Skip to main content
Skip table of contents

Search Incident‎

POST /Command/SearchIncident

Search incidents based on the given search criteria.

Request

Authentication: API keys or JSON web tokens (JWT)

Body Parameters

Parameter Name

Type

Required/Optional

Description

Username

string

Required

The username of your D3 SOAR account.

Site

string

Required

The D3 SOAR site to run the remote command.

Site Name

string

Optional

The site to search incident in. If left empty, will search across all internal sites if the runtime site is an internal site, otherwise will use the current runtime site.

Incident Type

string

Optional

The type of the incidents.

Start Time UTC

string

Optional

The earliest UTC report time of incidents.

End Time UTC

string

Optional

The latest UTC report time of incidents.

Status

string

Optional

The status of the incidents.

Wildcard Search

string

Optional

A general search string for incidents.

Username

string

Optional

The username of user who accesses the incidents. This username will only be used when the task auto-runs. If left empty, will default to the system user. Must not be empty or use the system user if searching across all internal sites.

Top Number

number

Optional

Specify the number of records to return. The default value is 100.

READER NOTE

For Date/Time parameters Start Time UTC and End Time UTC, all times and timestamps must follow the format: yyyy-mm-dd hh:mm:ss.

  • e.g. May 15, 2024, 2:32 PM should be written as 2024-05-15 14:32:00.

Body Sample Data

application/json
CODE 
{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Site Name": "Security Operations",
    "Incident Type": "Playbook - CryptoCurrency",
    "Start Time UTC": "2021-01-26 00:00:00",
    "End Time UTC": "2021-01-27 00:00:00",
    "Status": "Open",
    "Wildcard Search": "20210128-216",
    "Username": "admin user",
    "Top Number": null
  }
}

Response

200 OK

application/json

Field Name

Type

Description

error

string

The error message if the API request has failed.

returnData

array<string>

The return data from the API request.

contextData

array<JSON Object>

The context data from the API request.

CODE 
{
    "error": "",
    "returnData": [
      "20210128-216"
    ],
    "contextData": [
      {
          "Incident Number": "20210128-216",
          "Incident Site": "Security Operations",
          "Incident Type": "Playbook - CryptoCurrency",
          "Incident Title": "Use Case DLP",
          "Incident Report Date UTC": "2021-01-26 12:45:29.000",
          "Incident Status": "Open",
          "Incident Owner": "admin user"
      }
    ]
}

401 Unauthorized

application/json

Response Fields

Field Name

Type

Description

Error

string

A error message when the API request fails.

Sample Data

CODE 
{"Error": "Invalid authentication key."}

429 TooManyRequests

application/json

Response Fields

Field Name

Type

Description

Error

string

A error message when the API request fails.

Sample Data

CODE 
{"Error": "The request exceeds rate limits or is otherwise blocked by rate limiting policies."}

500 InternalServerError

application/json

Response Fields

Field Name

Type

Description

Error

string

A error message when the API request fails.

Sample Data

CODE 
{"Error": "Unexpected Error."}
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close