Skip to main content
Skip table of contents

Search Incident

LAST UPDATED: AUG 29, 2024

Searches for incidents based on the provided search criteria.

Implementation

System

Command Category

System Utility

Tags

INCIDENT INCIDENT MANAGEMENT

Inputs

READER NOTE

At least one search criterion (any of the input parameters except for Username and Top Number) must be specified.

Parameter Name

Required/Optional

Description

Sample Data

Site Name

Optional

The site in which to search for incidents.

When left empty, this command will search through all internal sites if the runtime site is of the internal type, and will use the current runtime site if the runtime site is of the client type.

Security Operations

Incident Type

Optional

The incident type.

Playbook - CryptoCurrency

Start Time UTC

Optional

The earliest UTC report time for incidents.

2021-01-26 00:00:00

End Time UTC

Optional

The latest UTC report time for incidents.

2021-01-27 00:00:00

Status

Optional

The status of the incidents. The options are:

  • Open

  • Closed

  • In Progress

  • On Hold

Open

Wildcard Search

Optional

A flexible search pattern used to match against all built-in and custom incident field values.

20210128-216

Username

Optional

The user who has executed this command and viewed the incidents. This parameter will only be used in an auto-run playbook task. It is used by D3 for logging and audit purposes, particularly to track cross-site (internal) access.

If left empty, this command will default to the system user.

If searching across all internal sites, this parameter must be provided.

admin user

Top Number

Optional

The maximum number of records to return. The default value is 100.

Output

Return Data

The returned result of this command. If some required parameters are not defined, this returned data could be empty. The returned result can be passed down directly to a subsequent command in playbooks.

SAMPLE DATA

JSON 
[
    "20210128-216"
]
Context Data

The response data from the utility command.

SAMPLE DATA

JSON 
[
    {
        "Incident Number": "20210128-216",
        "Incident Site": "Security Operations",
        "Incident Type": "Playbook - CryptoCurrency",
        "Incident Title": "Use Case DLP",
        "Incident Report Date UTC": "2021-01-26 12:45:29.000",
        "Incident Status": "Open",
        "Incident Owner": "admin user"
    }
]

Remote Command API

The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.

Request

POST

CODE 
https:/{base_url}/{api_namespace}/api/Command/SearchIncident

Headers

Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.

Request Body

JSON 
{
  "Username": "<Username here>",
  "Site": "<Site here>",
  "CommandParams": {
    "Site Name": "<Site Name here>",
    "Incident Type": "<Incident Type here>",
    "Start Time UTC": "<Start Time UTC here>",
    "End Time UTC": "<End Time UTC here>",
    "Status": "<Status here>",
    "Wildcard Search": "<Wildcard Search here>",
    "Username": "<Username here>",
    "Top Number": "Top Number here>"
  }
}

Body Parameters

Parameter Name

Type

Required/Optional

Description

Username

string

Required

The username of your D3 SOAR account.

Site

string

Required

The D3 SOAR site to run the remote command.

Site Name

string

Optional

The site in which to search for incidents.

When left empty, this command will search through all internal sites if the runtime site is of the internal type, and will use the current runtime site if the runtime site is of the client type.

Incident Type

string

Optional

The incident type.

Start Time UTC

string

Optional

The earliest UTC report time for incidents.

End Time UTC

string

Optional

The latest UTC report time for incidents.

Status

string

Optional

The status of the incidents. The options are:

  • Open

  • Closed

  • In Progress

  • On Hold

Wildcard Search

string

Optional

A flexible search pattern used to match against all built-in and custom incident field values.

Username

string

Optional

The user who has executed this command and viewed the incidents. This parameter will only be used in an auto-run playbook task. It is used by D3 for logging and audit purposes, particularly to track cross-site (internal) access.

If left empty, this command will default to the system user.

If searching across all internal sites, this parameter must be provided.

Top Number

integer

Optional

The maximum number of records to return. The default value is 100.

Sample Request

SAMPLE DATA

JSON 
{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Site Name": "Security Operations",
    "Incident Type": "Playbook - CryptoCurrency",
    "Start Time UTC": "2021-01-26 00:00:00",
    "End Time UTC": "2021-01-27 00:00:00",
    "Status": "Open",
    "Wildcard Search": "20210128-216",
    "Username": "admin user",
    "Top Number": null
  }
}

Response

Response Fields

Field Name

Type

Description

error

string

The error message if the API request has failed.

returnData

array<string>

The return data from the API request.

contextData

array<JSON Object>

The context data from the API request.

Sample Response

JSON 
{
    "error": "",
    "returnData": [
      "20210128-216"
    ],
    "contextData": [
      {
          "Incident Number": "20210128-216",
          "Incident Site": "Security Operations",
          "Incident Type": "Playbook - CryptoCurrency",
          "Incident Title": "Use Case DLP",
          "Incident Report Date UTC": "2021-01-26 12:45:29.000",
          "Incident Status": "Open",
          "Incident Owner": "admin user"
      }
    ]
}
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close