Add Incident Timeline Entry
LAST UPDATED: SEPT 18, 2024
Adds a new timeline entry to an incident, enhancing its chronological record with key information.
READER NOTE
This utility command is for vSOC versions 16.8 and above. Clients on earlier versions may not have access to this command. Contact D3 to obtain access.
Implementation | Python |
Command Category | System Utility |
Tags | INCIDENT TIMELINE |
Inputs
Parameter Name | Required/Optional | Description | Sample Data |
---|---|---|---|
Incident Number | Required | The incident number corresponding to an incident to which the timeline entry will be added. | 20240223-1 |
Time | Optional | The specific date and time when the event associated with the timeline entry occurred, adjusted to the incident's time zone. | 2024-05-15 14:32:00 |
Note | Optional | Additional remarks or important information related to the timeline entry that may provide context or insights. | Initial detection through network monitoring tools. |
Event Type | Optional | The category or classification of the event within the incident, indicating the nature of the activity. | Unauthorized Access |
Tactic & Technique | Optional | The strategic approach and specific methods used in the incident, aligned with recognized frameworks for categorizing cyber threats. | Collection / Data from Local System |
Risk | Optional | The severity or potential impact of the event, typically classified into categories such as ZeroRisk, Low, Medium, High, or N/A | High |
Description | Optional | A detailed account or explanation of the event, providing in-depth information about what occurred. | An unknown actor accessed the system through a vulnerable web application, exploiting a SQL injection flaw to gain unauthorized access. |
Summary | Optional | A concise overview of the event, highlighting key points and essential details without going into extensive detail. | SQL injection attack detected, leading to unauthorized access and data exposure. |
Output
Remote Command API
The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.
Request
POST
https://{base_url}/{api_namespace}/api/Command/AddIncidentTimelineEntry
Headers
Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.
Request Body
{
"Username": <Username here>,
"Site": <Site here>,
"CommandParams": {
"Incident Number": <Incident Number here>,
"Time": <Time here>,
"Note": <Note here>,
"Event Type": <Event Type here>,
"Tactic & Technique": <Tactic & Technique here>,
"Risk": <here>,
"Description": <Description here>,
"Summary": <Summary here>
}
}
Body Parameters
Parameter Name | Type | Required/Optional | Description |
---|---|---|---|
Username |
| Required | The username of your D3 SOAR account. |
Site |
| Required | The D3 SOAR site to run the remote command. |
Incident Number |
| Required | The incident number for which the timeline entries will be retrieved. |
Time |
| Optional | The specific date and time when the event associated with the timeline entry occurred, adjusted to the incident's time zone. |
Note |
| Optional | Additional remarks or important information related to the timeline entry that may provide context or insights. |
Event Type |
| Optional | The category or classification of the event within the incident, indicating the nature of the activity. |
Tactic & Technique |
| Optional | The strategic approach and specific methods used in the incident, aligned with recognized frameworks for categorizing cyber threats. |
Risk |
| Optional | The severity or potential impact of the event, typically classified into categories such as ZeroRisk, Low, Medium, High, or N/A. |
Description |
| Optional | A detailed account or explanation of the event, providing in-depth information about what occurred. |
Summary |
| Optional | A concise overview of the event, highlighting key points and essential details without going into extensive detail. |
Sample Request
SAMPLE DATA
{
"Username": "<Username here>",
"Site": "Security Operations",
"CommandParams": {
"Incident Number": "20240223-1",
"Time": "2024-05-15 14:32:00",
"Note": "Initial detection through network monitoring tools.",
"Event Type": "Unauthorized Access",
"Tactic & Technique": "Collection / Data from Local System",
"Risk": "High",
"Description": "An unknown actor accessed the system through a vulnerable web application, exploiting a SQL injection flaw to gain unauthorized access.",
"Summary": "SQL injection attack detected, leading to unauthorized access and data exposure."
}
}
Response
Response Fields
Field Name | Type | Description |
---|---|---|
error |
| The error message if the API request has failed. |
returnData |
| The return data from the API request. |
Sample Response
{
"error": "",
"returnData": {
"Status": "Successful",
"Data": {
"TimelineID": 39
}
}
}