Get Incident Timeline Entries‎

POST /Command/GetIncidentTimelineEntries

This command retrieves the timeline entries of an incident and additionally gathers associated metadata, providing a comprehensive overview of the incident's chronological events and relevant details.

Request

Authentication: API keys or JSON web tokens (JWT)

Body Parameters

Parameter Name	Type	Required/Optional	Description
Username	`string`	Required	The username of your D3 SOAR account.
Site	`string`	Required	The D3 SOAR site to run the remote command.
Incident Number	`string`	Required	The incident number for which the timeline entries will be retrieved.
Filter	`string`	Optional	The filter selectively displays entries by searching specific fields, such as Author, event times, summary, notes, description, risk name, and event type, for terms matching the defined criteria.
Sort Order	`string`	Optional	The sort order specifies how data is arranged in a timeline, either in ascending order from earliest to latest, or in descending order from latest to earliest.

Body Sample Data

application/json

CODE

{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Incident Number": "20200527-244",
    "Filter": "admin",
    "Sort Order": "ASC"
  }
}

Response

200 OK

application/json

Field Name	Type	Description
error	`string`	The error message if the API request has failed.
returnData	`JSON Object`	The return data from the API request.

CODE

{
    "error": "",
    "returnData": {
        "Status": "Successful",
        "Data": [
            {
                "TimelineID": 66,
                "Time": "2024-05-22 17:02:53",
                "Summary": "Unauthorized data access detected",
                "Note": "Multiple login attempts from unusual IP addresses",
                "EventType": "Security Breach",
                "Tactic": [
                    "Initial Access"
                ],
                "Technique": [
                    "Brute Force",
                    "Valid Accounts"
                ],
                "RiskLevel": "High",
                "Description": "Anomalous login patterns were identified, indicating a possible brute force attack targeting admin accounts.",
                "Author": "Admin User"
            },
            {
                "TimelineID": 67,
                "Time": "2024-05-22 18:15:30",
                "Summary": "Malware installation attempt",
                "Note": "Suspicious file download detected from phishing email",
                "EventType": "Malware",
                "Tactic": [
                    "Execution"
                ],
                "Technique": [
                    "Malicious File",
                    "Scripting"
                ],
                "RiskLevel": "Critical",
                "Description": "A phishing email prompted the user to download a file, which was detected as malware by antivirus software.",
                "Author": "Security Analyst"
            },
            {
                "TimelineID": 68,
                "Time": "2024-05-22 19:45:10",
                "Summary": "Data exfiltration detected",
                "Note": "Large volumes of data transferred to an external IP",
                "EventType": "Data Breach",
                "Tactic": [
                    "Exfiltration"
                ],
                "Technique": [
                    "Automated Exfiltration",
                    "Exfiltration Over Web Service"
                ],
                "RiskLevel": "High",
                "Description": "An unusual spike in outbound data traffic was observed, indicating possible data exfiltration to an external server.",
                "Author": "Incident Response Team"
            }
        ]
    }
}

401 Unauthorized

application/json

Response Fields

Field Name	Type	Description
Error	`string`	A error message when the API request fails.

Sample Data

CODE

{"Error": "Invalid authentication key."}

429 TooManyRequests

application/json

Response Fields

Field Name	Type	Description
Error	`string`	A error message when the API request fails.

Sample Data

CODE

{"Error": "The request exceeds rate limits or is otherwise blocked by rate limiting policies."}

500 InternalServerError

application/json

Response Fields

Field Name	Type	Description
Error	`string`	A error message when the API request fails.

Sample Data

CODE

{"Error": "Unexpected Error."}