Get Events‎

POST /Command/GetEvents

Gets a list of filtered events with specified fields.

Request

Authentication: API keys or JSON web tokens (JWT)

Body Parameters

Parameter Name	Type	Required/Optional	Description
Username	`string`	Required	The username of your D3 SOAR account.
Site	`string`	Required	The D3 SOAR site to run the remote command.
Filter	`arrays<array<JSON Object>>`	Optional	These condition queries filter data. Key "field" indicates the selected field in the event, key " operator " indicates the condition operator applied to the field and key "value" is the desired value. Valid values for key "field" are: ID, EventID, Type, RiskLevel, TimeofOccurrence, IntakeTime, Status, Datasource, Eventsource, EventFileName, LastEscalatedBy, Event Raw Data. "AND" logic applies between JSON objects in the same array, "OR" logic applies between different arrays. (Input must be in JSON format) Available operators: ["<",">","=","<=",">=","!=","LIKE","IS EMPTY","IS NOT EMPTY"]
Fields	`array<string>`	Optional	Select the event field keys to be displayed in the result. The keys available for selection are listed below. In the case of an empty input, only general keys will be selected for each resulting event. General keys are every key in the list below except for "Event Raw Data". (Input must be in JSON format)
Start Time	`string`	Required	The start of the date range for events. Based on 'IntakeTime' (UTC) of the event.
End Time	`string`	Required	The end of the date range for events. Based on 'Intake Time' (UTC) of the event.
Output Format	`integer`	Required	1 - CSV, 2 - JSON, 3 - CSV link, 4 - JSON link
Page Index	`integer`	Optional	The page number to receive results from. The default page index is 0. Note: if no value or 0 is given for both Page Index and Page Size, all events will be fetched.
Page Size	`integer`	Optional	The maximum number of incidents to fetch, ranges from 1 to 1000. If no value or 0 is given, a default page size of 100 will be applied. Note: if no value or 0 is given for both Page Index and Page Size, all events will be fetched.

READER NOTE

Fields represents an input parameter as an array of strings. Each field in this array is optional. If you include these fields, the response will contain the specified fields. The options are:

ID, EventID, Type, Tactic, Technique, RiskLevel, TimeofOccurrence, IntakeTime, Status, Description, Site, Datasource, Eventsource, Username, Sourceip, Targetip, Integrationconnection, EventFileName, LastEscalatedBy, Event Raw Data, LinkedIncidents

READER NOTE
The fields "Event Raw Data" can contain large amounts of data. Use these fields cautiously and consider using pagination input parameters (page index and page number) to manage the data volume efficiently.

READER NOTE

For Date/Time parameters Start Time, End Time:

All times and timestamps are in this format: yyyy-MM-dd HH:mm:ss.

For example, May 15, 2024, 2:32 PM should be 2024-05-15 14:32:00.

Body Sample Data

application/json

JSON

{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Filter": [
      [
        {
          "field": "Status",
          "operator": "=",
          "value": "Escalated"
        },
        {
          "field": "IntakeTime",
          "operator": ">=",
          "value": "2020-09-25 23:20:03.693"
        }
      ],
      [
        {
          "field": "RiskLevel",
          "operator": "=",
          "value": "High"
        }
      ]
    ],
    "Fields": [
      "ID",
      "EventID",
      "Type",
      "Tactic",
      "Technique",
      "RiskLevel",
      "TimeofOccurrence",
      "IntakeTime",
      "Status",
      "Description",
      "Site",
      "Datasource",
      "Eventsource",
      "Username",
      "Sourceip",
      "Targetip",
      "Integrationconnection",
      "EventFileName",
      "LastEscalatedBy",
      "Event Raw Data",
      "LinkedIncidents"
    ],
    "Start Time": "2020-01-06 01:30:00",
    "End Time": "2020-10-23 07:45:00",
    "Output Format": 2,
    "Page Index": 0,
    "Page Size": 100
  }
}

Response

200 OK

application/json

Response Fields

Field Name	Type	Description
error	`string`	The error message if the API request has failed.
keyFields	`JSON Object`	The key fields from the API request.
returnData	`string`	The return data from the API request.
rawData	`string`	The raw data from the API request.

