Get Incident Command Center Logs ‎

POST /Command/GetIncidentCommandCenterLogs

This command is designed to retrieve incident logs from the Command Center log.

READER NOTE

This API endpoint is available from version 16.9 onwards. If the API endpoint is unavailable, please contact D3 for assistance.

Request

Authentication: API keys or JSON web tokens (JWT)

Body Parameters

Parameter Name	Type	Required/Optional	Description
Username	`string`	Required	The username of your D3 SOAR account.
Site	`string`	Required	The D3 SOAR site to run the remote command.
Incident Number	`string`	Required	The incident number for which the Command Center log will be retrieved.
Log Type ID	`array<integer>`	Optional	This parameter is optional and is used to filter the type of command center log. If left empty, all types of logs will be retrieved by default. It sets the Log type ID. Below is a list that maps each Log Type ID to its corresponding name: 1: Task Results 2: Command Line Results 3: Messages 4: Changes of Incident Field 5: Other User Actions 6: System Notifications 7: Ad Hoc Tasks 13: Ad Hoc Tasks - Completed Tasks 8: Ad Hoc Tasks - Completed Tasks - Created by Me 9: Ad Hoc Tasks - Completed Tasks - Assigned to Me 14: Ad Hoc Tasks - Task Creation History 10: Artifact Action Results 11: Timeline Actions 12: Key Finding Actions Use the correct Log Type ID from this list to filter the desired Log type
Artifact Type ID	`array<integer>`	Optional	This parameter sets the artifact type and only affects the results when the log type is 'Artifact Action Results (logType: 10)'. If left empty, all types of artifact will be retrieved by default. It only supports system artifact types as a filter. Below is a list that maps each Artifact Type ID to its corresponding name: 0: Unknown 1: Internal Endpoint 2: External Endpoint 3: URL 4: File 5: User 6: Email Address 7: Process 8: Service 9: Module 10: Driver 11: Signature 12: Certificate 13: Registry 14: Vulnerability 15: Username 16: Filename 17: File Hash SHA256 18: File Hash MD5 19: File Hash SHA1 20: Process Guid 21: Signature Identity 22: Host Name 23: Internal Endpoint Domain Name 24: Internal IP 25: External Endpoint Domain Name 26: External IP 27: Registry Key Use the correct Artifact Type ID from this list to filter the desired artifact type.

Body Sample Data

application/json

JSON

{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Incident Number": "20200527-244",
    "Log Type ID": [
      1,
      2
    ],
    "Artifact Type ID": [
      10,
      11
    ]
  }
}

Response

200 OK

application/json

Response Fields

Field Name	Type	Description
error	`string`	The error message if the API request has failed.
returnData	`JSON Object`	The return data from the API request.

Sample Data

CODE

{
    "error": "",
    "returnData": {
        "Status": "Successful",
        "Data": [
            {
                "LogId": 12275,
                "LogTypeName": "Other User Actions",
                "LogTypeId": 5,
                "LogTime": "Tuesday 03/05/2024 02:14 PM PST",
                "UserName": "Admin ****",
                "LogContent": "Playbook (<span class=\"cc-playbook\">test0***</span>) is <span class=\"cc-action\">added to current incident</span> by <span class=\"cc-user\">Admin ****<span>.",
                "TaskId": -1,
                "TaskTypeIsIntegration": 0,
                "TaskName": ""
            },
            {
                "LogId": 266,
                "LogTypeName": "Other User Actions",
                "LogTypeId": 5,
                "LogTime": "Friday 05/12/2023 05:01 PM PST",
                "UserName": "Admin ****",
                "LogContent": "Current incident is set as <span class=\"cc-action\">On Hold</span> by <span class=\"cc-user\">Admin ****</span>.",
                "TaskId": -1,
                "TaskTypeIsIntegration": 0,
                "TaskName": ""
            },
            {
                "LogId": 159,
                "LogTypeName": "Other User Actions",
                "LogTypeId": 5,
                "LogTime": "Wednesday 10/27/2021 04:02 PM PST",
                "UserName": "Admin ****",
                "LogContent": "Playbook (<span class=\"cc-playbook\">Email Protection - Phishing Playbook</span>) is <span class=\"cc-action\">added to current incident</span>.",
                "TaskId": -1,
                "TaskTypeIsIntegration": 0,
                "TaskName": ""
            }
        ]
    }
}

400 BadRequest

application/json

Response Fields

Field Name	Type	Description
Error	`string`	A error message when the API request fails.

Sample Data

JSON

{"Error": "The body of the request must be a valid JSON object"}

401 Unauthorized

application/json

Response Fields

Field Name	Type	Description
Error	`string`	A error message when the API request fails.

Sample Data

JSON

{"Error": "Invalid authentication key."}

429 TooManyRequests

application/json

Response Fields

Field Name	Type	Description
Error	`string`	A error message when the API request fails.

Sample Data

JSON

{"Error": "The request exceeds rate limits or is otherwise blocked by rate limiting policies."}

500 InternalServerError

application/json

Response Fields

Field Name	Type	Description
Error	`string`	A error message when the API request fails.

Sample Data

JSON

{"Error": "Unexpected Error."}