Summary": <Summary here>
  }
}

Body Parameters

Parameter Name

Type

Required/Optional

Description

Username

string

Required

The username of your D3 SOAR account.

Site

string

Required

The D3 SOAR site to run the remote command.

Incident Number

string

Required

The incident number for which the timeline entries will be retrieved.

Time

string

Optional

The specific date and time when the event associated with the timeline entry occurred, adjusted to the incident's time zone.

Note

string

Optional

Additional remarks or important information related to the timeline entry that may provide context or insights.

Event Type

string

Optional

The category or classification of the event within the incident, indicating the nature of the activity.

Tactic & Technique

string

Optional

The strategic approach and specific methods used in the incident, aligned with recognized frameworks for categorizing cyber threats.

Risk

string

Optional

The severity or potential impact of the event, typically classified into categories such as ZeroRisk, Low, Medium, High, or N/A.

Description

string

Optional

A detailed account or explanation of the event, providing in-depth information about what occurred.

Summary

string

Optional

A concise overview of the event, highlighting key points and essential details without going into extensive detail.

Sample Request

SAMPLE DATA

JSON 
{
  "Username": "<Username here>",
  "Site": "Security Operations",
  "CommandParams": {
    "Incident Number": "20240223-1",
    "Time": "2024-05-15 14:32:00",
    "Note": "Initial detection through network monitoring tools.",
    "Event Type": "Unauthorized Access",
    "Tactic & Technique": "Collection / Data from Local System",
    "Risk": "High",
    "Description": "An unknown actor accessed the system through a vulnerable web application, exploiting a SQL injection flaw to gain unauthorized access.",
    "Summary": "SQL injection attack detected, leading to unauthorized access and data exposure."
  }
}

Response

Response Fields

Field Name

Type

Description

error

string

The error message if the API request has failed.

returnData

JSON Object

The return data from the API request.

Sample Response

JSON 
{
    "error": "",
    "returnData": {
      "Status": "Successful",
      "Data": {
        "TimelineID": 39
      }
    }
}
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close