Parse Event Raw Data to D3 Events
This command can only be executed within an event/incident playbook. It is an asynchronous command designed to parse input raw data events to create D3 events.
Reader Note
Please note that this command is only applicable within an event Playbook.
Implementation | System |
---|---|
Command Category | Cyber Utility |
Tags | EVENT, EVENT INGESTION |
Inputs
Parameter Name | Required/Optional | Description | Sample Data |
---|---|---|---|
Event Data | Optional | The input raw data of the events to parse | JSON |
Integration Source | Optional | The name of the integration from which the events are ingested | |
Is Directly Correlated | Optional | Whether the events are directly correlated to the incident | |
Run MITRE TTP Search | Optional | Whether the system automatically maps tactics and techniques to newly ingested events. Default value is True | NO SAMPLE DATA |
Run Event Automation Rules | Optional | Whether the system executes Event Automation Rules for dismissal and escalation. Default value is True | NO SAMPLE DATA |
Output
Remote Command API
The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.
Request
POST
https://{base_url}/{api_namespace}/api/Command/ParseRawDataToEvents
Headers
Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.
Request Body
{
"Username": <Username here>,
"Site": <Site here>,
"CommandParams": {
"Event Data": [
{
"eventType": <Event Type here>,
"Description": <Description here>,
"SourceIPAddress": <Source IP Address here>,
"SourceHostname": <Source Hostname here>,
"SourceType": <Source Type here>,
"Filename": <Filename here>,
"ProcessName": <Process Name here>,
"ProcessCommandLine": <Process Command Line here>,
"ParentProcessName": <Parent Process Name here>
}
],
"Integration Source": <Integration Source here>,
"Is Directly Correlated": <Is Directly Correlated here>,
"Run MITRE TTP Search": <Run MITRE TTP Search here>,
"Run Event Automation Rules": <Run Event Automation Rules here>
}
}
Body Parameters
Parameter Name | Type | Required/Optional | Description |
---|---|---|---|
Username | | Required | The username of your D3 SOAR account. |
Site | | Required | The D3 SOAR site on which to run the remote command. |
Event Data | | Optional | The input raw data of the events to parse |
Integration Source | | Optional | The name of the integration from which the events are ingested |
Is Directly Correlated | | Optional | Whether the events are directly correlated to the incident |
Run MITRE TTP Search | | Optional | Whether the system automatically maps tactics and techniques to newly ingested events. Default value is True |
Run Event Automation Rules | | Optional | Whether the system executes Event Automation Rules for dismissal and escalation. Default value is True |
Sample Request
{
"Username": "Admin",
"Site": "Security Operations",
"CommandParams": {
"Event Data": [
{
"eventType": "Webhook Event 1001",
"Description": "This is a webhook event.",
"SourceIPAddress": "10.10.0.116",
"SourceHostname": "adi",
"SourceType": "Internal Endpoint",
"Filename": "loginscript",
"ProcessName": "net.exe",
"ProcessCommandLine": "admin localgroup",
"ParentProcessName": ""
}
],
"Integration Source": "cTest_Webhook",
"Is Directly Correlated": "No",
"Run MITRE TTP Search": null,
"Run Event Automation Rules": null
}
}
Response
Response Fields
Field Name | Type | Description |
---|---|---|
error | | The error message if the API request has failed. |
keyFields | | The key fields from the API request. |
returnData | | The return data from the API request. |
contextData | | The context data from the API request. |
Sample Response
{
"error": "",
"keyFields": {
"Count": [1],
"EventIDs": [4031]
},
"returnData": "Succeed",
"contextData": [
{
"Event ID": 4031,
"Description": "This is a webhook event.",
"Event Type": "Webhook Event 1001",
"Filename": "loginscript",
"Parent process name": "",
"Process command line": "admin localgroup",
"Process Name": "net.exe",
"Source hostname": "adi",
"Source IP address": "10.10.0.116",
"Source type": "Internal Endpoint",
"Source vendor name": "",
"Tactics": "Lateral Movement",
"Techniques": "Logon Scripts"
}
]
}
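As an added example (not part of this page or of D3's own client code), the following Python helper builds a ParseRawDataToEvents request body in the shape documented above, posts it, and reads the created event IDs out of the response, treating a non-empty `error` or a `returnData` other than "Succeed" as a failure. The sample event is constructed from the sample request; the authentication header is an assumption left to the caller, since its name comes from the Webhook Configuration Guide referenced above.

```python
import json
import urllib.request

# Constructed sample event, mirroring the documented "Event Data" element.
SAMPLE_EVENT = {
    "eventType": "Webhook Event 1001",
    "Description": "This is a webhook event.",
    "SourceIPAddress": "10.10.0.116",
    "SourceHostname": "adi",
    "SourceType": "Internal Endpoint",
    "Filename": "loginscript",
    "ProcessName": "net.exe",
    "ProcessCommandLine": "admin localgroup",
    "ParentProcessName": "",
}


def build_request(username, site, events, integration_source,
                  directly_correlated="No", run_ttp=None, run_rules=None):
    """Assemble the request body. None leaves a parameter at its default (True)."""
    if not events:
        raise ValueError("Event Data must contain at least one event")
    return {
        "Username": username,
        "Site": site,
        "CommandParams": {
            "Event Data": list(events),
            "Integration Source": integration_source,
            "Is Directly Correlated": directly_correlated,
            "Run MITRE TTP Search": run_ttp,
            "Run Event Automation Rules": run_rules,
        },
    }


def event_ids(response):
    """Return the D3 event IDs created, or raise if the API reported a failure."""
    if response.get("error"):
        raise RuntimeError(f"ParseRawDataToEvents failed: {response['error']}")
    if response.get("returnData") != "Succeed":
        raise RuntimeError(f"unexpected returnData: {response.get('returnData')!r}")
    return list(response["keyFields"]["EventIDs"])


def send(base_url, api_namespace, auth_headers, body):
    """POST the body to the documented endpoint; auth_headers is the API-key
    header described in the Webhook Configuration Guide (assumed, caller-supplied)."""
    url = f"https://{base_url}/{api_namespace}/api/Command/ParseRawDataToEvents"
    headers = {"Content-Type": "application/json", **auth_headers}
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return event_ids(json.load(resp))
```

Parsing the response through `event_ids` lets a playbook branch on the created IDs (for instance, to check the mapped `Tactics` in `contextData`) instead of assuming every call succeeded.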