Get Incident Command Center Logs
LAST UPDATED: SEPT 20, 2024
Retrieves incident logs from the Command Center.
READER NOTE
If you are not currently using version 16.9, you may encounter limitations in accessing this command. Kindly reach out to D3 for assistance in obtaining access if such a situation arises.
Implementation | Command Category | Tags |
---|---|---|
Python | System Utility | INCIDENT COMMAND CENTER LOGS |
Inputs
Parameter Name | Required/Optional | Description | Sample Data |
---|---|---|---|
Incident Number | Required | The incident number corresponding to an incident for which the Command Center logs will be retrieved. | 090924-13297 |
Log Type ID | Optional | Filters the type of command center log. Below are the types of command center logs available for retrieval. If left empty, all 14 types of logs will be retrieved. | |
Artifact Type ID | Optional | Sets the artifact type. This parameter only affects the results when the Log Type ID is 10 (i.e. Artifact Action Results). The parameter only supports filtering by system artifact types, with each ID corresponding to a specific type of artifact. Below are the system artifact types available for filtering. If left empty, all artifact types will be retrieved. | |
Output
Remote Command API
The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.
Request
POST
https://{base_url}/{api_namespace}/api/Command/GetIncidentCommandCenterLogs
Headers
Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.
Request Body
{
  "Username": <Username here>,
  "Site": <Site here>,
  "CommandParams": {
    "Incident Number": <Incident Number here>,
    "Log Type ID": <Log Type ID here>,
    "Artifact Type ID": <Artifact ID here>
  }
}
Body Parameters
Parameter Name | Type | Required/Optional | Description |
---|---|---|---|
Username | | Required | The username of your D3 SOAR account. |
Site | | Required | The D3 SOAR site on which to run the remote command. |
Incident Number | | Required | The incident number corresponding to an incident for which the Command Center logs will be retrieved. |
Log Type ID | | Optional | Filters the type of command center log. Below are the types of command center logs available for retrieval. If left empty, all 14 types of logs will be retrieved. |
Artifact Type ID | | Optional | Sets the artifact type. This parameter only affects the results when the Log Type ID is 10 (i.e. Artifact Action Results). The parameter only supports filtering by system artifact types, with each ID corresponding to a specific type of artifact. Below are the system artifact types available for filtering. If left empty, all artifact types will be retrieved. |
Sample Request
SAMPLE DATA
{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Incident Number": "20200527-244",
    "Artifact Type ID": [
      10,
      11
    ]
  }
}
Response
Response Fields
Field Name | Type | Description |
---|---|---|
error | | The error message if the API request has failed. |
returnData | | The return data from the API request. |
Sample Response
{
  "error": "",
  "returnData": {
    "Status": "Successful",
    "Data": [
      {
        "LogId": 12275,
        "LogTypeName": "Other User Actions",
        "LogTypeId": 5,
        "LogTime": "Tuesday 03/05/2024 02:14 PM PST",
        "UserName": "Admin ****",
        "LogContent": "Playbook (<span class=\"cc-playbook\">test0***</span>) is <span class=\"cc-action\">added to current incident</span> by <span class=\"cc-user\">Admin ****<span>.",
        "TaskId": -1,
        "TaskTypeIsIntegration": 0,
        "TaskName": ""
      },
      {
        "LogId": 266,
        "LogTypeName": "Other User Actions",
        "LogTypeId": 5,
        "LogTime": "Friday 05/12/2023 05:01 PM PST",
        "UserName": "Admin ****",
        "LogContent": "Current incident is set as <span class=\"cc-action\">On Hold</span> by <span class=\"cc-user\">Admin ****</span>.",
        "TaskId": -1,
        "TaskTypeIsIntegration": 0,
        "TaskName": ""
      },
      {
        "LogId": 159,
        "LogTypeName": "Other User Actions",
        "LogTypeId": 5,
        "LogTime": "Wednesday 10/27/2021 04:02 PM PST",
        "UserName": "Admin ****",
        "LogContent": "Playbook (<span class=\"cc-playbook\">Email Protection - Phishing Playbook</span>) is <span class=\"cc-action\">added to current incident</span>.",
        "TaskId": -1,
        "TaskTypeIsIntegration": 0,
        "TaskName": ""
      }
    ]
  }
}
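The request body and response envelope above, worked through as an added example (not D3's own client code): it builds the CommandParams exactly as the Request Body section lays them out, POSTs them to the command endpoint, checks the error/Status envelope and strips the cc-* span markup from LogContent so the entries can be written to a plain-text audit trail. The base URL, API namespace and API-key header names are assumptions the caller supplies; the sample response is constructed from one entry of the page's Sample Response so the parsing part runs offline.

```python
import json
import re
import urllib.request

COMMAND_PATH = "/api/Command/GetIncidentCommandCenterLogs"
_TAG_RE = re.compile(r"<[^>]+>")  # strips the <span class="cc-*"> markup in LogContent

def build_request(username, site, incident_number, log_type_id=None, artifact_type_ids=None):
    """Assemble the body in the shape shown under Request Body; absent optionals mean 'all'."""
    params = {"Incident Number": incident_number}
    if log_type_id is not None:
        params["Log Type ID"] = log_type_id
    if artifact_type_ids:  # only affects results when Log Type ID is 10
        params["Artifact Type ID"] = list(artifact_type_ids)
    return {"Username": username, "Site": site, "CommandParams": params}

def send_command(base_url, api_namespace, body, auth_headers):
    """POST to the command API; auth_headers hold the API-key headers from your D3 configuration (assumed)."""
    req = urllib.request.Request(
        f"https://{base_url}/{api_namespace}{COMMAND_PATH}", data=json.dumps(body).encode(),
        method="POST", headers={"Content-Type": "application/json", **auth_headers})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def parse_response(payload):
    """Check the error/Status envelope, then return each log as (LogId, LogTypeId, time, user, text)."""
    if payload.get("error"):
        raise RuntimeError(f"command API error: {payload['error']}")
    data = payload.get("returnData") or {}
    if data.get("Status") != "Successful":
        raise RuntimeError(f"unexpected Status: {data.get('Status')!r}")
    return [(e["LogId"], e["LogTypeId"], e["LogTime"], e["UserName"],
             _TAG_RE.sub("", e["LogContent"])) for e in data.get("Data", [])]

# Constructed sample (one entry taken from the page's Sample Response) so this runs offline.
SAMPLE_RESPONSE = {"error": "", "returnData": {"Status": "Successful", "Data": [{
    "LogId": 266, "LogTypeName": "Other User Actions", "LogTypeId": 5,
    "LogTime": "Friday 05/12/2023 05:01 PM PST", "UserName": "Admin ****",
    "LogContent": "Current incident is set as <span class=\"cc-action\">On Hold</span> by "
                  "<span class=\"cc-user\">Admin ****</span>.",
    "TaskId": -1, "TaskTypeIsIntegration": 0, "TaskName": ""}]}}

if __name__ == "__main__":
    body = build_request("Admin", "Security Operations", "20200527-244", artifact_type_ids=[10, 11])
    print(json.dumps(body, indent=2))
    for log_id, type_id, when, who, text in parse_response(SAMPLE_RESPONSE):
        print(log_id, type_id, when, who, text)
```

To run against a live instance, pass the result of build_request to send_command together with the API-key headers from the Webhook Configuration Guide, then hand the JSON it returns to parse_response.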