Link Incidents With Related Artifacts
Link incidents that have related artifacts in three steps. First, search for the relevant artifacts by their type and/or name. With the relevant artifacts identified, specify whether incidents should be linked only if they have the exact set of artifacts or if they share any of the artifacts. Lastly, refine the selection by filtering the relevant incidents by site, status and time range, and by limiting the number of incidents linked.
Reader Note
Please note that this command is only applicable within an incident Playbook.
Implementation | System |
---|---|
Command Category | System Utility |
Tags | INCIDENT, INCIDENT LINKING |
Inputs
Parameter Name | Required/Optional | Description | Sample Data |
---|---|---|---|
Artifact Types | Optional | Specify the types of artifacts you want to search for. | |
Artifact Names | Optional | Specify the names of the artifacts you want to search for. | |
Incident Link Criteria | Optional | Define how incidents are linked when matching artifacts are found. Any Artifact Match: link incidents if they share any of the artifacts. Exact Artifact Match: link incidents only if they share the exact set of artifacts. | |
Incident Sites | Optional | Specify the array of sites the system should search for related incidents. If the incident belongs to an internal site, only the internal sites within the array are searched. If the incident belongs to a client site, only that client site within the array is searched. If no sites are specified, the system searches according to the site of the incident. | |
Incident Status | Optional | Select the status of the incidents you want to search for. | |
Incident Time Range | Optional | Define the time range of the incidents you want to search for. The time range refers to the "Date Created" field of an incident. | |
Limit | Optional | Set the maximum number of linked incidents. If no limit is set, or the limit is greater than 50, only 50 incidents that meet the above conditions will be linked. | |
Order | Optional | The order (ascending/descending) determines whether the system links incidents from the lowest ID to the highest or from the highest to the lowest, up to the limit. By default, IDs are in descending order. | |
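As an added example (not D3's own code), the following Python models the three-step selection described above so that the set of incidents a given parameter combination would link can be checked offline. The incident class, the "YYYYMMDD-seq" case-number format and the reading of Exact Artifact Match as "the candidate holds every relevant artifact" are assumptions; the sample incidents are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"   # timestamp format used by "Incident Time Range"
MAX_LINKED = 50             # the command never links more than 50 incidents

@dataclass(frozen=True)
class Incident:
    case_number: str        # assumed "YYYYMMDD-seq" format, e.g. "20230612-8"
    site: str
    status: str
    created: datetime       # the incident's "Date Created"
    artifacts: frozenset    # of (artifact_type, artifact_name) pairs

def incident(case_number, site, status, created, *artifacts):
    # Build a constructed sample incident from plain values
    return Incident(case_number, site, status,
                    datetime.strptime(created, FMT), frozenset(artifacts))

def _id_key(inc):
    day, seq = inc.case_number.split("-")
    return (day, int(seq))  # numeric sequence so "-10" sorts after "-9"

def link_related(source, candidates, artifact_types=(), artifact_names=(),
                 criteria="Any Artifact Match", sites=(), status=None,
                 time_range=None, limit=None, order="Descending"):
    """Return the case numbers the command would link to `source`, in link order."""
    # Step 1: relevant artifacts are the source's artifacts matching the type/name filters
    relevant = {(t, n) for t, n in source.artifacts
                if (not artifact_types or t in artifact_types)
                and (not artifact_names or n in artifact_names)}
    if not relevant:
        return []
    # Step 2: link criteria (assumed: "exact" = candidate holds every relevant artifact)
    matches = ((lambda inc: relevant <= inc.artifacts) if criteria == "Exact Artifact Match"
               else (lambda inc: bool(inc.artifacts & relevant)))
    # Step 3: refine by site (defaults to the source's own site), status and time range
    allowed_sites = set(sites) or {source.site}
    start = end = None
    if time_range and time_range.get("timeRangeType") == "custom range":
        start = datetime.strptime(time_range["startTime"], FMT)
        end = datetime.strptime(time_range["endTime"], FMT)
    hits = [inc for inc in candidates
            if inc.case_number != source.case_number and matches(inc)
            and inc.site in allowed_sites
            and (status is None or inc.status == status)
            and (start is None or start <= inc.created <= end)]
    hits.sort(key=_id_key, reverse=(order == "Descending"))
    cap = min(limit or MAX_LINKED, MAX_LINKED)  # unset or >50 collapses to 50
    return [inc.case_number for inc in hits[:cap]]
```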
Output
Remote Command API
The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.
Request
POST
https://{base_url}/{api_namespace}/api/Command/LinkArtifactsRelatedIncidents
Headers
Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.
Request Body
{
    "Username": "<Username here>",
    "Site": "<Site here>",
    "CommandParams": {
        "Artifact Types": "<Artifact Types here>",
        "Artifact Names": "<Artifact Names here>",
        "Incident Link Criteria": "<Incident Link Criteria here>",
        "Incident Sites": "<Incident Sites here>",
        "Incident Status": "<Incident Status here>",
        "Incident Time Range": "<Incident Time Range here>",
        "Limit": "<Limit here>",
        "Order": "<Order here>"
    }
}
Body Parameters
Parameter Name | Type | Required/Optional | Description |
---|---|---|---|
Username | | Required | The username of your D3 SOAR account. |
Site | | Required | The D3 SOAR site to run the remote command. |
Artifact Types | | Optional | Specify the types of artifacts you want to search for. |
Artifact Names | | Optional | Specify the names of the artifacts you want to search for. |
Incident Link Criteria | | Optional | Define how incidents are linked when matching artifacts are found. Any Artifact Match: link incidents if they share any of the artifacts. Exact Artifact Match: link incidents only if they share the exact set of artifacts. |
Incident Sites | | Optional | Specify the array of sites the system should search for related incidents. If the incident belongs to an internal site, only the internal sites within the array are searched. If the incident belongs to a client site, only that client site within the array is searched. If no sites are specified, the system searches according to the site of the incident. |
Incident Status | | Optional | Select the status of the incidents you want to search for. |
Incident Time Range | | Optional | Define the time range of the incidents you want to search for. The time range refers to the "Date Created" field of an incident. |
Limit | | Optional | Set the maximum number of linked incidents. If no limit is set, or the limit is greater than 50, only 50 incidents that meet the above conditions will be linked. |
Order | | Optional | The order (ascending/descending) determines whether the system links incidents from the lowest ID to the highest or from the highest to the lowest, up to the limit. By default, IDs are in descending order. |
Sample Request
{
    "Username": "Admin",
    "Site": "Security Operations",
    "CommandParams": {
        "Artifact Types": [
            "URL"
        ],
        "Artifact Names": [
            "www.example.com"
        ],
        "Incident Link Criteria": "Exact Artifact Match",
        "Incident Sites": [
            "Security Operations"
        ],
        "Incident Status": "Closed",
        "Incident Time Range": {
            "timeRangeType": "custom range",
            "startTime": "2020-06-04 23:02:11",
            "endTime": "2020-07-04 23:02:11"
        },
        "Limit": 50,
        "Order": "Descending"
    }
}
Response
Response Fields
Field Name | Type | Description |
---|---|---|
error | | The error message if the API request has failed. |
returnData | | The return data from the API request. |
contextData | | The context data from the API request. |
Sample Response
{
    "error": "",
    "returnData": [
        "20230612-8"
    ],
    "contextData": [
        {
            "Artifact Name": "www.example.com",
            "Artifact Type": "URL",
            "Incident Case Number": "20230612-8"
        }
    ]
}