
Link Incidents With Related Artifacts

Link incidents that share related artifacts in three steps. First, search for the relevant artifacts by type and/or name. Next, specify whether incidents should be linked only if they contain the exact set of those artifacts or if they share any of them. Lastly, refine the selection by filtering the candidate incidents by site, status and creation time range, and by limiting the number of incidents that are linked.

Reader Note

Please note that this command is only applicable within an incident Playbook.

Implementation

System

Command Category

System Utility

Tags

INCIDENT INCIDENT LINKING

Inputs

Parameter Name

Required/Optional

Description

Sample Data

Artifact Types

Optional

Specify the types of artifacts you want to search for.

CODE
[
    "URL"
]

Artifact Names

Optional

Specify the names of the artifacts you want to search for.

CODE
[
    "www.example.com"
]

Incident Link Criteria

Optional

Define how incidents are linked when matching artifacts are found. Any Artifact Match: Link incidents if they share any of the artifacts. Exact Artifact Match: Link incidents only if they share the exact set of artifacts.

Exact Artifact Match

Incident Sites

Optional

Specify the array of sites in which the system searches for related incidents. If the current incident belongs to an internal site, only the internal sites in the array are searched. If the current incident belongs to a client site, only that client site (if present in the array) is searched. If no sites are specified, the system searches according to the site of the current incident.

CODE
[
    "Security Operations"
]

Incident Status

Optional

Select the status of the incidents you want to search for.

Closed

Incident Time Range

Optional

Define the time range for the incident you want to search for. The time range refers to the "Date Created" field of an incident.

CODE
{
    "timeRangeType": "custom range",
    "startTime": "2020-06-04 23:02:11",
    "endTime": "2020-07-04 23:02:11"
}

Limit

Optional

Set the maximum number of linked incidents. If no limit is set or limit is greater than 50, only 50 incidents that meet the above conditions will be linked.

50

Order

Optional

The order (Ascending/Descending) determines which incidents are linked when more incidents match than the limit allows: Ascending links them from the lowest incident ID upward, Descending from the highest incident ID downward, until the limit is reached. By default, incidents are linked in descending order of IDs.

Descending
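The three steps above (narrow the artifacts, choose the link criteria, then filter, order and cap the candidates) are easier to reason about on concrete data. The following is an added illustration written for this page, not D3 SOAR's implementation, that models the documented rules over constructed incident records. It assumes incidents carry a numeric internal ID that Order sorts on, reads "Exact Artifact Match" as requiring a candidate to share every relevant artifact, and simplifies the site rule to a plain membership test without the internal/client-site distinction.

```python
"""Added illustration (not D3 SOAR's code) of the selection rules documented
above for Link Incidents With Related Artifacts, run over constructed incident
records.  Assumptions: incidents carry a numeric internal ID used for Order, and
the site rule is simplified to a plain membership test (no internal/client split)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime

MAX_LINKED = 50                       # documented cap on linked incidents
DATE_FMT = "%Y-%m-%d %H:%M:%S"        # format used in the Incident Time Range sample


@dataclass(frozen=True)
class Artifact:
    type: str                         # e.g. "URL"
    name: str                         # e.g. "www.example.com"


@dataclass
class Incident:
    internal_id: int                  # assumed numeric ID that Order sorts on
    case_number: str                  # e.g. "20230612-8"
    site: str
    status: str
    date_created: datetime
    artifacts: set[Artifact] = field(default_factory=set)


def relevant_artifacts(current, types=None, names=None):
    """Step 1: the current incident's artifacts narrowed by type and/or name.
    An empty or missing list means no restriction on that attribute."""
    return {a for a in current.artifacts
            if (not types or a.type in types) and (not names or a.name in names)}


def shared_artifacts(candidate, relevant, criteria):
    """Step 2: artifacts a candidate shares; an empty set means 'do not link'."""
    shared = candidate.artifacts & relevant
    if criteria == "Any Artifact Match":
        return shared
    if criteria == "Exact Artifact Match":          # must share every relevant artifact
        return shared if shared == relevant else set()
    raise ValueError(f"unknown Incident Link Criteria: {criteria!r}")


def link_related_incidents(current, candidates, *, artifact_types=None,
                           artifact_names=None, criteria="Exact Artifact Match",
                           sites=None, status=None, time_range=None,
                           limit=None, order="Descending"):
    """Step 3: filter, order and cap.  Returns (Return Data, Context Data)."""
    if order not in ("Ascending", "Descending"):
        raise ValueError(f"unknown Order: {order!r}")
    relevant = relevant_artifacts(current, artifact_types, artifact_names)
    if not relevant:                                # nothing to link on
        return [], []
    search_sites = set(sites) if sites else {current.site}
    window = None
    if time_range:                                  # applies to "Date Created"
        window = (datetime.strptime(time_range["startTime"], DATE_FMT),
                  datetime.strptime(time_range["endTime"], DATE_FMT))
    cap = MAX_LINKED if limit is None or limit > MAX_LINKED else limit
    ordered = sorted(candidates, key=lambda i: i.internal_id,
                     reverse=(order == "Descending"))
    return_data, context_data = [], []
    for inc in ordered:
        if len(return_data) >= cap:
            break
        if inc.case_number == current.case_number or inc.site not in search_sites:
            continue
        if status and inc.status != status:
            continue
        if window and not (window[0] <= inc.date_created <= window[1]):
            continue
        shared = shared_artifacts(inc, relevant, criteria)
        if not shared:
            continue
        return_data.append(inc.case_number)
        for a in sorted(shared, key=lambda a: (a.type, a.name)):
            context_data.append({"Artifact Name": a.name, "Artifact Type": a.type,
                                 "Incident Case Number": inc.case_number})
    return return_data, context_data


# Constructed sample data (not taken from a real tenant).
URL = Artifact("URL", "www.example.com")
IP = Artifact("IP Address", "203.0.113.7")          # RFC 5737 documentation range
JUNE_2023 = {"timeRangeType": "custom range",
             "startTime": "2023-06-01 00:00:00", "endTime": "2023-06-30 23:59:59"}
CURRENT = Incident(900, "20230615-3", "Security Operations", "Open",
                   datetime(2023, 6, 15, 9, 0), {URL, IP})
CANDIDATES = [
    Incident(101, "20230612-8", "Security Operations", "Closed", datetime(2023, 6, 12, 8, 30), {URL, IP}),
    Incident(102, "20230613-1", "Security Operations", "Closed", datetime(2023, 6, 13, 10, 0), {URL}),
    Incident(103, "20230613-4", "Security Operations", "Open",   datetime(2023, 6, 13, 11, 0), {URL, IP}),
    Incident(104, "20230614-2", "Client A",            "Closed", datetime(2023, 6, 14, 12, 0), {URL, IP}),
    Incident(99,  "20230501-9", "Security Operations", "Closed", datetime(2023, 5, 1, 7, 0),   {IP}),
]

if __name__ == "__main__":
    # Same parameters as the Sample Data column: only the URL artifact is relevant,
    # so both closed June incidents in Security Operations that carry it are linked.
    print(link_related_incidents(CURRENT, CANDIDATES, artifact_types=["URL"],
                                 artifact_names=["www.example.com"], sites=["Security Operations"],
                                 status="Closed", time_range=JUNE_2023, limit=50))
```

Switching the criteria to "Any Artifact Match" with no type or name filter also links 20230613-1 (it shares only the URL) and 20230501-9 (it shares only the IP), which is why Exact Artifact Match is the safer default when the current incident carries common artifacts such as a shared gateway address; a low Limit with Descending order then keeps only the most recent of them.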

Output

Return Data

The returned result of this command: the case numbers of the incidents that were linked. If no incident meets the specified conditions, or the parameters are not defined, the returned data can be empty. The returned result can be passed directly to a subsequent command in the playbook.

SAMPLE DATA

JSON
[
    "20230612-8"
]
Context Data

The response data from the utility command.

SAMPLE DATA

JSON
[
    {
        "Artifact Name": "www.example.com",
        "Artifact Type": "URL",
        "Incident Case Number": "20230612-8"
    }
]

Remote Command API

The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.

Request

POST

CODE
https://{base_url}/{api_namespace}/api/Command/LinkArtifactsRelatedIncidents

Headers

Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.

Request Body

JSON
{
  "Username": "<Username here>",
  "Site": "<Site here>",
  "CommandParams": {
    "Artifact Types": "<Artifact Types here>",
    "Artifact Names": "<Artifact Names here>",
    "Incident Link Criteria": "<Incident Link Criteria here>",
    "Incident Sites": "<Incident Sites here>",
    "Incident Status": "<Incident Status here>",
    "Incident Time Range": "<Incident Time Range here>",
    "Limit": "<Limit here>",
    "Order": "<Order here>"
  }
}

Body Parameters

Parameter Name

Type

Required/Optional

Description

Username

String

Required

The username of your D3 SOAR account.

Site

String

Required

The D3 SOAR site to run the remote command.

Artifact Types

Text Array

Optional

Specify the types of artifacts you want to search for.

Artifact Names

Text Array

Optional

Specify the names of the artifacts you want to search for.

Incident Link Criteria

Text

Optional

Define how incidents are linked when matching artifacts are found. Any Artifact Match: Link incidents if they share any of the artifacts. Exact Artifact Match: Link incidents only if they share the exact set of artifacts.

Incident Sites

Text Array

Optional

Specify the array of sites in which the system searches for related incidents. If the current incident belongs to an internal site, only the internal sites in the array are searched. If the current incident belongs to a client site, only that client site (if present in the array) is searched. If no sites are specified, the system searches according to the site of the current incident.

Incident Status

Text

Optional

Select the status of the incidents you want to search for.

Incident Time Range

JSON Object

Optional

Define the time range for the incident you want to search for. The time range refers to the "Date Created" field of an incident.

Limit

Number

Optional

Set the maximum number of linked incidents. If no limit is set or limit is greater than 50, only 50 incidents that meet the above conditions will be linked.

Order

Text

Optional

The order (Ascending/Descending) determines which incidents are linked when more incidents match than the limit allows: Ascending links them from the lowest incident ID upward, Descending from the highest incident ID downward, until the limit is reached. By default, incidents are linked in descending order of IDs.

Sample Request

SAMPLE DATA

JSON
{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Artifact Types": [
      "URL"
    ],
    "Artifact Names": [
      "www.example.com"
    ],
    "Incident Link Criteria": "Exact Artifact Match",
    "Incident Sites": [
      "Security Operations"
    ],
    "Incident Status": "Closed",
    "Incident Time Range": {
      "timeRangeType": "custom range",
      "startTime": "2020-06-04 23:02:11",
      "endTime": "2020-07-04 23:02:11"
    },
    "Limit": 50,
    "Order": "Descending"
  }
}

Response

Response Fields

Field Name

Type

Description

error

Text

The error message if the API request has failed.

returnData

Text Array

The return data from the API request.

contextData

JSON Array

The context data from the API request.

Sample Response

JSON
{
    "error": "",
    "returnData": [
      "20230612-8"
    ],
    "contextData": [
      {
          "Artifact Name": "www.example.com",
          "Artifact Type": "URL",
          "Incident Case Number": "20230612-8"
      }
    ]
}
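The Request Body, Body Parameters and Response sections above describe a plain JSON-over-HTTPS exchange, so a small client can check the documented constraints before anything leaves the host and fail closed on a non-empty error field. The following is an added example written for this page, not D3 SOAR's own client library. It assumes the authentication header defined in the Webhook Configuration Guide is supplied by the caller as a (name, value) pair, since this page does not specify it; the embedded response is the page's own Sample Response so the parser can be exercised offline.

```python
"""Added example client (not D3 SOAR's code) for the LinkArtifactsRelatedIncidents
remote command.  It assembles the documented request body, enforces the documented
constraints before anything is sent, and parses the documented response shape.
Assumption: the authentication header comes from the Webhook Configuration Guide
and is supplied by the caller as a (name, value) pair; this page does not define it."""
from __future__ import annotations

import json
from datetime import datetime
from urllib import request

COMMAND = "LinkArtifactsRelatedIncidents"
MAX_LIMIT = 50                                    # the server links at most 50 incidents
LINK_CRITERIA = ("Any Artifact Match", "Exact Artifact Match")
ORDERS = ("Ascending", "Descending")
DATE_FMT = "%Y-%m-%d %H:%M:%S"                    # format used by the time range sample


def command_url(base_url: str, api_namespace: str) -> str:
    """Endpoint from the Request section; the scheme is fixed to HTTPS."""
    return f"https://{base_url}/{api_namespace}/api/Command/{COMMAND}"


def build_request_body(username, site, *, artifact_types=None, artifact_names=None,
                       link_criteria=None, incident_sites=None, incident_status=None,
                       time_range=None, limit=None, order=None) -> dict:
    """Validate against the Body Parameters table and return the JSON body.
    Optional parameters left as None are omitted from CommandParams."""
    if not username or not site:
        raise ValueError("Username and Site are required")
    if link_criteria is not None and link_criteria not in LINK_CRITERIA:
        raise ValueError(f"Incident Link Criteria must be one of {LINK_CRITERIA}")
    if order is not None and order not in ORDERS:
        raise ValueError(f"Order must be one of {ORDERS}")
    if time_range is not None:                    # both bounds must parse and be ordered
        start = datetime.strptime(time_range["startTime"], DATE_FMT)
        end = datetime.strptime(time_range["endTime"], DATE_FMT)
        if end < start:
            raise ValueError("Incident Time Range: endTime precedes startTime")
    if limit is not None:
        if not isinstance(limit, int) or isinstance(limit, bool) or limit < 1:
            raise ValueError("Limit must be a positive integer")
        limit = min(limit, MAX_LIMIT)             # the server caps at 50; make that explicit
    params = {
        "Artifact Types": artifact_types, "Artifact Names": artifact_names,
        "Incident Link Criteria": link_criteria, "Incident Sites": incident_sites,
        "Incident Status": incident_status, "Incident Time Range": time_range,
        "Limit": limit, "Order": order,
    }
    return {"Username": username, "Site": site,
            "CommandParams": {k: v for k, v in params.items() if v is not None}}


def parse_response(payload) -> tuple[list[str], list[dict]]:
    """Return (returnData, contextData); a non-empty 'error' field is a failure."""
    data = json.loads(payload)
    if data.get("error"):
        raise RuntimeError(f"{COMMAND} failed: {data['error']}")
    return list(data.get("returnData") or []), list(data.get("contextData") or [])


def run_remote_command(base_url, api_namespace, body, auth_header, timeout=30):
    """POST the body and parse the reply.  auth_header is the (name, value) pair
    from the Webhook Configuration Guide (assumed; not specified on this page)."""
    req = request.Request(command_url(base_url, api_namespace), method="POST",
                          data=json.dumps(body).encode("utf-8"),
                          headers={"Content-Type": "application/json",
                                   auth_header[0]: auth_header[1]})
    with request.urlopen(req, timeout=timeout) as resp:
        return parse_response(resp.read())


# The page's Sample Response, embedded so the parser can be exercised offline.
SAMPLE_RESPONSE = json.dumps({
    "error": "",
    "returnData": ["20230612-8"],
    "contextData": [{"Artifact Name": "www.example.com", "Artifact Type": "URL",
                     "Incident Case Number": "20230612-8"}],
})

if __name__ == "__main__":
    body = build_request_body("Admin", "Security Operations", artifact_types=["URL"],
                              artifact_names=["www.example.com"],
                              link_criteria="Exact Artifact Match",
                              incident_sites=["Security Operations"], incident_status="Closed",
                              time_range={"timeRangeType": "custom range",
                                          "startTime": "2020-06-04 23:02:11",
                                          "endTime": "2020-07-04 23:02:11"},
                              limit=50, order="Descending")
    print(json.dumps(body, indent=2))             # reproduces the Sample Request above
    print(parse_response(SAMPLE_RESPONSE))
```

Omitting unset optional parameters rather than sending empty strings matters: the placeholders in the Request Body template are strings, but Artifact Types, Artifact Names and Incident Sites are Text Arrays and Limit is a Number, so sending the literal placeholders or empty strings would not match the documented types.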