CrowdStrike Falcon LogScale (Humio)

LAST UPDATED: 09/24/2024

Overview

CrowdStrike Falcon LogScale (formerly known as Humio) is a log management system. The integration covers the LogScale operations most commonly used, such as creating, deleting, and listing alerts; creating, deleting, and stopping Query Jobs; and creating, listing, and getting actions.

D3 SOAR provides REST operations to work with LogScale.

LogScale is available for use in:

D3 SOAR

V12.7.0+

Category

SIEM XDR

Deployment Options

Option II, Option IV

Connection

To connect to LogScale from D3 SOAR, collect the information listed below:

Parameter

Description

Example

API Token

The API token to use for authenticating the connection.

r8sP*****OV1b

Server URL

The LogScale URL.

https://cloud.us.humio.com

API Version

The version of the API to use for the connection.

v1

Permission Requirements

Each endpoint in the LogScale API requires a certain permission scope. The following are required scopes for the commands in this integration:

Command

Required Permissions

Create Alert(GraphQL)

Triggers and actions > Change triggers

Create Email Action(GraphQL)

Triggers and actions > Change actions

Create Query Job

Data access > Data read access

Create Webhook Action(GraphQL)

Triggers and actions > Change actions

Delete Actions(GraphQL)

Triggers and actions > Change actions

Delete Alerts(GraphQL)

Triggers and actions > Change triggers

Fetch Event

Data access > Data read access

Get Actions By IDs(GraphQL)

Triggers and actions > Change actions

Get Alerts By IDs(GraphQL)

Data access > Data read access

List Actions(GraphQL)

Triggers and actions > Change actions

List Alerts(GraphQL)

Data access > Data read access

List Repository and View Names

Data access > Data read access

Poll Query Job

Data access > Data read access

Stop Query Job

Data access > Data read access

Test Connection

Data access > Data read access

LogScale's role-based access control (RBAC) model enables authorization of users based on roles with different sets of permissions. LogScale distinguishes between authentication, which establishes the identity of the user, and authorization, which decides what actions an authenticated user may perform. For more information, see Manage users & permissions | Falcon LogScale Cloud 1.143.0-1.156.0 | LogScale Documentation (humio.com).

Configuring LogScale to Work with D3 SOAR

  1. Log in to CrowdStrike Falcon LogScale.

  2. Navigate to the Manage your account dashboard.

    a. Click on the user icon on the top right corner of the portal.

    b. Click on the Manage your account option in the dropdown menu.

  3. Generate the API token.

    a. Click on the Personal API token left sidebar option.

    b. Click on the Reset token button.

    c. Click on the Copy button, then paste the API token into D3 vSOC. Refer to step 3, sub-step 9 (System), item 2 of the Configuring D3 SOAR to Work with LogScale section.

Configuring D3 SOAR to Work with LogScale

  1. Log in to D3 SOAR.

  2. Find the LogScale integration.

    1. Navigate to Configuration on the top header menu.

    2. Click on the Integration icon on the left sidebar.

    3. Type LogScale in the search box to find the integration, then click it to select it.

    4. Click + Connection, on the right side of the Connections section. A new connection window will appear.

  3. Configure the following fields to create a connection to LogScale.

    1. Connection Name: The desired name for the connection.

    2. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.

    3. Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.

    4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

    5. Description (Optional): Add your desired description for the connection.

    6. Tenant (Optional): When configuring the connection from a master tenant site, you have the option to choose the specific tenant sites you want to share the connection with. Once you enable this setting, you can filter and select the desired tenant sites from the dropdowns to share the connection.

    7. Configure User Permissions: Defines which users have access to the connection.

    8. Active: Check the checkbox to ensure the connection is available for use.

    9. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.

      1. Input the Server URL. The default value is https://cloud.us.humio.com .

      2. Copy the API token from the LogScale platform. Refer to step 3c of the Configuring LogScale to Work with D3 SOAR section.

      3. Input the API Version. The default value is v1.

    10. Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.

      To set up a connection health check, check the Connection Health Check tick box. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.

    11. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Refer to the password vault connection guide if needed.

  4. Test the connection.

    1. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green check mark appear beside the Test Connection button. If the test connection fails, check your connection parameters and try again.

    2. Click OK to close the alert window.

    3. Click + Add to create and add the configured connection.

Commands

LogScale includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the LogScale API, refer to the LogScale API reference.

READER NOTE

Certain permissions are required for each command. Refer to the Permission Requirements and Configuring LogScale to Work with D3 SOAR sections for details.

Note for Time-related parameters

The input format of time-related parameters may vary based on your account settings. As a result, the sample data provided in our commands may differ from what you see. To set your preferred time format, follow these steps:

  1. Navigate to Configuration, then Application Settings, and select Date/Time Format.

  2. Choose your desired date and time format, then click on the Save button.

After that, you will be able to view your preferred time format when configuring the DateTime input parameters for commands.

Create Alert(GraphQL)

Creates an alert in LogScale.

READER NOTE

Repository Or View Name and Actions (Notifiers) are required parameters to run this command.

  • Run the List Repository and View Names command to obtain the Repository Or View Name. Repository or View names can be found in the raw data at the path $.data.searchDomains[*].name.

  • Run the List Actions command to obtain the Actions (Notifiers). Actions (Notifiers) can be found in the raw data at the path $.data.searchDomain.actions[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Repository Or View Name

Required

The name of the repository or view for which to create alerts. Repository Or View Name can be obtained using the List Repository and View Names command.

sandbox

Alert Name

Required

The name of the alert to be created.

TestAlert001

Query String

Required

Use a query string to refine the search condition. For example, to search for events containing "office" in the URL field, use "url=*office*." Refer to Query Filters | LogScale for details about using query filters.

url=*posts*

Query Start

Required

The start time of the alert. The format is a number followed by the units: hours (h), minutes (m), and/or days (d). For example, 1h means 1 hour ago. 2m means 2 minutes ago. 3d means 3 days ago.

24h

Actions (Notifiers)

Required

The ID(s) of action(s). Action IDs can be obtained using the List Actions command.

CODE
["JadY*****GMb9" ]

Throttle Time Millis

Optional

The minimum time, in milliseconds, between successive invocations of the alert's actions. By default, the value is 600000.

100000

Description

Optional

A description for the alert.

Test Humio alert919a

Labels

Optional

The values of the labels applied to the alert.

CODE
["Test Label"]
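
As an added example (not D3's integration code), the following Python builds the Create Alert(GraphQL) request from the inputs above, checks the Query Start format, and reads the AlertId key field from the response. The mutation text and the input type name are assumptions about the LogScale GraphQL schema; the sample response is constructed from this page's Raw Data sample with placeholder IDs.

```python
import json
import re
from typing import Any, Dict, List, Optional

# Added example, not D3's integration code. The mutation text and the input
# type name CreateAlert are assumptions about the LogScale GraphQL schema;
# the returned field names follow this page's Raw Data sample.

QUERY_START_RE = re.compile(r"^\d+[hmd]$")  # Query Start: number + h, m or d (e.g. 24h)
DEFAULT_THROTTLE_MS = 600000                # documented default for Throttle Time Millis

CREATE_ALERT_MUTATION = """
mutation CreateAlert($input: CreateAlert!) {
  createAlert(input: $input) {
    id displayName name description enabled queryString queryStart
    throttleTimeMillis actions labels runAsUser { fullName email }
  }
}
"""


def build_create_alert_request(
    view_name: str,
    alert_name: str,
    query_string: str,
    query_start: str,
    actions: List[str],
    throttle_time_millis: int = DEFAULT_THROTTLE_MS,
    description: str = "",
    labels: Optional[List[str]] = None,
) -> Dict[str, Any]:
    """Validate the command's inputs and return the JSON body for POST /graphql.
    Inputs travel as GraphQL variables, never spliced into the query text, so a
    query string such as url=*posts* cannot alter the mutation itself."""
    if not view_name or not alert_name:
        raise ValueError("Repository Or View Name and Alert Name are required")
    if not QUERY_START_RE.match(query_start):
        raise ValueError(f"Query Start must be <number><h|m|d>, got {query_start!r}")
    if not actions:
        raise ValueError("Actions (Notifiers) needs at least one action ID")
    if throttle_time_millis < 0:
        raise ValueError("Throttle Time Millis must not be negative")
    return {
        "query": CREATE_ALERT_MUTATION,
        "variables": {
            "input": {
                "viewName": view_name,
                "name": alert_name,
                "description": description,
                "queryString": query_string,
                "queryStart": query_start,
                "throttleTimeMillis": throttle_time_millis,
                "enabled": True,
                "actions": list(actions),
                "labels": list(labels or []),
            }
        },
    }


def auth_headers(api_token: str) -> Dict[str, str]:
    """Headers for the Connection section's API Token. Keep the token out of logs."""
    return {"Authorization": f"Bearer {api_token}", "Content-Type": "application/json"}


def alert_id_from_response(response: Dict[str, Any]) -> str:
    """Key Fields: AlertId is $.data.createAlert.id. GraphQL reports failures in
    an 'errors' array with HTTP 200, so check it before trusting 'data'."""
    if response.get("errors"):
        messages = "; ".join(e.get("message", "unknown error") for e in response["errors"])
        raise RuntimeError(f"Create Alert(GraphQL) failed. Message: {messages}")
    alert = (response.get("data") or {}).get("createAlert") or {}
    if not alert.get("id"):
        raise RuntimeError("Create Alert(GraphQL) failed. Message: no createAlert.id in response")
    return alert["id"]


# Constructed response shaped like this page's Raw Data sample (placeholder IDs).
SAMPLE_RESPONSE = {
    "data": {
        "createAlert": {
            "displayName": "TestAlert919a",
            "name": "TestAlert919a",
            "description": "Test Humio alert919a",
            "enabled": True,
            "queryString": "url=*posts*",
            "throttleTimeMillis": 100000,
            "id": "alert-id-placeholder",
            "actions": ["action-id-placeholder"],
            "queryStart": "24h",
            "labels": ["Test Label"],
        }
    }
}

if __name__ == "__main__":
    body = build_create_alert_request(
        "sandbox", "TestAlert001", "url=*posts*", "24h",
        ["action-id-placeholder"], 100000, "Test Humio alert919a", ["Test Label"],
    )
    print(json.dumps(body["variables"], indent=2))
    print("AlertId:", alert_id_from_response(SAMPLE_RESPONSE))
```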

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "data": {
        "createAlert": {
            "displayName": "TestAlert919a",
            "name": "TestAlert919a",
            "description": "Test Humio alert919a",
            "enabled": true,
            "queryString": "url=*posts*",
            "throttleTimeMillis": 100000,
            "id": "*****",
            "actions": [
                "*****"
            ],
            "runAsUser": {
                "fullName": "*****",
                "email": "*****"
            },
            "queryStart": "24h",
            "labels": [
                "Test Label Jon 202106300302"
            ]
        }
    }
}

Key Fields

SAMPLE DATA

JSON
{
  "AlertId": "*****"
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

displayName

TestAlert919a

name

TestAlert919a

description

Test Humio alert919a

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or by third-party API calls, including Failure Indicator, Status Code, and Message, which can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Alert(GraphQL) failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogScale portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: 400 Bad Request

Error Sample Data

Create Alert(GraphQL) failed.

Status Code: 403.

Message: 400 Bad Request

Create Email Action(GraphQL)

Creates an email action (formerly Notifier) in LogScale.

READER NOTE

Repository Or View Name is a required parameter to run this command.

  • Run the List Repository and View Names command to obtain the Repository Or View Name. Repository or View names can be found in the raw data at the path $.data.searchDomains[*].name.

Input

Input Parameter

Required/Optional

Description

Example

Repository or View Name

Required

The name of the repository or view for which to create Email Actions. Repository or view name can be obtained using the List Repository and View Names command.

sandbox

Action Name

Required

The name of the email action to be created.

Test Email Action 011

Recipients

Required

The email address(es) of the recipient(s).

CODE
[ "user1@example.com" ]

Subject Template

Optional

The template used for the email subject. To use variables in the subject, refer to New Webhook Action | LogScale. By default, the value is LogScale Alert Email.

LogScale Alert Email

Body Template

Optional

The template used for the email body. To use variables in the body, refer to New Webhook Action | LogScale. See the example for the default value.

JSON
{
  "repository":"{repo_name}",
  "timestamp":"{alert_triggered_timestamp}",
  "alert":{
    "name":"{alert_name}",
    "description":"{alert_description}",
    "query":{
      "queryString":"{query_string}",
      "end":"{query_time_end}",
      "start":"{query_time_start}"
    },
    "notifierID":"{alert_notifier_id}",
    "id":"{alert_id}"
  },
  "warnings":"{warnings}",
  "events":"{events}",
  "numberOfEvents":"{event_count}"
}

Use Proxy

Optional

Whether the action should use a configured proxy to make web requests. By default, the value is False.

False

Attach CSV

Optional

Whether the result should be attached as a CSV file. By default, the value is False.

True

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "data": {
        "createEmailAction": {
            "id": "*****",
            "name": "Test Email Action 011",
            "bodyTemplate": "repository:{repo_name} <br> timestamp: {alert_triggered_timestamp}",
            "recipients": [
                "user1@example.com"
            ],
            "subjectTemplate": "LogScale Alert Email",
            "useProxy": false,
            "attachCsv": true
        }
    }
}

Key Fields

SAMPLE DATA

JSON
{
  "ActionID": "*****",
  "ActionName": "Test Email Action 011"
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id

*****

name

Test Email Action 011

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or by third-party API calls, including Failure Indicator, Status Code, and Message, which can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Email Action(GraphQL) failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogScale portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: 400 Bad Request

Error Sample Data

Create Email Action(GraphQL) failed.

Status Code: 403.

Message: 400 Bad Request

Create Query Job

Creates a Query Job for LogScale.

READER NOTE

Repository Name is a required parameter to run this command.

  • Run the List Repository and View Names command to obtain the Repository Name. Repository names can be found in the raw data at the path $.data.searchDomains[*].name.

Input

Input Parameter

Required/Optional

Description

Example

Start Time

Required

The start time of the Query Job (in UTC).

2021-05-26 03:47:49.000

End Time

Required

The end time of the Query Job (in UTC).

2021-05-27 03:47:49.000

Query String

Optional

Use a query string to refine the search condition. For example, to search for events containing "office" in the URL field, use "url=*office*." Refer to Query Filters | LogScale for details about using query filters.

url=*office*

Repository Name

Required

The name of the repository to be used. Repository names can be obtained using the List Repository and View Names command.

sandbox

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "id": "*****",
    "queryOnView": "(query-program :hashfilter (str :v \"DELETE\" :in (field :f \"method\" :a both)) :map [(field-test :field \"method\" :test (str-eq : \"DELETE\"))])"
}

Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.
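
As an added example (not D3's integration code), this Python converts the Start Time and End Time inputs above (UTC) into the epoch milliseconds a query job needs, creates the job, polls it, and stops it if it does not finish within the poll budget. The /api/v1 paths, the response fields (id, done, events) and the injected transport are assumptions about the LogScale query jobs REST API, and the server replies are constructed.

```python
from datetime import datetime, timezone
from typing import Any, Callable, Dict, List
from urllib.parse import quote

# Added example, not D3's integration code. The paths under /api/v1 and the
# response fields (id, done, events) are assumptions about the LogScale query
# jobs REST API; the transport is a caller-supplied function so this runs offline.

API_VERSION = "v1"                        # the connection's API Version parameter
TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%f"      # page example: 2021-05-26 03:47:49.000

# A transport takes {"method", "path", "body"} and returns the parsed JSON reply.
Transport = Callable[[Dict[str, Any]], Dict[str, Any]]


def utc_to_epoch_ms(value: str) -> int:
    """Start Time / End Time are given in UTC; LogScale takes epoch milliseconds."""
    dt = datetime.strptime(value, TIME_FORMAT).replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def job_path(repository: str, job_id: str = "") -> str:
    """Path segments are percent-encoded so a repository name cannot add extra path parts."""
    path = f"/api/{API_VERSION}/repositories/{quote(repository, safe='')}/queryjobs"
    return f"{path}/{quote(job_id, safe='')}" if job_id else path


def build_create_query_job(repository: str, start: str, end: str, query_string: str = "") -> Dict[str, Any]:
    """Create Query Job request; an empty Query String matches everything ('*')."""
    if not repository:
        raise ValueError("Repository Name is required")
    start_ms, end_ms = utc_to_epoch_ms(start), utc_to_epoch_ms(end)
    if end_ms <= start_ms:
        raise ValueError("End Time must be later than Start Time")
    return {"method": "POST", "path": job_path(repository),
            "body": {"queryString": query_string or "*", "start": start_ms, "end": end_ms}}


def run_query_job(repository: str, start: str, end: str, query_string: str,
                  send: Transport, max_polls: int = 10) -> Dict[str, Any]:
    """Create, poll, and (if it never finishes) stop a query job, so no job is left
    running on the server after the playbook gives up."""
    created = send(build_create_query_job(repository, start, end, query_string))
    job_id = created["id"]                           # Key Fields: JobId
    path = job_path(repository, job_id)
    for _ in range(max_polls):
        status = send({"method": "GET", "path": path})
        if status.get("done"):
            return {"JobId": job_id, "events": status.get("events", []), "stopped": False}
    send({"method": "DELETE", "path": path})         # Stop Query Job
    return {"JobId": job_id, "events": [], "stopped": True}


def make_fake_logscale(done_after: int) -> Transport:
    """Constructed stand-in for the server: reports done after `done_after` polls."""
    state: Dict[str, Any] = {"polls": 0, "stopped": False, "created": None}

    def send(req: Dict[str, Any]) -> Dict[str, Any]:
        if req["method"] == "POST":
            state["created"] = req["body"]
            return {"id": "job-id-placeholder", "queryOnView": "(query-program ...)"}
        if req["method"] == "GET":
            state["polls"] += 1
            done = state["polls"] >= done_after
            events: List[Dict[str, str]] = [{"method": "DELETE", "statuscode": "401"}] if done else []
            return {"done": done, "events": events}
        if req["method"] == "DELETE":
            state["stopped"] = True
            return {}
        raise ValueError(f"unexpected method {req['method']}")

    send.state = state  # type: ignore[attr-defined]
    return send


if __name__ == "__main__":
    fake = make_fake_logscale(done_after=2)
    print(run_query_job("sandbox", "2021-05-26 03:47:49.000", "2021-05-27 03:47:49.000",
                        "method=DELETE", fake))
```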

Key Fields

SAMPLE DATA

JSON
{
  "JobId": "*****"
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

hashedQueryOnView

*****

id

*****

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or by third-party API calls, including Failure Indicator, Status Code, and Message, which can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Query Job failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogScale portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: 400 Bad Request

Error Sample Data

Create Query Job failed.

Status Code: 403.

Message: 400 Bad Request

Create Webhook Action(GraphQL)

Creates a webhook action (formerly Notifier). The HTTP method must be POST.

READER NOTE

Repository Or View Name is a required parameter to run this command.

  • Run the List Repository and View Names command to obtain the Repository Or View Name. Repository or View names can be found in the raw data at the path $.data.searchDomains[*].name.

Input

Input Parameter

Required/Optional

Description

Example

Repository or View Name

Required

The name of the repository or view for which to create a Webhook Action. Repository or view name can be obtained using the List Repository and View Names command.

sandbox

Action Name

Required

The name of the action to be created.

Test Webhook Action919

URL

Required

The URL to be used in the webhook.

*****

Headers

Optional

HTTP headers to add to the webhook action.

"Content-Type : application/json , AuthKey : 38pv*****ZVgQ"

Ignore SSL

Optional

Whether to ignore SSL certificate validation (allowInsecureSSL in the action's YAML) when calling the webhook URL. By default, the value is false.

False

Body Template

Optional

The body template to be used in the webhook action. To find all available variables, refer to New Webhook Action | LogScale. See the example for the default value.

JSON
{
  "repository":"{repo_name}",
  "timestamp":"{alert_triggered_timestamp}",
  "alert":{
    "name":"{alert_name}",
    "description":"{alert_description}",
    "query":{
      "queryString":"{query_string}",
      "end":"{query_time_end}",
      "start":"{query_time_start}"
    },
    "notifierID":"{alert_notifier_id}",
    "id":"{alert_id}"
  },
  "warnings":"{warnings}",
  "events":"{events}",
  "numberOfEvents":"{event_count}"
}

Use Proxy

Optional

Whether the action should use a configured proxy to make web requests. By default, the value is False.

False

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "data": {
        "createWebhookAction": {
            "displayName": "Test Webhook Action919",
            "url": "*****",
            "id": "*****",
            "yamlTemplate": "name: Test Webhook Action919\nendpoint: *****\nallowInsecureSSL: false\n$schema: *****\nmethod: POST\nbody: '{  \"repository\": \"{repo_name}\",  \"timestamp\": \"{alert_triggered_timestamp}\",  \"alert\":\n  {    \"name\": \"{alert_name}\",    \"description\": \"{alert_description}\",    \"query\":\n  {      \"queryString\": \"{query_string} \",      \"end\": \"{query_time_end}\",      \"start\":\n  \"{query_time_start}\"    },    \"notifierID\": \"{alert_notifier_id}\",    \"id\": \"{alert_id}\"\n  },  \"warnings\": \"{warnings}\",  \"events\": \"{events}\",  \"numberOfEvents\": {event_count}}'\nheaders:\n- header: Content-Type\n  value: application/json\n- header: APIKey\n  value: *****\ntype: webhook\n",
            "useProxy": false,
            "headers": [
                {
                    "header": "Content-Type",
                    "value": "application/json"
                },
                {
                    "header": "APIKey",
                    "value": "*****"
                }
            ],
            "ignoreSSL": false,
            "method": "POST",
            "package": null,
            "name": "Test Webhook Action919",
            "bodyTemplate": "{  \"repository\": \"{repo_name}\",  \"timestamp\": \"{alert_triggered_timestamp}\",  \"alert\": {    \"name\": \"{alert_name}\",    \"description\": \"{alert_description}\",    \"query\": {      \"queryString\": \"{query_string} \",      \"end\": \"{query_time_end}\",      \"start\": \"{query_time_start}\"    },    \"notifierID\": \"{alert_notifier_id}\",    \"id\": \"{alert_id}\" },  \"warnings\": \"{warnings}\",  \"events\": \"{events}\",  \"numberOfEvents\": {event_count}}"
        }
    }
}

Key Fields

SAMPLE DATA

JSON
{
  "ActionID": "*****",
  "ActionName": "Test Webhook Action919"
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id

*****

displayName

Test Webhook Action919

name

Test Webhook Action919

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or by third-party API calls, including Failure Indicator, Status Code, and Message, which can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Create Webhook Action(GraphQL) failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogScale portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: 400 Bad Request

Error Sample Data

Create Webhook Action(GraphQL) failed.

Status Code: 403.

Message: 400 Bad Request

Delete Actions(GraphQL)

Deletes actions in LogScale.

READER NOTE

Repository Or View Name and Action IDs are required parameters to run this command.

  • Run the List Repository and View Names command to obtain the Repository Or View Name. Repository or View names can be found in the raw data at the path $.data.searchDomains[*].name.

  • Run the List Actions command to obtain Actions IDs. Action IDs can be found in the raw data at the path $.data.searchDomain.actions[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Repository or View Name

Required

The name of the repository or view from which to delete actions. Repository or view name can be obtained using the List Repository and View Names command.

sandbox

Action IDs

Required

The ID(s) of the action(s) to be deleted. Action IDs can be obtained using the List Actions command.

CODE
["KjGR*****IJ4g" ]

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "Results": [
        {
            "ActionID": "*****",
            "data": {
                "deleteAction": true
            }
        }
    ]
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Deleted Actions Count

len($.Results)
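
As an added example (not D3's integration code), this Python deletes the given Action IDs one at a time and derives the Successful, Partially Successful or Failed Return Data state, the Results array of the Raw Data sample, and the Deleted Actions Count shown above. The deleteAction mutation text and its input type name are assumptions about the LogScale GraphQL schema; the transport is a constructed stand-in so the example runs offline.

```python
from typing import Any, Callable, Dict, List

# Added example, not D3's integration code. The deleteAction mutation text and
# its input type name are assumptions about the LogScale GraphQL schema; the
# transport is a caller-supplied function so the example runs offline.

DELETE_ACTION_MUTATION = """
mutation DeleteAction($input: DeleteActionInput!) {
  deleteAction(input: $input)
}
"""

# A transport posts one GraphQL body and returns the parsed JSON reply.
Transport = Callable[[Dict[str, Any]], Dict[str, Any]]


def delete_actions(view_name: str, action_ids: List[str], send: Transport) -> Dict[str, Any]:
    """Delete each action ID separately and aggregate the per-item outcomes into
    the command's Return Data state, Raw Data Results and error details."""
    if not view_name or not action_ids:
        raise ValueError("Repository or View Name and Action IDs are required")
    results: List[Dict[str, Any]] = []
    errors: List[Dict[str, str]] = []
    for action_id in action_ids:
        body = {"query": DELETE_ACTION_MUTATION,
                "variables": {"input": {"viewName": view_name, "id": action_id}}}
        try:
            reply = send(body)
        except Exception as exc:                       # connection issue / no response
            errors.append({"ActionID": action_id, "Message": str(exc)})
            continue
        deleted = (reply.get("data") or {}).get("deleteAction") is True
        if reply.get("errors") or not deleted:         # GraphQL errors arrive with HTTP 200
            message = "; ".join(e.get("message", "") for e in reply.get("errors", []))
            errors.append({"ActionID": action_id, "Message": message or "deleteAction returned false"})
            continue
        results.append({"ActionID": action_id, "data": {"deleteAction": True}})
    if not results:
        state = "Failed"                               # nothing was deleted
    elif errors:
        state = "Partially Successful"                 # some IDs in the array failed
    else:
        state = "Successful"
    return {
        "ReturnData": state,
        "RawData": {"Results": results},
        "Result": {"Deleted Actions Count": len(results)},  # len($.Results)
        "Errors": errors,
    }


def make_fake_logscale(existing_ids: List[str]) -> Transport:
    """Constructed stand-in: deletes known IDs, returns a GraphQL error otherwise."""
    def send(body: Dict[str, Any]) -> Dict[str, Any]:
        action_id = body["variables"]["input"]["id"]
        if action_id in existing_ids:
            existing_ids.remove(action_id)             # a second delete of the same ID fails
            return {"data": {"deleteAction": True}}
        return {"data": None, "errors": [{"message": f"Action {action_id} not found"}]}
    return send


if __name__ == "__main__":
    outcome = delete_actions("sandbox", ["action-1", "action-2"], make_fake_logscale(["action-1"]))
    print(outcome["ReturnData"], outcome["Result"], outcome["Errors"])
```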

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or by third-party API calls, including Failure Indicator, Status Code, and Message, which can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Delete Actions(GraphQL) failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogScale portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: 400 Bad Request

Error Sample Data

Delete Actions(GraphQL) failed.

Status Code: 403.

Message: 400 Bad Request

Delete Alerts(GraphQL)

Deletes alerts in LogScale.

READER NOTE

Repository Or View Name and Alert IDs are required parameters to run this command.

  • Run the List Repository and View Names command to obtain the Repository Or View Name. Repository Or View Names can be found in the raw data at the path $.data.searchDomains[*].name.

  • Run the List Alerts command to obtain the Alert IDs. Alert IDs can be found in the raw data at the path $.Results[*].data.searchDomain.alert.id.

Input

Input Parameter

Required/Optional

Description

Example

Repository Or View Name

Required

The name of the repository or view from which to delete alerts. Repository or view name can be obtained using the List Repository and View Names command.

sandbox

Alert IDs

Required

The ID(s) of the alert(s) to be deleted. Alert IDs can be obtained using the List Alerts command.

CODE
["zujl*****sugn" ]

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "Results": [
        {
            "AlertID": "*****",
            "data": {
                "deleteAlert": true
            }
        }
    ]
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Deleted Alerts Count

len($.Results)

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or by third-party API calls, including Failure Indicator, Status Code, and Message, which can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Delete Alerts(GraphQL) failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogScale portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: 400 Bad Request

Error Sample Data

Delete Alerts(GraphQL) failed.

Status Code: 403.

Message: 400 Bad Request

Fetch Event

Retrieves events by the specified search condition and time range.

READER NOTE

Repository Name is a required parameter to run this command.

  • Run the List Repository and View Names command to obtain the Repository Name. Repository names can be found in the raw data at the path $.data.searchDomains[*].name.

Input

Input Parameter

Required/Optional

Description

Example

Start Time

Required

The start time of the time range (in UTC).

2021-05-25 03:47:49.000

End Time

Required

The end time of the time range (in UTC).

2021-05-26 03:47:49.000

Number of Event(s) Fetched

Optional

The maximum number of events to return. By default, the value is 50.

50

Search Condition

Optional

Use a LogScale query string to refine the search condition. For example, to search for events whose url field contains "office", use url=*office*. Refer to Query Filters | LogScale for details about using query filters.

url=*office*

Repository Name

Required

The name of the repository to be used. Repository names can be obtained using the List Repository and View Names command.

sandbox

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "#type": "json-for-action",
    "url": "*****",
    "@trigger.query.start": "1d",
    "@trigger.invocation.uuid": "*****",
    "@tag.type": "accesslog",
    "userid": "*****",
    "@trigger.invocation.triggeredAt": "2024-09-19T23:24:34.336Z",
    "client": "*****",
    "@timezone": "Z",
    "@trigger.query.end": "now",
    "@trigger.invocation.end": "1726788274336",
    "referrer": "-",
    "@timestamp.nanos": "0",
    "@tag.repo": "sandbox_*****",
    "@id": "*****",
    "method": "POST",
    "@timestamp": 1726788273000,
    "@ingesttimestamp": "1726788279540",
    "responsesize": "7018",
    "@trigger.invocation.start": "1726701874336",
    "httpversion": "HTTP/1.1",
    "useragent": "*****",
    "#repo": "sandbox_*****",
    "@trigger.type": "alert",
    "statuscode": "401",
    "@trigger.description": "",
    "@trigger.repository.name": "sandbox_*****",
    "@trigger.id": "*****",
    "@rawstring": "*****\t-\t-\t[19/Sep/2024:23:24:33 +0000]\t\"POST ***** HTTP/1.1\"\t401\t7018\t\"-\"\t\"*****\"",
    "@trigger.name": "Method:POST"
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

Key Fields

SAMPLE DATA

JSON
{
  "EventIds": "*****",
  "Types": "json-for-action"
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Result

No result

Fetch Event Field Mapping

Fetch Event commands require event field mapping. Field mapping plays a key role for data normalization within the event pipeline. Field mapping converts the original data fields from the different providers to standardized D3 fields as defined by the D3 Model. Refer to Event and Incident Intake Field Mapping for details.

To customize field mapping, click + Add Field and add the custom field of your choice. You can also remove built-in field mappings by clicking x. Note that two underscore characters will automatically prefix the defined Field Name as the System Name for a custom field mapping. Additionally, if an input Field Name contains any spaces, they will automatically be replaced with underscores for the corresponding System Name.

As a system integration, the LogScale integration has some pre-configured field mappings for default field mapping.

Default Event Source

  • The Default Event Source is the default set of field mappings that are applied when this fetch event command is executed. For out-of-the-box integrations, you will find a set of field mapping provided by the system. Default event source provides field mappings for common fields from fetched events. The default event source has a "Main Event JSON Path" that is used to extract a batch of events from the response raw data. Click on the Edit Main JSON Path button to view the "Main Event JSON Path."

    • Main Event JSON Path: $.

      The Main Event JSON Path determines the root path where the system starts parsing raw response data into D3 event data. The JSON path begins with $, representing the root element. The path is formed by appending a sequence of child elements to $, each separated by a dot (.). A key can also be written in bracket notation with quotes ($['key']), and [*] or a numeric index selects elements of a JSON array.

      For example, the root node of a JSON Path is $. The child node denoting the Unique Event Key field would be @id. Putting it together, the JSON Path expression to extract the Unique Event Key is $.@id.

The pre-configured field mappings are detailed below:

Field Name

Source Field

Unique Event Key

.@id

Event Type

.#type

Raw event data

.@rawstring

Original source

.#repo
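The following is an added example, not code from D3 SOAR or LogScale, showing what the field mapping above does to a batch of fetched events: the Main Event JSON Path selects the batch, each pre-configured Source Field is resolved relative to one event, and a custom mapping is stored under the generated System Name (two leading underscores, spaces replaced with underscores). The sample events are constructed to look like the Fetch Event raw data, and the assumption that the batch arrives as a JSON array at the root (so that "$." selects all of it) is this example's, not the page's.

```python
import re

# Pre-configured field mappings from the table above. Source paths are
# relative to the Main Event JSON Path, which is "$." for Fetch Event.
DEFAULT_MAPPING = {
    "Unique Event Key": ".@id",
    "Event Type": ".#type",
    "Raw event data": ".@rawstring",
    "Original source": ".#repo",
}

# Constructed sample batch (not from the page): two LogScale access-log
# events shaped like the Fetch Event raw data, with placeholder values.
SAMPLE_FETCH = [
    {"#type": "json-for-action", "@id": "evt-0001", "#repo": "sandbox_example",
     "@timestamp": 1726788273000, "method": "POST", "statuscode": "401",
     "@rawstring": '203.0.113.7\t-\t-\t[19/Sep/2024:23:24:33 +0000]\t"POST /login HTTP/1.1"\t401\t7018\t"-"\t"curl/8.0"'},
    {"#type": "json-for-action", "@id": "evt-0002", "#repo": "sandbox_example",
     "@timestamp": 1726788274000, "method": "GET", "statuscode": "200",
     "@rawstring": '203.0.113.7\t-\t-\t[19/Sep/2024:23:24:34 +0000]\t"GET /office/index HTTP/1.1"\t200\t512\t"-"\t"curl/8.0"'},
]

# Constructed Poll Query Job style response, where the batch sits under $.events.
SAMPLE_POLL = {"done": True, "cancelled": False, "events": SAMPLE_FETCH}


def resolve_path(data, path):
    """Resolve a minimal JSONPath subset: "$" root, dot-separated keys,
    ['key'] bracket keys and [*] array wildcards. Returns every matched node.
    Keys such as "@id" and "#type" are ordinary dictionary keys, so "$.@id"
    works exactly as the page describes."""
    path = path.strip()
    if not path.startswith("$"):
        raise ValueError("JSON path must start with $")
    nodes = [data]
    for token in re.findall(r"\[\*\]|\['[^']*'\]|[^.\[\]]+", path[1:]):
        matched = []
        for node in nodes:
            if token == "[*]":
                if isinstance(node, list):
                    matched.extend(node)
                continue
            key = token[2:-2] if token.startswith("['") else token
            if isinstance(node, dict) and key in node:
                matched.append(node[key])
        nodes = matched
    return nodes


def system_name(field_name):
    """A custom field mapping gets a "__" prefix and spaces become underscores."""
    return "__" + field_name.replace(" ", "_")


def extract_events(raw, main_path="$."):
    """Apply the Main Event JSON Path to a raw response and return the event batch."""
    events = []
    for node in resolve_path(raw, main_path):
        if isinstance(node, list):
            events.extend(e for e in node if isinstance(e, dict))
        elif isinstance(node, dict):
            events.append(node)
    return events


def map_event(event, mapping=DEFAULT_MAPPING, custom=None):
    """Normalise one event: built-in mappings keep their Field Name, custom
    mappings are stored under their generated System Name. A missing source
    field maps to None rather than raising, so one odd event cannot stop a batch."""
    out = {}
    for field, source in mapping.items():
        found = resolve_path(event, "$" + source)
        out[field] = found[0] if found else None
    for field, source in (custom or {}).items():
        found = resolve_path(event, "$" + source)
        out[system_name(field)] = found[0] if found else None
    return out


def normalize_batch(raw, main_path="$.", custom=None):
    """Extract the batch with the Main Event JSON Path and map every event."""
    return [map_event(e, DEFAULT_MAPPING, custom) for e in extract_events(raw, main_path)]
```

Calling normalize_batch(SAMPLE_FETCH, "$.", {"Status Code": ".statuscode"}) yields one dictionary per event with the four built-in fields plus "__Status_Code"; the same mapper handles a Poll Query Job response by passing "$.events[*]" as the main path.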

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Fetch Event failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 401 means LogScale did not accept the connection's API token (re-check the API Token and Server URL in the connection), whereas a 403 means the token was accepted but lacks the permission scope this command requires (see Permission Requirements and check the token's permissions in the LogScale portal). Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: 400 Bad Request

Error Sample Data

Fetch Event failed.

Status Code: 403.

Message: 400 Bad Request

Get Actions By IDs(GraphQL)

Retrieves action(s) by Action ID(s) from LogScale.

READER NOTE

Repository Name and Action IDs are required parameters to run this command.

  • Run the List Repository and View Names command to obtain the Repository Name. Repository Names can be found in the raw data at the path $.data.searchDomains[*].name.

  • Run the List Actions command to obtain the Action IDs. Action IDs can be found in the raw data at the path $.data.searchDomain.actions[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Repository Name

Required

The name of the repository or view from which to retrieve actions. Repository or view name can be obtained using the List Repository and View Names command.

sandbox

Action IDs

Required

The ID(s) of the action(s) to retrieve. Action IDs can be obtained using the List Actions command.

CODE
["JadY*****GMb9"]

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "data": {
        "createAlert": {
            "displayName": "TestAlert919a",
            "name": "TestAlert919a",
            "description": "Test Humio alert919a",
            "enabled": true,
            "queryString": "url=*posts*",
            "throttleTimeMillis": 100000,
            "id": "*****",
            "actions": [
                "*****"
            ],
            "runAsUser": {
                "fullName": "*****",
                "email": "*****"
            },
            "queryStart": "24h",
            "labels": [
                "Test Label Jon 202106300302"
            ]
        }
    }
}
Key Fields

SAMPLE DATA

JSON
{
  "ActionIDs": "*****",
  "ActionNames": ["Test Webhook Action919"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Actions Count

len($.Results)

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Actions By IDs(GraphQL) failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 401 means LogScale did not accept the connection's API token (re-check the API Token and Server URL in the connection), whereas a 403 means the token was accepted but lacks the permission scope this command requires (see Permission Requirements and check the token's permissions in the LogScale portal). Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: 400 Bad Request

Error Sample Data

Get Actions By IDs(GraphQL) failed.

Status Code: 403.

Message: 400 Bad Request

Get Alerts By IDs(GraphQL)

Retrieves alert(s) by Alert ID(s) from LogScale.

READER NOTE

Repository Name and Alert IDs are required parameters to run this command.

  • Run the List Repository and View Names command to obtain the Repository Name. Repository names can be found in the raw data at the path $.data.searchDomains[*].name.

  • Run the List Alerts command to obtain Alert IDs. Alert IDs can be found in the raw data at the path $.data.searchDomain.alerts[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Repository Name

Required

The name of the repository or view from which to retrieve alerts. Repository names can be obtained using the List Repository and View Names command.

sandbox

Alert IDs

Required

The ID(s) of the alert(s) to be retrieved. Alert IDs can be obtained using the List Alerts command.

CODE
["dUrv*****oclA"]

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
  "Results": [
    {
      "data": {
        "searchDomain": {
          "id": "*****",
          "name": "humio-organization-metrics",
          "__typename": "View",
          "alert": {
            "displayName": "TestAlert919a",
            "name": "TestAlert919a",
            "description": "Test Humio alert919a",
            "enabled": true,
            "queryString": "url=*posts*",
            "id": "*****",
            "actions": [
                "*****"
            ],
            "runAsUser": {
                "fullName": "*****",
                "email": "*****"
            },
            "queryStart": "1d",
            "labels": [
                "Test Label Jon 202106300302"
            ]
          }
        }
      }
    }
  ]
}
Key Fields

SAMPLE DATA

JSON
{
  "AlertIDs": ["*****"],
  "Descriptions": ["Test Humio alert919a"],
  "AlertNames": ["TestAlert919a"],
  "QueryStrings": ["url=*posts*"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Alerts Count

len($.Results)

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Alerts By IDs(GraphQL) failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 401 means LogScale did not accept the connection's API token (re-check the API Token and Server URL in the connection), whereas a 403 means the token was accepted but lacks the permission scope this command requires (see Permission Requirements and check the token's permissions in the LogScale portal). Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: 400 Bad Request

Error Sample Data

Get Alerts By IDs(GraphQL) failed.

Status Code: 403.

Message: 400 Bad Request

List Actions(GraphQL)

Lists actions (notifiers) from a specified repository or view of LogScale.

READER NOTE

Repository Name is a required parameter to run this command.

  • Run the List Repository and View Names command to obtain the Repository Name. Repository names can be found in the raw data at the path $.data.searchDomains[*].name.

Input

Input Parameter

Required/Optional

Description

Example

Repository Name

Required

The name of the repository or view from which to list actions. Repository or view names can be obtained using the List Repository and View Names command.

sandbox

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request. Each action's yamlTemplate carries the action's full definition, including the webhook endpoint, the allowInsecureSSL setting and the request headers (the APIKey value is masked in the sample below), so handle this Raw Data as sensitive when it is stored or forwarded.

SAMPLE DATA

JSON
{
  "data": {
    "searchDomain": {
      "id": "*****",
      "name": "humio-organization-metrics",
      "__typename": "View",
      "actions": [
        {
          "displayName": "Test Webhook Action919a",
          "name": "Test Webhook Action919a",
          "isAllowedToRun": true,
          "id": "*****",
          "yamlTemplate": "name: Test Webhook Action919a\nendpoint: *****\nallowInsecureSSL: false\n$schema: *****\nmethod: POST\nbody: '{  \"repository\": \"{repo_name}\",  \"timestamp\": \"{alert_triggered_timestamp}\",  \"alert\":\n  {    \"name\": \"{alert_name}\",    \"description\": \"{alert_description}\",    \"query\":\n  {      \"queryString\": \"{query_string} \",      \"end\": \"{query_time_end}\",      \"start\":\n  \"{query_time_start}\"    },    \"notifierID\": \"{alert_notifier_id}\",    \"id\": \"{alert_id}\"\n  },  \"warnings\": \"{warnings}\",  \"events\": \"{events}\",  \"numberOfEvents\": {event_count}}'\nheaders:\n- header: Content-Type\n  value: application/json\n- header: APIKey\n  value: *****\ntype: webhook\n",
          "packageId": null,
          "package": null,
          "allowedActions": [
              "Read",
              "Update"
          ]
        }
      ]
    }
  },
  "extensions": {
    "preview": [
      {
        "name": "allowedActions",
        "reason": "[PREVIEW: Feature currently being iterated on. Changes may occur.]"
      }
    ]
  }
}
Key Fields

SAMPLE DATA

JSON
{
  "ActionIDs": ["*****"],
  "ActionNames": ["Test Email Action 007"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Actions Count

len($.data.searchDomain.actions)
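The yamlTemplate returned for each action is the natural place to audit how alerts leave LogScale. The following is an added example, not code from D3 SOAR or LogScale, that walks a List Actions(GraphQL) response and flags webhook actions with a plaintext http:// endpoint, allowInsecureSSL set to true, or a credential-bearing header. The response is constructed to match the shape shown above; the endpoint hostnames, header values and credential-name hints are this example's assumptions, and the template reader is a line scanner for the flat layout seen in the sample, not a general YAML parser.

```python
# Constructed List Actions(GraphQL) response (not from the page): one action
# shaped like the page's sample and one deliberately misconfigured webhook.
SAMPLE_LIST_ACTIONS = {
    "data": {"searchDomain": {"id": "view-1", "name": "sandbox_example", "__typename": "View", "actions": [
        {"displayName": "Ticketing webhook", "name": "Ticketing webhook", "isAllowedToRun": True, "id": "act-1",
         "yamlTemplate": (
             "name: Ticketing webhook\n"
             "endpoint: https://soar.example.internal/hooks/logscale\n"
             "allowInsecureSSL: false\n"
             "$schema: https://schemas.example.invalid/action.json\n"
             "method: POST\n"
             "body: '{  \"repository\": \"{repo_name}\",  \"alert\":\n"
             "  {    \"name\": \"{alert_name}\",    \"id\": \"{alert_id}\"  },  \"events\": \"{events}\"}'\n"
             "headers:\n"
             "- header: Content-Type\n"
             "  value: application/json\n"
             "- header: APIKey\n"
             "  value: REDACTED-EXAMPLE-KEY\n"
             "type: webhook\n"
         )},
        {"displayName": "Legacy pager", "name": "Legacy pager", "isAllowedToRun": True, "id": "act-2",
         "yamlTemplate": (
             "name: Legacy pager\n"
             "endpoint: http://pager.example.internal/notify\n"
             "allowInsecureSSL: true\n"
             "method: POST\n"
             "body: '{\"text\": \"{alert_name}\"}'\n"
             "headers:\n"
             "- header: Authorization\n"
             "  value: Bearer EXAMPLE-TOKEN\n"
             "type: webhook\n"
         )},
    ]}}
}

# Header names that usually carry a secret (assumed list, extend for your environment).
CREDENTIAL_HEADER_HINTS = ("apikey", "api-key", "authorization", "token", "secret")


def parse_action_template(yaml_text):
    """Read the top-level 'key: value' lines and the '- header: / value:' list
    from an action's yamlTemplate. Indented continuation lines (the multi-line
    body) are skipped on purpose; this is not a general YAML parser."""
    fields, headers, current = {}, [], None
    for line in yaml_text.splitlines():
        if line.startswith("- header:"):
            current = {"header": line.split(":", 1)[1].strip(), "value": ""}
            headers.append(current)
        elif line.startswith("  value:") and current is not None:
            current["value"] = line.split(":", 1)[1].strip()
        elif line and line[0] not in " -" and ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields, headers


def audit_action(action):
    """Flag webhook actions that weaken transport security or embed credentials."""
    fields, headers = parse_action_template(action["yamlTemplate"])
    findings = []
    if fields.get("type") == "webhook":
        endpoint = fields.get("endpoint", "")
        if endpoint.lower().startswith("http://"):
            findings.append("endpoint uses plaintext HTTP: alert payloads ({events}) leave LogScale unencrypted")
        if fields.get("allowInsecureSSL", "false").lower() == "true":
            findings.append("allowInsecureSSL is true: TLS certificate validation is disabled for this webhook")
        for h in headers:
            name = h["header"].lower()
            if any(hint in name for hint in CREDENTIAL_HEADER_HINTS):
                findings.append(f"header {h['header']} carries a credential: treat this Raw Data as sensitive")
    return {"id": action["id"], "name": action["name"], "findings": findings}


def audit_list_actions(raw):
    """Run audit_action over every action in a List Actions(GraphQL) response."""
    return [audit_action(a) for a in raw["data"]["searchDomain"]["actions"]]
```

Running audit_list_actions(SAMPLE_LIST_ACTIONS) reports only the credential header for the first action and three findings for the second; in a playbook the same check can gate a Create Webhook Action(GraphQL) step or raise a ticket when a listed action drifts from the expected configuration.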

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Actions(GraphQL) failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 401 means LogScale did not accept the connection's API token (re-check the API Token and Server URL in the connection), whereas a 403 means the token was accepted but lacks the permission scope this command requires (see Permission Requirements and check the token's permissions in the LogScale portal). Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: 400 Bad Request

Error Sample Data

List Actions(GraphQL) failed.

Status Code: 403.

Message: 400 Bad Request

List Alerts(GraphQL)

Lists alerts in a specified repository of LogScale.

READER NOTE

Repository Name is a required parameter to run this command.

  • Run the List Repository and View Names command to obtain the Repository Name. Repository names can be found in the raw data at the path $.data.searchDomains[*].name.

Input

Input Parameter

Required/Optional

Description

Example

Repository Name

Required

The name of the repository from which to list alerts. Repository names can be obtained using the List Repository and View Names command.

sandbox

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "data": {
        "searchDomain": {
            "id": "*****",
            "name": "humio-organization-metrics",
            "__typename": "View",
            "alerts": [
                {
                    "displayName": "TestAlert919a",
                    "name": "TestAlert919a",
                    "description": "Test Humio alert919a",
                    "enabled": true,
                    "queryString": "url=*posts*",
                    "throttleTimeMillis": 100000,
                    "id": "*****",
                    "actions": [
                        "*****"
                    ],
                    "runAsUser": {
                        "fullName": "*****",
                        "email": "*****"
                    },
                    "queryStart": "1d",
                    "labels": [
                        "Test Label Jon 202106300302"
                    ]
                }
            ]
        }
    }
}
Key Fields

SAMPLE DATA

JSON
{
  "AlertIds": ["*****"],
  "Descriptions": ["Test Humio alert919a"],
  "AlertNames": ["TestAlert919a"],
  "QueryStrings": ["url=*posts*"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Alerts Count

len($.data.searchDomain.alerts)

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Alerts(GraphQL) failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 401 means LogScale did not accept the connection's API token (re-check the API Token and Server URL in the connection), whereas a 403 means the token was accepted but lacks the permission scope this command requires (see Permission Requirements and check the token's permissions in the LogScale portal). Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: 400 Bad Request

Error Sample Data

List Alerts(GraphQL) failed.

Status Code: 403.

Message: 400 Bad Request

List Repository and View Names

Lists the names of repositories and views from LogScale.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "data": {
        "searchDomains": [
            {
                "id": "*****",
                "__typename": "View",
                "name": "humio-organization-usage",
                "description": "Your organizations usage, including ingest, disk usage and user count."
            },
            {
                "id": "*****",
                "__typename": "View",
                "name": "humio-organization-metrics",
                "description": "Humio Metrics for your organization"
            },
            {
                "id": "*****",
                "__typename": "View",
                "name": "humio-organization-audit",
                "description": "An audit log, showing who did what and when."
            },
            {
                "id": "*****",
                "__typename": "Repository",
                "name": "humio-fleet",
                "description": null
            },
            {
                "id": "*****",
                "__typename": "Repository",
                "name": "sandbox_*****",
                "description": null
            },
            {
                "id": "*****",
                "__typename": "View",
                "name": "humio-organization-activity",
                "description": "Humio internal logs for your organization"
            }
        ]
    }
}
Key Fields

SAMPLE DATA

JSON
{
  "Names": [
    "humio-organization-usage",
    "humio-organization-metrics",
    "humio-organization-audit",
    "humio-fleet",
    "sandbox_*****",
    "humio-organization-activity"
  ],
  "IDs": [
    "*****",
    "*****",
    "*****",
    "*****",
    "*****",
    "*****"
  ],
  "Types": [
    "View",
    "View",
    "View",
    "Repository",
    "Repository",
    "View"
  ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Repositories and Views Count

len($.data.searchDomains)

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Repository and View Names failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 401 means LogScale did not accept the connection's API token (re-check the API Token and Server URL in the connection), whereas a 403 means the token was accepted but lacks the permission scope this command requires (see Permission Requirements and check the token's permissions in the LogScale portal). Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: 400 Bad Request

Error Sample Data

List Repository and View Names failed.

Status Code: 403.

Message: 400 Bad Request

Poll Query Job

Retrieves the result of the Query Job.

READER NOTE

Job Id and Repository Name are required parameters to run this command.

  • Run the Create Query Job command to obtain the Job Id. Job Ids can be found in the raw data at the path $.id.

  • Run the List Repository and View Names command to obtain the Repository Name. Repository names can be found in the raw data at the path $.data.searchDomains[*].name.

Input

Input Parameter

Required/Optional

Description

Example

Job Id

Required

The ID of the Query Job to be polled. Job Ids can be obtained using the Create Query Job command.

P7-3*****LJu4

Repository Name

Required

The name of the repository to be used. Repository names can be obtained using the List Repository and View Names command.

sandbox

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
  "cancelled": false,
  "done": true,
  "events": [
    {
      "#type":"json-for-action",
      "url":"*****",
      "@trigger.query.start":"24h",
      "@trigger.invocation.uuid":"*****",
      "@tag.type":"accesslog",
      "userid":"-",
      "@trigger.invocation.triggeredAt":"2021-06-30T23:55:53.438Z",
      "client":"19.26.11.25",
      "@timezone":"Z",
      "@trigger.query.end":"now",
      "@trigger.invocation.end":"1625097353438",
      "referrer":"*****",
      "@timestamp.nanos":"0",
      "@tag.repo":"sandbox_*****",
      "@id":"*****",
      "method":"GET",
      "@timestamp":1625093763000,
      "@ingesttimestamp":"1625179970042",
      "responsesize":"7018",
      "@trigger.invocation.start":"1625010953438",
      "httpversion":"HTTP/1.1",
      "useragent":"*****",
      "#repo":"sandbox_*****",
      "@trigger.type":"alert",
      "statuscode":"100",
      "@trigger.description":"",
      "@trigger.repository.name":"sandbox_*****",
      "@trigger.id":"*****",
      "@rawstring":"19.26.11.25\t-\t-\t[30/Jun/2021:22:56:03 +0000]\t\"GET *****\"\t100\t7018\t\"*****\"\t\"*****\"",
      "@trigger.name":"Method:POST"
    }
  ]
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

Key Fields

SAMPLE DATA

JSON
{
  "EventIds": "*****",
  "Types": ["json-for-action"],
  "Done": true,
  "Cancelled": false
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

cancelled

False

done

True

events

[]

filesUsed

[]

metaData

JSON
{
  "costs": {"liveCost": 0.0, "liveCostRate": 0.0, "staticCost": 1.0, "staticCostRate": 0.0},
  "digestFlow": {"ingestTimeKnownGood": 1727132741368, "maxIngestLatency": 9599, "minIngestTimeIncluded": 1727132741368},
  "eventCount": 0,
  "extraData": {"hasMoreEvents": "false"},
  "filterQuery": {"allowEventSkipping": false, "end": 1727049600000, "includeDeletedEvents": false, "ingestEnd": 9223372036854775807, "ingestStart": 0, "isAlertQuery": false, "isInteractive": false, "isLive": false, "isRepeatingSubquery": false, "languageVersion": "legacy", "noResultUntilDone": false, "queryString": "hello", "showQueryEventDistribution": false, "start": 1726185600000, "useIngestTime": false},
  "isAggregate": false,
  "pollAfter": 1789,
  "processedBytes": 0,
  "processedEvents": 0,
  "queryEnd": 1727049600000,
  "querySpent": {"day": {"liveCost": 0, "queryCount": 1, "staticCost": 1}, "hour": {"liveCost": 0, "queryCount": 1, "staticCost": 1}, "oneMinute": {"liveCost": 0, "queryCount": 1, "staticCost": 1}, "tenMinutes": {"liveCost": 0, "queryCount": 1, "staticCost": 1}},
  "queryStart": 1726185600000,
  "queuedMillis": 0,
  "quotaTotalSpent": {"day": {"liveCost": 17302, "queryCount": 6, "staticCost": 2}, "hour": {"liveCost": 76, "queryCount": 1, "staticCost": 0}, "oneMinute": {"liveCost": 1, "queryCount": 0, "staticCost": 0}, "tenMinutes": {"liveCost": 76, "queryCount": 1, "staticCost": 0}},
  "responderVHost": 58,
  "resultBufferSize": 0,
  "timeMillis": 352,
  "totalWork": 0,
  "warnings": [],
  "workDone": 0
}

warnings

[]

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Poll Query Job failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, a 401 means LogScale did not accept the connection's API token (re-check the API Token and Server URL in the connection), whereas a 403 means the token was accepted but lacks the permission scope this command requires (see Permission Requirements and check the token's permissions in the LogScale portal). Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: 400 Bad Request

Error Sample Data

Poll Query Job failed.

Status Code: 403.

Message: 400 Bad Request

Stop Query Job

Stops a running Query Job.

READER NOTE

Job Id and Repository Name are required parameters to run this command.

  • Run the Create Query Job command to obtain the Job Id. Job Id can be found in the raw data at the path $.id.

  • Run the List Repository and View Names command to obtain the Repository Name. Repository names can be found in the raw data at the path $.data.searchDomains[*].name.

Input

Input Parameter

Required/Optional

Description

Example

Job Ids

Required

The ID(s) of the Query Job(s) to be stopped. Job Ids can be obtained using the Create Query Job command.

CODE
["P18-*****jiW5"]

Repository Name

Required

The name of the repository to be used. Repository names can be obtained using the List Repository and View Names command.

sandbox

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
  "JobIds": ["*****"],
  "ActionResult": "Stop query job successfully"
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

jobIds

  • *****

ActionResult

Stop query job successfully.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Stop Query Job failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogScale portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: 400 Bad Request

Error Sample Data

Stop Query Job failed.

Status Code: 403.

Message: 400 Bad Request
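The following added example (not D3 SOAR's or LogScale's own code) mirrors the Stop Query Job command end to end: it takes the Job Ids and Repository Name inputs, calls the stop endpoint per job, and returns either the Raw Data shape above or the Failure Indicator / Status Code / Message triple from the Error tab. It assumes LogScale's REST route DELETE {server}/api/{version}/repositories/{repo}/queryjobs/{job_id} with a Bearer API token, and injects the HTTP call so it runs offline against a constructed fake server.

```python
"""Added example, not from the page: stop LogScale query jobs and shape the
outcome like the command's Return Data, Raw Data and Error tab.
Assumption: DELETE {server}/api/{version}/repositories/{repo}/queryjobs/{id}
with 'Authorization: Bearer <API token>'. The HTTP transport is injected."""
from typing import Callable, Dict, List, Tuple
from urllib.parse import quote

Transport = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


def stop_query_jobs(server: str, version: str, token: str, repo: str,
                    job_ids: List[str], http: Transport) -> dict:
    """Return {"ReturnData": "Successful", "RawData": {...}} or, on the first
    failing job, {"ReturnData": "Failed", "Error": {...}}."""
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    for job_id in job_ids:
        # quote() keeps a job id or repo name from rewriting the URL path
        url = (f"{server}/api/{version}/repositories/{quote(repo, safe='')}"
               f"/queryjobs/{quote(job_id, safe='')}")
        status, body = http("DELETE", url, headers)
        if status >= 400:
            return {"ReturnData": "Failed", "Error": {
                "Failure Indicator": "Stop Query Job failed.",
                "Status Code": status,
                "Message": body or "No response from the API"}}
    return {"ReturnData": "Successful",
            "RawData": {"JobIds": job_ids,
                        "ActionResult": "Stop query job successfully"}}


def fake_logscale(permitted_repos=("sandbox",)) -> Transport:
    """Constructed stand-in for the LogScale server: 401 without a token,
    403 for a repository the token may not read, 204 otherwise."""
    def http(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer ") or not auth[7:]:
            return 401, "Unauthorized"
        repo = url.split("/repositories/")[1].split("/")[0]
        if repo not in permitted_repos:
            return 403, "Forbidden"
        return 204, ""
    return http


if __name__ == "__main__":
    print(stop_query_jobs("https://cloud.us.humio.com", "v1", "TOKEN",
                          "sandbox", ["P18-*****jiW5"], fake_logscale()))
```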

Test Connection

Performs a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Test Connection failed. Failed to check the connector.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogScale portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: 400 Bad Request

Error Sample Data

Test Connection failed. Failed to check the connector.

Status Code: 403.

Message: 400 Bad Request
