IOCs Extraction‎

POST /Command/IOCsExtraction

This command identifies, classifies, and writes indicators of compromise (IOCs), such as URLs and IP addresses, into a structured JSON format.

Request

Authentication: API keys or JSON web tokens (JWT)

Body Parameters

Parameter Name	Type	Required/Optional	Description
Username	`string`	Required	The username of your D3 SOAR account.
Site	`string`	Required	The D3 SOAR site to run the remote command.
Raw Text	`string`	Required	The raw text to extract IOCs from

Body Sample Data

application/json

JSON

{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Raw Text": "216.251.148.1 192.168.1.1 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft https://www.google.com\r\n T1055  8[.]8[.]8[.]8  sample@d3security.com"
  }
}

Response

200 OK

application/json

Response Fields

Field Name	Type	Description
error	`string`	The error message if the command execution failed.
returnData	`JSON Object`	The return data from the API request.

Sample Data

JSON

{
    "error": "",
    "returnData": {
      "urls": [
          "https://www.google.com"
      ],
      "xmpp_addresses": [],
      "email_addresses_complete": [
          "hhe@d3security.com"
      ],
      "email_addresses": [
          "hhe@d3security.com"
      ],
      "ipv4_cidrs": [],
      "imphashes": [],
      "authentihashes": [],
      "domains": [
          "www.google.com",
          "d3security.com"
      ],
      "ipv4s": [
          "8.8.8.8",
          "216.251.148.1",
          "192.168.1.1"
      ],
      "ipv6s": [],
      "sha512s": [],
      "sha256s": [
          "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
      ],
      "sha1s": [],
      "md5s": [],
      "ssdeeps": [],
      "asns": [],
      "cves": [],
      "registry_key_paths": [
          "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft"
      ],
      "google_adsense_publisher_ids": [],
      "google_analytics_tracker_ids": [],
      "bitcoin_addresses": [],
      "monero_addresses": [],
      "mac_addresses": [],
      "user_agents": [],
      "tlp_labels": [],
      "attack_mitigations": {
          "enterprise": [],
          "mobile": []
      },
      "attack_tactics": {
          "pre_attack": [],
          "enterprise": [],
          "mobile": []
      },
      "attack_techniques": {
          "pre_attack": [],
          "enterprise": [
              "T1055"
          ],
          "mobile": []
      },
      "file_paths": []
  }
}

400 BadRequest

application/json

Response Fields

Field Name	Type	Description
Error	`string`	A error message when the API request fails.

Sample Data

JSON

{"Error": "The body of the request must be a valid JSON object"}

401 Unauthorized

application/json

Response Fields

Field Name	Type	Description
Error	`string`	A error message when the API request fails.

Sample Data

JSON

{"Error": "Invalid authentication key."}

429 TooManyRequests

application/json

Response Fields

Field Name	Type	Description
Error	`string`	A error message when the API request fails.

Sample Data

JSON

{"Error": "The request exceeds rate limits or is otherwise blocked by rate limiting policies."}

500 InternalServerError

application/json

Response Fields

Field Name	Type	Description
Error	`string`	A error message when the API request fails.

Sample Data

JSON

{"Error": "Unexpected Error."}