Parse Event Raw Data to D3 Events

This command can only be executed within an event/incident playbook. It is an asynchronous command designed to parse input raw data events to create D3 events.

Reader Note

Please note that this command is only applicable within an event Playbook.

Implementation	System
Command Category	Cyber Utility
Tags	EVENT EVENT INGESTION

Inputs

Parameter Name	Required/Optional	Description	Sample Data
Event Data	Optional	The input raw data of events	JSON `[ { "eventType": "Webhook Event 1001", "Description": "This is a webhook event.", "SourceIPAddress": "10.10.0.116", "SourceHostname": "adi", "SourceType": "Internal Endpoint", "Filename": "loginscript", "ProcessName": "net.exe", "ProcessCommandLine": "admin localgroup", "ParentProcessName": "" } ]`
Integration Source	Optional	The name of the integration from which the events ingest	`cTest_Webhook`
Is Directly Correlated	Optional	Whether events are directly correlated to the incident	`No`
Run MITRE TTP Search	Optional	Choose whether the system automatically maps tactic & techniques on newly ingested events. Default value is True	NO SAMPLE DATA
Run Event Automation Rules	Optional	Choose whether the system executes Event Automation Rules for dismissal and escalation. Default value is True	NO SAMPLE DATA

Output

Key Fields

Important key-value pairs extracted from Raw Data.

SAMPLE DATA

JSON

{
  "Count": [1],
  "EventIDs": [4031]
}

Return Data

The returned result of this command. If some required parameters are not defined, this returned data could be empty. The returned result can be passed down directly to a subsequent command in playbooks.

SAMPLE DATA

JSON

Succeed

Context Data

The response data from the utility command.

SAMPLE DATA

JSON

[
    {
        "Event ID": 4031,
        "Description": "This is a webhook event.",
        "Event Type": "Webhook Event 1001",
        "Filename": "loginscript",
        "Parent process name": "",
        "Process command line": "admin localgroup",
        "Process Name": "net.exe",
        "Source hostname": "adi",
        "Source IP address": "10.10 .0 .116",
        "Source type": "Internal Endpoint",
        "Source vendor name": "",
        "Tactics": "Lateral Movement",
        "Techniques": "Logon Scripts"
    }
]

Remote Command API

The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.

Request

POST

CODE

https:/{base_url}/{api_namespace}/api/Command/ParseRawDataToEvents

Headers

Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.

Request Body

JSON

{
  "Username": <Username here>,
  "Site": <Site here>,
  "CommandParams": {
    "Event Data": [
      {
        "eventType": <Event Type here>,
        "Description": <Description here>,
        "SourceIPAddress": <Source IP Address here>,
        "SourceHostname": <Source Hostname here>,
        "SourceType": <Source Type here>,
        "Filename": <Filename here>,
        "ProcessName": <Process Name here>,
        "ProcessCommandLine": <Process Command Line here>,
        "ParentProcessName": <Parent Process Name here>
      }
    ],
    "Integration Source": <Integration Source here>,
    "Is Directly Correlated": <Is Directly Correlated here>,
    "Run MITRE TTP Search": <Run MITRE TTP Search here>,
    "Run Event Automation Rules": <Run Event Automation Rules here>
  }
}

Body Parameters

Parameter Name	Type	Required/Optional	Description
Username	`String`	Required	The username of your D3 SOAR account.
Site	`String`	Required	The D3 SOAR site to run the remote command.
Event Data	`JSON Array`	Optional	The input raw data of events
Integration Source	`Text`	Optional	The name of the integration from which the events ingest
Is Directly Correlated	`Text`	Optional	Whether events are directly correlated to the incident
Run MITRE TTP Search	`Text`	Optional	Choose whether the system automatically maps tactic & techniques on newly ingested events. Default value is True
Run Event Automation Rules	`Text`	Optional	Choose whether the system executes Event Automation Rules for dismissal and escalation. Default value is True

Sample Request

SAMPLE DATA

JSON

{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Event Data": [
      {
        "eventType": "Webhook Event 1001",
        "Description": "This is a webhook event.",
        "SourceIPAddress": "10.10.0.116",
        "SourceHostname": "adi",
        "SourceType": "Internal Endpoint",
        "Filename": "loginscript",
        "ProcessName": "net.exe",
        "ProcessCommandLine": "admin localgroup",
        "ParentProcessName": ""
      }
    ],
    "Integration Source": "cTest_Webhook",
    "Is Directly Correlated": "No",
    "Run MITRE TTP Search": null,
    "Run Event Automation Rules": null
  }
}

Response

Response Fields

Field Name	Type	Description
error	`Text`	The error message if the API request has failed.
keyFields	`JSON Object`	The key fields from the API request.
returnData	`Text`	The return data from the API request.
contextData	`JSON Array`	The context data from the API request.

Sample Response

JSON

{
    "error": "",
    "keyFields": {
        "Count": [1],
        "EventIDs": [4031]
    },
    "returnData": "Succeed",
    "contextData": [
        {
            "Event ID": 4031,
            "Description": "This is a webhook event.",
            "Event Type": "Webhook Event 1001",
            "Filename": "loginscript",
            "Parent process name": "",
            "Process command line": "admin localgroup",
            "Process Name": "net.exe",
            "Source hostname": "adi",
            "Source IP address": "10.10.0.116",
            "Source type": "Internal Endpoint",
            "Source vendor name": "",
            "Tactics": "Lateral Movement",
            "Techniques": "Logon Scripts"
        }
    ]
}