Get D3 Log | docs.d3security

Last updated: Aug 13, 2024

Retrieves audit and monitor logs.

Implementation	System
Command Category	System Utility
Tags	Logging

Inputs

Parameter Name	Required/Optional	Description	Sample Data
Start Time	Required	The start of the date range for the log entries, specified in UTC time.	2024-03-04 00:00:00
End Time	Required	The end of the date range for the log entries, specified in UTC time.	2024-08-25 01:00:00
Top Number	Optional	The quantity of logs to display, ordered with the most recent first. The maximum number of logs that can be displayed is 5000.	3
Search Condition	Optional	Use the searchable parameters below to search for the desired log info. Types: IncidentPlaybook, EventPlaybook, CodelessPlaybook Actions: Add, Import, EditBaseInfo, EditTask, EditLink, RemoveNode, Clone, Replace, Delete, Live, Draft, EditPermissions, Publish, UnPublishAllSite, ClonePublish, Export, TestPlaybook Type: Integration Actions: Add, Edit, Delete, AddConnectionParameter, EditConnectionParameter, DeleteConnectionParameter, AddCommand, AddCommandCodelessPlaybook, EditCommand, EditCommandFeatures, AddCommandInputParameter, EditCommandInputParameter, DeleteCommandInputParameter, AddCommandOutputs, EditCommandOutputs, DeleteCommandOutputs, EditCommandScript, UpdateCommandReferences, EditCommandAllowRemote, LiveCommand, DraftCommand, DeleteCommand, CloneCommand, ExportCommandScript, EditMainEventJsonPath, AddEventSource, EditEventSource, DeleteEventSource, AddEventFieldMapping, EditEventFieldMapping, DeleteEventFieldMapping, EditMainEventJsonPathIncident, EditMainIncidentJsonPath, AddDefaultncidentFieldMappings, DeleteDefaultIncidentFieldMappings, AddIncidentSource, EditIncidentSource, DeleteIncidentSource, EditIncidentFieldMapping, TestCommand Type: UtilityCommand Actions: Add, Edit, Delete, AddCommandCodelessPlaybook, EditCommandFeatures, AddCommandInputParameter, EditCommandInputParameter, DeleteCommandInputParameter, AddCommandOutputs, EditCommandOutputs, DeleteCommandOutputs, EditCommandScript, UpdateCommandReferences, EditCommandAllowRemote, Live, Draft, CloneCommand, ExportCommandScript, TestCommand Type: CommandSchedule Actions: Add, Delete, Stop, CloneAdd Type: Report Actions: AddDashboard, EditDashboard, DeleteDashboard, AddEmailSchedule, DeleteEmailSchedule, CloneEmailSchedule, StopEmailSchedule, AddWidget, EditWidget, DeleteWidget, AddWidgetTag, EditWidgetTag, DeleteWidgetTag, EditDashboardPermission, EditWidgetPermission, AddQuery, EditQuery, CloneWidget, CloneDashboard Type: DataIngestionFetchCommand Actions: Add, CloneAdd, Stop, Delete Types: DataIngestionWebhook, RemoteCommandWebhook Actions: Add, Edit, Delete, RegenerateAuthKey, EditCommandSettings Type: GlobalList Actions: Add, Edit, Delete, Overwrite, Clear Type: User Actions: Add, Edit, Delete, Login, Logout, Lock, Unlock Type: Group Actions: Add, Edit, Delete, Edit user by group Type: Role Actions: Add, Edit, Delete, Edit user by role, SetDefault Type: Site Actions: Add, Edit, Delete, Edit user by site, Active Type: Connection Actions: Add, Edit, Delete, Clone, SetDisable Type: Web Service Actions: Application Start, Application End Type: Monitor Actions: Storage, ExecutedTaskCount	`[ { "Type": "User", "Action": "Add" }, { "Type": "User", "Action": "Edit" } ]`

Output

Return Data

The returned result of this command. If some required parameters are not defined, this returned data could be empty. The returned result can be passed down directly to a subsequent command in playbooks.

