Skip to main content
Skip table of contents

Find Events

LAST UPDATED: MAR 27, 2024

Use the query condition to identify events matching the query criteria. If the command is executed within an incident playbook, then correlate these events with the runtime incident.

Implementation

System

Command Category

System Utility

Tags

EVENT EVENT SEARCH

Inputs

Parameter Name

Required/Optional

Description

Sample Data

Search Condition

Optional

NOT AVAILABLE

EventType contains "Bitcoin"

Field Names

Optional

NOT AVAILABLE

CODE
["HostName"]

Start Time

Required

(datetime format: yyyy-MM-dd HH:mm:ss)

2020-04-01 00:00:00

End Time

Required

(datetime format: yyyy-MM-dd HH:mm:ss)

2020-06-16 00:00:00

Top Recent Event Number

Optional

NOT AVAILABLE

10

Output

Return Data

The returned result of this command. If some required parameters are not defined, this returned data could be empty. The returned result can be passed down directly to a subsequent command in playbooks.

SAMPLE DATA

JSON
Succeed
Context Data

The response data from the utility command.

SAMPLE DATA

JSON
{
    "eventCount": 10,
    "events": [
        {
            "ID": 5478,
            "eventType": "8012",
            "eventTime": "2020-06-22 21:12:58",
            "intakeTime": "2020-06-22 21:12:58",
            "LogDescription": "Summary IR Report"
        },
        {
            "ID": 5477,
            "eventType": "8011",
            "eventTime": "2020-06-22 21:09:00",
            "intakeTime": "2020-06-22 21:09:00",
            "LogDescription": "Summary IR Report"
        },
        {
            "ID": 5476,
            "eventType": "8010",
            "eventTime": "2020-06-22 21:08:59",
            "intakeTime": "2020-06-22 21:08:59",
            "LogDescription": "Summary IR Report"
        },
        {
            "ID": 5475,
            "eventType": "8009",
            "eventTime": "2020-06-22 21:08:59",
            "intakeTime": "2020-06-22 21:08:59",
            "LogDescription": "Summary IR Report"
        },
        {
            "ID": 5474,
            "eventType": "8008",
            "eventTime": "2020-06-22 21:08:59",
            "intakeTime": "2020-06-22 21:08:59",
            "LogDescription": "Summary IR Report"
        },
        {
            "ID": 5473,
            "eventType": "8007",
            "eventTime": "2020-06-22 21:08:59",
            "intakeTime": "2020-06-22 21:08:59",
            "LogDescription": "Summary IR Report"
        },
        {
            "ID": 5472,
            "eventType": "8006",
            "eventTime": "2020-06-22 21:08:59",
            "intakeTime": "2020-06-22 21:08:59",
            "LogDescription": "Summary IR Report"
        },
        {
            "ID": 5471,
            "eventTime": "2020-06-22 20:52:44",
            "intakeTime": "2020-06-22 20:52:44"
        },
        {
            "ID": 5470,
            "eventType": "8005",
            "eventTime": "2020-06-22 20:40:25",
            "intakeTime": "2020-06-22 20:40:25",
            "LogDescription": "Summary IR Report"
        },
        {
            "ID": 5469,
            "eventType": "8004",
            "eventTime": "2020-06-22 20:40:25",
            "intakeTime": "2020-06-22 20:40:25",
            "LogDescription": "Summary IR Report"
        }
    ]
}

Remote Command API

The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.

Request

POST

CODE
https:/{base_url}/{api_namespace}/api/Command/FindEvents

Headers

Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.

Request Body

JSON
{
  "Username": <Username here>,
  "Site": <Site here>,
  "CommandParams": {
    "Search Condition": <Search Condition here>,
    "Field Names": <Field Names here>,
    "Start Time": <Start Time here>,
    "End Time": <End Time here>,
    "Top Recent Event Number": <Top Recent Event Number here>
  }
}

Body Parameters

Parameter Name

Type

Required/Optional

Description

Username

String

Required

The username of your D3 SOAR account.

Site

String

Required

The D3 SOAR site to run the remote command.

Search Condition

Text

Optional

NOT AVAILABLE

Field Names

Text Array

Optional

NOT AVAILABLE

Start Time

DateTime

Required

(datetime format: yyyy-MM-dd HH:mm:ss)

End Time

DateTime

Required

(datetime format: yyyy-MM-dd HH:mm:ss)

Top Recent Event Number

Number

Optional

NOT AVAILABLE

Sample Request

SAMPLE DATA

JSON
{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Search Condition": "EventType contains \"Bitcoin\"",
    "Field Names": [
      "HostName"
    ],
    "Start Time": "2020-04-01 00:00:00",
    "End Time": "2020-06-16 00:00:00",
    "Top Recent Event Number": 10
  }
}

Response

Response Fields

Field Name

Type

Description

error

Text

The error message if the API request has failed.

returnData

Text

The return data from the API request.

contextData

JSON Object

The context data from the API request.

Sample Response

JSON
{
    "error": "",
    "returnData": "Succeed",
    "contextData": {
        "eventCount": 10,
        "events": [
            {
                "ID": 5478,
                "eventType": "8012",
                "eventTime": "2020-06-22 21:12:58",
                "intakeTime": "2020-06-22 21:12:58",
                "LogDescription": "Summary IR Report"
            },
            {
                "ID": 5477,
                "eventType": "8011",
                "eventTime": "2020-06-22 21:09:00",
                "intakeTime": "2020-06-22 21:09:00",
                "LogDescription": "Summary IR Report"
            },
            {
                "ID": 5476,
                "eventType": "8010",
                "eventTime": "2020-06-22 21:08:59",
                "intakeTime": "2020-06-22 21:08:59",
                "LogDescription": "Summary IR Report"
            },
            {
                "ID": 5475,
                "eventType": "8009",
                "eventTime": "2020-06-22 21:08:59",
                "intakeTime": "2020-06-22 21:08:59",
                "LogDescription": "Summary IR Report"
            },
            {
                "ID": 5474,
                "eventType": "8008",
                "eventTime": "2020-06-22 21:08:59",
                "intakeTime": "2020-06-22 21:08:59",
                "LogDescription": "Summary IR Report"
            },
            {
                "ID": 5473,
                "eventType": "8007",
                "eventTime": "2020-06-22 21:08:59",
                "intakeTime": "2020-06-22 21:08:59",
                "LogDescription": "Summary IR Report"
            },
            {
                "ID": 5472,
                "eventType": "8006",
                "eventTime": "2020-06-22 21:08:59",
                "intakeTime": "2020-06-22 21:08:59",
                "LogDescription": "Summary IR Report"
            },
            {
                "ID": 5471,
                "eventTime": "2020-06-22 20:52:44",
                "intakeTime": "2020-06-22 20:52:44"
            },
            {
                "ID": 5470,
                "eventType": "8005",
                "eventTime": "2020-06-22 20:40:25",
                "intakeTime": "2020-06-22 20:40:25",
                "LogDescription": "Summary IR Report"
            },
            {
                "ID": 5469,
                "eventType": "8004",
                "eventTime": "2020-06-22 20:40:25",
                "intakeTime": "2020-06-22 20:40:25",
                "LogDescription": "Summary IR Report"
            }
        ]
    }
}
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.