Get Incidents
LAST UPDATED: APRIL 7, 2025
Retrieves a customized list of incidents.
Implementation | System |
Command Category | Basic Utility |
Tags | INCIDENT, INCIDENT MANAGEMENT |
Inputs
Parameter Name | Required/Optional | Description | Sample Data |
---|---|---|---|
Filter | Optional | The list of criteria, each containing one or more JSON object conditions, used to filter incidents. For non-dynamic "field" values, refer to the sample data for the following Static Fields input parameter. | JSON |
Static Fields | Optional | The static incident fields to be included in the results. Default fields will be selected for each resulting incident if the Static Fields input is left empty. The static fields "Date Created," "Date Modified" and "Date Closed" are in UTC time. | Before version 16.8: JSON. Version 16.8+: JSON |
Dynamic Fields | Optional | The dynamic incident fields to be included in the results. A key in the JSON object is the user-specified Section name of a dynamic field (i.e. incident form). The value (string array) corresponding to a key is the user-specified Activity or Info Activity name within the section. | JSON |
Start Time | Required | The start time (in UTC) for retrieving incidents, based on the "Date Created" field of the incident. | 2019-03-26 00:00:00 |
End Time | Required | The end time (in UTC) for retrieving incidents, based on the "Date Created" field of the incident. | 2021-12-31 10:15:00 |
Output Format | Required | Allows users to choose the format in which to present incident data. Available options are: | 2 |
Page Index | Optional | A page of incident records. The default page index is 0, indicating the first page. For example, if there are 50 incidents, the Page Size (the following parameter) is set to 49, and the Page Index is set to 1 (the second page), only one incident will be displayed. | 0 |
Page Size | Optional | The number of incident records to display within a page, ranging from 1 to 1000. If the page size is greater than zero, a "TotalPages" property will be displayed within the Key Fields tab in the output. | 100 |
Sort Field | Optional | The name of the static or dynamic field by which to sort the results. Formatting requirements are as follows: Sorting is only supported if the field is included in the Static Fields or Dynamic Fields parameter. Nested dynamic fields beyond one level are not supported. Fields containing a period (.) in their name are not supported (except for Incident No.). | Incident No. |
Sort Order | Optional | The order in which the results are sorted. This parameter is used in conjunction with Sort Field to control the sort behaviour. | Ascending |
Output
Remote Command API
The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.
Request
POST
https://{base_url}/{api_namespace}/api/Command/GetIncidents
Headers
Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.
Request Body
{
"Username": "<Username here>",
"Site": "<Site here>",
"CommandParams": {
"Filter": "<Filter here>",
"Static Fields": "<Static Fields here>",
"Dynamic Fields": "<Dynamic Fields here>",
"Start Time": "<Start Time here>",
"End Time": "<End Time here>",
"Output Format": "<Output Format here>",
"Page Index": "<Page Index here>",
"Page Size": "<Page Size here>",
"Sort Field": "<Sort Field here>",
"Sort Order": "<Sort Order here>"
}
}
Body Parameters
Parameter Name | Type | Required/Optional | Description |
---|---|---|---|
Username | | Required | The username of the D3 SOAR user account making the request. |
Site | | Required | The D3 SOAR site containing the desired incidents to retrieve with the request. |
Filter | | Optional | The list of criteria, each containing one or more JSON object conditions, used to filter incidents. For non-dynamic "field" values, refer to the sample data for the following Static Fields input parameter. |
Static Fields | | Optional | The static incident fields to be included in the results. Default fields will be selected for each resulting incident if the Static Fields input is left empty. The static fields "Date Created," "Date Modified" and "Date Closed" are in UTC time. |
Dynamic Fields | | Optional | The dynamic incident fields to be included in the results. A key in the JSON object is the user-specified Section name of a dynamic field (i.e. incident form). The value (string array) corresponding to a key is the user-specified Activity or Info Activity name within the section. |
Start Time | | Required | The start time (in UTC) for retrieving incidents, based on the "Date Created" field of the incident. |
End Time | | Required | The end time (in UTC) for retrieving incidents, based on the "Date Created" field of the incident. |
Output Format | | Optional | Allows users to choose the format in which to present incident data. Available options are: |
Page Index | | Optional | A page of incident records. The default page index is 0, indicating the first page. For example, if there are 50 incidents, the Page Size (the following parameter) is set to 49, and the Page Index is set to 1 (the second page), only one incident will be displayed. |
Page Size | | Optional | The number of incident records to display within a page, ranging from 1 to 1000. If the page size is greater than zero, a "TotalPages" property will be displayed within the Key Fields tab in the output. |
Sort Field | | Optional | The name of the static or dynamic field by which to sort the results. Formatting requirements are as follows: Sorting is only supported if the field is included in the Static Fields or Dynamic Fields parameter. Nested dynamic fields beyond one level are not supported. Fields containing a period (.) in their name are not supported (except for Incident No.). |
Sort Order | | Optional | The order in which the results are sorted. This parameter is used in conjunction with Sort Field to control the sort behaviour. |
Sample Request
SAMPLE DATA BEFORE VERSION 16.8
{
"Username": "Admin",
"Site": "Security Operations",
"CommandParams": {
"Filter": [
[
{
"field": "Status",
"operator": "=",
"value": "Open"
},
{
"field": "Severity",
"operator": "=",
"value": "High"
}
],
[
{
"section": "Customer",
"field": "Name",
"operator": "LIKE",
"value": "VIP%"
}
]
],
"Static Fields": [
"IR Number",
"IR Type",
"Title",
"Status",
"Severity",
"Stage",
"Priority",
"Disposition",
"Tags",
"Owner",
"Creator",
"Timezone",
"Date Created",
"Date Modified",
"Playbook",
"Description",
"Conclusion",
"Investigation Team",
"Linked Incidents",
"Incident Raw Data",
"Event Raw Data"
],
"Dynamic Fields": {
"Incident Owner": [
"Owner Last Update Time",
"Time Spend"
],
"Customer": [
"Name",
"Country"
]
},
"Start Time": "2019-03-26 00:00:00",
"End Time": "2021-12-31 10:15:00",
"Output Format": 2,
"Page Index": 0,
"Page Size": 100
}
}
SAMPLE DATA FOR VERSION 16.8+
{
"Username": "Admin",
"Site": "Security Operations",
"CommandParams": {
"Filter": [
[
{
"field": "Status",
"operator": "=",
"value": "Open"
},
{
"field": "Severity",
"operator": "=",
"value": "High"
}
],
[
{
"section": "Customer",
"field": "Name",
"operator": "LIKE",
"value": "VIP%"
}
]
],
"Static Fields": [
"Incident No.",
"Incident Type",
"Title",
"Status",
"Severity",
"Stage",
"Priority",
"Disposition",
"Tags",
"Owner",
"Creator",
"Closed by",
"Time Zone",
"Date Created",
"Date Modified",
"Date Closed",
"Playbook",
"Description",
"Conclusion",
"Investigation Team",
"Linked Incidents",
"Incident Raw Data",
"Custom Field"
],
"Dynamic Fields": {
"Incident Owner": [
"Owner Last Update Time",
"Time Spend"
],
"Customer": [
"Name",
"Country"
]
},
"Start Time": "2019-03-26 00:00:00",
"End Time": "2021-12-31 10:15:00",
"Output Format": 2,
"Page Index": 0,
"Page Size": 100,
"Sort Field": "Incident No.",
"Sort Order": "Ascending"
}
}
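A client-side builder for this request body that enforces the documented Page Size range and Sort Field rules before anything is sent, as an added example that is not D3's own code. The names `build_body` and `records_on_page` are hypothetical, rejecting naive datetimes is an extra safeguard of this example, and only static sort fields are handled because the formatting rules for dynamic ones are not reproduced above.

```python
from datetime import datetime, timezone, timedelta

TIME_FMT = "%Y-%m-%d %H:%M:%S"  # layout of Start/End Time in the page's samples


def build_body(username, site, start, end, static_fields, dynamic_fields=None,
               filters=None, output_format=2, page_index=0, page_size=100,
               sort_field=None, sort_order="Ascending"):
    """Build a Get Incidents body, rejecting values the parameter table rules out."""
    if not 1 <= page_size <= 1000:
        raise ValueError("Page Size must be between 1 and 1000")
    if page_index < 0:
        raise ValueError("Page Index is zero-based")
    if start.tzinfo is None or end.tzinfo is None:
        # A naive local time would be sent as if it were UTC and shift the window.
        raise ValueError("Start Time and End Time must be timezone-aware")
    params = {
        "Static Fields": list(static_fields),
        "Dynamic Fields": dynamic_fields or {},
        "Start Time": start.astimezone(timezone.utc).strftime(TIME_FMT),
        "End Time": end.astimezone(timezone.utc).strftime(TIME_FMT),
        "Output Format": output_format,  # 2 is the value used in the sample request
        "Page Index": page_index,
        "Page Size": page_size,
    }
    if filters:
        params["Filter"] = filters
    if sort_field is not None:
        # Static sort fields only (assumption of this example, see lead-in).
        if "." in sort_field and sort_field != "Incident No.":
            raise ValueError("Sort Field may not contain a period")
        if sort_field not in params["Static Fields"]:
            raise ValueError("Sort Field must also be listed in Static Fields")
        params["Sort Field"] = sort_field
        params["Sort Order"] = sort_order
    return {"Username": username, "Site": site, "CommandParams": params}


def records_on_page(total, page_size, page_index):
    """Number of records a zero-based page holds, per the Page Index description."""
    return max(0, min(page_size, total - page_index * page_size))


# Constructed input: a one-day window given in UTC-7 local time.
LOCAL = timezone(timedelta(hours=-7))
BODY = build_body("Admin", "Security Operations",
                  datetime(2025, 4, 1, 17, 0, tzinfo=LOCAL),
                  datetime(2025, 4, 2, 17, 0, tzinfo=LOCAL),
                  ["Incident No.", "Status", "Severity"], sort_field="Incident No.")
```

Serialize `BODY` with `json.dumps` and send it in the POST described above; `records_on_page(50, 49, 1)` reproduces the Page Index example from the parameter table.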
Response
Response Fields
Field Name | Type | Description |
---|---|---|
error | | The error message if the API request has failed. |
keyFields | | The key fields from the API request. |
returnData | | The return data from the API request. |
rawData | | The raw data from the API request. |
Sample Response
BEFORE VERSION 16.8
{
"error": "",
"keyFields": "{
"Pagination" : {
"PageIndex": 0,
"PageSize": 100,
"TotalPages": 10
}
}",
"returnData": "Successful",
"rawData": {
"incidents": [
{
"IR Number": "20211222-3",
"IR Type": "Playbook - DLP",
"Title": "*****",
"Status": "Open",
"Severity": "High",
"Stage": "Data Aggregation Stage",
"Priority": "1 - Medium",
"Disposition": "N/A",
"Tags": "",
"Owner": "admin user",
"Creator": "admin",
"Timezone": "PST",
"Date Created": "2019-04-08 09:17:32",
"Date Modified": "2019-04-09 11:31:30",
"Playbook": "Endpoint Protection - Unauthorized Access",
"Description": "",
"Conclusion": "",
"Investigation Team": "",
"Linked Incidents": "",
"Incident Raw Data": "",
"Event Raw Data": "",
"Customer - Name": "*****",
"Customer - Country": "France",
"Incident Owner - Owner Last Update Time": null,
"Incident Owner - Time Spend": null
},
{
"IR Number": "20211222-4",
"IR Type": "Playbook - DLP",
"Title": "",
"Status": "Open",
"Severity": "High",
"Stage": "Data Aggregation Stage",
"Priority": "1 - Medium",
"Disposition": "N/A",
"Tags": "",
"Owner": "admin user",
"Creator": "admin",
"Timezone": "PST",
"Date Created": "2021-12-22 15:14:26",
"Date Modified": "2021-12-22 15:51:56",
"Playbook": "Endpoint Protection - Unauthorized Access",
"Description": "",
"Conclusion": "",
"Investigation Team": "",
"Linked Incidents": "",
"Incident Raw Data": "",
"Event Raw Data": "",
"Customer - Name": "*****",
"Customer - Country": "Canada",
"Incident Owner - Owner Last Update Time": null,
"Incident Owner - Time Spend": null
}
]
}
}
VERSION 16.8+
{
"incidents": [
{
"Incident No.": "20250401-46",
"Incident Type": "*****",
"Title": "*****",
"Status": "Open",
"Severity": "Critical",
"Stage": "",
"Owner": "Admin User",
"Date Created (UTC)": "2025-04-01 21:34:28.000"
},
{
"Incident No.": "20250402-240",
"Incident Type": "Phishing",
"Title": "*****",
"Status": "Open",
"Severity": "Critical",
"Stage": "",
"Owner": "Admin User",
"Date Created (UTC)": "2025-04-02 19:41:24.000"
}
]
}