Get incident investigation details

LAST UPDATED: SEPT 09, 2024

Retrieves the investigation details for incidents.

READER NOTE

This utility command is available in D3 SOAR 16.8 and later. On earlier versions you may be unable to access it; if so, contact D3 for assistance in obtaining access.

Implementation

Python

Command Category

System Utility

Tags

INCIDENT INVESTIGATION

Inputs

Parameter Name

Required/Optional

Description

Sample Data

Incident Numbers

Required

One or more incident numbers identifying the incidents for which the investigation details will be retrieved.

CODE
["090924-13297"]

Investigation Section Names

Required

The sections of the investigation tab to query. The options are:

  • Summary

  • Findings

  • Remediations and Mitigations

  • Recommendations

CODE
[
  "Summary",
  "Findings",
  "Remediations and Mitigations",
  "Recommendations"
]

Output

Return Data

The returned result of this command. If a required parameter is not defined, the returned data may be empty. The Content values are HTML markup as saved from the investigation tab's rich-text editor (the sample below shows inline styles and pasted-in div wrappers), so treat them as untrusted input when rendering or forwarding them. The returned result can be passed directly to a subsequent command in a playbook.

SAMPLE DATA

JSON
{
  "Status": "Successful",
  "Data": [
    {
      "IncidentNo": "090924-13297",
      "Summary": {
        "CreatedTime": "Sep 09, 2024 13:36",
        "CreatedBy": "Admin",
        "LastModifiedTime": "Sep 09, 2024 14:44",
        "LastModifiedBy": "Admin",
        "Content": "<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla facilisi. Aenean fringilla, nibh sit amet tempor pulvinar, risus felis malesuada urna, in suscipit magna est non velit. Integer fermentum ante eget erat scelerisque, id elementum purus vestibulum. Fusce ac purus et erat sollicitudin pharetra. Aliquam erat volutpat. Mauris dapibus tortor in nulla accumsan, et ultricies libero vehicula. Pellentesque habitant morbi tristique senectus et netus et mal<br><br>WUUU</p><div class=\"absolute\"><div class=\"flex items-center justify-center\"></div></div><div class=\"md:pt-0 dark:border-white/20 md:border-transparent md:dark:border-transparent w-full\"><div class=\"\"><div class=\"text-base px-3 md:px-4 m-auto w-full md:px-5 lg:px-1 xl:px-5\"><div class=\"mx-auto flex flex-1 gap-4 text-base md:gap-5 lg:gap-6 md:max-w-3xl\"><div class=\"relative flex h-full max-w-full flex-1 flex-col\"><div class=\"absolute bottom-full left-0 right-0 z-20\"></div><div class=\"group relative flex w-full items-center\"><div class=\"flex w-full flex-col gap-1.5 rounded-[26px] p-1.5 transition-colors bg-[#f4f4f4] dark:bg-token-main-surface-secondary\"><div class=\"flex items-end gap-1.5 md:gap-2\"><div class=\"relative\"><div class=\"flex flex-col\"><div></div></div></div><div class=\"flex min-w-0 flex-1 flex-col\"></div></div></div></div></div></div></div></div></div>"
      },
      "Findings": [
        {
          "CreatedTime": "Sep 09, 2024 14:44",
          "CreatedBy": "Admin",
          "Type": "Initial Findings",
          "Content": "<p>demo initial findings</p>"
        },
        {
          "CreatedTime": "Sep 09, 2024 14:45",
          "CreatedBy": "Admin",
          "Type": "Indicators of Attack (IOA)",
          "Content": "<p>demo IOA</p>"
        }
      ],
      "Remediations and Mitigations": [
        {
          "CreatedTime": "Sep 09, 2024 14:45",
          "CreatedBy": "Admin",
          "Content": "<h1>Demo Remediations &amp; Mitigations</h1>"
        }
      ],
      "Recommendations": [
        {
          "CreatedTime": "Sep 09, 2024 14:45",
          "CreatedBy": "Admin",
          "Content": "<p><span style=\"color: rgb(220, 223, 228); font-family: -apple-system, BlinkMacSystemFont, &quot;Segoe UI&quot;, Roboto, Oxygen, Ubuntu, &quot;Fira Sans&quot;, &quot;Droid Sans&quot;, &quot;Helvetica Neue&quot;, sans-serif; font-size: 17px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 700; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; background-color: rgb(33, 38, 48); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;\">Demo Recommendations</span></p>"
        }
      ]
    }
  ],
  "ErrorData": []
}
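The Content fields above are HTML as authored in the incident's rich-text editor (note the inline styles and the pasted-in div wrappers in the Summary). A playbook step that forwards them into a ticket, an e-mail or a chat message should therefore treat them as untrusted markup. The following is an added example, not part of this page or of D3's code, that validates the Return Data envelope and reduces each Content value to plain text with the standard-library HTML parser. The sample input is a constructed, abridged copy of the Sample Data above.

```python
"""Normalize the Return Data of getIncidentInvestigationDetails.

Added example; not D3 documentation or product code. The input shape follows the
Sample Data on this page; SAMPLE_RETURN_DATA is a constructed, abridged copy of it.
"""
from html.parser import HTMLParser

SECTIONS = ("Summary", "Findings", "Remediations and Mitigations", "Recommendations")


class _TextExtractor(HTMLParser):
    """Collects visible text from HTML; drops <script>/<style> bodies entirely."""

    _SKIP = ("script", "style")
    _BREAK = ("br", "p", "div", "h1", "h2", "h3", "li")

    def __init__(self):
        super().__init__(convert_charrefs=True)  # &amp; -> &, &quot; -> "
        self._parts = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in self._SKIP:
            self._skip_depth += 1
        elif tag in self._BREAK:
            self._parts.append(" ")  # block/line break becomes whitespace

    def handle_endtag(self, tag):
        if tag in self._SKIP and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self._parts.append(data)

    def text(self):
        # collapse runs of whitespace left by nested wrapper elements
        return " ".join("".join(self._parts).split())


def html_to_text(markup):
    """Plain text of an HTML Content value; inline styles, classes and tags are gone."""
    parser = _TextExtractor()
    parser.feed(markup or "")
    parser.close()
    return parser.text()


def normalize(return_data):
    """Return {incident_no: {section: [entry, ...]}} with plain-text Content.

    Raises ValueError when Status is not "Successful" or ErrorData is non-empty,
    so a playbook does not silently continue on a failed lookup."""
    if return_data.get("Status") != "Successful" or return_data.get("ErrorData"):
        raise ValueError(
            f"command failed: status={return_data.get('Status')!r} "
            f"errors={return_data.get('ErrorData')!r}"
        )
    result = {}
    for incident in return_data.get("Data", []):
        entries = {}
        for section in SECTIONS:
            value = incident.get(section)
            if value is None:
                continue  # section not requested or empty
            items = value if isinstance(value, list) else [value]  # Summary is one object
            entries[section] = [
                {
                    "created": item.get("CreatedTime"),
                    "by": item.get("CreatedBy"),
                    "type": item.get("Type"),  # present on Findings entries only
                    "text": html_to_text(item.get("Content", "")),
                }
                for item in items
            ]
        result[incident["IncidentNo"]] = entries
    return result


# Constructed sample, abridged from the page's Sample Data.
SAMPLE_RETURN_DATA = {
    "Status": "Successful",
    "Data": [{
        "IncidentNo": "090924-13297",
        "Summary": {"CreatedTime": "Sep 09, 2024 13:36", "CreatedBy": "Admin",
                    "LastModifiedTime": "Sep 09, 2024 14:44", "LastModifiedBy": "Admin",
                    "Content": "<p>Lorem ipsum<br><br>WUUU</p><div class=\"absolute\"></div>"},
        "Findings": [
            {"CreatedTime": "Sep 09, 2024 14:44", "CreatedBy": "Admin",
             "Type": "Initial Findings", "Content": "<p>demo initial findings</p>"},
            {"CreatedTime": "Sep 09, 2024 14:45", "CreatedBy": "Admin",
             "Type": "Indicators of Attack (IOA)", "Content": "<p>demo IOA</p>"},
        ],
        "Remediations and Mitigations": [
            {"CreatedTime": "Sep 09, 2024 14:45", "CreatedBy": "Admin",
             "Content": "<h1>Demo Remediations &amp; Mitigations</h1>"}],
        "Recommendations": [
            {"CreatedTime": "Sep 09, 2024 14:45", "CreatedBy": "Admin",
             "Content": "<p><span style=\"color: rgb(220, 223, 228);\">Demo Recommendations</span></p>"}],
    }],
    "ErrorData": [],
}

if __name__ == "__main__":
    for incident_no, sections in normalize(SAMPLE_RETURN_DATA).items():
        for section, entries in sections.items():
            for entry in entries:
                print(incident_no, section, entry["type"] or "-", entry["text"])
```

Converting to text is the safe default for chat and ticket integrations; if a downstream system must receive HTML, run the Content through an allow-list sanitizer instead of forwarding it verbatim.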

Remote Command API

The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.

Request

POST

CODE
https://{base_url}/{api_namespace}/api/Command/getIncidentInvestigationDetails

Headers

Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.

Request Body

JSON
{
  "Username": <Username here>,
  "Site": <Site here>,
  "CommandParams": {
    "Incident Numbers": <Incident Numbers here>,
    "Investigation Section Names": <Investigation Section Names here>
  }
}

Body Parameters

Parameter Name

Type

Required/Optional

Description

Username

string

Required

The username of your D3 SOAR account.

Site

string

Required

The D3 SOAR site to run the remote command.

Incident Numbers

array<string>

Required

One or more incident numbers identifying the incidents for which the investigation details will be retrieved.

Investigation Section Names

array<string>

Required

The sections of the investigation tab to query. The options are:

  • Summary

  • Findings

  • Remediations and Mitigations

  • Recommendations

Sample Request

SAMPLE DATA

JSON
{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Incident Numbers": ["090924-13297"],
    "Investigation Section Names": [
      "Summary",
      "Findings",
      "Remediations and Mitigations",
      "Recommendations"
    ]
  }
}
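As an added example (not D3's code), the following Python client builds and validates this request body before sending it, so that a mistyped section name is rejected locally rather than showing up as an empty result. The base_url and api_namespace values and the auth_headers dict are assumptions supplied by the caller; the real header names come from the Webhook Configuration Guide referenced above.

```python
"""Build, validate and send a getIncidentInvestigationDetails request.

Added example; not D3 documentation or product code. base_url, api_namespace
and auth_headers are caller-supplied assumptions; only the endpoint path and
the body layout come from this page.
"""
import json
import urllib.request

ALLOWED_SECTIONS = frozenset(
    ["Summary", "Findings", "Remediations and Mitigations", "Recommendations"]
)


def build_request_body(username, site, incident_numbers, section_names):
    """Return the JSON body for the Remote Command API after validating inputs.

    A section name that is not one of ALLOWED_SECTIONS (e.g. "Finding") is
    refused here instead of being sent and silently yielding no data."""
    if not username or not site:
        raise ValueError("Username and Site are required")
    # a bare string would iterate per character, so insist on a list/tuple
    if not isinstance(incident_numbers, (list, tuple)) or not incident_numbers:
        raise ValueError("Incident Numbers must be a non-empty list")
    if not all(isinstance(n, str) and n.strip() for n in incident_numbers):
        raise ValueError("every Incident Number must be a non-empty string")
    if not isinstance(section_names, (list, tuple)) or not section_names:
        raise ValueError("Investigation Section Names must be a non-empty list")
    unknown = [s for s in section_names if s not in ALLOWED_SECTIONS]
    if unknown:
        raise ValueError(f"unknown Investigation Section Names: {unknown}")
    return {
        "Username": username,
        "Site": site,
        "CommandParams": {
            "Incident Numbers": list(incident_numbers),
            "Investigation Section Names": list(section_names),
        },
    }


def command_url(base_url, api_namespace):
    """Endpoint from this page; base_url is assumed to be a bare host name."""
    return f"https://{base_url}/{api_namespace}/api/Command/getIncidentInvestigationDetails"


def send_command(base_url, api_namespace, auth_headers, body, timeout=30):
    """POST the body and return returnData; raise if the API reports an error.

    auth_headers holds the API-key headers from the Webhook Configuration Guide
    (names assumed to be supplied by the caller, not hard-coded here)."""
    req = urllib.request.Request(
        command_url(base_url, api_namespace),
        data=json.dumps(body).encode("utf-8"),
        headers={"Content-Type": "application/json", **auth_headers},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        payload = json.load(resp)
    if payload.get("error"):
        raise RuntimeError(f"D3 API error: {payload['error']}")
    return payload["returnData"]


if __name__ == "__main__":
    body = build_request_body(
        "Admin", "Security Operations", ["090924-13297"], ["Summary", "Findings"]
    )
    print(json.dumps(body, indent=2))
    # send_command("soar.example.invalid", "api_ns", {"x-api-key": "..."}, body)  # assumed values
```

Keep the API key out of source and playbook parameters; read it from the platform's secret store and pass only the resulting headers into send_command.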

Response

Response Fields

Field Name

Type

Description

error

string

The error message if the API request has failed.

returnData

JSON Object

The return data from the API request.

Sample Response

JSON
{
    "error": "",
    "returnData": {
        "Status": "Successful",
        "Data": [
            {
                "IncidentNo": "090924-13297",
                "Summary": {
                    "CreatedTime": "Sep 09, 2024 13:36",
                    "CreatedBy": "Admin",
                    "LastModifiedTime": "Sep 09, 2024 14:44",
                    "LastModifiedBy": "Admin",
                    "Content": "<p>Lorem ipsum dolor sit amet, consectetur adipiscing elit. Nulla facilisi. Aenean fringilla, nibh sit amet tempor pulvinar, risus felis malesuada urna, in suscipit magna est non velit. Integer fermentum ante eget erat scelerisque, id elementum purus vestibulum. Fusce ac purus et erat sollicitudin pharetra. Aliquam erat volutpat. Mauris dapibus tortor in nulla accumsan, et ultricies libero vehicula. Pellentesque habitant morbi tristique senectus et netus et mal<br><br>WUUU</p><div class=\"absolute\"><div class=\"flex items-center justify-center\"></div></div><div class=\"md:pt-0 dark:border-white/20 md:border-transparent md:dark:border-transparent w-full\"><div class=\"\"><div class=\"text-base px-3 md:px-4 m-auto w-full md:px-5 lg:px-1 xl:px-5\"><div class=\"mx-auto flex flex-1 gap-4 text-base md:gap-5 lg:gap-6 md:max-w-3xl\"><div class=\"relative flex h-full max-w-full flex-1 flex-col\"><div class=\"absolute bottom-full left-0 right-0 z-20\"></div><div class=\"group relative flex w-full items-center\"><div class=\"flex w-full flex-col gap-1.5 rounded-[26px] p-1.5 transition-colors bg-[#f4f4f4] dark:bg-token-main-surface-secondary\"><div class=\"flex items-end gap-1.5 md:gap-2\"><div class=\"relative\"><div class=\"flex flex-col\"><div></div></div></div><div class=\"flex min-w-0 flex-1 flex-col\"></div></div></div></div></div></div></div></div></div>"
                },
                "Findings": [
                    {
                        "CreatedTime": "Sep 09, 2024 14:44",
                        "CreatedBy": "Admin",
                        "Type": "Initial Findings",
                        "Content": "<p>demo initial findings</p>"
                    },
                    {
                        "CreatedTime": "Sep 09, 2024 14:45",
                        "CreatedBy": "Admin",
                        "Type": "Indicators of Attack (IOA)",
                        "Content": "<p>demo IOA</p>"
                    }
                ],
                "Remediations and Mitigations": [
                    {
                        "CreatedTime": "Sep 09, 2024 14:45",
                        "CreatedBy": "Admin",
                        "Content": "<h1>Demo Remediations &amp; Mitigations</h1>"
                    }
                ],
                "Recommendations": [
                    {
                        "CreatedTime": "Sep 09, 2024 14:45",
                        "CreatedBy": "Admin",
                        "Content": "<p><span style=\"color: rgb(220, 223, 228); font-family: -apple-system, BlinkMacSystemFont, &quot;Segoe UI&quot;, Roboto, Oxygen, Ubuntu, &quot;Fira Sans&quot;, &quot;Droid Sans&quot;, &quot;Helvetica Neue&quot;, sans-serif; font-size: 17px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 700; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; white-space: normal; background-color: rgb(33, 38, 48); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial; display: inline !important; float: none;\">Demo Recommendations</span></p>"
                    }
                ]
            }
        ],
        "ErrorData": []
    }
}