Save and Link Artifacts to Incident
LAST UPDATED: AUG 29, 2024
Links a new artifact to an incident, or updates an existing one.
Implementation | System |
Command Category | System Utility |
Tags | INCIDENT INCIDENT LINKING |
Inputs
Parameter Name | Required/Optional | Description | Sample Data |
---|---|---|---|
Artifact Type | Optional | The type of the artifact(s). The command supports both system and user-defined artifact types. System composite artifact types include: Internal Endpoint, External Endpoint, URL, File, User, Email Address, Process, Service, Module, Driver, Signature, Certificate, Registry. System single-field artifact types include: Username, Filename, File Hash SHA256, File Hash MD5, File Hash SHA1, Process Guid, Signature Identity, Host Name, Internal Endpoint Domain Name, Internal IP, External Endpoint Domain Name, External IP, Registry Key. If this parameter is left blank, the command will automatically detect and match system composite artifact types based on the values provided in Artifact Fields. | Internal Endpoint |
Artifact Fields | Optional | For user-defined artifacts, an Identity field needs to be added to the collection of fields. |
CODE
|
Incident Number | Optional | The unique identifier of the incident to be linked. | 20220114-11 |
Output
Remote Command API
The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.
Request
POST
https:/{base_url}/{api_namespace}/api/Command/SaveArtifactForIncident
Headers
Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.
Request Body
{
"Username": "<Username here>",
"Site": "<Site here>",
"CommandParams": {
"Artifact Type": "<Artifact Type here>",
"Artifact Fields": "<Artifact Fields here>",
"Incident Number": "<Incident Number here>"
}
}
Body Parameters
Parameter Name | Type | Required/Optional | Description |
---|---|---|---|
Username |
| Required | The username of your D3 SOAR account. |
Site |
| Required | The D3 SOAR site to run the remote command. |
Artifact Type |
| Optional | The type of the artifact(s). The command supports both system artifact and user-defined artifact types. System composite artifact types include: URL, User, File, ExternalEndpoint, InternalEndpoint, EmailAddress, Process, Service, Module, Driver, Signature, Certificate, Registry. System single-field artifact types include: Username, Filename, File Hash SHA256, File Hash MD5, File Hash SHA1, Process Guid, Signature Identity, Host Name, Internal Endpoint Domain Name, Internal IP, External Endpoint Domain Name, External IP, Registry Key. If this parameter is left blank, the command will automatically detect and match system composite artifact types based on the values provided in Artifact Fields. |
Artifact Fields |
| Optional | For user-defined artifacts, an Identity field needs to be added to the collection of fields. |
Incident Number |
| Optional | The unique identifier of the incident to be linked. |
Sample Request
SAMPLE DATA
{
"Username": "Admin",
"Site": "Security Operations",
"CommandParams": {
"Artifact Type": null,
"Artifact Fields": [
{
"URL": "http://example.com",
"Reputation": "Low"
},
{
"UserName": "Administrator"
},
{
"FileName": "playbookfile.exe",
"FilePath": "C:\\Windows\\System32\\playbookfile.exe",
"SHA256": "2afa7715181f03b6fe5acd7c82b8e818303a5de567af1a83d8c283010af2db44",
"MD5": "b0778a411c26f7b9b9ef5db8ed99566e",
"SHA1": "62678242ac69a2fb5cfa6a2cc3256fd8229fd7f4",
"Reputation": "High"
},
{
"External_HostName": "D3Admin",
"External_HostFQDN": "D3Admin.example.ca",
"Reputation": "Medium",
"External_IPAddress": "0:0:1:0:0:aaaa:cd9:d0a"
},
{
"Internal_HostName": "D3Example",
"Internal_HostFQDN": "D3Example.example.ca",
"Internal_IPAddress": "192.168.2.112"
},
{
"EmailAddress": "admin@example.com"
},
{
"ProcessGuid": "1589170327575",
"ProcessName": "powershell.exe",
"ProcessID": "21721",
"ProcessIntegrityLevel": "",
"ProcessCurrentDirectory": "",
