Overview
This node, Create Related Info To Case Soar, is designed to add related information to a specific case in a SOAR (Security Orchestration, Automation, and Response) system via its API. It allows users to specify the case by its code and attach various types of related info such as indicators, groups, or victims with detailed subtypes.
Common scenarios where this node is beneficial:
- Enriching a security incident case with additional context like IP addresses, domains, or email indicators.
- Associating threat actor groups or malware campaigns to an ongoing investigation.
- Adding victim details such as affected accounts or computers to a case for better tracking.
Practical example:
A SOC analyst investigating a phishing campaign can use this node to add email indicators and associated threat actor groups to the case, helping automate and document the enrichment process within their SOAR platform.
Properties
Name | Meaning |
---|---|
Url of Soar API | The endpoint URL for the SOAR API service where related info will be posted. |
Case Code | Identifier of the case to which the related info will be added. |
Type | The category of the related info. Options: INDICATOR, GROUP, VICTIM. |
Sub Type | Specific subtype depending on the selected Type. For INDICATOR: DOMAIN, EMAIL, HASH, IP, URL. For GROUP: CAMPAIGN, MALWARE, THREAT_ACTOR. For VICTIM: ACCOUNT, COMPUTER, WEBSITE. |
Value | The actual value of the related info (e.g., an IP address, domain name, or account identifier). |
Tenancy Code | Optional tenancy code associated with the case, if applicable. |
Output
The node outputs an array of JSON objects, one for each input item processed. Each output object contains:
- success: Boolean indicating whether the related info was successfully created.
- response: The raw response from the SOAR API after creating the related info.
- caseCode: The case code to which the info was added.

In case of failure:
- error: Error message describing what went wrong.
- statusCode: HTTP status code returned by the API.
- response: Additional response data or error details from the API.
- caseName: (If available) the case name parameter used during the request.

The node does not output binary data.
Dependencies
- Requires access to a SOAR API endpoint that accepts POST requests to create related info.
- Needs an API authentication token credential configured in n8n to authorize requests.
- The node expects the SOAR API to accept a JSON body with the fields case_code, type, sub_type, value and, optionally, tenancy_code.
- The HTTP request includes a custom header "Accept-Language": "vi" indicating Vietnamese language preference.
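The following is an added example, not the node's own source code, showing how the pieces described in the Properties, Output and Dependencies sections fit together: the allowed Type/Sub Type pairs are checked before any request is sent, the JSON body is built with the documented field names (case_code, type, sub_type, value, tenancy_code), the "Accept-Language": "vi" header is set, and each item is turned into the success or failure object the Output section lists. The bearer-token Authorization header, the sendRequest callback, the sample case code and the sample values are assumptions constructed for this example; the real node uses the n8n credential and HTTP helper.

```javascript
// Added example (not the node's source). Field names and type/sub-type pairs
// come from the node documentation; the Authorization scheme, sendRequest
// callback and all sample values are constructed assumptions.

const SUB_TYPES = {
  INDICATOR: ['DOMAIN', 'EMAIL', 'HASH', 'IP', 'URL'],
  GROUP: ['CAMPAIGN', 'MALWARE', 'THREAT_ACTOR'],
  VICTIM: ['ACCOUNT', 'COMPUTER', 'WEBSITE'],
};

// Reject incompatible Type/Sub Type pairs locally, so a bad combination
// produces a clear error instead of an opaque rejection from the API.
function validateTypePair(type, subType) {
  const allowed = SUB_TYPES[type];
  if (!allowed) {
    throw new Error(`Unsupported type "${type}"; expected one of ${Object.keys(SUB_TYPES).join(', ')}`);
  }
  if (!allowed.includes(subType)) {
    throw new Error(`Sub type "${subType}" is not valid for type "${type}"; expected one of ${allowed.join(', ')}`);
  }
}

// Build the JSON body the SOAR API expects: case_code, type, sub_type, value
// and, only when supplied, tenancy_code.
function buildRelatedInfoBody({ caseCode, type, subType, value, tenancyCode }) {
  validateTypePair(type, subType);
  if (typeof value !== 'string' || value.trim() === '') {
    throw new Error('Value must be a non-empty string');
  }
  const body = { case_code: caseCode, type, sub_type: subType, value: value.trim() };
  if (tenancyCode) body.tenancy_code = tenancyCode;
  return body;
}

// Request options: the token from the n8n credential (bearer header is an
// assumption here) plus the documented Accept-Language header.
function buildRequestOptions(url, token, body) {
  return {
    method: 'POST',
    url,
    headers: {
      Authorization: `Bearer ${token}`,
      'Content-Type': 'application/json',
      'Accept-Language': 'vi',
    },
    body,
    json: true,
  };
}

// Shape one item's result as the Output section describes.
// `result` is { ok, status, body } as returned by the sendRequest callback.
function toOutputItem(caseCode, result) {
  if (result.ok) {
    return { success: true, response: result.body, caseCode };
  }
  return {
    success: false,
    error: `Failed to create related info for case ${caseCode}: HTTP ${result.status}`,
    statusCode: result.status,
    response: result.body,
    caseCode,
  };
}

// Process items with continue-on-fail semantics: when enabled, a failing item
// becomes a failure object in the output instead of aborting the whole run.
async function processItems(items, sendRequest, continueOnFail) {
  const out = [];
  for (const item of items) {
    try {
      const body = buildRelatedInfoBody(item);
      const res = await sendRequest(buildRequestOptions(item.url, item.token, body));
      out.push(toOutputItem(item.caseCode, res));
    } catch (err) {
      if (!continueOnFail) throw err;
      out.push({ success: false, error: err.message, caseCode: item.caseCode });
    }
  }
  return out;
}
```

Validating the Type/Sub Type pair before sending keeps the "Unsupported type or subtype combinations" failure from the Troubleshooting section from ever reaching the API, and the per-item try/catch is what makes the continue-on-failure behaviour described there observable in the output array.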
Troubleshooting
Common issues:
- Authentication failures: If the API token is invalid or missing, the node will fail to authenticate with the SOAR API.
- Invalid URL or network errors: Incorrect SOAR API URL or connectivity issues will cause request failures.
- Incorrect case codes or values: Providing non-existent case codes or malformed values may result in API errors.
- Unsupported type or subtype combinations: Selecting incompatible type-subtype pairs might cause the API to reject the request.
Error messages and resolutions:
- Errors include detailed messages with HTTP status codes and API response bodies.
- If the node is set to continue on failure, it logs errors and outputs failure details per item.
- Otherwise, it throws a descriptive error including the request parameters and response content.
- To resolve errors, verify the correctness of all input parameters, ensure valid credentials, and confirm the SOAR API endpoint is reachable and functioning.
Links and References
- [SOAR Platform API Documentation] (Please refer to your SOAR vendor's official API docs for exact endpoint and payload specifications.)
- n8n HTTP Request Node Documentation
- n8n Custom Node Development Guide
If you need further assistance with this node or integration, consulting the SOAR platform support or community forums is recommended.