Get Incident Command Center Logs

LAST UPDATED: SEPT 20, 2024

Retrieves incident logs from the Command Center.

READER NOTE

If you are not currently using version 16.9, you may encounter limitations in accessing this command. Kindly reach out to D3 for assistance in obtaining access if such a situation arises.

Implementation	Python
Command Category	System Utility
Tags	INCIDENT COMMAND CENTER LOGS

Inputs

Parameter Name

Required/Optional

Description

Sample Data

Incident Number

Required

The incident number corresponding to an incident for which the Command Center logs will be retrieved.

090924-13297

Log Type ID

Optional

Filters the type of command center log. Below are the types of command center logs available for retrieval:
1 - Task Results
2 - Command Line Results
3 - Messages
4 - Changes of Incident Field
5 - Other User Actions
6 - System Notifications
7 - Ad Hoc Tasks
8 - Ad Hoc Tasks - Completed Tasks - Created by Me
9 - Ad Hoc Tasks - Completed Tasks - Assigned to Me
10 - Artifact Action Results
11 - Timeline Actions
12 - Key Finding Actions Use the correct Log Type
ID from this list to filter the desired Log type.
13 - Ad Hoc Tasks - Completed Tasks
14 - Ad Hoc Tasks - Task Creation History

If left empty, all 14 types of logs will be retrieved.

CODE

Artifact Type ID

Optional

Sets the artifact type.

This parameter only affects the results when the Log Type ID is 10 (i.e. Artifact Action Results).

The parameter only supports filtering by system artifact types, with each ID corresponding to a specific type of artifact.

Below are the system artifact types available for filtering:
0 - Unknown
1 - Internal Endpoint
2 - External Endpoint
3 - URL
4 - File
5 - User
6 - Email Address
7 - Process
8 - Service
9 - Module
10 - Driver
11 - Signature
12 - Certificate
13 - Registry
14 - Vulnerability
15 - Username
16 - Filename
17 - File Hash SHA256
18 - File Hash MD5
19 - File Hash SHA1
20 - Process GUID
21 - Signature Identity
22 - Host Name
23 - Internal Endpoint Domain Name
24 - Internal IP
25 - External Endpoint Domain Name
26 - External IP
27 - Registry Key

If left empty, all artifact types will be retrieved.

CODE

[
  10,
  11
]

Output

Return Data

The returned result of this command. If some required parameters are not defined, this returned data could be empty. The returned result can be passed down directly to a subsequent command in playbooks.

SAMPLE DATA

JSON

{
    "Status": "Successful",
    "Data": [
        {
            "LogId": 12275,
            "LogTypeName": "Other User Actions",
            "LogTypeId": 5,
            "LogTime": "Tuesday 03/05/2024 02:14 PM PST",
            "UserName": "Admin ****",
            "LogContent": "Playbook (<span class=\"cc-playbook\">test0***</span>) is <span class=\"cc-action\">added to current incident</span> by <span class=\"cc-user\">Admin ****<span>.",
            "TaskId": -1,
            "TaskTypeIsIntegration": 0,
            "TaskName": ""
        },
        {
            "LogId": 266,
            "LogTypeName": "Other User Actions",
            "LogTypeId": 5,
            "LogTime": "Friday 05/12/2023 05:01 PM PST",
            "UserName": "Admin ****",
            "LogContent": "Current incident is set as <span class=\"cc-action\">On Hold</span> by <span class=\"cc-user\">Admin ****</span>.",
            "TaskId": -1,
            "TaskTypeIsIntegration": 0,
            "TaskName": ""
        },
        {
            "LogId": 159,
            "LogTypeName": "Other User Actions",
            "LogTypeId": 5,
            "LogTime": "Wednesday 10/27/2021 04:02 PM PST",
            "UserName": "Admin ****",
            "LogContent": "Playbook (<span class=\"cc-playbook\">Email Protection - Phishing Playbook</span>) is <span class=\"cc-action\">added to current incident</span>.",
            "TaskId": -1,
            "TaskTypeIsIntegration": 0,
            "TaskName": ""
        }
    ]
}

Remote Command API

The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.

Request

POST

CODE

https://{base_url}/{api_namespace}/api/Command/GetIncidentCommandCenterLogs

Headers

Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.

