Query the Audit Trail - Python Development Quick Start Guide - 6.x - Cortex XSOAR - Cortex - Security Operations

Cortex XSOAR Python Development Quick Start Guide

Product
Cortex XSOAR
Version
6.x
Creation date
2023-03-22
Last date published
2023-08-31
Category
Python Development Quick Start Guide

During an incident investigation, you may need to retrieve the audit trail.

In this example, the Cortex XSOAR REST API is queried for the audit trail, since that data is not available in the incident context. You can view the audit trail in the Cortex XSOAR console under Settings > Advanced > Audit Trail.

Note

For list options, no spaces are allowed.

  1. Create an automation and use the Settings button to add the mandatory argument timeframe. This argument specifies the number of hours prior to the present time to query for audit trail entries.

  2. Use the basic automation template to create the following code.

    The parameter to the REST API is a dictionary with two keys: uri, the Cortex XSOAR API endpoint, and body, a sub-dictionary with additional parameters for the API, in this case size and query.

    Once the API parameters are created, the demisto.executeCommand() function invokes the API through the demisto-api-post command.

    The results of the query are displayed in the War Room using the return_results() function.

    import traceback
    from datetime import datetime, timedelta

    import demistomock as demisto
    from CommonServerPython import *  # return_results, return_error


    def main():
        try:
            # Mandatory automation argument: number of hours before now to query.
            timeframe = demisto.args()['timeframe']
            timefrom = datetime.now() - timedelta(hours=int(timeframe))
            timestring = timefrom.strftime("%Y-%m-%dT%H:%M:%S")
            # REST API call: the endpoint plus a body with page size and query.
            parameters = {
                'uri': "/settings/audits",
                'body': {
                    'size': 1000,
                    'query': f"modified:>{timestring}"
                }
            }
            # Invoke the API through the REST API integration's demisto-api-post command.
            results = demisto.executeCommand('demisto-api-post', parameters)
            # Display the audit entries in the War Room.
            return_results(results[0]['Contents']['response'])
        except Exception as ex:
            demisto.error(traceback.format_exc())
            return_error("Failed querying the audit trail: " + str(ex))


    if __name__ in ("__main__", "__builtin__", "builtins"):
        main()
  3. Save the completed automation and run it in the War Room of an open incident or the Playground to test it.
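The following is an added example, not part of this guide or of the product's own code, that restructures the procedure above so it can be tested outside Cortex XSOAR: request building is separated from the API call, the timeframe argument is validated, and an error entry from the REST API integration (for example, no integration instance configured) is reported clearly instead of failing inside results[0]['Contents']['response']. The execute_command callable, the error entry type value 4, and the fake_execute_command stub with its response are assumptions and constructed data.

```python
from datetime import datetime, timedelta
from typing import Any, Callable, Dict, List, Optional

AUDIT_URI = "/settings/audits"
ERROR_ENTRY_TYPE = 4  # assumed: Cortex XSOAR entry type of an error entry


def build_audit_request(timeframe: str, now: Optional[datetime] = None,
                        size: int = 1000) -> Dict[str, Any]:
    """Build the demisto-api-post argument from the timeframe (hours) argument.

    Rejects a non-integer or non-positive timeframe instead of sending a bad query.
    """
    try:
        hours = int(timeframe)
    except (TypeError, ValueError):
        raise ValueError(f"timeframe must be a whole number of hours, got {timeframe!r}")
    if hours <= 0:
        raise ValueError("timeframe must be a positive number of hours")
    now = now or datetime.now()
    timestring = (now - timedelta(hours=hours)).strftime("%Y-%m-%dT%H:%M:%S")
    return {"uri": AUDIT_URI,
            "body": {"size": size, "query": f"modified:>{timestring}"}}


def query_audit_trail(execute_command: Callable[[str, Dict[str, Any]], List[Dict[str, Any]]],
                      timeframe: str, now: Optional[datetime] = None) -> Any:
    """Run the query through an injected executeCommand and unwrap the response.

    execute_command is demisto.executeCommand inside Cortex XSOAR and a stub in tests.
    An error entry raises RuntimeError with the integration's message instead of a
    KeyError/TypeError from indexing results[0]['Contents']['response'].
    """
    results = execute_command("demisto-api-post", build_audit_request(timeframe, now))
    if not results:
        raise RuntimeError("demisto-api-post returned no entries")
    entry = results[0]
    if entry.get("Type") == ERROR_ENTRY_TYPE:
        raise RuntimeError(f"demisto-api-post failed: {entry.get('Contents')}")
    contents = entry.get("Contents")
    if not isinstance(contents, dict) or "response" not in contents:
        raise RuntimeError(f"unexpected demisto-api-post result: {contents!r}")
    return contents["response"]


def fake_execute_command(command: str, args: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Constructed stand-in for demisto.executeCommand so the code runs offline."""
    assert command == "demisto-api-post" and args["uri"] == AUDIT_URI
    # Echo the query back as a single constructed audit entry.
    return [{"Type": 1, "Contents": {"response": [{"query": args["body"]["query"]}]}}]
```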