Last updated: AUG 06, 2024
Add details to an incident investigation with HTML rich text. Optionally add IOA or IOC details via JSON format.
| Implementation | System |
|---|---|
| Command Category | System Utility |
| Tags | incident |
Inputs

| Parameter Name | Required/Optional | Description | Sample Data |
|---|---|---|---|
| Incident Number | Required | The incident number to add investigation details to. | 20221207-11 |
| Investigation Section | Required | The section to add the investigation details to. | Findings: IOA (Indicator of Attack) |
| Investigation Detail Content | Required | The investigation details in HTML rich text. | This is an IOA. |
| Investigation Detail in JSON | Optional | Optional JSON field for creating IOA and IOCs. The IOA and IOCs created will be displayed in link analysis. | |
| Editing Type | Required | Choose whether to add a new investigation detail or overwrite all existing details. | Overwrite |
Output
Remote Command API
The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.
Request

POST `https://{base_url}/{api_namespace}/api/Command/AddInvestigationDetails`
Headers
Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.
Request Body

```json
{
  "Username": "<Username here>",
  "Site": "<Site here>",
  "CommandParams": {
    "Incident Number": "<Incident Number here>",
    "Investigation Section": "<Investigation Section here>",
    "Investigation Detail Content": "<Investigation Detail Content here>",
    "Investigation Detail in JSON": "<Investigation Detail in JSON here>",
    "Editing Type": "<Editing Type here>"
  }
}
```
Body Parameters

| Parameter Name | Type | Required/Optional | Description |
|---|---|---|---|
| Username | | Required | The username of your D3 SOAR account. |
| Site | | Required | The D3 SOAR site to run the remote command. |
| Incident Number | | Required | The incident number to add investigation details to. |
| Investigation Section | | Required | The section to add the investigation details to. |
| Investigation Detail Content | | Required | The investigation details in HTML rich text. |
| Investigation Detail in JSON | | Optional | Optional JSON field for creating IOA and IOCs. The IOA and IOCs created will be displayed in link analysis. |
| Editing Type | | Required | Choose whether to add a new investigation detail or overwrite all existing details. |
Sample Request

```json
{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Incident Number": "20221207-11",
    "Investigation Section": "Findings: IOA (Indicator of Attack)",
    "Investigation Detail Content": "This is an IOA.",
    "Investigation Detail in JSON": {
      "Name": "The fake invoice scam",
      "Type": "Phishing email",
      "DetectedUtcTime": "2023-04-12T12:00:00",
      "RelationData": [
        {
          "Type": "Relationship",
          "Direction": "BiDirectional",
          "Label": "Attack",
          "Properties": {
            "property1": "value1",
            "property2": "value2"
          },
          "Start": {
            "Type": "Artifact",
            "Subtype": "Username",
            "Name": "Sample User A",
            "Properties": {
              "property1": "value1",
              "property2": "value2"
            }
          },
          "End": {
            "Type": "Artifact",
            "Subtype": "Username",
            "Name": "Sample User B",
            "Properties": {
              "property1": "value1",
              "property2": "value2"
            }
          }
        },
        {
          "Type": "Relationship",
          "Direction": "Reverse",
          "Label": "Attack",
          "Properties": {
            "property1": "value1",
            "property2": "value2"
          },
          "Start": [
            {
              "Type": "Artifact",
              "Subtype": "Host Name",
              "Name": "Host Name A",
              "Properties": {
                "property1": "value1",
                "property2": "value2"
              }
            }
          ],
          "End": [
            {
              "Type": "Artifact",
              "Subtype": "Host Name",
              "Name": "Host Name B",
              "Properties": {
                "property1": "value1",
                "property2": "value2"
              }
            }
          ]
        }
      ]
    },
    "Editing Type": "Overwrite"
  }
}
```
Response
Response Fields

| Field Name | Type | Description |
|---|---|---|
| error | | The error message if the API request has failed. |
| returnData | | The return data from the API request. |
| contextData | | The context data from the API request. |
Sample Response

```json
{
  "error": "",
  "returnData": "Successful",
  "contextData": [
    {
      "ID": 30,
      "IncidentId": 25,
      "TypeId": 201,
      "Creator": 1,
      "LastModifiedBy": 1,
      "CreatedUtcTime": "2023-04-11T21:18:47.460",
      "CreatedTime": "2023-04-11T22:18:00",
      "LastModifiedUtcTime": "2023-04-13T22:19:04.513",
      "LastModifiedTime": "2023-04-13T23:19:00",
      "InvestigationDetail": [
        {
          "ID": 112,
          "InvestigationId": 30,
          "AddedBy": 1,
          "LastModifiedBy": 1,
          "RuntimeTaskId": -1,
          "Content": "<p>This is an IOA 22. </p>",
          "Data": "{\n \"Name\":\"The fake invoice scam\",\n \"Type\":\"Phishing email\",\n \"DetectedUtcTime\":\"2023-04-12T12:00:00\",\n \"RelationData\":[\n {\n \"Type\":\"Relationship\",\n \"Direction\":\"BiDirectional\",\n \"Label\":\"Attack\",\n \"Properties\":{\n \"property1\":\"value1\",\n \"property2\":\"value2\"\n },\n \"Start\":{\n \"Type\":\"Artifact\",\n \"Subtype\":\"Username\",\n \"Name\":\"Sample User A\",\n \"Properties\":{\n \"property1\":\"value1\",\n \"property2\":\"value2\"\n }\n },\n \"End\":{\n \"Type\":\"Artifact\",\n \"Subtype\":\"Username\",\n \"Name\":\"Sample User B\",\n \"Properties\":{\n \"property1\":\"value1\",\n \"property2\":\"value2\"\n }\n }\n },\n {\n \"Type\":\"Relationship\",\n \"Direction\":\"Reverse\",\n \"Label\":\"Attack\",\n \"Properties\":{\n \"property1\":\"value1\",\n \"property2\":\"value2\"\n },\n \"Start\":[\n {\n \"Type\":\"Artifact\",\n \"Subtype\":\"Host Name\",\n \"Name\":\"Host Name A\",\n \"Properties\":{\n \"property1\":\"value1\",\n \"property2\":\"value2\"\n }\n }\n ],\n \"End\":[\n {\n \"Type\":\"Artifact\",\n \"Subtype\":\"Host Name\",\n \"Name\":\"Host Name B\",\n \"Properties\":{\n \"property1\":\"value1\",\n \"property2\":\"value2\"\n }\n }\n ]\n }\n ]\n}",
          "Type": 0,
          "CreatedUtcTime": "2023-04-13T22:19:04.513",
          "CreatedTime": "2023-04-13T23:19:00",
          "LastModifiedUtcTime": "2023-04-13T22:19:04.513",
          "LastModifiedTime": "2023-04-13T23:19:00",
          "IsDeleted": false,
          "IndicatorGuid": ""
        }
      ]
    }
  ]
}
```
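The request body, IOA structure and response fields above, as an added Python client (example code, not D3 SOAR's own SDK or documentation). It builds the body in the documented shape, checks the IOA JSON against the structure of the sample request before sending, HTML-escapes the detail text because the content field is rendered as rich text (alert data such as email subjects must land as findings, not as markup), and turns a non-empty `error` response field into an exception. `BASE_URL`, `API_NAMESPACE`, the API-key header name and the key value are placeholders to be replaced from the Webhook Configuration Guide; the page names only `Overwrite` as an `Editing Type` value, so that is the only one used here.

```python
# Added example, not D3 SOAR's own code. Endpoint path, body shape and field
# names come from this page; everything marked placeholder/assumption does not.
import html
import json
import urllib.request
from datetime import datetime

BASE_URL = "https://d3soar.example.invalid"  # placeholder: your D3 SOAR host
API_NAMESPACE = "d3"                          # placeholder: your api_namespace
API_KEY_HEADER = "Authorization"              # assumption: header used by your API-key setup
API_KEY = "<API key here>"                    # placeholder

ENDPOINT = "/api/Command/AddInvestigationDetails"   # from this page
DIRECTIONS = {"BiDirectional", "Reverse"}           # values shown in the sample request


def artifact(subtype, name, properties=None):
    """One artifact node, in the shape the sample request uses for Start/End."""
    return {"Type": "Artifact", "Subtype": subtype, "Name": name,
            "Properties": dict(properties or {})}


def relationship(label, start, end, direction="BiDirectional", properties=None):
    """One RelationData entry; start/end are an artifact or a list of artifacts."""
    if direction not in DIRECTIONS:
        raise ValueError(f"unknown Direction {direction!r}")
    return {"Type": "Relationship", "Direction": direction, "Label": label,
            "Properties": dict(properties or {}), "Start": start, "End": end}


def validate_ioa(ioa):
    """Check an IOA object against the sample request's structure before sending,
    so a malformed IOA fails locally rather than in the response's error field."""
    for key in ("Name", "Type", "DetectedUtcTime", "RelationData"):
        if key not in ioa:
            raise ValueError(f"IOA is missing {key!r}")
    datetime.fromisoformat(ioa["DetectedUtcTime"])  # raises if not ISO-8601
    if not ioa["RelationData"]:
        raise ValueError("RelationData is empty; nothing would appear in link analysis")
    for rel in ioa["RelationData"]:
        if rel.get("Type") != "Relationship" or rel.get("Direction") not in DIRECTIONS:
            raise ValueError(f"bad relationship entry: {rel!r}")
        for endpoint in ("Start", "End"):
            nodes = rel.get(endpoint)
            for node in (nodes if isinstance(nodes, list) else [nodes]):
                if not isinstance(node, dict) or node.get("Type") != "Artifact" or not node.get("Name"):
                    raise ValueError(f"{endpoint} of {rel.get('Label')!r} is not a named Artifact")
    return True


def build_request(username, site, incident_number, section, detail_text,
                  ioa=None, editing_type="Overwrite"):
    """Assemble the documented request body. The content field is HTML rich
    text, so text taken from alert data is escaped rather than trusted as HTML.
    'Overwrite' replaces all existing details in the section, so pass it deliberately."""
    params = {
        "Incident Number": incident_number,
        "Investigation Section": section,
        "Investigation Detail Content": f"<p>{html.escape(detail_text)}</p>",
        "Editing Type": editing_type,
    }
    if ioa is not None:
        validate_ioa(ioa)
        params["Investigation Detail in JSON"] = ioa
    return {"Username": username, "Site": site, "CommandParams": params}


def send(body, opener=urllib.request.urlopen):
    """POST the body; raise if the documented 'error' field is non-empty."""
    req = urllib.request.Request(
        f"{BASE_URL}/{API_NAMESPACE}{ENDPOINT}",
        data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json", API_KEY_HEADER: API_KEY})
    with opener(req, timeout=30) as resp:
        result = json.load(resp)
    if result.get("error"):
        raise RuntimeError(f"AddInvestigationDetails failed: {result['error']}")
    return result


def sample_ioa():
    """Constructed IOA mirroring the page's sample: a phishing email between two users."""
    return {
        "Name": "The fake invoice scam", "Type": "Phishing email",
        "DetectedUtcTime": "2023-04-12T12:00:00",
        "RelationData": [
            relationship("Attack", artifact("Username", "Sample User A"),
                         artifact("Username", "Sample User B")),
            relationship("Attack", [artifact("Host Name", "Host Name A")],
                         [artifact("Host Name", "Host Name B")], direction="Reverse"),
        ],
    }


if __name__ == "__main__":
    body = build_request("Admin", "Security Operations", "20221207-11",
                         "Findings: IOA (Indicator of Attack)",
                         "Invoice email with subject <URGENT> linked User A to User B",
                         ioa=sample_ioa())
    print(json.dumps(body, indent=2))
    # send(body)  # enable once BASE_URL, API_NAMESPACE and the API key are set
```

`send` takes the opener as a parameter so the same code can be exercised against a stub in a test or a dry run; the request itself goes out only when the placeholders have been replaced.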