Skip to main content
Skip table of contents

Add Investigation Details

LAST UPDATED: AUG 06, 2024

Add details to an incident investigation with HTML rich text. Optionally add IOA or IOC details via JSON format.

Implementation

System

Command Category

System Utility

Tags

INCIDENT

Inputs

Parameter Name

Required/Optional

Description

Sample Data

Incident Number

Required

The incident number to add investigation details to.

20221207-11

Investigation Section

Required

The section to add the investigation details to.

Findings: IOA (Indicator of Attack)

Investigation Detail Content

Required

The investigation details in HTML rich text.

This is an IOA.

Investigation Detail in JSON

Optional

Optional JSON field for creating IOA and IOCs. The IOA and IOCs created will be displayed in link analysis.

CODE
{
    "Name": "The fake invoice scam",
    "Type": "Phishing email",
    "DetectedUtcTime": "2023-04-12T12:00:00",
    "RelationData": [
        {
            "Type": "Relationship",
            "Direction": "BiDirectional",
            "Label": "Attack",
            "Properties": {
                "property1": "value1",
                "property2": "value2"
            },
            "Start": {
                "Type": "Artifact",
                "Subtype": "Username",
                "Name": "Sample User A",
                "Properties": {
                    "property1": "value1",
                    "property2": "value2"
                }
            },
            "End": {
                "Type": "Artifact",
                "Subtype": "Username",
                "Name": "Sample User B",
                "Properties": {
                    "property1": "value1",
                    "property2": "value2"
                }
            }
        },
        {
            "Type": "Relationship",
            "Direction": "Reverse",
            "Label": "Attack",
            "Properties": {
                "property1": "value1",
                "property2": "value2"
            },
            "Start": [
                {
                    "Type": "Artifact",
                    "Subtype": "Host Name",
                    "Name": "Host Name A",
                    "Properties": {
                        "property1": "value1",
                        "property2": "value2"
                    }
                }
            ],
            "End": [
                {
                    "Type": "Artifact",
                    "Subtype": "Host Name",
                    "Name": "Host Name B",
                    "Properties": {
                        "property1": "value1",
                        "property2": "value2"
                    }
                }
            ]
        }
    ]
}

Editing Type

Required

Choose whether to add a new investigation detail or overwrite all existing details.

Overwrite

Output

Return Data

The returned result of this command. If some required parameters are not defined, this returned data could be empty. The returned result can be passed down directly to a subsequent command in playbooks.

CODE
Successful
Context Data

The response data from the utility command.

