
Get Incident Timeline Entries

LAST UPDATED: SEPT 18, 2024

Retrieves all timeline entries of an incident, offering a detailed overview of the incident's chronological events and key information.

READER NOTE

This utility command is for vSOC versions 16.8 and above. Clients on earlier versions may not have access to this command. Contact D3 to obtain access.

Implementation: Python

Command Category: System Utility

Tags: INCIDENT TIMELINE

Inputs

Incident Number (Required)
The incident number of the incident whose timeline entries will be retrieved.
Sample data: 20200527-244

Filter (Optional)
Filters entries by the values within any of the following fields: Summary, Note, EventType, Tactic, Technique, RiskLevel, Description and Author.
Sample data: admin

Sort Order (Optional)
The order in which timeline entries are displayed, based on the Time field. Entries can be arranged in ascending order (earliest to latest) or descending order (latest to earliest). By default, entries are arranged in ascending order. Users can specify the sort order by typing out "ascending" or "descending", or by using "ASC" or "DESC".
Sample data: Descending

Output

Return Data

The returned result of this command. If a required parameter is not defined, the returned data may be empty. The returned result can be passed directly to a subsequent command in playbooks.

SAMPLE DATA

CODE
{
    "Status": "Successful",
    "Data": [
        {
            "TimelineID": 66,
            "Time": "2024-05-22 17:02:53",
            "Summary": "Unauthorized data access detected",
            "Note": "Multiple login attempts from unusual IP addresses",
            "EventType": "Security Breach",
            "Tactic": [
                "Initial Access"
            ],
            "Technique": [
                "Brute Force",
                "Valid Accounts"
            ],
            "RiskLevel": "High",
            "Description": "Anomalous login patterns were identified, indicating a possible brute force attack targeting admin accounts.",
            "Author": "Admin User"
        },
        {
            "TimelineID": 67,
            "Time": "2024-05-22 18:15:30",
            "Summary": "Malware installation attempt",
            "Note": "Suspicious file download detected from phishing email",
            "EventType": "Malware",
            "Tactic": [
                "Execution"
            ],
            "Technique": [
                "Malicious File",
                "Scripting"
            ],
            "RiskLevel": "Critical",
            "Description": "A phishing email prompted the user to download a file, which was detected as malware by antivirus software.",
            "Author": "Security Analyst"
        },
        {
            "TimelineID": 68,
            "Time": "2024-05-22 19:45:10",
            "Summary": "Data exfiltration detected",
            "Note": "Large volumes of data transferred to an external IP",
            "EventType": "Data Breach",
            "Tactic": [
                "Exfiltration"
            ],
            "Technique": [
                "Automated Exfiltration",
                "Exfiltration Over Web Service"
            ],
            "RiskLevel": "High",
            "Description": "An unusual spike in outbound data traffic was observed, indicating possible data exfiltration to an external server.",
            "Author": "Incident Response Team"
        }
    ]
}

Remote Command API

The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.

Request

POST

CODE
https://{base_url}/{api_namespace}/api/Command/GetIncidentTimelineEntries

Headers

Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.

Request Body

CODE
{
  "Username": <Username here>,
  "Site": <Site here>,
  "CommandParams": {
    "Incident Number": <Incident Number here>,
    "Filter": <Filter here>,
    "Sort Order": <Sort Order here>
  }
}

Body Parameters

Username (string, Required)
The username of your D3 SOAR account.

Site (string, Required)
The D3 SOAR site on which to run the remote command.

Incident Number (string, Required)
The incident number of the incident whose timeline entries will be retrieved.

Filter (string, Optional)
Filters entries by the values within any of the following fields: Summary, Note, EventType, Tactic, Technique, RiskLevel, Description and Author.

Sort Order (string, Optional)
The order in which timeline entries are displayed, based on the Time field. Entries can be arranged in ascending order (earliest to latest) or descending order (latest to earliest). By default, entries are arranged in ascending order. Users can specify the sort order by typing out "ascending" or "descending", or by using "ASC" or "DESC".

Sample Request

SAMPLE DATA

CODE
{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Incident Number": "20200527-244",
    "Filter": "admin",
    "Sort Order": "ASC"
  }
}

Response

Response Fields

error (string)
The error message if the API request has failed.

returnData (JSON Object)
The return data from the API request.

Sample Response

CODE
{
    "error": "",
    "returnData": {
        "Status": "Successful",
        "Data": [
            {
                "TimelineID": 66,
                "Time": "2024-05-22 17:02:53",
                "Summary": "Unauthorized data access detected",
                "Note": "Multiple login attempts from unusual IP addresses",
                "EventType": "Security Breach",
                "Tactic": [
                    "Initial Access"
                ],
                "Technique": [
                    "Brute Force",
                    "Valid Accounts"
                ],
                "RiskLevel": "High",
                "Description": "Anomalous login patterns were identified, indicating a possible brute force attack targeting admin accounts.",
                "Author": "Admin User"
            },
            {
                "TimelineID": 67,
                "Time": "2024-05-22 18:15:30",
                "Summary": "Malware installation attempt",
                "Note": "Suspicious file download detected from phishing email",
                "EventType": "Malware",
                "Tactic": [
                    "Execution"
                ],
                "Technique": [
                    "Malicious File",
                    "Scripting"
                ],
                "RiskLevel": "Critical",
                "Description": "A phishing email prompted the user to download a file, which was detected as malware by antivirus software.",
                "Author": "Security Analyst"
            },
            {
                "TimelineID": 68,
                "Time": "2024-05-22 19:45:10",
                "Summary": "Data exfiltration detected",
                "Note": "Large volumes of data transferred to an external IP",
                "EventType": "Data Breach",
                "Tactic": [
                    "Exfiltration"
                ],
                "Technique": [
                    "Automated Exfiltration",
                    "Exfiltration Over Web Service"
                ],
                "RiskLevel": "High",
                "Description": "An unusual spike in outbound data traffic was observed, indicating possible data exfiltration to an external server.",
                "Author": "Incident Response Team"
            }
        ]
    }
}
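The following is an added example, not D3's own code: it builds the request body documented above (normalising the Sort Order aliases the page accepts), fails closed on the error field or a non-Successful Status in the response envelope, and reduces the returned entries to the high-risk ones with their tactic/technique coverage, which is the shape a subsequent playbook command would typically consume. The API-key header and the SAMPLE_RESPONSE are constructed; the header name comes from the Webhook Configuration Guide, not from this page.

```python
"""Added example, not D3's own code: build a GetIncidentTimelineEntries request body,
validate the {error, returnData} envelope, and summarise the returned entries.
SAMPLE_RESPONSE is constructed from the page's sample, trimmed to two entries."""
from datetime import datetime

SORT_ALIASES = {"ascending": "ASC", "asc": "ASC", "descending": "DESC", "desc": "DESC"}

# Constructed sample (two entries from the page's sample response, unsorted on purpose).
SAMPLE_RESPONSE = {"error": "", "returnData": {"Status": "Successful", "Data": [
    {"TimelineID": 67, "Time": "2024-05-22 18:15:30", "Summary": "Malware installation attempt",
     "Tactic": ["Execution"], "Technique": ["Malicious File", "Scripting"], "RiskLevel": "Critical"},
    {"TimelineID": 66, "Time": "2024-05-22 17:02:53", "Summary": "Unauthorized data access detected",
     "Tactic": ["Initial Access"], "Technique": ["Brute Force", "Valid Accounts"], "RiskLevel": "High"},
]}}


def command_url(base_url, api_namespace):
    """Endpoint for the POST request (note the https:// scheme)."""
    return f"https://{base_url}/{api_namespace}/api/Command/GetIncidentTimelineEntries"


def build_request(username, site, incident_number, filter_text="", sort_order="ascending"):
    """Request body as documented under 'Request Body', with Sort Order normalised to ASC/DESC."""
    if not incident_number:
        raise ValueError("Incident Number is required")
    order = SORT_ALIASES.get(sort_order.strip().lower())
    if order is None:
        raise ValueError(f"Sort Order must be ascending/descending/ASC/DESC, got {sort_order!r}")
    return {"Username": username, "Site": site,
            "CommandParams": {"Incident Number": incident_number,
                              "Filter": filter_text, "Sort Order": order}}


def parse_entries(resp_json):
    """Fail closed on a non-empty error or a non-Successful Status; return the Data list."""
    if resp_json.get("error"):
        raise RuntimeError(f"API error: {resp_json['error']}")
    data = resp_json.get("returnData") or {}
    if data.get("Status") != "Successful":
        raise RuntimeError(f"command status {data.get('Status')!r}")
    return data.get("Data", [])


def summarise(entries, levels=("High", "Critical")):
    """Entries at the given risk levels ordered by Time, plus a tactic -> techniques map."""
    chosen = sorted((e for e in entries if e.get("RiskLevel") in levels),
                    key=lambda e: datetime.strptime(e["Time"], "%Y-%m-%d %H:%M:%S"))
    coverage = {}
    for e in chosen:
        for tactic in e.get("Tactic", []):
            coverage.setdefault(tactic, set()).update(e.get("Technique", []))
    return chosen, coverage
```

POST the body returned by build_request to command_url(...) with the API-key headers from the Webhook Configuration Guide, then pass the decoded JSON to parse_entries.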
