Search Incident‎ | docs.d3security

POST /Command/SearchIncident

Search incidents based on the given search criteria.

Request

Authentication: API keys or JSON web tokens (JWT)

Body Parameters

Parameter Name	Type	Required/Optional	Description
Username	`string`	Required	The username of your D3 SOAR account.
Site	`string`	Required	The D3 SOAR site to run the remote command.
Site Name	`string`	Optional	The site to search incident in. If left empty, will search across all internal sites if the runtime site is an internal site, otherwise will use the current runtime site.
Incident Type	`string`	Optional	The type of the incidents.
Start Time UTC	`string`	Optional	The earliest UTC report time of incidents.
End Time UTC	`string`	Optional	The latest UTC report time of incidents.
Status	`string`	Optional	The status of the incidents.
Wildcard Search	`string`	Optional	A general search string for incidents.
Username	`string`	Optional	The username of user who accesses the incidents. This username will only be used when the task auto-runs. If left empty, will default to the system user. Must not be empty or use the system user if searching across all internal sites.
Top Number	`number`	Optional	Specify the number of records to return. The default value is 100.

READER NOTE

For Date/Time parameters Start Time UTC and End Time UTC, all times and timestamps must follow the format: yyyy-mm-dd hh:mm:ss.

e.g. May 15, 2024, 2:32 PM should be written as 2024-05-15 14:32:00.

Body Sample Data

application/json

{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Site Name": "Security Operations",
    "Incident Type": "Playbook - CryptoCurrency",
    "Start Time UTC": "2021-01-26 00:00:00",
    "End Time UTC": "2021-01-27 00:00:00",
    "Status": "Open",
    "Wildcard Search": "20210128-216",
    "Username": "admin user",
    "Top Number": null
  }
}

Response

200 OK

application/json

Field Name	Type	Description
error	`string`	The error message if the API request has failed.
returnData	`array<string>`	The return data from the API request.
contextData	`array<JSON Object>`	The context data from the API request.

{
    "error": "",
    "returnData": [
      "20210128-216"
    ],
    "contextData": [
      {
          "Incident Number": "20210128-216",
          "Incident Site": "Security Operations",
          "Incident Type": "Playbook - CryptoCurrency",
          "Incident Title": "Use Case DLP",
          "Incident Report Date UTC": "2021-01-26 12:45:29.000",
          "Incident Status": "Open",
          "Incident Owner": "admin user"
      }
    ]
}

401 Unauthorized

application/json

Response Fields

Field Name	Type	Description
Error	`string`	A error message when the API request fails.

Sample Data

{"Error": "Invalid authentication key."}

429 TooManyRequests

application/json

Response Fields

Field Name	Type	Description
Error	`string`	A error message when the API request fails.

Sample Data

{"Error": "The request exceeds rate limits or is otherwise blocked by rate limiting policies."}

500 InternalServerError

application/json

Response Fields

Field Name	Type	Description
Error	`string`	A error message when the API request fails.

Sample Data

{"Error": "Unexpected Error."}