Skip to main content
Skip table of contents

Get Incident Command Center Logs

READER NOTE

If you are not currently using version 16.9, you may encounter limitations in accessing this command. Kindly reach out to D3 for assistance in obtaining access if such a situation arises.

This command is designed to retrieve incident logs from the Command Center log.

Implementation

Python

Command Category

System Utility

Tags

N/A

Inputs

Parameter Name

Required/Optional

Description

Sample Data

Incident Number

Required

The incident number for which the Command Center log will be retrieved.

20200527-244

Log Type ID

Optional

This parameter is optional and is used to filter the type of command center log. If left empty, all types of logs will be retrieved by default. It sets the Log type ID. Below is a list that maps each Log Type ID to its corresponding name:

1: Task Results

2: Command Line Results

3: Messages

4: Changes of Incident Field

5: Other User Actions

6: System Notifications

7: Ad Hoc Tasks

13: Ad Hoc Tasks - Completed Tasks

8: Ad Hoc Tasks - Completed Tasks - Created by Me

9: Ad Hoc Tasks - Completed Tasks - Assigned to Me

14: Ad Hoc Tasks - Task Creation History

10: Artifact Action Results

11: Timeline Actions

12: Key Finding Actions Use the correct Log Type ID from this list to filter the desired Log type.

CODE
[
    1,
    2,
    3,
    4,
    5,
    6,
    7,
    8,
    9,
    10,
    11,
    12,
    13,
    14
]

Artifact Type ID

Optional

This parameter sets the artifact type and only affects the results when the log type is 'Artifact Action Results (logType: 10)'. If left empty, all types of artifact will be retrieved by default. It only supports system artifact types as a filter. Below is a list that maps each Artifact Type ID to its corresponding name:

0: Unknown

1: Internal Endpoint

2: External Endpoint

3: URL

4: File

5: User

6: Email Address

7: Process

8: Service

9: Module

10: Driver

11: Signature

12: Certificate

13: Registry

14: Vulnerability

15: Username

16: Filename

17: File Hash SHA256

18: File Hash MD5

19: File Hash SHA1

20: Process Guid

21: Signature Identity

22: Host Name

23: Internal Endpoint Domain Name

24: Internal IP

25: External Endpoint Domain Name

26: External IP

27: Registry Key Use the correct Artifact Type ID from this list to filter the desired artifact type.

[
10,
11
]

Output

Return Data

The returned result of this command. If some required parameters are not defined, this returned data could be empty. The returned result can be passed down directly to a subsequent command in playbooks.

SAMPLE DATA

JSON
{
    "Status": "Successful",
    "Data": [
        {
            "LogId": 12275,
            "LogTypeName": "Other User Actions",
            "LogTypeId": 5,
            "LogTime": "Tuesday 03/05/2024 02:14 PM PST",
            "UserName": "Admin ****",
            "LogContent": "Playbook (<span class=\"cc-playbook\">test0***</span>) is <span class=\"cc-action\">added to current incident</span> by <span class=\"cc-user\">Admin ****<span>.",
            "TaskId": -1,
            "TaskTypeIsIntegration": 0,
            "TaskName": ""
        },
        {
            "LogId": 266,
            "LogTypeName": "Other User Actions",
            "LogTypeId": 5,
            "LogTime": "Friday 05/12/2023 05:01 PM PST",
            "UserName": "Admin ****",
            "LogContent": "Current incident is set as <span class=\"cc-action\">On Hold</span> by <span class=\"cc-user\">Admin ****</span>.",
            "TaskId": -1,
            "TaskTypeIsIntegration": 0,
            "TaskName": ""
        },
        {
            "LogId": 159,
            "LogTypeName": "Other User Actions",
            "LogTypeId": 5,
            "LogTime": "Wednesday 10/27/2021 04:02 PM PST",
            "UserName": "Admin ****",
            "LogContent": "Playbook (<span class=\"cc-playbook\">Email Protection - Phishing Playbook</span>) is <span class=\"cc-action\">added to current incident</span>.",
            "TaskId": -1,
            "TaskTypeIsIntegration": 0,
            "TaskName": ""
        }
    ]
}

Remote Command API

The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.

Request

POST

CODE
https://{base_url}/{api_namespace}/api/Command/GetIncidentCommandCenterLogs

Headers

Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.

