Find Events
LAST UPDATED: MAR 27, 2024
Identifies events that match the given search condition. If the command is executed within an incident playbook, the matching events are correlated with the runtime incident in which the playbook is running.
Implementation | System |
Command Category | System Utility |
Tags | EVENT, EVENT SEARCH |
Inputs
Parameter Name | Required/Optional | Description | Sample Data
---|---|---|---
Search Condition | Optional | NOT AVAILABLE | EventType contains "Bitcoin"
Field Names | Optional | NOT AVAILABLE | ["HostName"]
Start Time | Required | (datetime format: yyyy-MM-dd HH:mm:ss) | 2020-04-01 00:00:00
End Time | Required | (datetime format: yyyy-MM-dd HH:mm:ss) | 2020-06-16 00:00:00
Top Recent Event Number | Optional | NOT AVAILABLE | 10
Output
Remote Command API
The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.
Request
POST
https://{base_url}/{api_namespace}/api/Command/FindEvents
Headers
Please refer to the Webhook Configuration Guide (Authentication Method: API Keys) for the authentication headers this request requires.
Request Body
{
  "Username": <Username here>,
  "Site": <Site here>,
  "CommandParams": {
    "Search Condition": <Search Condition here>,
    "Field Names": <Field Names here>,
    "Start Time": <Start Time here>,
    "End Time": <End Time here>,
    "Top Recent Event Number": <Top Recent Event Number here>
  }
}
Body Parameters
Parameter Name | Type | Required/Optional | Description
---|---|---|---
Username | | Required | The username of your D3 SOAR account.
Site | | Required | The D3 SOAR site to run the remote command.
Search Condition | | Optional | NOT AVAILABLE
Field Names | | Optional | NOT AVAILABLE
Start Time | | Required | (datetime format: yyyy-MM-dd HH:mm:ss)
End Time | | Required | (datetime format: yyyy-MM-dd HH:mm:ss)
Top Recent Event Number | | Optional | NOT AVAILABLE
Sample Request
{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Search Condition": "EventType contains \"Bitcoin\"",
    "Field Names": [
      "HostName"
    ],
    "Start Time": "2020-04-01 00:00:00",
    "End Time": "2020-06-16 00:00:00",
    "Top Recent Event Number": 10
  }
}
Response
Response Fields
Field Name | Type | Description
---|---|---
error | | The error message if the API request has failed.
returnData | | The return data from the API request.
contextData | | The context data from the API request.
Sample Response
{
  "error": "",
  "returnData": "Succeed",
  "contextData": {
    "eventCount": 10,
    "events": [
      {
        "ID": 5478,
        "eventType": "8012",
        "eventTime": "2020-06-22 21:12:58",
        "intakeTime": "2020-06-22 21:12:58",
        "LogDescription": "Summary IR Report"
      },
      {
        "ID": 5477,
        "eventType": "8011",
        "eventTime": "2020-06-22 21:09:00",
        "intakeTime": "2020-06-22 21:09:00",
        "LogDescription": "Summary IR Report"
      },
      {
        "ID": 5476,
        "eventType": "8010",
        "eventTime": "2020-06-22 21:08:59",
        "intakeTime": "2020-06-22 21:08:59",
        "LogDescription": "Summary IR Report"
      },
      {
        "ID": 5475,
        "eventType": "8009",
        "eventTime": "2020-06-22 21:08:59",
        "intakeTime": "2020-06-22 21:08:59",
        "LogDescription": "Summary IR Report"
      },
      {
        "ID": 5474,
        "eventType": "8008",
        "eventTime": "2020-06-22 21:08:59",
        "intakeTime": "2020-06-22 21:08:59",
        "LogDescription": "Summary IR Report"
      },
      {
        "ID": 5473,
        "eventType": "8007",
        "eventTime": "2020-06-22 21:08:59",
        "intakeTime": "2020-06-22 21:08:59",
        "LogDescription": "Summary IR Report"
      },
      {
        "ID": 5472,
        "eventType": "8006",
        "eventTime": "2020-06-22 21:08:59",
        "intakeTime": "2020-06-22 21:08:59",
        "LogDescription": "Summary IR Report"
      },
      {
        "ID": 5471,
        "eventTime": "2020-06-22 20:52:44",
        "intakeTime": "2020-06-22 20:52:44"
      },
      {
        "ID": 5470,
        "eventType": "8005",
        "eventTime": "2020-06-22 20:40:25",
        "intakeTime": "2020-06-22 20:40:25",
        "LogDescription": "Summary IR Report"
      },
      {
        "ID": 5469,
        "eventType": "8004",
        "eventTime": "2020-06-22 20:40:25",
        "intakeTime": "2020-06-22 20:40:25",
        "LogDescription": "Summary IR Report"
      }
    ]
  }
}
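The following is an added example, not D3 SOAR's own code or SDK, showing how a caller would assemble the request body documented above, post it to the FindEvents endpoint, and parse the response shape shown in the Sample Response. It validates the two required datetime inputs in the yyyy-MM-dd HH:mm:ss format the page requires, omits optional parameters that are not supplied, treats a non-empty "error" as a failure, and tolerates events that lack "eventType" or "LogDescription" (as event ID 5471 does in the sample). The API-key header name (API_KEY_HEADER) is a placeholder and an assumption, because the page defers header details to the Webhook Configuration Guide; {base_url} and {api_namespace} are taken from the caller. The sample response embedded at the bottom is constructed from a shortened copy of the page's Sample Response.

```python
"""Added example (not D3 SOAR's own code): build, send and parse a
Find Events remote-command request as described on this page."""
import json
import urllib.request
from datetime import datetime

DATETIME_FMT = "%Y-%m-%d %H:%M:%S"  # page: yyyy-MM-dd HH:mm:ss
# Assumption: the real header name comes from the Webhook Configuration Guide.
API_KEY_HEADER = "X-Api-Key-Header-Placeholder"


def _check_datetime(label, value):
    """Reject a value that is not in the datetime format the page requires."""
    try:
        return datetime.strptime(value, DATETIME_FMT)
    except (TypeError, ValueError):
        raise ValueError(f"{label} must use yyyy-MM-dd HH:mm:ss, got {value!r}")


def build_find_events_body(username, site, start_time, end_time,
                           search_condition=None, field_names=None,
                           top_recent=None):
    """Return the request body dict. Required inputs are validated;
    optional inputs are left out of CommandParams when not given."""
    start = _check_datetime("Start Time", start_time)
    end = _check_datetime("End Time", end_time)
    if start > end:
        raise ValueError("Start Time must not be after End Time")
    params = {"Start Time": start_time, "End Time": end_time}
    if search_condition is not None:
        params["Search Condition"] = search_condition
    if field_names is not None:
        params["Field Names"] = list(field_names)
    if top_recent is not None:
        if not isinstance(top_recent, int) or top_recent <= 0:
            raise ValueError("Top Recent Event Number must be a positive integer")
        params["Top Recent Event Number"] = top_recent
    return {"Username": username, "Site": site, "CommandParams": params}


def parse_find_events_response(raw):
    """Parse a response body (JSON string or dict). Raises on a non-empty
    error. Returns (event_count, events); every event carries the same keys,
    with None where the event omitted an optional field."""
    data = json.loads(raw) if isinstance(raw, str) else raw
    if data.get("error"):
        raise RuntimeError(f"Find Events failed: {data['error']}")
    ctx = data.get("contextData") or {}
    events = []
    for ev in ctx.get("events", []):
        events.append({
            "ID": ev.get("ID"),
            "eventType": ev.get("eventType"),
            "eventTime": ev.get("eventTime"),
            "intakeTime": ev.get("intakeTime"),
            "LogDescription": ev.get("LogDescription"),
        })
    return ctx.get("eventCount", len(events)), events


def find_events(base_url, api_namespace, api_key, body, timeout=30):
    """POST the body to .../api/Command/FindEvents and parse the reply.
    This performs a network call and is not exercised offline."""
    url = f"https://{base_url}/{api_namespace}/api/Command/FindEvents"
    req = urllib.request.Request(
        url, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Content-Type": "application/json", API_KEY_HEADER: api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_find_events_response(resp.read().decode("utf-8"))


# Constructed sample response: a shortened copy of the page's Sample Response.
SAMPLE_RESPONSE = json.dumps({
    "error": "",
    "returnData": "Succeed",
    "contextData": {
        "eventCount": 3,
        "events": [
            {"ID": 5478, "eventType": "8012", "eventTime": "2020-06-22 21:12:58",
             "intakeTime": "2020-06-22 21:12:58", "LogDescription": "Summary IR Report"},
            {"ID": 5471, "eventTime": "2020-06-22 20:52:44",
             "intakeTime": "2020-06-22 20:52:44"},
            {"ID": 5470, "eventType": "8005", "eventTime": "2020-06-22 20:40:25",
             "intakeTime": "2020-06-22 20:40:25", "LogDescription": "Summary IR Report"},
        ],
    },
})

if __name__ == "__main__":
    body = build_find_events_body("Admin", "Security Operations",
                                  "2020-04-01 00:00:00", "2020-06-16 00:00:00",
                                  search_condition='EventType contains "Bitcoin"',
                                  field_names=["HostName"], top_recent=10)
    print(json.dumps(body, indent=2))
    count, events = parse_find_events_response(SAMPLE_RESPONSE)
    print(count, [e["ID"] for e in events])
```

Validating the datetime inputs client-side keeps a malformed window from being sent at all, and normalising each returned event means downstream playbook logic can read eventType and LogDescription without key errors when an event, like ID 5471 above, omits them.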