Get Incidents
POST /Command/GetIncidents
Gets a list of filtered incidents with specified fields.
Request
Authentication: API keys or JSON web tokens (JWT)
Body Parameters
Parameter Name | Type | Required/Optional | Description |
---|---|---|---|
Username | | Required | The username of the D3 SOAR user account making the request. |
Site | | Required | The D3 SOAR site containing the desired incidents to retrieve with the request. |
Filter | | Optional | The list of criteria, each containing one or more JSON object conditions, used to filter incidents. For non-dynamic "field" values, refer to the sample data for the following Static Fields input parameter. |
Static Fields | | Optional | The static incident fields to be included in the results. Default fields will be selected for each resulting incident if the Static Fields input is left empty. The static fields "Date Created," "Date Modified" and "Date Closed" are in UTC time. |
Dynamic Fields | | Optional | The dynamic incident fields to be included in the results. A key in the JSON object is the user-specified Section name of a dynamic field (i.e. incident form). The value (string array) corresponding to a key is the user-specified Activity or Info Activity name within the section. |
Start Time | | Required | The start time (in UTC) for retrieving incidents, based on the "Date Created" field of the incident. |
End Time | | Required | The end time (in UTC) for retrieving incidents, based on the "Date Created" field of the incident. |
Output Format | | Optional | Allows users to choose the format in which to present incident data. Available options are: |
Page Index | | Optional | A page of incident records. The default page index is 0, indicating the first page. For example, if there exist 50 incidents, and the Page Size (the following parameter) is set to 49, and the Page Index is set to 1 (the second page), only one incident will be displayed. |
Page Size | | Optional | The number of incident records to display within a page, ranging from 1 to 1000. If the page size is greater than zero, a "TotalPages" property will be displayed within the Key Fields tab in the output. |
Sort Field | | Optional | The name of the static or dynamic field by which to sort the results. Formatting requirements are as follows: Sorting is only supported if the field is included in the Static Fields or Dynamic Fields parameter. Nested dynamic fields beyond one level are not supported. Fields containing a period (.) in their name are not supported (except for Incident No.). |
Sort Order | | Optional | The order in which the results are sorted. This parameter is used in conjunction with Sort Field to control the sort behaviour. |
READER NOTE
Static Fields represents an input parameter as an array of strings. Each field in this array is optional. If you include these fields, the response will contain the specified fields. The fields are:
IR Number, IR Type, Title, Status, Severity, Stage, Priority, Disposition, Tags, Owner, Creator, Timezone, Date Created, Date Modified, Playbook, Description, Conclusion, Investigation Team, Linked Incidents, Incident Raw Data, Event Raw Data
READER NOTE
The fields Incident Raw Data and Event Raw Data can contain large amounts of data. Use these fields cautiously and consider using pagination input parameters (page index and page number) to manage the data volume efficiently.
READER NOTE
For Date/Time parameters Start Time and End Time, all times and timestamps must follow the format: yyyy-mm-dd hh:mm:ss.
e.g. May 15, 2024, 2:32 PM should be written as 2024-05-15 14:32:00.
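A pre-flight check for the constraints documented above (required parameters, the time format, the Page Size range and the Sort Field rules), as an added example that is not part of D3's documentation. It assumes the JSON body keys are the parameter names from the table; `validate_request`, `records_on_page` and the sample values are hypothetical.

```python
from datetime import datetime

# Assumption: JSON keys mirror the parameter names in the table above.
TIME_FORMAT = "%Y-%m-%d %H:%M:%S"  # yyyy-mm-dd hh:mm:ss, interpreted as UTC
REQUIRED = ("Username", "Site", "Start Time", "End Time")

def _is_valid_time(value):
    """Strict match: parse, then require the round trip to be identical."""
    try:
        return datetime.strptime(value, TIME_FORMAT).strftime(TIME_FORMAT) == value
    except (TypeError, ValueError):
        return False

def validate_request(body):
    """Return a list of problems in a GetIncidents body (empty list = OK)."""
    problems = [f"missing required parameter: {k}" for k in REQUIRED if not body.get(k)]
    for key in ("Start Time", "End Time"):
        if body.get(key) and not _is_valid_time(body[key]):
            problems.append(f"{key} must be formatted as yyyy-mm-dd hh:mm:ss")
    size = body.get("Page Size")
    if size is not None and not (isinstance(size, int) and 1 <= size <= 1000):
        problems.append("Page Size must be between 1 and 1000")
    sort = body.get("Sort Field")
    if sort:
        # Sorting needs the field to be requested in Static or Dynamic Fields.
        selected = set(body.get("Static Fields") or [])
        for names in (body.get("Dynamic Fields") or {}).values():
            selected.update(names)
        if "." in sort and sort != "Incident No.":
            problems.append("Sort Field must not contain a period")
        elif sort not in selected:
            problems.append("Sort Field is not among the requested fields")
    return problems

def records_on_page(total, page_index, page_size):
    """How many incidents the zero-based page_index holds."""
    return max(0, min(page_size, total - page_index * page_size))

# Constructed sample body; the user and site names are placeholders.
SAMPLE_BODY = {
    "Username": "analyst1",
    "Site": "Example Site",
    "Start Time": "2024-05-15 00:00:00",
    "End Time": "2024-05-15 14:32:00",
    "Static Fields": ["IR Number", "Title", "Severity", "Date Created"],
    "Page Index": 0,
    "Page Size": 100,
    "Sort Field": "Date Created",
}
```

Running the check before sending lets a client reject a malformed time range or an unsortable field locally instead of interpreting a 400 BadRequest.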
Body Sample Data
Response
200 OK
400 BadRequest
401 Unauthorized
429 TooManyRequests
500 InternalServerError