Request Body

JSON
{
  "Username": <Username here>,
  "Site": <Site here>,
  "CommandParams": {
    "Incident Number": <Incident Number here>,
    "Log Type ID": <Log Type ID here>,
    "Artifact Type ID": <Artifact ID here>
  }
}

Body Parameters

Parameter Name

Type

Required/Optional

Description

Username

String

Required

The username of your D3 SOAR account.

Site

String

Required

The D3 SOAR site to run the remote command.

Incident Number

Text

Required

The incident number for which the Command Center log will be retrieved.

Log Type ID

Number Array

Optional

This parameter is optional and is used to filter the type of command center log. If left empty, all types of logs will be retrieved by default. It sets the Log type ID. Below is a list that maps each Log Type ID to its corresponding name:

1: Task Results

2: Command Line Results

3: Messages

4: Changes of Incident Field

5: Other User Actions

6: System Notifications

7: Ad Hoc Tasks

13: Ad Hoc Tasks - Completed Tasks

8: Ad Hoc Tasks - Completed Tasks - Created by Me

9: Ad Hoc Tasks - Completed Tasks - Assigned to Me

14: Ad Hoc Tasks - Task Creation History

10: Artifact Action Results

11: Timeline Actions

12: Key Finding Actions Use the correct Log Type ID from this list to filter the desired Log type

Artifact Type ID

Number Array

Optional

This parameter sets the artifact type and only affects the results when the log type is 'Artifact Action Results (logType: 10)'. If left empty, all types of artifact will be retrieved by default. It only supports system artifact types as a filter. Below is a list that maps each Artifact Type ID to its corresponding name:

0: Unknown

1: Internal Endpoint

2: External Endpoint

3: URL

4: File

5: User

6: Email Address

7: Process

8: Service

9: Module

10: Driver

11: Signature

12: Certificate

13: Registry

14: Vulnerability

15: Username

16: Filename

17: File Hash SHA256

18: File Hash MD5

19: File Hash SHA1

20: Process Guid

21: Signature Identity

22: Host Name

23: Internal Endpoint Domain Name

24: Internal IP

25: External Endpoint Domain Name

26: External IP

27: Registry Key Use the correct Artifact Type ID from this list to filter the desired artifact type.

Sample Request

SAMPLE DATA

JSON
{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Incident Number": "20200527-244",
    "Log Type ID": [
      1,
      2,
      3,
      4,
      5,
      6,
      7,
      8,
      9,
      10,
      11,
      12,
      13,
      14
    ],
    "Artifact Type ID": [
      10,
      11
    ]
  }
}

Response

Response Fields

Field Name

Type

Description

error

String

The error message if the API request has failed.

returnData

JSON Object

The return data from the API request.

Sample Response

JSON
{
    "error": "",
    "returnData": {
        "Status": "Successful",
        "Data": [
            {
                "LogId": 12275,
                "LogTypeName": "Other User Actions",
                "LogTypeId": 5,
                "LogTime": "Tuesday 03/05/2024 02:14 PM PST",
                "UserName": "Admin ****",
                "LogContent": "Playbook (<span class=\"cc-playbook\">test0***</span>) is <span class=\"cc-action\">added to current incident</span> by <span class=\"cc-user\">Admin ****<span>.",
                "TaskId": -1,
                "TaskTypeIsIntegration": 0,
                "TaskName": ""
            },
            {
                "LogId": 266,
                "LogTypeName": "Other User Actions",
                "LogTypeId": 5,
                "LogTime": "Friday 05/12/2023 05:01 PM PST",
                "UserName": "Admin ****",
                "LogContent": "Current incident is set as <span class=\"cc-action\">On Hold</span> by <span class=\"cc-user\">Admin ****</span>.",
                "TaskId": -1,
                "TaskTypeIsIntegration": 0,
                "TaskName": ""
            },
            {
                "LogId": 159,
                "LogTypeName": "Other User Actions",
                "LogTypeId": 5,
                "LogTime": "Wednesday 10/27/2021 04:02 PM PST",
                "UserName": "Admin ****",
                "LogContent": "Playbook (<span class=\"cc-playbook\">Email Protection - Phishing Playbook</span>) is <span class=\"cc-action\">added to current incident</span>.",
                "TaskId": -1,
                "TaskTypeIsIntegration": 0,
                "TaskName": ""
            }
        ]
    }
}
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.