Get Incidents
Gets a list of filtered incidents with specified fields.
Implementation | System |
Command Category | Basic Utility |
Tags | INCIDENT INCIDENT MANAGEMENT |
Inputs
Parameter Name | Required/Optional | Description | Sample Data |
---|---|---|---|
Filter | Optional | These condition queries filter data. Key "field" indicates the selected field in the incident, key "operator" indicates the condition operator applied to the field and key "value" is the desired value. Section is optional. If the section name is added in the JSON object, it will be filtered as a dynamic field. "AND" logic applies between JSON objects in the same array, "OR" logic applies between different arrays. Valid values for key "field" as a non-dynamic field are every valid key in the Static Field input section. (Input must be in JSON format) Available operators: ["<",">","=","<=",">=","!=","LIKE","IS EMPTY","IS NOT EMPTY"]. |
CODE
|
Static Fields | Optional | Select the static incident field keys to be displayed in the result. The keys available for selection are listed below. In the case of an empty input, only general keys will be selected for each resulting incident. General keys are every key in the list below except for "Incident Raw Data" and "Event Raw Data". Note: "Date Created" is in UTC time. (Input must be in JSON format). |
CODE
|
Dynamic Fields | Optional | Select the dynamic incident fields to be displayed in the result. The key in the JSON object is the dynamic field section name. The value array contains the names of the elements under the section. (Input must be in JSON format). |
CODE
|
Start Time | Required | The start of the date range for incidents. Based on 'Date Created' (UTC) of the incident. |
|
End Time | Required | The end of the date range for incidents. Based on 'Date Created' (UTC) of the incident. |
|
Output Format | Optional | 1 - CSV, 2 - JSON, 3 - CSV link, 4 - JSON link. |
|
Page Index | Optional | The page number to receive results from. The default page index is 0. Note: if no value or 0 is given for both Page Index and Page Size, all incidents will be fetched. If pagination index is provided, total pages will show in key fields outputs. |
|
Page Size | Optional | The maximum number of incidents to fetch, ranges from 1 to 1000. If no value or 0 is given, a default page size of 100 will be applied. Note: if no value or 0 is given for both Page Index and Page Size, all incidents will be fetched. If pagination size is provided, total pages will show in key fields outputs. |
|
Output
Remote Command API
The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.
Request
POST
https:/{base_url}/{api_namespace}/api/Command/GetIncidents
Headers
Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.
Request Body
{
"Username": "<Username here>",
"Site": "<Site here>",
"CommandParams": {
"Filter": "<Filter here>",
"Static Fields": "<Static Fields here>",
"Dynamic Fields": "<Dynamic Fields here>",
"Start Time": "<Start Time here>",
"End Time": "<End Time here>",
"Output Format": "<Output Format here>",
"Page Index": "<Page Index here>",
"Page Size": "<Page Size here>"
}
}
Body Parameters
Parameter Name | Type | Required/Optional | Description |
---|---|---|---|
Username |
| Required | The username of your D3 SOAR account. |
Site |
| Required | The D3 SOAR site to run the remote command. |
Filter |
| Optional | These condition queries filter data. Key "field" indicates the selected field in the incident, key "operator" indicates the condition operator applied to the field and key "value" is the desired value. Section is optional. If the section name is added in the JSON object, it will be filtered as a dynamic field. "AND" logic applies between JSON objects in the same array, "OR" logic applies between different arrays. Valid values for key "field" as a non-dynamic field are every valid key in the Static Field input section. (Input must be in JSON format) Available operators: ["<",">","=","<=",">=","!=","LIKE","IS EMPTY","IS NOT EMPTY"]. |
Static Fields |