Sample Data

JSON

{
  "error": "",
  "keyFields": {
    "Pagination": {
      "PageIndex": 0,
      "PageSize": 100,
      "TotalPages": 10
    }
  },
  "returnData": "Successful",
  "rawData": {
    "events": [
      {
        "ID": "4ea4cf0b-bdfe-ea11-bdc2-1062e50xxxx",
        "EventID": 60075,
        "Type": "DEVICE_PLUG",
        "Tactic": "Defense Evasion",
        "Technique": "Drive-by Compromise",
        "RiskLevel": "High",
        "TimeofOccurrence": null,
        "IntakeTime": "2020-09-24 23:24:09.640",
        "Status": "New",
        "Description": null,
        "Site": "APSOC",
        "Datasource": "McAfee ePolicy Orchestrator",
        "Eventsource": "Default Event Source",
        "Username": null,
        "Sourceip": null,
        "Targetip": null,
        "Integrationconnection": "Webhook",
        "EventFileName": null,
        "LastEscalatedBy": "admin user",
        "Event Raw Data": {
          "Body": {
            "BodyType": 0
          }
        }
      },
      {
        "ID": "e2c2e2cb-1693-eb11-92c1-9cebe82cxxxx",
        "EventID": 60078,
        "Type": "DEVICE_PLUG",
        "Tactic": "Execution",
        "Technique": "Timestomp",
        "RiskLevel": "High",
        "TimeofOccurrence": null,
        "IntakeTime": "2020-09-25 23:20:03.693",
        "Status": "Escalated",
        "Description": null,
        "Site": "APSOC",
        "Datasource": "McAfee ePolicy Orchestrator",
        "Eventsource": "Default Event Source",
        "Username": null,
        "Sourceip": null,
        "Targetip": null,
        "Integrationconnection": "Webhook",
        "EventFileName": null,
        "LastEscalatedBy": "admin user",
        "Event Raw Data": {
          "Body": {
            "BodyType": 0
          }
        }
      },
      {
        "ID": "97a4a84f-bdfe-ea11-bdc2-1062e502xxxx",
        "EventID": 60076,
        "Type": "DEVICE_PLUG",
        "Tactic": "Collection",
        "Technique": "Data from Removable Media",
        "RiskLevel": "High",
        "TimeofOccurrence": null,
        "IntakeTime": "2020-09-24 23:26:03.693",
        "Status": "Dismissed",
        "Description": null,
        "Site": "APSOC",
        "Datasource": "McAfee ePolicy Orchestrator",
        "Eventsource": "Default Event Source",
        "Username": null,
        "Sourceip": null,
        "Targetip": null,
        "Integrationconnection": "Webhook",
        "EventFileName": null,
        "LastEscalatedBy": "admin user",
        "Event Raw Data": {
          "Body": {
            "BodyType": 0
          }
        }
      }
    ]
  }
}

400 BadRequest

application/json

Response Fields

Field Name	Type	Description
Error	`string`	A error message when the API request fails.

Sample Data

JSON

{"Error": "The body of the request must be a valid JSON object"}

401 Unauthorized

application/json

Response Fields

Field Name	Type	Description
Error	`string`	A error message when the API request fails.

Sample Data

JSON

{"Error": "Invalid authentication key."}

429 TooManyRequests

application/json

Response Fields

Field Name	Type	Description
Error	`string`	A error message when the API request fails.

Sample Data

JSON

{"Error": "The request exceeds rate limits or is otherwise blocked by rate limiting policies."}

500 InternalServerError

application/json

Response Fields

Field Name	Type	Description
Error	`string`	A error message when the API request fails.

Sample Data

JSON

{"Error": "Unexpected Error."}