Get Events
POST /Command/GetEvents
Gets a list of filtered events with specified fields.
Request
Authentication: API keys or JSON web tokens (JWT)
Body Parameters
Parameter Name | Type | Required/Optional | Description |
---|---|---|---|
Username | | Required | The username of the D3 SOAR user account making the request. |
Site | | Required | The D3 SOAR site containing the desired incidents to retrieve with the request. |
Filter | | Optional | The array of criteria, each containing one or more JSON object conditions, used to filter events. |
Fields | | Optional | The event fields to include in the response data. If no fields are specified, the default fields displayed are all those listed in the Sample Data, except for "Event Raw Data." |
Start Time | | Required | The start time (in UTC) for retrieving events. The time range is based on event intake time rather than the time of occurrence. The API requires the format yyyy-MM-dd HH:mm:ss (e.g., 2024-08-22 00:00:00). |
End Time | | Required | The end time (in UTC) for retrieving events. The time range is based on event intake time rather than the time of occurrence. The API requires the format yyyy-MM-dd HH:mm:ss (e.g., 2024-08-22 00:00:00). |
Output Format | | Required | Allows users to choose the format in which to present event data. Available options are: |
Page Index | | Optional | The page number to view a subset of events. For example, if there are 50 events, the Page Size (the following parameter) is set to 49, and the Page Index is set to 1 (the second page), only one event will be displayed. The default page index is 0, indicating the first page. |
Page Size | | Optional | The maximum number of event records to fetch, ranging from 1 to 1000. For example, if there are 50 events, the Page Size is set to 49, and the Page Index (the previous parameter) is set to 1 (the second page), only one event will be displayed. If the page size is greater than zero, a "TotalPages" property will be displayed within the Key Fields tab in the output. |
Sort Field | | Optional | The field by which the results are sorted. Users can specify any field listed in the Fields parameter (e.g., |
Sort Order | | Optional | The order in which the results are sorted. This parameter is used in conjunction with Sort Field to control the sort behaviour. |
READER NOTE
The Fields parameter is an array of strings. Each entry in the array is optional; the response contains only the fields you include. The available options are:
ID, EventID, Type, Tactic, Technique, RiskLevel, TimeofOccurrence, IntakeTime, Status, Description, Site, Datasource, Eventsource, Username, Sourceip, Targetip, Integrationconnection, EventFileName, LastEscalatedBy, Event Raw Data, LinkedIncidents
READER NOTE
The "Event Raw Data" field can contain large amounts of data. Use this field cautiously and consider using the pagination input parameters (Page Index and Page Size) to manage the data volume efficiently.
READER NOTE
For the Date/Time parameters Start Time and End Time:
All times and timestamps are in this format: yyyy-MM-dd HH:mm:ss.
For example, May 15, 2024, 2:32 PM should be 2024-05-15 14:32:00.
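The parameter table and the reader notes above describe the input contract for GetEvents (UTC timestamps in yyyy-MM-dd HH:mm:ss form, a Page Size of 1 to 1000, the selectable Fields, and TotalPages-driven paging). The following Python client helper is an added example and is not D3's own code. It assumes that the JSON body keys are the documented parameter names with the spaces removed ("StartTime", "PageIndex", and so on), that the response carries the page's events under an "Events" key, and that the API key or JWT is sent as a bearer Authorization header; those three details are not on this page and would come from the Body Sample Data and the authentication reference.

```python
"""Helpers for calling D3 SOAR's POST /Command/GetEvents from Python.

Added example, not D3's own client code. Assumed (not confirmed by the doc
page): body keys are the parameter names without spaces, the response lists
events under "Events", and the token goes in a bearer Authorization header.
TotalPages, the parameter names, the 1..1000 page-size range and the
yyyy-MM-dd HH:mm:ss time format come from the documentation.
"""
import json
import urllib.request
from datetime import datetime, timezone
from typing import Callable, Iterator, Optional

D3_TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # yyyy-MM-dd HH:mm:ss, always UTC
MAX_PAGE_SIZE = 1000

# The selectable event fields listed in the reader note.
ALLOWED_FIELDS = frozenset({
    "ID", "EventID", "Type", "Tactic", "Technique", "RiskLevel",
    "TimeofOccurrence", "IntakeTime", "Status", "Description", "Site",
    "Datasource", "Eventsource", "Username", "Sourceip", "Targetip",
    "Integrationconnection", "EventFileName", "LastEscalatedBy",
    "Event Raw Data", "LinkedIncidents",
})


def format_d3_time(dt: datetime) -> str:
    """Render a datetime in the API's format. The API reads every timestamp
    as UTC, so aware datetimes are converted and naive ones are taken as UTC."""
    if dt.tzinfo is not None:
        dt = dt.astimezone(timezone.utc)
    return dt.strftime(D3_TIME_FORMAT)


def build_get_events_body(username: str, site: str, start: datetime,
                          end: datetime, output_format: str,
                          fields: Optional[list] = None,
                          filter_: Optional[list] = None,
                          page_index: int = 0, page_size: int = 100,
                          sort_field: Optional[str] = None,
                          sort_order: Optional[str] = None) -> dict:
    """Validate inputs client-side and assemble the request body.

    Rejecting bad input here avoids spending requests (and rate-limit budget,
    see 429 TooManyRequests) on calls that can only return 400 BadRequest."""
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError(f"Page Size must be 1..{MAX_PAGE_SIZE}, got {page_size}")
    if page_index < 0:
        raise ValueError("Page Index must be 0 or greater")
    if end <= start:
        raise ValueError("End Time must be after Start Time")
    unknown = set(fields or ()) - ALLOWED_FIELDS
    if unknown:
        raise ValueError(f"unknown Fields: {sorted(unknown)}")
    if sort_field is not None and sort_field not in ALLOWED_FIELDS:
        raise ValueError(f"Sort Field {sort_field!r} is not a selectable field")

    body = {  # key names are an assumption (see module docstring)
        "Username": username,
        "Site": site,
        "StartTime": format_d3_time(start),
        "EndTime": format_d3_time(end),
        "OutputFormat": output_format,
        "PageIndex": page_index,
        "PageSize": page_size,
    }
    # Optional parameters are sent only when set, so server defaults apply.
    if fields:
        body["Fields"] = list(fields)
    if filter_:
        body["Filter"] = list(filter_)
    if sort_field:
        body["SortField"] = sort_field
        if sort_order:
            body["SortOrder"] = sort_order
    return body


def iter_all_events(send: Callable[[dict], dict], body: dict) -> Iterator[dict]:
    """Yield every event by walking PageIndex from the body's start page up to
    TotalPages - 1. `send` posts one body and returns the parsed JSON; passing
    it in keeps the paging logic testable without network access."""
    page = body.get("PageIndex", 0)
    while True:
        resp = send(dict(body, PageIndex=page))
        yield from resp.get("Events", [])  # "Events" key is an assumption
        total_pages = resp.get("TotalPages")
        page += 1
        if total_pages is None or page >= total_pages:
            break


def make_http_sender(base_url: str, token: str,
                     timeout: float = 30.0) -> Callable[[dict], dict]:
    """Return a `send` that POSTs to /Command/GetEvents with the API key or
    JWT in a bearer Authorization header (header name assumed)."""
    def send(body: dict) -> dict:
        req = urllib.request.Request(
            base_url.rstrip("/") + "/Command/GetEvents",
            data=json.dumps(body).encode("utf-8"),
            headers={"Content-Type": "application/json",
                     "Authorization": f"Bearer {token}"},
            method="POST")
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    return send
```

Typical use is `body = build_get_events_body(...)` followed by `for event in iter_all_events(make_http_sender(url, token), body)`. Keeping "Event Raw Data" out of `fields` unless it is needed, and choosing a modest `page_size`, follows the reader note about data volume; the paging loop stops as soon as a response lacks TotalPages, so a server that omits it (page size not greater than zero) is handled rather than looped on forever.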
Body Sample Data
Response
200 OK
400 BadRequest
401 Unauthorized
429 TooManyRequests
500 InternalServerError