Sample Data

JSON

{
    "AuditLogs": [
        {
            "_id": "64dec7c5c6488f2d542cde14",
            "ModifiedTime": "2024-08-18 01:22:13.757000",
            "ModifiedUtcTime": "2024-08-18 01:22:13.757000",
            "Type": "Web Service",
            "Action": "Application Start",
            "MachineName": "VDVPC-1"
        },
        {
            "_id": "64dec7a7a3185ce16ad3f205",
            "ModifiedTime": "2024-08-18 01:21:43.776000",
            "ModifiedUtcTime": "2024-08-18 01:21:43.776000",
            "Type": "Web Service",
            "Action": "Application End",
            "MachineName": "VDVPC-1"
        }
    ],
    "MonitorLogs": [
        {
            "_id": "64dfa912640633851577ecaa",
            "ModifiedTime": "2024-08-18 17:23:30.659000",
            "ModifiedUtcTime": "2024-08-18 17:23:30.659000",
            "Type": "Monitor",
            "Action": "Storage",
            "Data": {
                "Storage": {
                    "TotalSize": 1152.01678466392,
                    "SqlServer": {
                        "StorageSize": 10.29022216392,
                        "StorageUsage": 9.23755644512
                    },
                    "MongoDb": 1141.7265625
                }
            }
        }
    ]
}

Remote Command API

The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.

Request

POST

https:/{base_url}/{api_namespace}/api/Command/getD3Log

Headers

Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.

Request Body

JSON

{
  "Username": <Username here>,
  "Site": <Site here>,
  "CommandParams": {
    "Source Type": <Source Type here>,
    "JSON Object": <The JSON object contains fields and data here>
    "Start Time": <Start Time here>,
    "End Time": <End Time here>,
    "Top Number": <Top Number here>,
    "Search Condition": <Search Condition here>
  }
}

Body Parameters

Parameter Name	Type	Required/Optional	Description
Username	`string`	Required	The username of your D3 SOAR account.
Site	`string`	Required	The D3 SOAR site to run the remote command.
Start Time	`string`	Required	The start of the date range for logs
End Time	`string`	Required	The end of the date range for logs
Top Number	`integer`	Optional	Show the top number of logs
Search Condition	`array<JSON Object>`	Optional	Use the searchable parameters to search for the desired log info.

Sample Request

Sample Data

JSON

{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Start Time": "2024-03-04 00:00:00",
    "End Time": "2024-08-25 00:00:00",
    "Top Number": 3,
    "Search Condition": [
      {
        "Type": "Web Service",
        "Action": "Application Start"
      },
      {
        "Type": "Monitor",
        "Action": "Storage"
      }
    ]
  }
}

Response

Response Fields

Field Name	Type	Description
error	`string`	The error message if the API request has failed.
returnData	`JSON Object`	The return data from the API request.

Sample Response

JSON

{
    "error": "",
    "returnData": {
      "AuditLogs": [
          {
              "_id": "64dec7c5c6488f2d542cde14",
              "ModifiedTime": "2024-08-18 01:22:13.757000",
              "ModifiedUtcTime": "2024-08-18 01:22:13.757000",
              "Type": "Web Service",
              "Action": "Application Start",
              "MachineName": "VDVPC-1"
          },
          {
              "_id": "64dec7a7a3185ce16ad3f205",
              "ModifiedTime": "2024-08-18 01:21:43.776000",
              "ModifiedUtcTime": "2024-08-18 01:21:43.776000",
              "Type": "Web Service",
              "Action": "Application End",
              "MachineName": "VDVPC-1"
          }
      ],
      "MonitorLogs": [
          {
              "_id": "64dfa912640633851577ecaa",
              "ModifiedTime": "2024-08-18 17:23:30.659000",
              "ModifiedUtcTime": "2024-08-18 17:23:30.659000",
              "Type": "Monitor",
              "Action": "Storage",
              "Data": {
                  "Storage": {
                      "TotalSize": 1152.01678466392,
                      "SqlServer": {
                          "StorageSize": 10.29022216392,
                          "StorageUsage": 9.23755644512
                      },
                      "MongoDb": 1141.7265625
                  }
              }
          }
      ]
  }
}