Search Incident
Search incidents based on the given search criteria.
Field | Value |
---|---|
Implementation | System |
Command Category | System Utility |
Tags | INCIDENT, INCIDENT MANAGEMENT |
Inputs
Parameter Name | Required/Optional | Description | Sample Data |
---|---|---|---|
Site Name | Optional | The site to search incidents in. If left empty, the search covers all internal sites when the runtime site is an internal site; otherwise it uses the current runtime site. | |
Incident Type | Optional | The type of the incidents. | |
Start Time UTC | Optional | The earliest UTC report time of the incidents. | |
End Time UTC | Optional | The latest UTC report time of the incidents. | |
Status | Optional | The status of the incidents. | |
Wildcard Search | Optional | A general search string matched against incidents. | |
Username | Optional | The username of the user whose access rights are used to read the incidents. Only used when the task auto-runs; if left empty, defaults to the system user. Must be set to a non-system user when searching across all internal sites. | |
Top Number | Optional | The number of records to return. Defaults to 100. | |
Output
Remote Command API
The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.
Request
POST
https://{base_url}/{api_namespace}/api/Command/SearchIncident
Headers
Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.
Request Body
{
    "Username": "<Username here>",
    "Site": "<Site here>",
    "CommandParams": {
        "Site Name": "<Site Name here>",
        "Incident Type": "<Incident Type here>",
        "Start Time UTC": "<Start Time UTC here>",
        "End Time UTC": "<End Time UTC here>",
        "Status": "<Status here>",
        "Wildcard Search": "<Wildcard Search here>",
        "Username": "<Username here>",
        "Top Number": "<Top Number here>"
    }
}
Body Parameters
Parameter Name | Type | Required/Optional | Description |
---|---|---|---|
Username | | Required | The username of your D3 SOAR account. |
Site | | Required | The D3 SOAR site in which to run the remote command. |
Site Name | | Optional | The site to search incidents in. If left empty, the search covers all internal sites when the runtime site is an internal site; otherwise it uses the current runtime site. |
Incident Type | | Optional | The type of the incidents. |
Start Time UTC | | Optional | The earliest UTC report time of the incidents. |
End Time UTC | | Optional | The latest UTC report time of the incidents. |
Status | | Optional | The status of the incidents. |
Wildcard Search | | Optional | A general search string matched against incidents. |
Username | | Optional | Nested under CommandParams, distinct from the top-level Username. The username of the user whose access rights are used to read the incidents. Only used when the task auto-runs; if left empty, defaults to the system user. Must be set to a non-system user when searching across all internal sites. |
Top Number | | Optional | The number of records to return. Defaults to 100. |
Sample Request
SAMPLE DATA
{
    "Username": "Admin",
    "Site": "Security Operations",
    "CommandParams": {
        "Site Name": "Security Operations",
        "Incident Type": "Playbook - CryptoCurrency",
        "Start Time UTC": "2021-01-26 00:00:00",
        "End Time UTC": "2021-01-27 00:00:00",
        "Status": "Open",
        "Wildcard Search": "20210128-216",
        "Username": "admin user",
        "Top Number": null
    }
}
Response
Response Fields
Field Name | Type | Description |
---|---|---|
error | | The error message if the API request has failed. |
returnData | | The return data from the API request. |
contextData | | The context data from the API request. |
Sample Response
{
    "error": "",
    "returnData": [
        "20210128-216"
    ],
    "contextData": [
        {
            "Incident Number": "20210128-216",
            "Incident Site": "Security Operations",
            "Incident Type": "Playbook - CryptoCurrency",
            "Incident Title": "Use Case DLP",
            "Incident Report Date UTC": "2021-01-26 12:45:29.000",
            "Incident Status": "Open",
            "Incident Owner": "admin user"
        }
    ]
}
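The following is an added example, not D3 SOAR's own code, showing how a caller would drive the Remote Command API described above end to end: it builds the documented request body, rejects the combinations the page says are invalid (an empty Site Name without a non-system CommandParams Username, a non-positive Top Number, a reversed time window), and parses the documented response, raising on a non-empty `error` instead of returning an empty result. Two things are assumptions not stated on this page: the API-key header name, which must come from the Webhook Configuration Guide and is passed in explicitly as `api_key_header`, and the display name of the built-in system user (`SYSTEM_USER`). The embedded sample response is a constructed copy of the page's own sample.

```python
"""Added example, not D3 SOAR's own code: a minimal client for the Search Incident
remote command. It builds the documented request body, enforces the documented rule
that an all-internal-sites search needs a non-system CommandParams "Username", and
parses the documented response, raising on "error" instead of returning nothing.
Assumptions not on the page: the API-key header name (passed in explicitly) and the
system user's display name (SYSTEM_USER)."""
import json
import urllib.request
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple, Union

SYSTEM_USER = "System"            # assumption: the name your tenant uses for the system user
TIME_FMT = "%Y-%m-%d %H:%M:%S"    # timestamp format used in the page's sample request
TimeArg = Optional[Union[str, datetime]]


def _fmt_utc(t: TimeArg) -> Optional[str]:
    """Render a datetime as the 'YYYY-MM-DD HH:MM:SS' UTC string; pass strings through."""
    if t is None or isinstance(t, str):
        return t
    if t.tzinfo is not None:      # aware datetimes are converted; naive ones are taken as UTC
        t = t.astimezone(timezone.utc)
    return t.strftime(TIME_FMT)


def build_request_body(username: str, site: str, *, site_name: Optional[str] = None,
                       incident_type: Optional[str] = None, start_utc: TimeArg = None,
                       end_utc: TimeArg = None, status: Optional[str] = None,
                       wildcard: Optional[str] = None, run_as_user: Optional[str] = None,
                       top_number: Optional[int] = None) -> dict:
    """Return the JSON body for POST .../api/Command/SearchIncident, or raise ValueError
    for a body the page says is invalid."""
    if not username or not site:
        raise ValueError("Username and Site are required")
    # The client cannot tell whether `site` is an internal site, so an empty Site Name
    # is treated conservatively as "search across all internal sites".
    if not site_name and (not run_as_user or run_as_user == SYSTEM_USER):
        raise ValueError("empty Site Name requires a non-system Username in CommandParams")
    if top_number is not None and top_number <= 0:
        raise ValueError("Top Number must be positive; omit it for the default of 100")
    start, end = _fmt_utc(start_utc), _fmt_utc(end_utc)
    if start and end and start > end:   # TIME_FMT strings sort chronologically
        raise ValueError("Start Time UTC must not be after End Time UTC")
    return {
        "Username": username,
        "Site": site,
        "CommandParams": {
            "Site Name": site_name,
            "Incident Type": incident_type,
            "Start Time UTC": start,
            "End Time UTC": end,
            "Status": status,
            "Wildcard Search": wildcard,
            "Username": run_as_user,
            "Top Number": top_number,   # null lets the server apply its default of 100
        },
    }


def parse_response(raw: Union[str, bytes, dict]) -> Tuple[List[str], Dict[str, dict]]:
    """Return (incident numbers, {incident number: contextData record}). A non-empty
    "error" is raised, because a failed call's empty returnData looks exactly like a
    search that matched nothing."""
    doc = json.loads(raw) if isinstance(raw, (str, bytes)) else raw
    if doc.get("error"):
        raise RuntimeError(f"SearchIncident failed: {doc['error']}")
    numbers = list(doc.get("returnData") or [])
    records = {rec["Incident Number"]: rec for rec in (doc.get("contextData") or [])}
    return numbers, records


def search_incidents(base_url: str, api_namespace: str, api_key_header: str, api_key: str,
                     body: dict, timeout: float = 30.0) -> Tuple[List[str], Dict[str, dict]]:
    """POST the body over HTTPS and parse the reply (needs network; not run offline)."""
    url = f"https://{base_url}/{api_namespace}/api/Command/SearchIncident"
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"), method="POST",
                                 headers={"Content-Type": "application/json",
                                          api_key_header: api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_response(resp.read())


def sample_request_body() -> dict:
    """The page's sample request, rebuilt through build_request_body."""
    return build_request_body("Admin", "Security Operations", site_name="Security Operations",
                              incident_type="Playbook - CryptoCurrency",
                              start_utc=datetime(2021, 1, 26), end_utc=datetime(2021, 1, 27),
                              status="Open", wildcard="20210128-216", run_as_user="admin user")


# Constructed copy of the page's sample response, embedded for offline checks.
SAMPLE_RESPONSE = json.dumps({
    "error": "", "returnData": ["20210128-216"],
    "contextData": [{"Incident Number": "20210128-216", "Incident Site": "Security Operations",
                     "Incident Type": "Playbook - CryptoCurrency", "Incident Title": "Use Case DLP",
                     "Incident Report Date UTC": "2021-01-26 12:45:29.000",
                     "Incident Status": "Open", "Incident Owner": "admin user"}],
})
```

`search_incidents` is the only function that touches the network; everything else can be exercised against the embedded sample, which is how a playbook author can check query construction before an API key is provisioned. Pass the header name and key from your Webhook Configuration Guide settings rather than hard-coding them.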