Create Events
This command can only be executed within an event or incident playbook. It is an asynchronous command that creates events in the D3 SOAR system from the JSON records passed to it.
Reader Note
Please note that this command is only applicable within an incident playbook.
Implementation | System |
Command Category | System Utility |
Tags | EVENT, EVENT INGESTION |
Inputs
Parameter Name | Required/Optional | Description | Sample Data |
---|---|---|---|
Data | Optional | NOT AVAILABLE. In the sample request, an array of event records (one Office 365 message object each). | JSON |
Site | Optional | NOT AVAILABLE. In the sample request this nested Site ("CSIRT Client") differs from the top-level Site that runs the command. | |
Field Mapping Source | Optional | NOT AVAILABLE. The sample request passes an object with `id` and `name` (`{"id": 101, "name": "Office365 Search"}`), and the created event's `DataSource` field carries that name. | |
Run MITRE TTP Search | Optional | Choose whether the system automatically maps tactics and techniques on newly ingested events. Default value is True. | NO SAMPLE DATA |
Run Event Automation Rules | Optional | Choose whether the system executes Event Automation Rules for dismissal and escalation. Default value is True. | NO SAMPLE DATA |
Output
Remote Command API
The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.
Request
POST
https://{base_url}/{api_namespace}/api/Command/CreateEvents
Headers
Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.
Request Body
{
"Username": <Username here>,
"Site": <Site here>,
"CommandParams": {
"Data": [
{
"id": <ID here>,
"createdDateTime": <Created DateTime here>,
"lastModifiedDateTime": <Last Modified DateTime here>,
"changeKey": <Change Key here>,
"categories": <Categories here>,
"receivedDateTime": <Received DateTime here>,
"sentDateTime": <Sent DateTime here>,
"hasAttachments": <Has Attachments here>,
"internetMessageId": <Internet Message ID here>,
"subject": <Subject here>,
"bodyPreview": <Body Preview here>,
"importance": <Importance here>,
"sender": {
"emailAddress": {
"name": <Sender Name here>,
"address": <Sender Address here>
}
},
"toRecipients": [
{
"emailAddress": {
"name": <Recipient Name here>,
"address": <Recipient Address here>
}
}
]
}
],
"Site": <CommandParams Site here>,
"Field Mapping Source": {
"id": <Field Mapping Source ID here>,
"name": <Field Mapping Source Name here>
},
"Run MITRE TTP Search": <Run MITRE TTP Search here>,
"Run Event Automation Rules": <Run Event Automation Rules here>
}
}
Body Parameters
Parameter Name | Type | Required/Optional | Description |
---|---|---|---|
Username | Text | Required | The username of your D3 SOAR account. |
Site | Text | Required | The D3 SOAR site to run the remote command. |
Data | JSON Array | Optional | NOT AVAILABLE. In the sample request, an array of event records (one Office 365 message object each). |
Site (under CommandParams) | Text | Optional | NOT AVAILABLE. In the sample request it is "CSIRT Client", a different site from the top-level Site. |
Field Mapping Source | JSON Object | Optional | NOT AVAILABLE. The sample request passes `{"id": 101, "name": "Office365 Search"}`, and the created event's `DataSource` field carries that name. |
Run MITRE TTP Search | Boolean | Optional | Choose whether the system automatically maps tactics and techniques on newly ingested events. Default value is True. The sample request passes null, which leaves the default in effect. |
Run Event Automation Rules | Boolean | Optional | Choose whether the system executes Event Automation Rules for dismissal and escalation. Default value is True. The sample request passes null, which leaves the default in effect. |
Sample Request
SAMPLE DATA
{
"Username": "Admin",
"Site": "Security Operations",
"CommandParams": {
"Data": [
{
"id": "AAMkAGEwMTUwYmI5LTdjMTgtNDE2NC05YzRkLTZmY2I2N2_taH4YVAAAAAAEMAAD2UOeEDDdvTIE0MwtaH4YVAAAoqxp3AAA=",
"createdDateTime": "2021-06-01T17:48:19Z",
"lastModifiedDateTime": "2021-07-08T18:08:20Z",
"changeKey": "CQAAABYAAAD2UOeEDDdvTIE0MwtaH4YVAABBspte",
"categories": [],
"receivedDateTime": "2021-06-01T17:48:19Z",
"sentDateTime": "2021-06-01T17:47:55Z",
"hasAttachments": true,
"internetMessageId": "",
"subject": "Report Phishing",
"bodyPreview": "Hong He\r\n\r\nCyber Security System Engineer\r\nD3 Security Management Systems Inc.\r\n\r\nPhone: 1.778.771.3304 ext 107\r\nWebsite: www.d3security.com\r\n\r\n\r\n\r\nDisclaimer: This e-mail may contain confidential information and is intended for the use of the recipient",
"importance": "normal",
"sender": {
"emailAddress": {
"name": "Hong He",
"address": "hhe@d3security.com"
}
},
"toRecipients": [
{
"emailAddress": {
"name": "phish",
"address": "phish@d3cyber.onmicrosoft.com"
}
}
]
}
],
"Site": "CSIRT Client",
"Field Mapping Source": {
"id": 101,
"name": "Office365 Search"
},
"Run MITRE TTP Search": null,
"Run Event Automation Rules": null
}
}
Response
Response Fields
Field Name | Type | Description |
---|---|---|
error | Text | The error message if the API request has failed; empty on success. Check this field before trusting returnData or rawData. |
returnData | Text | The return data from the API request ("true" in the sample response). |
rawData | JSON Array | The raw data from the API request: one object per created event, carrying isNew, eventId, eventGuid and the mapped event record under data. |
Sample Response
{
"error": "",
"returnData": "true",
"rawData": [
{
"isNew": true,
"eventId": 25239,
"eventGuid": "C1E5EC12-9806-EC11-8455-00155DD3E940",
"data": {
"ID": "25239",
"EventData": {
"id": "AAMkAGEwMTUwYmI5LTdjMTgtNDE2NC05YzRkLTZmY2I2N2_taH4YVAAAAAAEMAAD2UOeEDDdvTIE0MwtaH4YVAAAoqxp3AAA=",
"createdDateTime": "2021-06-01T17:48:19Z",
"lastModifiedDateTime": "2021-07-08T18:08:20Z",
"changeKey": "CQAAABYAAAD2UOeEDDdvTIE0MwtaH4YVAABBspte",
"categories": [],
"receivedDateTime": "2021-06-01T17:48:19Z",
"sentDateTime": "2021-06-01T17:47:55Z",
"hasAttachments": true,
"internetMessageId": "<CAJW03479EfcLw8GijLw4bPUDMdy2goOqPRihd2qgPtQNM5PgQg@mail.gmail.com>",
"subject": "Report Phishing",
"bodyPreview": "Hong He\r\n\r\nCyber Security System Engineer\r\nD3 Security Management Systems Inc.\r\n\r\nPhone: 1.778.771.3304 ext 107\r\nWebsite: www.d3security.com\r\n\r\n\r\n\r\nDisclaimer: This e-mail may contain confidential information and is intended for the use of the recipient",
"importance": "normal",
"sender": {
"emailAddress": {
"name": "Hong He",
"address": "hhe@d3security.com"
}
},
"toRecipients": [
{
"emailAddress": {
"name": "phish",
"address": "phish@d3cyber.onmicrosoft.com"
}
}
],
"eventid": "123456"
},
"UtcEventTime": "2021-08-26 18:04:22",
"EventIntakeTime": "2021-08-26 18:04:22",
"EventType": "Email Alerts",
"LogDescription": "Report Phishing",
"OrigRecipient": "",
"Recipient": "phish@d3cyber.onmicrosoft.com",
"OrigSender": "",
"Sender": "hhe@d3security.com",
"Body": "",
"Subject": "Report Phishing",
"Filename": "",
"EventKey": "AAMkAGEwMTUwYmI5LTdjMTgtNDE2NC05YzRkLTZmY2I2N2_taH4YVAAAAAAEMAAD2UOeEDDdvTIE0MwtaH4YVAAAoqxp3AAA=",
"CcRecipients": "",
"FileContent": "",
"EventSource": "Custom",
"DataSource": "Office365 Search",
"EmailAddress": [
{
"EmailAddress": "hhe@d3security.com",
"IsExternal": "1"
}
]
}
}
]
}
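The following is an added example, not code from the D3 SOAR page or from D3 Security. It builds a CreateEvents request body in the shape shown above, posts it to the Remote Command API, and reads the created event IDs back out of the response, failing closed when `error` is set. Two things are assumptions because the page does not state them: the request header that carries the API key (`d3key` here is a placeholder; the real header name is in the Webhook Configuration Guide), and that the endpoint answers with the `error`/`returnData`/`rawData` JSON shown in the Sample Response. The sample event and sample response embedded below are constructed from (and abbreviated versions of) the page's own samples.

```python
"""Added example (not part of the D3 SOAR documentation): build, send and
parse a CreateEvents Remote Command API call.

ASSUMPTIONS: API_KEY_HEADER is a placeholder header name; the endpoint returns
JSON with error/returnData/rawData as in the page's Sample Response.
"""
import json
from typing import Any, Dict, List, Optional, Union
from urllib import request

API_KEY_HEADER = "d3key"  # ASSUMPTION: confirm the header name in the Webhook Configuration Guide


def build_create_events_request(username: str, site: str, events: List[Dict[str, Any]],
                                target_site: Optional[str] = None,
                                field_mapping_source: Optional[Dict[str, Any]] = None,
                                run_mitre_ttp_search: Optional[bool] = None,
                                run_event_automation_rules: Optional[bool] = None) -> Dict[str, Any]:
    """Return the request body. Optional CommandParams are omitted when None so the
    server applies its documented defaults (True for both Run flags)."""
    params: Dict[str, Any] = {"Data": events}
    if target_site is not None:
        params["Site"] = target_site
    if field_mapping_source is not None:
        params["Field Mapping Source"] = field_mapping_source
    if run_mitre_ttp_search is not None:
        params["Run MITRE TTP Search"] = run_mitre_ttp_search
    if run_event_automation_rules is not None:
        params["Run Event Automation Rules"] = run_event_automation_rules
    return {"Username": username, "Site": site, "CommandParams": params}


def parse_create_events_response(body: Union[str, bytes, Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Check `error` first, then return one record per created event from rawData."""
    resp = json.loads(body) if isinstance(body, (str, bytes)) else body
    if resp.get("error"):
        raise RuntimeError(f"CreateEvents failed: {resp['error']}")
    created = []
    for item in resp.get("rawData") or []:
        data = item.get("data") or {}
        created.append({
            "eventId": item["eventId"],
            "eventGuid": item["eventGuid"],
            "isNew": bool(item.get("isNew")),
            "eventKey": data.get("EventKey"),
            "dataSource": data.get("DataSource"),
        })
    return created


def create_events(base_url: str, api_namespace: str, api_key: str,
                  payload: Dict[str, Any], timeout: float = 30.0) -> List[Dict[str, Any]]:
    """POST the body to {base_url}/{api_namespace}/api/Command/CreateEvents and parse the reply."""
    url = f"{base_url.rstrip('/')}/{api_namespace.strip('/')}/api/Command/CreateEvents"
    req = request.Request(url, data=json.dumps(payload).encode("utf-8"), method="POST",
                          headers={"Content-Type": "application/json", API_KEY_HEADER: api_key})
    with request.urlopen(req, timeout=timeout) as resp:  # urlopen validates the TLS certificate by default
        return parse_create_events_response(resp.read())


# Constructed sample input, abbreviated from the page's Office 365 "Report Phishing" record.
SAMPLE_EVENT = {
    "id": "AAMkAGEwMTUwYmI5LTdjMTgtNDE2NC05YzRkLTZmY2I2N2_taH4YVAAAAAAEMAAD2UOeEDDdvTIE0MwtaH4YVAAAoqxp3AAA=",
    "receivedDateTime": "2021-06-01T17:48:19Z",
    "hasAttachments": True,
    "subject": "Report Phishing",
    "importance": "normal",
    "sender": {"emailAddress": {"name": "Hong He", "address": "hhe@d3security.com"}},
    "toRecipients": [{"emailAddress": {"name": "phish", "address": "phish@d3cyber.onmicrosoft.com"}}],
}

# Constructed sample response, abbreviated from the page's Sample Response.
SAMPLE_RESPONSE = json.dumps({
    "error": "",
    "returnData": "true",
    "rawData": [{
        "isNew": True,
        "eventId": 25239,
        "eventGuid": "C1E5EC12-9806-EC11-8455-00155DD3E940",
        "data": {"ID": "25239", "EventType": "Email Alerts", "EventKey": SAMPLE_EVENT["id"],
                 "DataSource": "Office365 Search", "Sender": "hhe@d3security.com"},
    }],
})

if __name__ == "__main__":
    body = build_create_events_request("Admin", "Security Operations", [SAMPLE_EVENT],
                                       target_site="CSIRT Client",
                                       field_mapping_source={"id": 101, "name": "Office365 Search"})
    print(json.dumps(body, indent=2))
    for ev in parse_create_events_response(SAMPLE_RESPONSE):
        print(f"event {ev['eventId']} ({ev['eventGuid']}) new={ev['isNew']} source={ev['dataSource']}")
    # Live call (needs a reachable D3 SOAR instance and a real API key):
    # create_events("https://soar.example.internal", "VSOC", "<api key>", body)
```

Because the command is asynchronous, the `eventId`/`eventGuid` values in `rawData` are what a playbook step should persist if it needs to reference the created events later; `isNew` is reported as returned by the API without interpretation here.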