Add Investigation Details
LAST UPDATED: AUG 06, 2024
Add details to an incident investigation with HTML rich text. Optionally add IOA or IOC details via JSON format.
Property | Value |
---|---|
Implementation | System |
Command Category | System Utility |
Tags | INCIDENT |
Inputs
Parameter Name | Required/Optional | Description | Sample Data |
---|---|---|---|
Incident Number | Required | The incident number to add investigation details to. | 20221207-11 |
Investigation Section | Required | The section to add the investigation details to. | Findings: IOA (Indicator of Attack) |
Investigation Detail Content | Required | The investigation details in HTML rich text. | This is an IOA. |
Investigation Detail in JSON | Optional | Optional JSON field for creating an IOA and IOCs. The IOA and IOCs created will be displayed in link analysis. | A JSON object (see the Sample Request below). |
Editing Type | Required | Choose whether to add a new investigation detail or overwrite all existing details. | Overwrite |
Output
Remote Command API
The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.
Request
POST
https://{base_url}/{api_namespace}/api/Command/AddInvestigationDetails
Headers
Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.
Request Body
```json
{
  "Username": "<Username here>",
  "Site": "<Site here>",
  "CommandParams": {
    "Incident Number": "<Incident Number here>",
    "Investigation Section": "<Investigation Section here>",
    "Investigation Detail Content": "<Investigation Detail Content here>",
    "Investigation Detail in JSON": "<Investigation Detail in JSON here>",
    "Editing Type": "<Editing Type here>"
  }
}
```
Body Parameters
Parameter Name | Type | Required/Optional | Description |
---|---|---|---|
Username | | Required | The username of your D3 SOAR account. |
Site | | Required | The D3 SOAR site to run the remote command. |
Incident Number | | Required | The incident number to add investigation details to. |
Investigation Section | | Required | The section to add the investigation details to. |
Investigation Detail Content | | Required | The investigation details in HTML rich text. |
Investigation Detail in JSON | | Optional | Optional JSON field for creating an IOA and IOCs. The IOA and IOCs created will be displayed in link analysis. |
Editing Type | | Required | Choose whether to add a new investigation detail or overwrite all existing details. |
Sample Request
```json
{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Incident Number": "20221207-11",
    "Investigation Section": "Findings: IOA (Indicator of Attack)",
    "Investigation Detail Content": "This is an IOA.",
    "Investigation Detail in JSON": {
      "Name": "The fake invoice scam",
      "Type": "Phishing email",
      "DetectedUtcTime": "2023-04-12T12:00:00",
      "RelationData": [
        {
          "Type": "Relationship",
          "Direction": "BiDirectional",
          "Label": "Attack",
          "Properties": {
            "property1": "value1",
            "property2": "value2"
          },
          "Start": {
            "Type": "Artifact",
            "Subtype": "Username",
            "Name": "Sample User A",
            "Properties": {
              "property1": "value1",
              "property2": "value2"
            }
          },
          "End": {
            "Type": "Artifact",
            "Subtype": "Username",
            "Name": "Sample User B",
            "Properties": {
              "property1": "value1",
              "property2": "value2"
            }
          }
        },
        {
          "Type": "Relationship",
          "Direction": "Reverse",
          "Label": "Attack",
          "Properties": {
            "property1": "value1",
            "property2": "value2"
          },
          "Start": [
            {
              "Type": "Artifact",
              "Subtype": "Host Name",
              "Name": "Host Name A",
              "Properties": {
                "property1": "value1",
                "property2": "value2"
              }
            }
          ],
          "End": [
            {
              "Type": "Artifact",
              "Subtype": "Host Name",
              "Name": "Host Name B",
              "Properties": {
                "property1": "value1",
                "property2": "value2"
              }
            }
          ]
        }
      ]
    },
    "Editing Type": "Overwrite"
  }
}
```
Response
Response Fields
Field Name | Type | Description |
---|---|---|
error | | The error message if the API request has failed. |
returnData | | The return data from the API request. |
contextData | | The context data from the API request. |
Sample Response
```json
{
  "error": "",
  "returnData": "Successful",
  "contextData": "[
    {
      "ID": 30,
      "IncidentId": 25,
      "TypeId": 201,
      "Creator": 1,
      "LastModifiedBy": 1,
      "CreatedUtcTime": "2023-04-11T21:18:47.460",
      "CreatedTime": "2023-04-11T22:18:00",
      "LastModifiedUtcTime": "2023-04-13T22:19:04.513",
      "LastModifiedTime": "2023-04-13T23:19:00",
      "InvestigationDetail": [
        {
          "ID": 112,
          "InvestigationId": 30,
          "AddedBy": 1,
          "LastModifiedBy": 1,
          "RuntimeTaskId": -1,
          "Content": "<p>This is an IOA 22. </p>",
          "Data": "{\n \"Name\":\"The fake invoice scam\",\n \"Type\":\"Phishing email\",\n \"DetectedUtcTime\":\"2023-04-12T12:00:00\",\n \"RelationData\":[\n {\n \"Type\":\"Relationship\",\n \"Direction\":\"BiDirectional\",\n \"Label\":\"Attack\",\n \"Properties\":{\n \"property1\":\"value1\",\n \"property2\":\"value2\"\n },\n \"Start\":{\n \"Type\":\"Artifact\",\n \"Subtype\":\"Username\",\n \"Name\":\"Sample User A\",\n \"Properties\":{\n \"property1\":\"value1\",\n \"property2\":\"value2\"\n }\n },\n \"End\":{\n \"Type\":\"Artifact\",\n \"Subtype\":\"Username\",\n \"Name\":\"Sample User B\",\n \"Properties\":{\n \"property1\":\"value1\",\n \"property2\":\"value2\"\n }\n }\n },\n {\n \"Type\":\"Relationship\",\n \"Direction\":\"Reverse\",\n \"Label\":\"Attack\",\n \"Properties\":{\n \"property1\":\"value1\",\n \"property2\":\"value2\"\n },\n \"Start\":[\n {\n \"Type\":\"Artifact\",\n \"Subtype\":\"Host Name\",\n \"Name\":\"Host Name A\",\n \"Properties\":{\n \"property1\":\"value1\",\n \"property2\":\"value2\"\n }\n }\n ],\n \"End\":[\n {\n \"Type\":\"Artifact\",\n \"Subtype\":\"Host Name\",\n \"Name\":\"Host Name B\",\n \"Properties\":{\n \"property1\":\"value1\",\n \"property2\":\"value2\"\n }\n }\n ]\n }\n ]\n}",
          "Type": 0,
          "CreatedUtcTime": "2023-04-13T22:19:04.513",
          "CreatedTime": "2023-04-13T23:19:00",
          "LastModifiedUtcTime": "2023-04-13T22:19:04.513",
          "LastModifiedTime": "2023-04-13T23:19:00",
          "IsDeleted": false,
          "IndicatorGuid": ""
        }
      ]
    }
  ]"
}
```
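As an added example (not D3's own code), a small Python helper that assembles the request body described above, escapes detail content that originates in untrusted data so it is rendered as text rather than HTML, and pulls the IOA objects back out of a response, decoding the double-encoded contextData and Data strings seen in the sample response. The endpoint path and field names come from this page; the set of accepted Direction values and the sample response are assumptions modelled on the page's examples.

```python
import html
import json

# Directions seen in the page's sample request; anything beyond that is an assumption.
DIRECTIONS = {"BiDirectional", "Reverse"}

def artifact(subtype, name, **props):
    """One endpoint of a RelationData edge, shaped like the sample request's nodes."""
    return {"Type": "Artifact", "Subtype": subtype, "Name": name, "Properties": props}

def relationship(start, end, label="Attack", direction="BiDirectional", **props):
    """One RelationData edge between two artifacts (shown in link analysis)."""
    if direction not in DIRECTIONS:
        raise ValueError(f"unsupported Direction: {direction}")
    return {"Type": "Relationship", "Direction": direction, "Label": label,
            "Properties": props, "Start": start, "End": end}

def build_request(username, site, incident, section, content, ioa=None,
                  editing_type="Overwrite", trusted_html=False):
    """Body for POST .../api/Command/AddInvestigationDetails. Content is rendered as
    HTML rich text, so text taken from untrusted data (a mail subject, a hostname)
    is escaped unless the caller explicitly vouches for it as HTML."""
    if not trusted_html:
        content = f"<p>{html.escape(content)}</p>"
    params = {"Incident Number": incident, "Investigation Section": section,
              "Investigation Detail Content": content, "Editing Type": editing_type}
    if ioa is not None:
        params["Investigation Detail in JSON"] = ioa
    return {"Username": username, "Site": site, "CommandParams": params}

def parse_ioas(raw_response):
    """Recover IOA objects from a response. In the page's sample, contextData is a JSON
    string and each detail's Data is a JSON string again, so both layers are decoded."""
    resp = json.loads(raw_response)
    if resp.get("error"):
        raise RuntimeError(resp["error"])
    ctx = resp["contextData"]
    ioas = []
    for inv in (json.loads(ctx) if isinstance(ctx, str) else ctx):
        for detail in inv.get("InvestigationDetail", []):
            data = detail.get("Data")
            if data:
                ioas.append(json.loads(data) if isinstance(data, str) else data)
    return ioas

# Constructed response modelled on the page's sample, with contextData escaped as a string.
SAMPLE_IOA = {"Name": "The fake invoice scam", "Type": "Phishing email", "RelationData": [
    relationship(artifact("Username", "Sample User A"), artifact("Username", "Sample User B"))]}
SAMPLE_RESPONSE = json.dumps({"error": "", "returnData": "Successful", "contextData": json.dumps(
    [{"ID": 30, "InvestigationDetail": [{"ID": 112, "Data": json.dumps(SAMPLE_IOA)}]}])})
```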