Request Body

JSON

{
  "Username": <Username here>,
  "Site": <Site here>,
  "CommandParams": {
    "Incident Number": <Incident Number here>,
    "Log Type ID": <Log Type ID here>,
    "Artifact Type ID": <Artifact ID here>
  }
}

Body Parameters

Parameter Name	Type	Required/Optional	Description
Username	`string`	Required	The username of your D3 SOAR account.
Site	`string`	Required	The D3 SOAR site to run the remote command.
Incident Number	`string`	Required	The incident number corresponding to an incident for which the Command Center logs will be retrieved.
Log Type ID	`array<integer>`	Optional	Filters the type of command center log. Below are the types of command center logs available for retrieval: `1` - Task Results `2` - Command Line Results `3` - Messages `4` - Changes of Incident Field `5` - Other User Actions `6` - System Notifications `7` - Ad Hoc Tasks `8` - Ad Hoc Tasks - Completed Tasks - Created by Me `9` - Ad Hoc Tasks - Completed Tasks - Assigned to Me `10` - Artifact Action Results `11` - Timeline Actions `12` - Key Finding Actions Use the correct Log Type ID from this list to filter the desired Log type. `13` - Ad Hoc Tasks - Completed Tasks `14` - Ad Hoc Tasks - Task Creation History If left empty, all 14 types of logs will be retrieved.
Artifact Type ID	`array<integer>`	Optional	Sets the artifact type. This parameter only affects the results when the Log Type ID is 10 (i.e. Artifact Action Results). The parameter only supports filtering by system artifact types, with each ID corresponding to a specific type of artifact. Below are the system artifact types available for filtering: `0` - Unknown `1` - Internal Endpoint `2` - External Endpoint `3` - URL `4` - File `5` - User `6` - Email Address `7` - Process `8` - Service `9` - Module `10` - Driver `11` - Signature `12` - Certificate `13` - Registry `14` - Vulnerability `15` - Username `16` - Filename `17` - File Hash SHA256 `18` - File Hash MD5 `19` - File Hash SHA1 `20` - Process GUID `21` - Signature Identity `22` - Host Name `23` - Internal Endpoint Domain Name `24` - Internal IP `25` - External Endpoint Domain Name `26` - External IP `27` - Registry Key If left empty, all artifact types will be retrieved.

Sample Request

SAMPLE DATA

JSON

{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Incident Number": "20200527-244",
    "Artifact Type ID": [
      10,
      11
    ]
  }
}

Response

Response Fields

Field Name	Type	Description
error	`string`	The error message if the API request has failed.
returnData	`JSON Object`	The return data from the API request.

Sample Response

JSON

{
    "error": "",
    "returnData": {
        "Status": "Successful",
        "Data": [
            {
                "LogId": 12275,
                "LogTypeName": "Other User Actions",
                "LogTypeId": 5,
                "LogTime": "Tuesday 03/05/2024 02:14 PM PST",
                "UserName": "Admin ****",
                "LogContent": "Playbook (<span class=\"cc-playbook\">test0***</span>) is <span class=\"cc-action\">added to current incident</span> by <span class=\"cc-user\">Admin ****<span>.",
                "TaskId": -1,
                "TaskTypeIsIntegration": 0,
                "TaskName": ""
            },
            {
                "LogId": 266,
                "LogTypeName": "Other User Actions",
                "LogTypeId": 5,
                "LogTime": "Friday 05/12/2023 05:01 PM PST",
                "UserName": "Admin ****",
                "LogContent": "Current incident is set as <span class=\"cc-action\">On Hold</span> by <span class=\"cc-user\">Admin ****</span>.",
                "TaskId": -1,
                "TaskTypeIsIntegration": 0,
                "TaskName": ""
            },
            {
                "LogId": 159,
                "LogTypeName": "Other User Actions",
                "LogTypeId": 5,
                "LogTime": "Wednesday 10/27/2021 04:02 PM PST",
                "UserName": "Admin ****",
                "LogContent": "Playbook (<span class=\"cc-playbook\">Email Protection - Phishing Playbook</span>) is <span class=\"cc-action\">added to current incident</span>.",
                "TaskId": -1,
                "TaskTypeIsIntegration": 0,
                "TaskName": ""
            }
        ]
    }
}