CODE
[
    {
        "ID": 30,
        "IncidentId": 25,
        "TypeId": 201,
        "Creator": 1,
        "LastModifiedBy": 1,
        "CreatedUtcTime": "2023-04-11T21:18:47.460",
        "CreatedTime": "2023-04-11T22:18:00",
        "LastModifiedUtcTime": "2023-04-13T22:19:04.513",
        "LastModifiedTime": "2023-04-13T23:19:00",
        "InvestigationDetail": [
            {
                "ID": 112,
                "InvestigationId": 30,
                "AddedBy": 1,
                "LastModifiedBy": 1,
                "RuntimeTaskId": -1,
                "Content": "<p>This is an IOA 22.&nbsp;</p>",
                "Data": "{\n    \"Name\":\"The fake invoice scam\",\n    \"Type\":\"Phishing email\",\n    \"DetectedUtcTime\":\"2023-04-12T12:00:00\",\n    \"RelationData\":[\n        {\n            \"Type\":\"Relationship\",\n            \"Direction\":\"BiDirectional\",\n            \"Label\":\"Attack\",\n            \"Properties\":{\n                \"property1\":\"value1\",\n                \"property2\":\"value2\"\n            },\n            \"Start\":{\n                \"Type\":\"Artifact\",\n                \"Subtype\":\"Username\",\n                \"Name\":\"Sample User A\",\n                \"Properties\":{\n                    \"property1\":\"value1\",\n                    \"property2\":\"value2\"\n                }\n            },\n            \"End\":{\n                \"Type\":\"Artifact\",\n               \"Subtype\":\"Username\",\n                \"Name\":\"Sample User B\",\n                \"Properties\":{\n                    \"property1\":\"value1\",\n                    \"property2\":\"value2\"\n                }\n            }\n        },\n        {\n            \"Type\":\"Relationship\",\n            \"Direction\":\"Reverse\",\n            \"Label\":\"Attack\",\n            \"Properties\":{\n                \"property1\":\"value1\",\n                \"property2\":\"value2\"\n            },\n            \"Start\":[\n                {\n                    \"Type\":\"Artifact\",\n                    \"Subtype\":\"Host Name\",\n                    \"Name\":\"Host Name A\",\n                    \"Properties\":{\n                        \"property1\":\"value1\",\n                        \"property2\":\"value2\"\n                    }\n                }\n            ],\n            \"End\":[\n                {\n                    \"Type\":\"Artifact\",\n                    \"Subtype\":\"Host Name\",\n                    \"Name\":\"Host Name B\",\n                    \"Properties\":{\n                        \"property1\":\"value1\",\n                        \"property2\":\"value2\"\n                    }\n                }\n            ]\n        }\n    ]\n}",
                "Type": 0,
                "CreatedUtcTime": "2023-04-13T22:19:04.513",
                "CreatedTime": "2023-04-13T23:19:00",
                "LastModifiedUtcTime": "2023-04-13T22:19:04.513",
                "LastModifiedTime": "2023-04-13T23:19:00",
                "IsDeleted": false,
                "IndicatorGuid": ""
            }
        ]
    }
]

Remote Command API

The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.

Request

POST

CODE
https://{base_url}/{api_namespace}/api/Command/AddInvestigationDetails

Headers

Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.

Request Body

CODE
{
  "Username": "<Username here>",
  "Site": "<Site here>",
  "CommandParams": {
    "Incident Number": "<Incident Number here>",
    "Investigation Section": "<Investigation Section here>",
    "Investigation Detail Content": "<Investigation Detail Content here>",
    "Investigation Detail in JSON": "<Investigation Detail in JSON here>",
    "Editing Type": "<Editing Type here>"
  }
}

Body Parameters

Parameter Name

Type

Required/Optional

Description

Username

string

Required

The username of your D3 SOAR account.

Site

string

Required

The D3 SOAR site to run the remote command.

Incident Number

string

Required

The incident number to add investigation details to.

Investigation Section

string

Required

The section to add the investigation details to.

Investigation Detail Content

string

Required

The investigation details in HTML rich text.

Investigation Detail in JSON

JSON Object

Optional

Optional JSON field for creating IOA and IOCs. The IOA and IOCs created will be displayed in link analysis.

Editing Type

string

Required

Choose whether to add a new investigation detail or overwrite all existing details.

Sample Request

SAMPLE DATA

CODE
{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Incident Number": "20221207-11",
    "Investigation Section": "Findings: IOA (Indicator of Attack)",
    "Investigation Detail Content": "This is an IOA.",
    "Investigation Detail in JSON": {
      "Name": "The fake invoice scam",
      "Type": "Phishing email",
      "DetectedUtcTime": "2023-04-12T12:00:00",
      "RelationData": [
        {
          "Type": "Relationship",
          "Direction": "BiDirectional",
          "Label": "Attack",
          "Properties": {
            "property1": "value1",
            "property2": "value2"
          },
          "Start": {
            "Type": "Artifact",
            "Subtype": "Username",
            "Name": "Sample User A",
            "Properties": {
              "property1": "value1",
              "property2": "value2"
            }
          },
          "End": {
            "Type": "Artifact",
            "Subtype": "Username",
            "Name": "Sample User B",
            "Properties": {
              "property1": "value1",
              "property2": "value2"
            }
          }
        },
        {
          "Type": "Relationship",
          "Direction": "Reverse",
          "Label": "Attack",
          "Properties": {
            "property1": "value1",
            "property2": "value2"
          },
          "Start": [
            {
              "Type": "Artifact",
              "Subtype": "Host Name",
              "Name": "Host Name A",
              "Properties": {
                "property1": "value1",
                "property2": "value2"
              }
            }
          ],
          "End": [
            {
              "Type": "Artifact",
              "Subtype": "Host Name",
              "Name": "Host Name B",
              "Properties": {
                "property1": "value1",
                "property2": "value2"
              }
            }
          ]
        }
      ]
    },
    "Editing Type": "Overwrite"
  }
}

