Add Tactics & Techniques to Incident
Add MITRE Tactics and Techniques to current incident.
Reader Note
Please note that this command is only applicable within an incident Playbook.
Property | Value |
---|---|
Implementation | System |
Command Category | System Utility |
Tags | INCIDENT |
Inputs
Parameter Name | Required/Optional | Description | Sample Data |
---|---|---|---|
Tactics | Optional | The array of MITRE tactics to be added to the incident, given as MITRE Tactic IDs or Tactic Names. | |
Techniques | Optional | The array of MITRE techniques to be added to the incident, given as MITRE Technique IDs or Technique Names. | |
Output
Remote Command API
The D3 command API allows you to send requests to D3 SOAR to execute this utility command via the REST API.
Request
POST
https://{base_url}/{api_namespace}/api/Command/AddIncidentTacticTechnique
Headers
Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.
Request Body
```json
{
  "Username": "<Username here>",
  "Site": "<Site here>",
  "CommandParams": {
    "Tactics": "<Tactics here>",
    "Techniques": "<Techniques here>"
  }
}
```
Body Parameters
Parameter Name | Type | Required/Optional | Description |
---|---|---|---|
Username | | Required | The username of your D3 SOAR account. |
Site | | Required | The D3 SOAR site to run the remote command. |
Tactics | | Optional | The array of MITRE tactics to be added to the incident, given as MITRE Tactic IDs or Tactic Names. |
Techniques | | Optional | The array of MITRE techniques to be added to the incident, given as MITRE Technique IDs or Technique Names. |
Sample Request
```json
{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Tactics": [
      "Persistence",
      "Privilege Escalation",
      "TA0005",
      "TA0043",
      "TA0042"
    ],
    "Techniques": [
      "Logon Scripts: Logon Script (Windows)",
      "Valid Accounts: Domain Accounts",
      "T1056.004",
      "Input Capture: Web Portal Capture",
      "Data Manipulation: Stored Data Manipulation"
    ]
  }
}
```
Response
Response Fields
Field Name | Type | Description |
---|---|---|
error | | The error message if the API request has failed. |
returnData | | The return data from the API request. |
contextData | | The context data from the API request. |
Sample Response
```json
{
  "error": "",
  "returnData": "Successful",
  "contextData": "[
    {
      "TacticMid": "TA0003",
      "TacticName": "Persistence",
      "TechniqueMid": "T1078.002",
      "TechniqueName": "Valid Accounts: Domain Accounts"
    },
    {
      "TacticMid": "TA0003",
      "TacticName": "Persistence",
      "TechniqueMid": "T1037.001",
      "TechniqueName": "Logon Scripts: Logon Script (Windows)"
    },
    {
      "TacticMid": "TA0004",
      "TacticName": "Privilege Escalation",
      "TechniqueMid": "T1078.002",
      "TechniqueName": "Valid Accounts: Domain Accounts"
    },
    {
      "TacticMid": "TA0004",
      "TacticName": "Privilege Escalation",
      "TechniqueMid": "T1037.001",
      "TechniqueName": "Logon Scripts: Logon Script (Windows)"
    },
    {
      "TacticMid": "TA0005",
      "TacticName": "Defense Evasion",
      "TechniqueMid": "T1078.002",
      "TechniqueName": "Valid Accounts: Domain Accounts"
    },
    {
      "TacticMid": "TA0042",
      "TacticName": "Resource Development",
      "TechniqueMid": "",
      "TechniqueName": "Unmapped"
    },
    {
      "TacticMid": "TA0043",
      "TacticName": "Reconnaissance",
      "TechniqueMid": "",
      "TechniqueName": "Unmapped"
    },
    {
      "TacticMid": "TA0040",
      "TacticName": "Impact",
      "TechniqueMid": "T1565.001",
      "TechniqueName": "Data Manipulation: Stored Data Manipulation"
    },
    {
      "TacticMid": "TA0006",
      "TacticName": "Credential Access",
      "TechniqueMid": "T1056.003",
      "TechniqueName": "Input Capture: Web Portal Capture"
    },
    {
      "TacticMid": "TA0009",
      "TacticName": "Collection",
      "TechniqueMid": "T1056.004",
      "TechniqueName": "Input Capture: Credential API Hooking"
    },
    {
      "TacticMid": "TA0006",
      "TacticName": "Credential Access",
      "TechniqueMid": "T1056.004",
      "TechniqueName": "Input Capture: Credential API Hooking"
    },
    {
      "TacticMid": "TA0009",
      "TacticName": "Collection",
      "TechniqueMid": "T1056.003",
      "TechniqueName": "Input Capture: Web Portal Capture"
    }
  ]"
}
```
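A small client for the request and response described above, added here as an example (it is not D3's own code). It validates the shape of any ATT&CK IDs before the call, posts the documented body, and decodes contextData, which the sample shows as a JSON-encoded string, to report which tactics came back Unmapped. The `X-API-Key` header name is an assumption; the embedded sample response is constructed from the one shown on this page.

```python
import json
import re
import urllib.request
TACTIC_ID = re.compile(r"^TA\d{4}$")              # e.g. TA0005
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")  # e.g. T1056.004

def _check_ids(values, pattern, kind):
    """Reject malformed IDs before the call; plain names pass through for D3 to resolve."""
    for value in values:
        if re.match(r"^TA?\d", value) and not pattern.match(value):
            raise ValueError(f"malformed MITRE {kind} ID: {value!r}")
    return list(values)

def build_request_body(username, site, tactics=(), techniques=()):
    """Assemble the documented request body for AddIncidentTacticTechnique."""
    return {"Username": username, "Site": site, "CommandParams": {
        "Tactics": _check_ids(tactics, TACTIC_ID, "tactic"),
        "Techniques": _check_ids(techniques, TECHNIQUE_ID, "technique")}}

def send(base_url, api_namespace, api_key, body, timeout=30):
    """POST to D3 SOAR. The X-API-Key header name is an assumption, not from the page."""
    req = urllib.request.Request(
        f"{base_url}/{api_namespace}/api/Command/AddIncidentTacticTechnique",
        data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json", "X-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())

def parse_context_data(response):
    """Return the mapping rows; the documented sample carries contextData as a JSON string."""
    if response.get("error"):
        raise RuntimeError(f"D3 SOAR error: {response['error']}")
    ctx = response.get("contextData") or []
    return json.loads(ctx) if isinstance(ctx, str) else ctx

def summarize(rows):
    """Group technique IDs by tactic and list tactics D3 reported as Unmapped."""
    by_tactic, unmapped = {}, []
    for row in rows:
        if row["TechniqueMid"]:
            by_tactic.setdefault((row["TacticMid"], row["TacticName"]), set()).add(row["TechniqueMid"])
        else:
            unmapped.append(row["TacticMid"])
    return by_tactic, sorted(unmapped)

# Constructed from the documented sample response, trimmed to two rows.
SAMPLE_RESPONSE = {"error": "", "returnData": "Successful", "contextData": json.dumps([
    {"TacticMid": "TA0003", "TacticName": "Persistence", "TechniqueMid": "T1078.002", "TechniqueName": "Valid Accounts: Domain Accounts"},
    {"TacticMid": "TA0042", "TacticName": "Resource Development", "TechniqueMid": "", "TechniqueName": "Unmapped"}])}
```

Wire `send(...)` to `build_request_body(...)` for a live call; the Unmapped list from `summarize` is the check worth surfacing in a playbook, since a tactic added without any technique carries no detail an analyst can act on.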