Get Events
Gets a list of filtered events with specified fields
Property | Value |
---|---|
Implementation | Python |
Command Category | Basic Utility |
Tags | EVENT, EVENT SEARCH |
Inputs
Parameter Name | Required/Optional | Description | Sample Data |
---|---|---|---|
Filter | Optional | These condition queries filter data. Key "field" indicates the selected field in the event, key "operator" indicates the condition operator applied to the field and key "value" is the desired value. Valid values for key "field" are: ID, EventID, Type, RiskLevel, TimeofOccurrence, IntakeTime, Status, Datasource, Eventsource, EventFileName, LastEscalatedBy, Event Raw Data. "AND" logic applies between JSON objects in the same array, "OR" logic applies between different arrays. (Input must be in JSON format) Available operators: ["<",">","=","<=",">=","!=","LIKE","IS EMPTY","IS NOT EMPTY"] | JSON |
Fields | Optional | Select the event field keys to be displayed in the result. The keys available for selection are listed below. In the case of an empty input, only general keys will be selected for each resulting event. General keys are every key in the list below except for "Event Raw Data". (Input must be in JSON format) | JSON |
Start Time | Required | The start of the date range for events. Based on 'IntakeTime' (UTC) of the event. | |
End Time | Required | The end of the date range for events. Based on 'IntakeTime' (UTC) of the event. | |
Output Format | Required | 1 - CSV, 2 - JSON, 3 - CSV link, 4 - JSON link | |
Page Index | Optional | The page number to receive results from. The default page index is 0. Note: if no value or 0 is given for both Page Index and Page Size, all events will be fetched. | |
Page Size | Optional | The maximum number of events to fetch, ranges from 1 to 1000. If no value or 0 is given, a default page size of 100 will be applied. Note: if no value or 0 is given for both Page Index and Page Size, all events will be fetched. | |
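The Filter semantics above (AND between objects in the same array, OR between arrays, the listed operators only) are easy to get wrong in a playbook, so the following added example, which is not part of the original page or of D3's own code, evaluates a Filter locally against constructed events copied from the sample response on this page. It also rejects fields and operators the command does not accept before anything is sent. The wildcard behaviour of LIKE ('%' and '_' as in SQL) is an assumption; the page does not define it.

```python
import re
from typing import Any, Dict, List

# Field names the page lists as valid inside a "Filter" condition. Note that
# "Tactic", "Username" and other selectable output Fields are not filterable.
FILTER_FIELDS = {
    "ID", "EventID", "Type", "RiskLevel", "TimeofOccurrence", "IntakeTime",
    "Status", "Datasource", "Eventsource", "EventFileName", "LastEscalatedBy",
    "Event Raw Data",
}
# Operators the page lists as available.
OPERATORS = {"<", ">", "=", "<=", ">=", "!=", "LIKE", "IS EMPTY", "IS NOT EMPTY"}

Filter = List[List[Dict[str, Any]]]


def validate_filter(flt: Filter) -> None:
    """Reject a Filter naming a field or operator the command does not accept,
    so a malformed playbook input fails locally instead of at the API."""
    for group in flt:
        for cond in group:
            if cond.get("field") not in FILTER_FIELDS:
                raise ValueError(f"unsupported filter field: {cond.get('field')!r}")
            if cond.get("operator") not in OPERATORS:
                raise ValueError(f"unsupported operator: {cond.get('operator')!r}")


def is_valid_filter(flt: Filter) -> bool:
    try:
        validate_filter(flt)
        return True
    except ValueError:
        return False


def _comparable(actual: Any, wanted: Any):
    """Compare numerically when both sides parse as numbers, otherwise as strings.
    The page's 'YYYY-MM-DD HH:MM:SS.fff' timestamps order correctly as strings."""
    try:
        return float(actual), float(wanted)
    except (TypeError, ValueError):
        return str(actual), str(wanted)


def _like(actual: Any, pattern: str) -> bool:
    """SQL-style LIKE: '%' matches any run of characters, '_' exactly one.
    Assumed semantics; the page does not define LIKE's wildcards."""
    regex = "".join(
        ".*" if ch == "%" else "." if ch == "_" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, str(actual), re.IGNORECASE) is not None


def condition_matches(event: Dict[str, Any], cond: Dict[str, Any]) -> bool:
    """Evaluate one {field, operator, value} object against one event."""
    actual = event.get(cond["field"])
    op = cond["operator"]
    if op == "IS EMPTY":
        return actual in (None, "")
    if op == "IS NOT EMPTY":
        return actual not in (None, "")
    if actual is None:
        return False  # a null field never satisfies a comparison
    if op == "LIKE":
        return _like(actual, cond["value"])
    a, b = _comparable(actual, cond["value"])
    return {"<": a < b, ">": a > b, "=": a == b,
            "<=": a <= b, ">=": a >= b, "!=": a != b}[op]


def event_matches(event: Dict[str, Any], flt: Filter) -> bool:
    """AND between objects in the same array, OR between arrays. An empty
    Filter (the parameter is optional) matches every event."""
    if not flt:
        return True
    return any(all(condition_matches(event, c) for c in group) for group in flt)


def matching_event_ids(events: List[Dict[str, Any]], flt: Filter) -> List[int]:
    validate_filter(flt)
    return [e["EventID"] for e in events if event_matches(e, flt)]


# Constructed sample: the three events of the page's sample response, trimmed
# to the fields used here.
SAMPLE_EVENTS = [
    {"EventID": 60075, "RiskLevel": "High", "IntakeTime": "2020-09-24 23:24:09.640",
     "Status": "New", "Datasource": "McAfee ePolicy Orchestrator", "EventFileName": None},
    {"EventID": 60078, "RiskLevel": "High", "IntakeTime": "2020-09-25 23:20:03.693",
     "Status": "Escalated", "Datasource": "McAfee ePolicy Orchestrator", "EventFileName": None},
    {"EventID": 60076, "RiskLevel": "High", "IntakeTime": "2020-09-24 23:26:03.693",
     "Status": "Dismissed", "Datasource": "McAfee ePolicy Orchestrator", "EventFileName": None},
]

# The Filter from the page's sample request.
SAMPLE_FILTER = [
    [{"field": "Status", "operator": "=", "value": "Escalated"},
     {"field": "IntakeTime", "operator": ">=", "value": "2020-09-25 23:20:03.693"}],
    [{"field": "RiskLevel", "operator": "=", "value": "High"}],
]

if __name__ == "__main__":
    print(matching_event_ids(SAMPLE_EVENTS, SAMPLE_FILTER))       # all three
    print(matching_event_ids(SAMPLE_EVENTS, SAMPLE_FILTER[:1]))   # only 60078
```

Run against the sample request's own Filter, every sample event matches, because the second array (RiskLevel = High) is OR-ed with the first and all three events are High; keeping only the first array narrows the result to the single Escalated event, which is the difference between the two logics the page describes.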
Output
Remote Command API
The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.
Request
POST
https://{base_url}/{api_namespace}/api/Command/GetEvents
Headers
Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.
Request Body
{
"Username": <Username here>,
"Site": <Site here>,
"CommandParams": {
"Filter": [
[
{
"field": <Field 1 here>,
"operator": <Operator 1 here>,
"value": <Value 1 here>
},
{
"field": <Field 2 here>,
"operator": <Operator 2 here>,
"value": <Value 2 here>
}
],
[
{
"field": <Field 3 here>,
"operator": <Operator 3 here>,
"value": <Value 3 here>
}
]
],
"Fields": [
<Field Name 1 here>,
<Field Name 2 here>,
<Field Name 3 here>,
<Field Name 4 here>,
<Field Name 5 here>,
<Field Name 6 here>,
<Field Name 7 here>,
<Field Name 8 here>,
<Field Name 9 here>,
<Field Name 10 here>,
<Field Name 11 here>,
<Field Name 12 here>,
<Field Name 13 here>,
<Field Name 14 here>,
<Field Name 15 here>,
<Field Name 16 here>,
<Field Name 17 here>,
<Field Name 18 here>,
<Field Name 19 here>,
<Field Name 20 here>,
<Field Name 21 here>
],
"Start Time": <Start Time here>,
"End Time": <End Time here>,
"Output Format": <Output Format here>,
"Page Index": <Page Index here>,
"Page Size": <Page Size here>
}
}
Body Parameters
Parameter Name | Type | Required/Optional | Description |
---|---|---|---|
Username | | Required | The username of your D3 SOAR account. |
Site | | Required | The D3 SOAR site to run the remote command. |
Filter | | Optional | These condition queries filter data. Key "field" indicates the selected field in the event, key "operator" indicates the condition operator applied to the field and key "value" is the desired value. Valid values for key "field" are: ID, EventID, Type, RiskLevel, TimeofOccurrence, IntakeTime, Status, Datasource, Eventsource, EventFileName, LastEscalatedBy, Event Raw Data. "AND" logic applies between JSON objects in the same array, "OR" logic applies between different arrays. (Input must be in JSON format) Available operators: ["<",">","=","<=",">=","!=","LIKE","IS EMPTY","IS NOT EMPTY"] |
Fields | | Optional | Select the event field keys to be displayed in the result. The keys available for selection are listed below. In the case of an empty input, only general keys will be selected for each resulting event. General keys are every key in the list below except for "Event Raw Data". (Input must be in JSON format) |
Start Time | | Required | The start of the date range for events. Based on 'IntakeTime' (UTC) of the event. |
End Time | | Required | The end of the date range for events. Based on 'IntakeTime' (UTC) of the event. |
Output Format | | Required | 1 - CSV, 2 - JSON, 3 - CSV link, 4 - JSON link |
Page Index | | Optional | The page number to receive results from. The default page index is 0. Note: if no value or 0 is given for both Page Index and Page Size, all events will be fetched. |
Page Size | | Optional | The maximum number of events to fetch, ranges from 1 to 1000. If no value or 0 is given, a default page size of 100 will be applied. Note: if no value or 0 is given for both Page Index and Page Size, all events will be fetched. |
Sample Request
{
"Username": "Admin",
"Site": "Security Operations",
"CommandParams": {
"Filter": [
[
{
"field": "Status",
"operator": "=",
"value": "Escalated"
},
{
"field": "IntakeTime",
"operator": ">=",
"value": "2020-09-25 23:20:03.693"
}
],
[
{
"field": "RiskLevel",
"operator": "=",
"value": "High"
}
]
],
"Fields": [
"ID",
"EventID",
"Type",
"Tactic",
"Technique",
"RiskLevel",
"TimeofOccurrence",
"IntakeTime",
"Status",
"Description",
"Site",
"Datasource",
"Eventsource",
"Username",
"Sourceip",
"Targetip",
"Integrationconnection",
"EventFileName",
"LastEscalatedBy",
"Event Raw Data",
"LinkedIncidents"
],
"Start Time": "2020-01-06 01:30:00",
"End Time": "2020-10-23 07:45:00",
"Output Format": 2,
"Page Index": 0,
"Page Size": 100
}
}
Response
Response Fields
Field Name | Type | Description |
---|---|---|
error | | The error message if the API request has failed. |
keyFields | | The key fields from the API request. |
returnData | | The return data from the API request. |
rawData | | The raw data from the API request. |
Sample Response
{
"error": "",
"keyFields": {
"Pagination": {
"PageIndex": 0,
"PageSize": 100,
"TotalPages": 10
}
},
"returnData": "Successful",
"rawData": {
"events": [
{
"ID": "4ea4cf0b-bdfe-ea11-bdc2-1062e502940f",
"EventID": 60075,
"Type": "DEVICE_PLUG",
"Tactic": "Defense Evasion",
"Technique": "Drive-by Compromise",
"RiskLevel": "High",
"TimeofOccurrence": null,
"IntakeTime": "2020-09-24 23:24:09.640",
"Status": "New",
"Description": null,
"Site": "APSOC",
"Datasource": "McAfee ePolicy Orchestrator",
"Eventsource": "Default Event Source",
"Username": null,
"Sourceip": null,
"Targetip": null,
"Integrationconnection": "Webhook",
"EventFileName": null,
"LastEscalatedBy": "admin user",
"Event Raw Data": {
"Body": {
"BodyType": 0
}
}
},
{
"ID": "e2c2e2cb-1693-eb11-92c1-9cebe82ccd06",
"EventID": 60078,
"Type": "DEVICE_PLUG",
"Tactic": "Execution",
"Technique": "Timestomp",
"RiskLevel": "High",
"TimeofOccurrence": null,
"IntakeTime": "2020-09-25 23:20:03.693",
"Status": "Escalated",
"Description": null,
"Site": "APSOC",
"Datasource": "McAfee ePolicy Orchestrator",
"Eventsource": "Default Event Source",
"Username": null,
"Sourceip": null,
"Targetip": null,
"Integrationconnection": "Webhook",
"EventFileName": null,
"LastEscalatedBy": "admin user",
"Event Raw Data": {
"Body": {
"BodyType": 0
}
}
},
{
"ID": "97a4a84f-bdfe-ea11-bdc2-1062e502940f",
"EventID": 60076,
"Type": "DEVICE_PLUG",
"Tactic": "Collection",
"Technique": "Data from Removable Media",
"RiskLevel": "High",
"TimeofOccurrence": null,
"IntakeTime": "2020-09-24 23:26:03.693",
"Status": "Dismissed",
"Description": null,
"Site": "APSOC",
"Datasource": "McAfee ePolicy Orchestrator",
"Eventsource": "Default Event Source",
"Username": null,
"Sourceip": null,
"Targetip": null,
"Integrationconnection": "Webhook",
"EventFileName": null,
"LastEscalatedBy": "admin user",
"Event Raw Data": {
"Body": {
"BodyType": 0
}
}
}
]
}
}
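The Page Index / Page Size rules in the body parameters and the Pagination block in keyFields of the sample response together define how a caller walks a large result set. The following added example (not part of the original page and not D3's own client code) builds a request body with the ranges the page gives, walks every page reported in TotalPages, stops on the first non-empty "error", and exercises the walk offline against a constructed sender that pages a list of made-up events in the sample response's layout. It assumes Page Index is zero-based (the page's default and sample both use 0), that base_url and api_namespace are filled in by the caller, and that the API-key authentication from the Webhook Configuration Guide is carried as ordinary request headers.

```python
import copy
import json
import urllib.request
from typing import Any, Callable, Dict, List, Optional

# Endpoint from the page; base_url and api_namespace are deployment-specific.
ENDPOINT = "https://{base_url}/{api_namespace}/api/Command/GetEvents"
OUTPUT_CSV, OUTPUT_JSON, OUTPUT_CSV_LINK, OUTPUT_JSON_LINK = 1, 2, 3, 4

Body = Dict[str, Any]
Sender = Callable[[Body], Dict[str, Any]]


def build_request(username: str, site: str, start_time: str, end_time: str,
                  flt: Optional[list] = None, fields: Optional[List[str]] = None,
                  output_format: int = OUTPUT_JSON, page_index: int = 0,
                  page_size: int = 100) -> Body:
    """Build the request body, enforcing the ranges the page gives:
    Output Format 1-4, Page Size 0 (server default of 100) or 1..1000."""
    if output_format not in (OUTPUT_CSV, OUTPUT_JSON, OUTPUT_CSV_LINK, OUTPUT_JSON_LINK):
        raise ValueError("Output Format must be 1, 2, 3 or 4")
    if not 0 <= page_size <= 1000:
        raise ValueError("Page Size must be 0 or between 1 and 1000")
    if page_index < 0:
        raise ValueError("Page Index must not be negative")
    return {
        "Username": username,
        "Site": site,
        "CommandParams": {
            "Filter": flt or [],
            "Fields": fields or [],
            "Start Time": start_time,
            "End Time": end_time,
            "Output Format": output_format,
            "Page Index": page_index,
            "Page Size": page_size,
        },
    }


def http_sender(url: str, auth_headers: Dict[str, str]) -> Sender:
    """Sender that POSTs a body to the command API. auth_headers carries the
    API-key header(s) prescribed by the Webhook Configuration Guide (assumed
    to be plain request headers). Never called by this script itself."""
    def send(body: Body) -> Dict[str, Any]:
        req = urllib.request.Request(
            url, data=json.dumps(body).encode("utf-8"), method="POST",
            headers={"Content-Type": "application/json", **auth_headers})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return send


def fetch_all_events(send: Sender, base_body: Body) -> List[Dict[str, Any]]:
    """Walk pages 0..TotalPages-1 (zero-based index assumed) and collect
    rawData.events, failing fast on a non-empty "error"."""
    events: List[Dict[str, Any]] = []
    page = 0
    while True:
        body = copy.deepcopy(base_body)
        body["CommandParams"]["Page Index"] = page
        resp = send(body)
        if resp.get("error"):
            raise RuntimeError(f"GetEvents failed on page {page}: {resp['error']}")
        events.extend(resp["rawData"]["events"])
        total_pages = resp["keyFields"]["Pagination"]["TotalPages"]
        page += 1
        if page >= total_pages:
            return events


def make_fake_sender(all_events: List[Dict[str, Any]]) -> Sender:
    """Offline stand-in for the API: pages a constructed event list in the
    page's response layout, including the 'both 0 means fetch all' rule."""
    def send(body: Body) -> Dict[str, Any]:
        params = body["CommandParams"]
        idx, size = params["Page Index"], params["Page Size"]
        if idx == 0 and size == 0:
            chunk, size, total = all_events, len(all_events), 1
        else:
            size = size or 100
            total = max(1, -(-len(all_events) // size))  # ceiling division
            chunk = all_events[idx * size:(idx + 1) * size]
        return {
            "error": "",
            "keyFields": {"Pagination": {"PageIndex": idx, "PageSize": size,
                                         "TotalPages": total}},
            "returnData": "Successful",
            "rawData": {"events": chunk},
        }
    return send


# Constructed data: 25 events, so a Page Size of 10 yields three pages.
CONSTRUCTED_EVENTS = [{"EventID": 60000 + i, "RiskLevel": "High", "Status": "New"}
                      for i in range(25)]


def demo_page_walk(page_size: int = 10) -> List[int]:
    body = build_request("Admin", "Security Operations",
                         "2020-01-06 01:30:00", "2020-10-23 07:45:00",
                         page_size=page_size)
    return [e["EventID"] for e in fetch_all_events(make_fake_sender(CONSTRUCTED_EVENTS), body)]


if __name__ == "__main__":
    print(len(demo_page_walk(10)))  # 25 events collected across three pages
```

To run against a live deployment, replace the fake with `http_sender(ENDPOINT.format(base_url=..., api_namespace=...), {...})` carrying the API-key header from the authentication guide; the page walk itself is unchanged. Deep-copying the base body before setting Page Index keeps the caller's Filter and Fields untouched between requests.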