Response

Response Fields

Field Name

Type

Description

error

string

The error message if the API request has failed.

returnData

string

The return data from the API request.

contextData

array<JSON Object>

The context data from the API request.

Sample Response

CODE
{
    "error": "",
    "returnData": "Successful",
    "contextData": "[
    {
        "ID": 30,
        "IncidentId": 25,
        "TypeId": 201,
        "Creator": 1,
        "LastModifiedBy": 1,
        "CreatedUtcTime": "2023-04-11T21:18:47.460",
        "CreatedTime": "2023-04-11T22:18:00",
        "LastModifiedUtcTime": "2023-04-13T22:19:04.513",
        "LastModifiedTime": "2023-04-13T23:19:00",
        "InvestigationDetail": [
            {
                "ID": 112,
                "InvestigationId": 30,
                "AddedBy": 1,
                "LastModifiedBy": 1,
                "RuntimeTaskId": -1,
                "Content": "<p>This is an IOA 22.&nbsp;</p>",
                "Data": "{\n    \"Name\":\"The fake invoice scam\",\n    \"Type\":\"Phishing email\",\n    \"DetectedUtcTime\":\"2023-04-12T12:00:00\",\n    \"RelationData\":[\n        {\n            \"Type\":\"Relationship\",\n            \"Direction\":\"BiDirectional\",\n            \"Label\":\"Attack\",\n            \"Properties\":{\n                \"property1\":\"value1\",\n                \"property2\":\"value2\"\n            },\n            \"Start\":{\n                \"Type\":\"Artifact\",\n                \"Subtype\":\"Username\",\n                \"Name\":\"Sample User A\",\n                \"Properties\":{\n                    \"property1\":\"value1\",\n                    \"property2\":\"value2\"\n                }\n            },\n            \"End\":{\n                \"Type\":\"Artifact\",\n               \"Subtype\":\"Username\",\n                \"Name\":\"Sample User B\",\n                \"Properties\":{\n                    \"property1\":\"value1\",\n                    \"property2\":\"value2\"\n                }\n            }\n        },\n        {\n            \"Type\":\"Relationship\",\n            \"Direction\":\"Reverse\",\n            \"Label\":\"Attack\",\n            \"Properties\":{\n                \"property1\":\"value1\",\n                \"property2\":\"value2\"\n            },\n            \"Start\":[\n                {\n                    \"Type\":\"Artifact\",\n                    \"Subtype\":\"Host Name\",\n                    \"Name\":\"Host Name A\",\n                    \"Properties\":{\n                        \"property1\":\"value1\",\n                        \"property2\":\"value2\"\n                    }\n                }\n            ],\n            \"End\":[\n                {\n                    \"Type\":\"Artifact\",\n                    \"Subtype\":\"Host Name\",\n                    \"Name\":\"Host Name B\",\n                    \"Properties\":{\n                        \"property1\":\"value1\",\n                        \"property2\":\"value2\"\n                    }\n                }\n            ]\n        }\n    ]\n}",
                "Type": 0,
                "CreatedUtcTime": "2023-04-13T22:19:04.513",
                "CreatedTime": "2023-04-13T23:19:00",
                "LastModifiedUtcTime": "2023-04-13T22:19:04.513",
                "LastModifiedTime": "2023-04-13T23:19:00",
                "IsDeleted": false,
                "IndicatorGuid": ""
            }
        ]
    }
  ]"
}

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.