Skip to main content
Skip table of contents

Ongoing Search

This command can only be executed within an event/incident playbook. It will create an ongoing fetchEvent job based on the parameters.

Reader Note

Please note that this command is only applicable within an incident Playbook.

Implementation

System

Command Category

Cyber Utility

Tags

EVENT EVENT SEARCH

Inputs

Parameter Name

Required/Optional

Description

Sample Data

Connection Name

Optional

Select the connection for fetching event(s).

Splunk

Start Time

Optional

Set the Start Time of the time range for fetching Event(s) (yyyy-MM-dd HH:mm:ss)

2020-01-01 06:00:00

End Time

Optional

Set the End Time of the time range for fetching Event(s) (yyyy-MM-dd HH:mm:ss)

2020-01-01 18:00:00

Top Recent Event Number

Optional

Set the number of the most recent Event(s) to fetch

20

Search Condition

Optional

Define queries to filter results.

search sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1"

Techniques

Optional

Set the Tactics and Techniques to be applied to the Event(s) retrieved by the Ongoing Surveillance Task.

JSON 
[
    {
        "tactic": "Initial Access",
        "technique": "Spearphishing Attachment"
    },
    {
        "tactic": "Execution",
        "technique": "Signed Script Proxy Execution"
    }
]

Risk Level

Optional

Define the Risk Level for the Event(s) retrieved by the Ongoing Surveillance Task.

4

Interval (Minutes)

Optional

Set the execution interval (minutes) of an Ongoing Surveillance job to fetch Event(s).

3

Event Playbook

Optional

Select an event playbook to process the event data.

NO SAMPLE DATA

Run MITRE TTP Search

Optional

Choose whether the system automatically maps tactic & techniques on newly ingested events. Default value is True

NO SAMPLE DATA

Run Event Automation Rules

Optional

Choose whether the system executes Event Automation Rules for dismissal and escalation. Default value is True

NO SAMPLE DATA

Output

N/A

Remote Command API

The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.

Request

POST

CODE 
https:/{base_url}/{api_namespace}/api/Command/OngoingSearch

Headers

Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.

Request Body

JSON 
{
  "Username": <Username here>,
  "Site": <Site here>,
  "CommandParams": {
    "Connection Name": <Connection Name here>,
    "Start Time": <Start Time here>,
    "End Time": <End Time here>,
    "Top Recent Event Number": <Top Recent Event Number here>,
    "Search Condition": <Search Condition here>,
    "Techniques": [
      {
        "tactic": <Tactic 1 here>,
        "technique": <Technique 1 here>
      },
      {
        "tactic": <Tactic 2 here>,
        "technique": <Technique 2 here>
      }
    ],
    "Risk Level": <Risk Level here>,
    "Interval (Minutes)": <Interval (Minutes) here>,
    "Event Playbook": <Event Playbook here>,
    "Run MITRE TTP Search": <Run MITRE TTP Search here>,
    "Run Event Automation Rules": <Run Event Automation Rules here>
  }
}

Body Parameters

Parameter Name

Type

Required/Optional

Description

Username

String

Required

The username of your D3 SOAR account.

Site

String

Required

The D3 SOAR site to run the remote command.

Connection Name

Text

Optional

Select the connection for fetching event(s).

Start Time

DateTime

Optional

Set the Start Time of the time range for fetching Event(s) (yyyy-MM-dd HH:mm:ss)

End Time

DateTime

Optional

Set the End Time of the time range for fetching Event(s) (yyyy-MM-dd HH:mm:ss)

Top Recent Event Number

Number

Optional

Set the number of the most recent Event(s) to fetch

Search Condition

Text

Optional

Define queries to filter results.

Techniques

JSON Array

Optional

Set the Tactics and Techniques to be applied to the Event(s) retrieved by the Ongoing Surveillance Task.

Risk Level

Number

Optional

Define the Risk Level for the Event(s) retrieved by the Ongoing Surveillance Task.

Interval (Minutes)

Number

Optional

Set the execution interval (minutes) of an Ongoing Surveillance job to fetch Event(s).

Event Playbook

Text

Optional

Select an event playbook to process the event data.

Run MITRE TTP Search

Text

Optional

Choose whether the system automatically maps tactic & techniques on newly ingested events. Default value is True

Run Event Automation Rules

Text

Optional

Choose whether the system executes Event Automation Rules for dismissal and escalation. Default value is True

Sample Request

SAMPLE DATA

JSON 
{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Connection Name": "Splunk",
    "Start Time": "2020-01-01 06:00:00",
    "End Time": "2020-01-01 18:00:00",
    "Top Recent Event Number": 20,
    "Search Condition": "search sourcetype=\"WinEventLog:Microsoft-Windows-Sysmon/Operational\" EventCode=\"1\"",
    "Techniques": [
      {
        "tactic": "Initial Access",
        "technique": "Spearphishing Attachment"
      },
      {
        "tactic": "Execution",
        "technique": "Signed Script Proxy Execution"
      }
    ],
    "Risk Level": 4,
    "Interval (Minutes)": 3,
    "Event Playbook": null,
    "Run MITRE TTP Search": null,
    "Run Event Automation Rules": null
  }
}

Response

Response Fields

Field Name

Type

Description

error

Text

The error message if the API request has failed.

Sample Response

JSON 
{
    "error": ""
}
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close