"ProcessCommandLine": "powershell -Command $File=\\C:\\Users\\devin\\AppData\\Local\\Temp\\bbotstage.png\\;$Content=get-content $File;$Contento=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($Content));Set-ExecutionPolicy Bypass -Scope Process -Force;IEX($Contento)",
"ProcessOS": ""
},
{
"ServiceId": "sampleServiceId",
"ServiceName": "sampleServiceName",
"ServiceStartMode": "sampleServiceStartMode",
"ServiceStatus": "sampleServiceStatus"
},
{
"ModuleBaseAddr": "sampleModuleBaseAddr.com"
},
{
"DriverBaseAddr": "sampleDriverBaseAddr.com"
},
{
"Signature": "sampleSignature",
"SignatureID": "sampleSignatureID",
"SignatureSeverity": "Low",
"SignatureSource": "",
"SignatureType": ""
},
{
"CertName": "sampleCertName",
"CertSerial": "sampleCertSerial"
},
{
"RegistryKey": "sampleRegistryKey",
"RegistryPath": "sampleRegistryPath",
"RegistryValueName": "sampleRegistryValueName",
"RegistryValueData": "sampleRegistryValueData",
"RegistryDetails": "sampleRegistryDetails"
},
{
"Identity": "customartifactid",
"Reputation": "High",
"Additional": {
"Action result": "action result update",
"Action result ID": "",
"Action taken": "",
"Affected Machine Name": "affected Machines Name"
}
}
],
"Incident Number": "20220114-11"
}
}
Response
Response Fields
Field Name | Type | Description |
---|---|---|
error |
| The error message if the API request has failed. |
returnData |
| The return data from the API request. |
contextData |
| The context data from the API request. |
Sample Response
{
"error": "",
"returnData": "Successful",
"contextData": [
{
"ArtifactType": "URL",
"Status": "Successful",
"ArtifactName": "http://example.com",
"UpdateOrAdd": "Add",
"ArtifactDetails": {
"URL": "http://example.com",
"Reputation": "Low"
}
},
{
"ArtifactType": "User",
"Status": "Successful",
"ArtifactName": "Administrator",
"UpdateOrAdd": "Update",
"ArtifactDetails": {
"UserName": "Administrator"
}
},
{
"ArtifactType": "File",
"Status": "Successful",
"ArtifactName": "playbookfile.exe",
"UpdateOrAdd": "Update",
"ArtifactDetails": {
"Old": {
"FileName": "playbookfile.exe",
"FilePath": "C:\\Windows\\System32\\playbookfile.exe",
"SHA256": "2afa7715181f03b6fe5acd7c82b8e818303a5de567af1a83d8c283010af2db44",
"MD5": "b0778a411c26f7b9b9ef5db8ed99566e",
"SHA1": "62678242ac69a2fb5cfa6a2cc3256fd8",
"Reputation": "Medium"
},
"New": {
"FileName": "playbookfile.exe",
"FilePath": "C:\\Windows\\System32\\playbookfile.exe",
"SHA256": "2afa7715181f03b6fe5acd7c82b8e818303a5de567af1a83d8c283010af2db44",
"MD5": "b0778a411c26f7b9b9ef5db8ed99566e",
"SHA1": "62678242ac69a2fb5cfa6a2cc3256fd8",
"Reputation": "High"
}
}
},
{
"ArtifactType": "External_Endpoint",
"Status": "Successful",
"ArtifactName": "D3Admin.example.ca",
"UpdateOrAdd": "Update",
"ArtifactDetails": {
"Old": {
"External_HostName": "D3Admin",
"External_HostFQDN": "D3Admin.example.ca",
"External_IPAddress": "66.249.64.167, 0:0:1:0:0:aaaa:cd9:d0a, 0:1:1:1:0:ffff:cd9:d0a",
"Reputation": "High"
},
"New": {
"External_HostName": "D3Admin",
"External_HostFQDN": "D3Admin.example.ca",
"External_IPAddress": "66.249.64.167, 0:0:1:0:0:aaaa:cd9:d0a, 0:1:1:1:0:ffff:cd9:d0a",
"Reputation": "Medium"
}
}
},
{
"ArtifactType": "Internal_Endpoint",
"Status": "Successful",
"ArtifactName": "D3Example.example.ca",
"UpdateOrAdd": "Add",
"ArtifactDetails": {
"Internal_HostName": "D3Example",
"Internal_HostFQDN": "D3Example.example.ca",
"Internal_IPAddress": [
"192.168.2.112"
]
}
},
{
"ArtifactType": "Email",
"Status": "Successful",
"ArtifactName": "admin@example.com",
"UpdateOrAdd": "Update",
"ArtifactDetails": {
"EmailAddress": "admin@example.com"
}
},
{
"ArtifactType":"Process",
"Status":"Successful",
"Artifactname":,
"UpdateOrAdd": "Add",
"ArtifactDetails":{
"ProcessGuid":"1589170327575",
"ProcessName":"powershell.exe",
"ProcessID":"21721",
"ProcessIntegrityLevel":"",
"ProcessCurrentDirectory":"",
"ProcessCommandLine":"powershell -Command $File=\\C:\\Users\\devin\\AppData\\Local\\Temp\\bbotstage.png\\;$Content=get-content $File;$Contento=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($Content));Set-ExecutionPolicy Bypass -Scope Process -Force;IEX($Contento)",
"ProcessOS":""
}
}
]
}