.png)
Add Tactics & Techniques To Events
LAST UPDATED: AUG 19, 2024
Apply tactics/techniques to events
Implementation | System |
Command Category | Cyber Utility |
Tags | EVENT TACTICS & TECHNIQUES |
Inputs
Parameter Name | Required/Optional | Description | Sample Data |
|---|---|---|---|
Event IDs | Required | The ID of events to which the tactics and techniques will be added |
CODE
|
Tactics | Required | Tactics to set to the specified events |
CODE
|
Techniques | Required | Techniques to set to the specified events |
CODE
|
Output
Remote Command API
The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.
Request
POST
{
"Username": "Admin",
"Site": "Security Operations",
"CommandParams": {
"Event IDs": [
60250,
60251
],
"Tactics": [
"Initial Access",
"TA0002",
"TA0003"
],
"Techniques": [
"Valid Accounts: Cloud Accounts",
"T1569",
"Traffic Signaling: Port Knocking"
]
}
}Headers
Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.
Request Body
{
"Username": <Username here>,
"Site": <Site here>,
"CommandParams": {
"Event IDs": <Event IDs here>,
"Tactics": <Tactics here>,
"Techniques": <Techniques here>
}
}Body Parameters
Parameter Name | Type | Required/Optional | Description |
|---|---|---|---|
Username |
| Required | The username of your D3 SOAR account. |
Site |
| Required | The D3 SOAR site to run the remote command. |
Event IDs |
| Required | The ID of events to which the tactics and techniques will be added |
Tactics |
| Required | Tactics to set to the specified events |
Techniques |
| Required | Techniques to set to the specified events |
Sample Request
SAMPLE DATA
{
"Username": "Admin",
"Site": "Security Operations",
"CommandParams": {
"Event IDs": [
60250,
60251
],
"Tactics": [
"Initial Access",
"TA0002",
"TA0003"
],
"Techniques": [
"Valid Accounts: Cloud Accounts",
"T1569",
"Traffic Signaling: Port Knocking"
]
}
}Response
Response Fields
Field Name | Type | Description |
|---|---|---|
error |
| The error message if the API request has failed. |
returnData |
| The return data from the API request. |
contextData |
| The context data from the API request. |
Sample Response
{
"error": "",
"returnData": "Successful",
"contextData": [
{
"EventId": 60250,
"techniques": [
{
"TacticId": "7FF86A9E-205A-E911-80CE-64006A25830F",
"TacticName": "Persistence",
"TechniqueId": "C395F016-2E88-EB11-B54B-1062E50C63BF",
"TechniqueName": "Traffic Signaling: Port Knocking"
},
{
"TacticId": "7DF86A9E-205A-E911-80CE-64006A25830F",
"TacticName": "Initial Access",
"TechniqueId": "F095F016-2E88-EB11-B54B-1062E50C63BF",
"TechniqueName": "Valid Accounts: Cloud Accounts"
},
{
"TacticId": "7FF86A9E-205A-E911-80CE-64006A25830F",
"TacticName": "Persistence",
"TechniqueId": "F095F016-2E88-EB11-B54B-1062E50C63BF",
"TechniqueName": "Valid Accounts: Cloud Accounts"
},
{
"TacticId": "7EF86A9E-205A-E911-80CE-64006A25830F",
"TacticName": "Execution",
"TechniqueId": "0D96F016-2E88-EB11-B54B-1062E50C63BF",
"TechniqueName": "System Services"
}
]
},
{
"EventId": 60251,
"techniques": [
{
"TacticId": "7FF86A9E-205A-E911-80CE-64006A25830F",
"TacticName": "Persistence",
"TechniqueId": "C395F016-2E88-EB11-B54B-1062E50C63BF",
"TechniqueName": "Traffic Signaling: Port Knocking"
},
{
"TacticId": "7DF86A9E-205A-E911-80CE-64006A25830F",
"TacticName": "Initial Access",
"TechniqueId": "F095F016-2E88-EB11-B54B-1062E50C63BF",
"TechniqueName": "Valid Accounts: Cloud Accounts"
},
{
"TacticId": "7FF86A9E-205A-E911-80CE-64006A25830F",
"TacticName": "Persistence",
"TechniqueId": "F095F016-2E88-EB11-B54B-1062E50C63BF",
"TechniqueName": "Valid Accounts: Cloud Accounts"
},
{
"TacticId": "7EF86A9E-205A-E911-80CE-64006A25830F",
"TacticName": "Execution",
"TechniqueId": "0D96F016-2E88-EB11-B54B-1062E50C63BF",
"TechniqueName": "System Services"
}
]
}
]
}