
Get Incident Timeline Entries

This command retrieves the timeline entries of an incident together with their associated metadata, giving a chronological overview of the incident's events and the details recorded for each.

READER NOTE

This utility command is available in D3 SOAR version 16.8. If you are running an earlier version, you may not be able to access it; contact D3 for assistance in obtaining access if that is the case.

Implementation

Python

Command Category

System Utility

Tags

N/A

Inputs

| Parameter Name | Required/Optional | Description | Sample Data |
|---|---|---|---|
| Incident Number | Required | The incident number for which the timeline entries will be retrieved. | 20200527-244 |
| Filter | Optional | Restricts the result to entries whose Author, event time, summary, notes, description, risk name, or event type contains the given term. | admin |
| Sort Order | Optional | The order in which entries are arranged in the timeline: ascending (earliest to latest) or descending (latest to earliest). | ASC |

Output

Return Data

The returned result of this command. If some required parameters are not defined, this returned data could be empty. The returned result can be passed down directly to a subsequent command in playbooks.

SAMPLE DATA

CODE
{
    "Status": "Successful",
    "Data": [
        {
            "TimelineID": 66,
            "Time": "2024-05-22 17:02:53",
            "Summary": "Unauthorized data access detected",
            "Note": "Multiple login attempts from unusual IP addresses",
            "EventType": "Security Breach",
            "Tactic": [
                "Initial Access"
            ],
            "Technique": [
                "Brute Force",
                "Valid Accounts"
            ],
            "RiskLevel": "High",
            "Description": "Anomalous login patterns were identified, indicating a possible brute force attack targeting admin accounts.",
            "Author": "Admin User"
        },
        {
            "TimelineID": 67,
            "Time": "2024-05-22 18:15:30",
            "Summary": "Malware installation attempt",
            "Note": "Suspicious file download detected from phishing email",
            "EventType": "Malware",
            "Tactic": [
                "Execution"
            ],
            "Technique": [
                "Malicious File",
                "Scripting"
            ],
            "RiskLevel": "Critical",
            "Description": "A phishing email prompted the user to download a file, which was detected as malware by antivirus software.",
            "Author": "Security Analyst"
        },
        {
            "TimelineID": 68,
            "Time": "2024-05-22 19:45:10",
            "Summary": "Data exfiltration detected",
            "Note": "Large volumes of data transferred to an external IP",
            "EventType": "Data Breach",
            "Tactic": [
                "Exfiltration"
            ],
            "Technique": [
                "Automated Exfiltration",
                "Exfiltration Over Web Service"
            ],
            "RiskLevel": "High",
            "Description": "An unusual spike in outbound data traffic was observed, indicating possible data exfiltration to an external server.",
            "Author": "Incident Response Team"
        }
    ]
}

Remote Command API

The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.

Request

POST

CODE
https://{base_url}/{api_namespace}/api/Command/GetIncidentTimelineEntries

Headers

Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.

Request Body

CODE
{
  "Username": <Username here>,
  "Site": <Site here>,
  "CommandParams": {
    "Incident Number": <Incident Number here>,
    "Filter": <Filter here>,
    "Sort Order": <Sort Order here>
  }
}

Body Parameters

| Parameter Name | Type | Required/Optional | Description |
|---|---|---|---|
| Username | Text | Required | The username of your D3 SOAR account. |
| Site | Text | Required | The D3 SOAR site on which to run the remote command. |
| Incident Number | Text | Required | The incident number for which the timeline entries will be retrieved. |
| Filter | Text | Optional | Restricts the result to entries whose Author, event time, summary, notes, description, risk name, or event type contains the given term. |
| Sort Order | Text | Optional | The order in which entries are arranged in the timeline: ascending (earliest to latest) or descending (latest to earliest). |

Sample Request

SAMPLE DATA

CODE
{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Incident Number": "20200527-244",
    "Filter": "admin",
    "Sort Order": "ASC"
  }
}

Response

Response Fields

| Field Name | Type | Description |
|---|---|---|
| error | Text | The error message if the API request has failed. |
| returnData | JSON Object | The return data from the API request. |

Sample Response

CODE
{
    "error": "",
    "returnData": {
        "Status": "Successful",
        "Data": [
            {
                "TimelineID": 66,
                "Time": "2024-05-22 17:02:53",
                "Summary": "Unauthorized data access detected",
                "Note": "Multiple login attempts from unusual IP addresses",
                "EventType": "Security Breach",
                "Tactic": [
                    "Initial Access"
                ],
                "Technique": [
                    "Brute Force",
                    "Valid Accounts"
                ],
                "RiskLevel": "High",
                "Description": "Anomalous login patterns were identified, indicating a possible brute force attack targeting admin accounts.",
                "Author": "Admin User"
            },
            {
                "TimelineID": 67,
                "Time": "2024-05-22 18:15:30",
                "Summary": "Malware installation attempt",
                "Note": "Suspicious file download detected from phishing email",
                "EventType": "Malware",
                "Tactic": [
                    "Execution"
                ],
                "Technique": [
                    "Malicious File",
                    "Scripting"
                ],
                "RiskLevel": "Critical",
                "Description": "A phishing email prompted the user to download a file, which was detected as malware by antivirus software.",
                "Author": "Security Analyst"
            },
            {
                "TimelineID": 68,
                "Time": "2024-05-22 19:45:10",
                "Summary": "Data exfiltration detected",
                "Note": "Large volumes of data transferred to an external IP",
                "EventType": "Data Breach",
                "Tactic": [
                    "Exfiltration"
                ],
                "Technique": [
                    "Automated Exfiltration",
                    "Exfiltration Over Web Service"
                ],
                "RiskLevel": "High",
                "Description": "An unusual spike in outbound data traffic was observed, indicating possible data exfiltration to an external server.",
                "Author": "Incident Response Team"
            }
        ]
    }
}
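The following Python script is an added example and is not D3's own code or SDK. It builds the request URL and body described under Remote Command API, parses a response in the shape of the sample above, and then applies the documented Filter and Sort Order semantics locally so that a playbook author can check what to expect before wiring the command in. The host name and API namespace, the value `DESC` for descending order (the page only shows `ASC`), the omission of unset optional parameters from `CommandParams`, and the authentication header name (which comes from the Webhook Configuration Guide, not this page) are assumptions; the embedded response is a shortened copy of the page's sample data.

```python
import json
import urllib.request
from typing import Any, Dict, List, Optional

# Fields the page lists as searched by Filter, using the key names from the sample
# response. "risk name" is assumed to map to RiskLevel.
FILTERABLE_FIELDS = ("Author", "Time", "Summary", "Note", "Description", "RiskLevel", "EventType")

# Constructed sample: the page's sample response with shortened descriptions.
SAMPLE_RESPONSE = json.dumps({
    "error": "",
    "returnData": {"Status": "Successful", "Data": [
        {"TimelineID": 66, "Time": "2024-05-22 17:02:53", "Summary": "Unauthorized data access detected",
         "Note": "Multiple login attempts from unusual IP addresses", "EventType": "Security Breach",
         "Tactic": ["Initial Access"], "Technique": ["Brute Force", "Valid Accounts"], "RiskLevel": "High",
         "Description": "Possible brute force attack targeting admin accounts.", "Author": "Admin User"},
        {"TimelineID": 67, "Time": "2024-05-22 18:15:30", "Summary": "Malware installation attempt",
         "Note": "Suspicious file download detected from phishing email", "EventType": "Malware",
         "Tactic": ["Execution"], "Technique": ["Malicious File", "Scripting"], "RiskLevel": "Critical",
         "Description": "Downloaded file flagged as malware by antivirus.", "Author": "Security Analyst"},
        {"TimelineID": 68, "Time": "2024-05-22 19:45:10", "Summary": "Data exfiltration detected",
         "Note": "Large volumes of data transferred to an external IP", "EventType": "Data Breach",
         "Tactic": ["Exfiltration"], "Technique": ["Automated Exfiltration", "Exfiltration Over Web Service"],
         "RiskLevel": "High", "Description": "Spike in outbound traffic to an external server.",
         "Author": "Incident Response Team"},
    ]},
})


def build_command_request(base_url: str, api_namespace: str, username: str, site: str,
                          incident_number: str, filter_text: Optional[str] = None,
                          sort_order: Optional[str] = None) -> Dict[str, Any]:
    """Return the URL and JSON body for a GetIncidentTimelineEntries call.

    Assumptions: DESC is the descending value, and unset optional parameters are
    left out of CommandParams rather than sent as empty strings.
    """
    if sort_order is not None and sort_order.upper() not in ("ASC", "DESC"):
        raise ValueError("Sort Order must be ASC or DESC")
    params: Dict[str, str] = {"Incident Number": incident_number}
    if filter_text:
        params["Filter"] = filter_text
    if sort_order:
        params["Sort Order"] = sort_order.upper()
    url = f"https://{base_url}/{api_namespace}/api/Command/GetIncidentTimelineEntries"
    return {"url": url, "body": {"Username": username, "Site": site, "CommandParams": params}}


def send_command(url: str, body: Dict[str, Any], auth_headers: Dict[str, str], timeout: int = 30) -> str:
    """POST the body and return the raw response text. auth_headers carries the API-key
    header(s) from the Webhook Configuration Guide; the name is not given on this page."""
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"), method="POST",
                                 headers={"Content-Type": "application/json", **auth_headers})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_command_response(raw: str) -> List[Dict[str, Any]]:
    """Extract returnData.Data, failing loudly on a transport error or a non-successful Status."""
    resp = json.loads(raw)
    if resp.get("error"):
        raise RuntimeError(f"D3 command API error: {resp['error']}")
    ret = resp.get("returnData") or {}
    if ret.get("Status") != "Successful":
        raise RuntimeError(f"command did not succeed: {ret.get('Status')!r}")
    return list(ret.get("Data") or [])


def filter_entries(entries: List[Dict[str, Any]], term: str) -> List[Dict[str, Any]]:
    """Case-insensitive substring match over the fields the page says Filter searches."""
    needle = term.lower()
    return [e for e in entries if any(needle in str(e.get(f, "")).lower() for f in FILTERABLE_FIELDS)]


def sort_entries(entries: List[Dict[str, Any]], order: str = "ASC") -> List[Dict[str, Any]]:
    """Order by Time; the 'YYYY-MM-DD HH:MM:SS' format sorts chronologically as a string."""
    return sorted(entries, key=lambda e: (e["Time"], e["TimelineID"]), reverse=order.upper() == "DESC")


def attack_summary(entries: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Collect the distinct tactics and techniques recorded across the entries."""
    tactics, techniques = set(), set()
    for e in entries:
        tactics.update(e.get("Tactic", []))
        techniques.update(e.get("Technique", []))
    return {"tactics": sorted(tactics), "techniques": sorted(techniques)}


if __name__ == "__main__":
    # Hypothetical host and namespace; send_command is not called here so this runs offline.
    req = build_command_request("soar.example.com", "D3SOAR", "Admin", "Security Operations",
                                "20200527-244", filter_text="admin", sort_order="ASC")
    print(req["url"])
    print(json.dumps(req["body"], indent=2))
    entries = parse_command_response(SAMPLE_RESPONSE)
    for e in sort_entries(filter_entries(entries, "admin"), "ASC"):
        print(e["TimelineID"], e["Time"], e["Summary"])
    print(attack_summary(entries))
```

Replacing `SAMPLE_RESPONSE` with the text returned by `send_command` (with the real API-key header supplied) turns this into a working client; the local `filter_entries` and `sort_entries` are there to show what the server-side parameters are expected to do, and to let a playbook post-process entries when a broader query was issued.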
