Overview
This node creates related information entries linked to a specific case in a SOAR (Security Orchestration, Automation, and Response) system via its HTTP API. It is useful for enriching cases with additional context, such as indicators, groups, or victims, so that analysts can track and manage incident details in one place.
Typical use cases include:
- Adding IP addresses, domains, or hashes as indicators related to a security incident.
- Associating threat actor groups or malware campaigns with a case.
- Linking victim information like accounts, computers, or websites to an investigation.
For example, after detecting suspicious activity, you can use this node to add the relevant IP address as an INDICATOR/IP entry on the corresponding case in your SOAR platform, which can then drive automated workflows or further analysis.
Properties
| Name | Meaning |
|---|---|
| Url of Soar API | Base URL of the SOAR API service where the related info will be created. |
| Case Code | Identifier of the case to which the related information will be added. |
| Type | Category of the related information. Options: INDICATOR, GROUP, VICTIM. |
| Sub Type | More specific classification, depending on the selected Type. For INDICATOR: DOMAIN, EMAIL, HASH, IP, URL. For GROUP: CAMPAIGN, MALWARE, THREAT_ACTOR. For VICTIM: ACCOUNT, COMPUTER, WEBSITE. |
| Value | The actual value of the related information (e.g., an IP address, domain name, or account). |
| Tenancy Code | Optional tenancy code associated with the case, if the SOAR deployment is multi-tenant. |
Output
The node outputs an array of JSON objects, one per input item, each representing the result of creating related info for that item. Each output object contains:
- success: Boolean indicating whether the creation succeeded.
- response: The full response from the SOAR API, present when the related info was created successfully.
- caseCode: The case identifier used for the request.
- error: Present only if the operation failed, containing the error message.
No binary data is produced by this node.
Example output JSON for a successful creation:

```json
{
  "success": true,
  "response": { "...": "API response object" },
  "caseCode": "CASE123"
}
```

Example output JSON for a failure (only emitted if Continue On Fail is enabled; otherwise the node throws):

```json
{
  "success": false,
  "error": "Error message describing what went wrong"
}
```
Dependencies
- Requires access to a SOAR API endpoint that supports creating related information via HTTP POST.
- Needs an API authentication token stored as an n8n credential to authorize requests; keep the token in the credential rather than in a workflow expression or in the URL.
- The node sends requests with an Authorization header carrying the token as a bearer token, so the API URL should use HTTPS to avoid exposing it in transit.
- The API endpoint URL must be provided as an input property.
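The following is an added example, not the node's own source code, that reproduces what the node does end to end: it validates the Type/Sub Type pair locally, builds the POST with a bearer token in the Authorization header, and emits one success/response/caseCode or success/error object per input item, honouring Continue On Fail. The endpoint path `/cases/{caseCode}/related-info`, the JSON body field names, and the `fakePost` stand-in for the SOAR API are assumptions made for illustration; the real path and body must come from your SOAR vendor's API docs.

```javascript
// Added example: mirrors the node's request and output shape with an injected
// HTTP function so it runs offline. Path and body field names are assumptions.

const SUB_TYPES = {
  INDICATOR: ['DOMAIN', 'EMAIL', 'HASH', 'IP', 'URL'],
  GROUP: ['CAMPAIGN', 'MALWARE', 'THREAT_ACTOR'],
  VICTIM: ['ACCOUNT', 'COMPUTER', 'WEBSITE'],
};

// Reject missing parameters and unsupported type/subtype pairs before the
// request is sent, rather than relying on the API to return an error.
function validateItem(item) {
  for (const key of ['caseCode', 'type', 'subType', 'value']) {
    if (!item[key]) throw new Error(`Missing required parameter: ${key}`);
  }
  const subs = SUB_TYPES[item.type];
  if (!subs) throw new Error(`Unsupported type: ${item.type}`);
  if (!subs.includes(item.subType)) {
    throw new Error(`Unsupported sub type ${item.subType} for type ${item.type}`);
  }
  return item;
}

// Build the POST the node sends: bearer token in the Authorization header,
// JSON body with the related-info fields. The URL path is an assumption.
function buildRequest(apiUrl, token, item) {
  const base = apiUrl.replace(/\/+$/, '');
  const body = { type: item.type, subType: item.subType, value: item.value };
  if (item.tenancyCode) body.tenancyCode = item.tenancyCode;
  return {
    method: 'POST',
    url: `${base}/cases/${encodeURIComponent(item.caseCode)}/related-info`,
    headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
    body,
  };
}

// Process every input item and return one output object per item.
// `post(request)` must return { status, body } or throw; it is injected so
// the example runs without a live SOAR instance.
function runNode(items, { apiUrl, token, continueOnFail = false }, post) {
  const outputs = [];
  for (const raw of items) {
    try {
      const item = validateItem(raw);
      const res = post(buildRequest(apiUrl, token, item));
      if (res.status < 200 || res.status >= 300) {
        // Surface status code and body, as the node's error logging does.
        throw new Error(`SOAR API responded ${res.status}: ${JSON.stringify(res.body)}`);
      }
      outputs.push({ success: true, response: res.body, caseCode: item.caseCode });
    } catch (err) {
      if (!continueOnFail) throw err; // stop the workflow on the first failure
      outputs.push({ success: false, error: err.message });
    }
  }
  return outputs;
}

// Constructed stand-in for the SOAR API (not a real endpoint): requires a
// bearer token, knows only case CASE123, and 404s for anything else.
function fakePost(req) {
  if (!req.headers.Authorization.startsWith('Bearer ')) {
    return { status: 401, body: { message: 'unauthorized' } };
  }
  if (req.url.includes('/cases/CASE123/')) {
    return { status: 201, body: { id: 'ri-1', ...req.body } };
  }
  return { status: 404, body: { message: 'case not found' } };
}

// Constructed sample input: one valid item, one unknown case, one bad subtype.
const sampleItems = [
  { caseCode: 'CASE123', type: 'INDICATOR', subType: 'IP', value: '198.51.100.7' },
  { caseCode: 'NOPE', type: 'INDICATOR', subType: 'DOMAIN', value: 'example.test' },
  { caseCode: 'CASE123', type: 'GROUP', subType: 'IP', value: 'x' },
];

const results = runNode(
  sampleItems,
  { apiUrl: 'https://soar.example/api/', token: 'TOKEN', continueOnFail: true },
  fakePost,
);
console.log(JSON.stringify(results, null, 2));
```

With Continue On Fail enabled the run yields three objects: a success for CASE123, a failure carrying the 404 status and body for the unknown case, and a failure for the GROUP/IP mismatch that never reaches the API. With Continue On Fail disabled the same input throws on the second item and the workflow stops, which is the behaviour described under Troubleshooting.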
Troubleshooting
Common issues:
- An invalid or missing API token causes authorization failures (typically HTTP 401 or 403 from the API).
- An incorrect or unreachable SOAR API URL leads to network or DNS errors.
- Invalid case codes or unsupported Type/Sub Type combinations are rejected by the API.
- Missing required parameters (URL, Case Code, Type, Sub Type, Value) prevent the node from executing.
Error messages:
- Errors returned from the SOAR API are logged with the HTTP status code and response body.
- If the node is set to stop on failure, it throws an error and halts the workflow; with Continue On Fail enabled, it emits a `success: false` output object with the error message and continues with the next item.
Resolutions:
- Verify the API token and ensure it has permission to create related info on the target case (and tenancy, if applicable).
- Confirm the SOAR API URL is correct and reachable from the n8n environment (firewalls and egress rules included).
- Double-check the case code and Type/Sub Type values against the SOAR system's expected formats.
- Use the node's logged status code and response body to diagnose issues and adjust inputs accordingly.
Links and References
- SOAR Platform API Documentation: refer to your SOAR vendor's official API docs for detailed endpoint usage.
- n8n HTTP Request Node Documentation
- n8n Credentials Management