| Optional | Select the static incident field keys to be displayed in the result. The keys available for selection are listed below. In the case of an empty input, only general keys will be selected for each resulting incident. General keys are every key in the list below except for "Incident Raw Data" and "Event Raw Data". Note: "Date Created" is in UTC time. (Input must be in JSON format). |
Dynamic Fields |
| Optional | Select the dynamic incident fields to be displayed in the result. The key in the JSON object is the dynamic field section name. The value array contains the names of the elements under the section. (Input must be in JSON format). |
Start Time |
| Required | The start of the date range for incidents. Based on 'Date Created' (UTC) of the incident. |
End Time |
| Required | The end of the date range for incidents. Based on 'Date Created' (UTC) of the incident. |
Output Format |
| Optional | 1 - CSV, 2 - JSON, 3 - CSV link, 4 - JSON link. |
Page Index |
| Optional | The page number to receive results from. The default page index is 0. Note: if no value or 0 is given for both Page Index and Page Size, all incidents will be fetched. If pagination index is provided, total pages will show in key fields outputs. |
Page Size |
| Optional | The maximum number of incidents to fetch, ranges from 1 to 1000. If no value or 0 is given, a default page size of 100 will be applied. Note: if no value or 0 is given for both Page Index and Page Size, all incidents will be fetched. If pagination size is provided, total pages will show in key fields outputs. |
Sample Request
SAMPLE DATA
{
"Username": "Admin",
"Site": "Security Operations",
"CommandParams": {
"Filter": [
[
{
"field": "Status",
"operator": "!=",
"value": "Open"
},
{
"field": "Severity",
"operator": "=",
"value": "High"
}
],
[
{
"section": "Customer",
"field": "Name",
"operator": "LIKE",
"value": "VIP%"
}
]
],
"Static Fields": [
"IR Number",
"IR Type",
"Title",
"Status",
"Severity",
"Stage",
"Priority",
"Disposition",
"Tags",
"Owner",
"Creator",
"Timezone",
"Date Created",
"Date Modified",
"Playbook",
"Description",
"Conclusion",
"Investigation Team",
"Linked Incidents",
"Incident Raw Data",
"Event Raw Data"
],
"Dynamic Fields": {
"Incident Owner": [
"Owner Last Update Time",
"Time Spend"
],
"Customer": [
"Name",
"Country"
]
},
"Start Time": "2019-03-26 00:00:00",
"End Time": "2021-12-31 10:15:00",
"Output Format": 2,
"Page Index": 0,
"Page Size": 100
}
}
Response
Response Fields
Field Name | Type | Description |
---|---|---|
error |
| The error message if the API request has failed. |
keyFields |
| The key fields from the API request. |
returnData |
| The return data from the API request. |
rawData |
| The raw data from the API request. |
contextData |
| The context data from the API request. |
Sample Response
{
"error": "",
"keyFields": "{
"Pagination" : {
"PageIndex": 0,
"PageSize": 100,
"TotalPages": 10
}
}",
"returnData": "Successful",
"rawData": {
"incidents": [
{
"IR Number": "20211222-3",
"IR Type": "Playbook - DLP",
"Title": "222222222",
"Status": "Open",
"Severity": "Low",
"Stage": "Data Aggregation Stage",
"Priority": "1 - Medium",
"Disposition": "N/A",
"Tags": "",
"Owner": "admin user",
"Creator": "admin",
"Timezone": "PST",
"Date Created": "2019-04-08 09:17:32",
"Date Modified": "2019-04-09 11:31:30",
"Playbook": "Endpoint Protection - Unauthorized Access",
"Description": "",
"Conclusion": "",
"Investigation Team": "",
"Linked Incidents": "",
"Incident Raw Data": "",
"Event Raw Data": "",
"Customer - Name": "VIP_Mary",
"Customer - Country": "France",
"Incident Owner - Owner Last Update Time": null,
"Incident Owner - Time Spend": null
},
{
"IR Number": "20211222-4",
"IR Type": "Playbook - DLP",
"Title": "",
"Status": "Open",
"Severity": "Low",
"Stage": "Data Aggregation Stage",
"Priority": "1 - Medium",
"Disposition": "N/A",
"Tags": "",
"Owner": "admin user",
"Creator": "admin",
"Timezone": "PST",
"Date Created": "2021-12-22 15:14:26",
"Date Modified": "2021-12-22 15:51:56",
"Playbook": "Endpoint Protection - Unauthorized Access",
"Description": "",
"Conclusion": "",
"Investigation Team": "",
"Linked Incidents": "",
"Incident Raw Data": "",
"Event Raw Data": "",
"Customer - Name": "VIP_Robert",
"Customer - Country": "Canada",
"Incident Owner - Owner Last Update Time": null,
"Incident Owner - Time Spend": null
}
]
}
}