Overview
This node, "Create Related Info To Case Soar," is designed to add related information to a case in a SOAR (Security Orchestration, Automation, and Response) system via its API. It allows users to specify details such as the case code, type of related info (e.g., indicator, group, victim), subtype, and the actual value to be associated with the case.
Common scenarios where this node is beneficial include:
- Enriching security cases with additional context like IP addresses, domains, or threat actor groups.
- Automating the process of updating cases with new indicators or victim information from other systems.
- Integrating SOAR platforms into broader security workflows for streamlined incident response.
For example, a user could automatically add an IP address indicator related to a phishing campaign case, or append a malware group to a specific investigation case.
Properties
Name | Meaning |
---|---|
Url of Soar API | The endpoint URL of the SOAR API service to which the related info will be posted. |
Case Code | Identifier of the case to which the related information will be added. |
Type | The category of the related info; options are INDICATOR, GROUP and VICTIM. |
Sub Type | Specific subtype, depending on the selected Type. For INDICATOR: DOMAIN, EMAIL, HASH, IP, URL. For GROUP: CAMPAIGN, MALWARE, THREAT_ACTOR. For VICTIM: ACCOUNT, COMPUTER, WEBSITE. |
Value | The actual value of the related information to associate with the case (e.g., an IP address). |
Tenancy Code | Optional tenancy code for the case, if applicable. |
Output
The node outputs an array of JSON objects, one for each input item processed. Each output object contains:
- `success`: Boolean indicating whether the creation of related info was successful.
- `response`: The full response returned by the SOAR API upon creating the related info (present only if successful).
- `caseCode`: The case code used in the request.
- `error`: Error message string if the operation failed (present only if unsuccessful).
No binary data is produced by this node.
Dependencies
- Requires access to a SOAR API endpoint that accepts POST requests to create related info.
- Requires an API authentication token credential to authorize requests to the SOAR API.
- The node expects the SOAR API to accept a JSON body with the fields `case_code`, `type`, `sub_type`, `value` and, optionally, `tenancy_code`.
- The HTTP request includes the header `"Accept-Language": "vi"`, indicating a Vietnamese language preference.
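The following is an added example, not the node's own source code or the SOAR vendor's API: it validates the node parameters against the Type/Sub Type table, builds the JSON body and `Accept-Language` header described above, and maps each API result to the documented output shape (`success`, `response`, `caseCode`, `error`), including the continue-on-failure behaviour from the Troubleshooting section. The bearer `Authorization` header, the `post` transport function, the `fakePost` stand-in and the sample items are assumptions constructed so the example runs offline; the real node uses n8n's HTTP request helpers.

```javascript
// Added example, not the node's own source. Assumptions: the bearer-token
// Authorization header and the injected `post` transport are stand-ins for
// whatever the real node and SOAR API use.

// Sub Type values permitted for each Type, as listed in the Properties table.
const SUB_TYPES = {
  INDICATOR: ['DOMAIN', 'EMAIL', 'HASH', 'IP', 'URL'],
  GROUP: ['CAMPAIGN', 'MALWARE', 'THREAT_ACTOR'],
  VICTIM: ['ACCOUNT', 'COMPUTER', 'WEBSITE'],
};

// Validate one item's parameters and build the request the SOAR API expects.
// Throws on bad input so the failure is reported before any network call.
function buildRequest(item, token) {
  const { apiUrl, caseCode, type, subType, value, tenancyCode } = item;
  if (!apiUrl) throw new Error('Url of Soar API is required');
  if (!caseCode) throw new Error('Case Code is required');
  const allowed = SUB_TYPES[type];
  if (!allowed) throw new Error(`Unsupported Type "${type}"`);
  if (!allowed.includes(subType)) {
    throw new Error(`Sub Type "${subType}" is not valid for Type ${type}`);
  }
  if (!value) throw new Error('Value is required');

  const body = { case_code: caseCode, type, sub_type: subType, value };
  if (tenancyCode) body.tenancy_code = tenancyCode; // optional field
  return {
    method: 'POST',
    url: apiUrl,
    headers: {
      'Content-Type': 'application/json',
      'Accept-Language': 'vi',          // header the node is documented to send
      Authorization: `Bearer ${token}`, // assumption: token sent as a bearer header
    },
    body,
  };
}

// Process every input item. `post(request)` is the injected transport and must
// return { status, body }. With continueOnFail the error is reported per item
// (success: false, error); otherwise the first failure stops the run.
function createRelatedInfo(items, token, post, continueOnFail) {
  const results = [];
  for (const item of items) {
    try {
      const request = buildRequest(item, token);
      const res = post(request);
      if (res.status < 200 || res.status >= 300) {
        // Keep status code, response body and URL in the message, as the
        // Troubleshooting section says the node logs them.
        throw new Error(
          `SOAR API ${request.url} returned ${res.status}: ${JSON.stringify(res.body)}`
        );
      }
      results.push({ success: true, response: res.body, caseCode: item.caseCode });
    } catch (err) {
      if (!continueOnFail) throw err;
      results.push({ success: false, error: err.message, caseCode: item.caseCode });
    }
  }
  return results;
}

// Constructed offline transport: accepts requests for case CASE-001 and
// answers 404 for any other case code, so the example runs without a server.
function fakePost(request) {
  if (request.body.case_code === 'CASE-001') {
    return { status: 201, body: { id: 42, ...request.body } };
  }
  return { status: 404, body: { message: 'case not found' } };
}

// Constructed sample input: a valid indicator, a Sub Type that does not match
// its Type, and an unknown case, run with continueOnFail so that all three
// items produce an output object.
const SAMPLE_ITEMS = [
  { apiUrl: 'https://soar.example/api/related-info', caseCode: 'CASE-001',
    type: 'INDICATOR', subType: 'IP', value: '203.0.113.10' },
  { apiUrl: 'https://soar.example/api/related-info', caseCode: 'CASE-001',
    type: 'GROUP', subType: 'IP', value: 'example-group' },
  { apiUrl: 'https://soar.example/api/related-info', caseCode: 'CASE-999',
    type: 'VICTIM', subType: 'COMPUTER', value: 'WS-042', tenancyCode: 'T1' },
];

function runSample() {
  return createRelatedInfo(SAMPLE_ITEMS, 'example-token', fakePost, true);
}

console.log(JSON.stringify(runSample(), null, 2));
```

Running the block prints three output objects: the first with `success: true` and the API response, the second failing validation before any request is sent, and the third failing with the 404 status and body in its `error` string. With `continueOnFail` set to `false`, the second item would instead stop the run.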
Troubleshooting
Common issues:
- Invalid or missing API endpoint URL will cause connection failures.
- Incorrect or expired API token will result in authorization errors.
- Providing invalid case codes or unsupported types/subtypes may cause the SOAR API to reject the request.
- Network connectivity problems can prevent successful API calls.
Error messages:
- Errors during the HTTP request are logged with details including error message, status code, response body, and URL.
- If the node is set to continue on failure, it will output the error message per item instead of stopping execution.
- To resolve errors, verify the correctness of the API URL, credentials, and input parameters. Check network connectivity and SOAR API documentation for valid values.
Links and References
- [SOAR Platform API Documentation] (Please refer to your SOAR vendor's official API docs for detailed usage)
- n8n HTTP Request Node Documentation
- n8n Node Development Guide