
Cybereason

LAST UPDATED: 2/9/2024

Overview

The Cybereason Defense Platform is a military-grade, real-time detection and response platform. It moves beyond endless alerting to instead recognize, expose, and end malicious operations before they take hold. The Cybereason Defense Platform allows organizations to get a complete picture of malicious activities and terminate attacks in minutes. This integration provides incident query, enrichment, and active responses to malicious operations.

D3 SOAR provides REST operations to work with Cybereason.

Cybereason is available for use in: D3 SOAR V14.5.64.0+

Category: Endpoint Protection

Deployment Options: Option II, Option IV

Connection

To connect to Cybereason from D3 SOAR, follow this section to collect the required information listed below:

Server URL: The URL of the Cybereason server. Example: https://integration.cybereason.net:8443

Authentication Type: The type of authentication used for the integration connection. The two options are Basic Authentication and Client Certificate Authentication. Example: Basic Authentication

Parameters for Authentication Type: Basic Authentication

User Name: The user name of the Cybereason account. Example: test@example.com

Password: The password of the user account. Example: #E***sx=

Parameters for Authentication Type: Client Certificate Authentication

Certificate: The authentication certificate. Example:

-----BEGIN CERTIFICATE-----
MIIJWgglAa9fkKHn/5JZFZ0qf0IvBD+ftC3yE1sz35rut/4grE3c0TI7tYq1Ya****************************VaaG6PQinQ==
-----END CERTIFICATE-----

Private Key: The authentication RSA private key. Example:

-----BEGIN RSA PRIVATE KEY-----
MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCKE***********************R8eUohZCtt0V9lg==
-----END RSA PRIVATE KEY-----

Permission Requirements

Each endpoint in the Cybereason API requires a certain permission scope. The following roles are required for the commands in this integration:

READER NOTE

Cybereason recommends against using the API User role for anyone performing API requests, as it has limited permissions. Instead, use the Super user role, which has permission to send all API requests. Please refer to Cybereason Required permission for more information.

Command: Required Permission

Add Comment To Malops: L1 Analyst, L2 Analyst, L3 Analyst, Sensor Viewer

Add Malop Labels: L1 Analyst, L2 Analyst, L3 Analyst, Executive

Delete Malop Labels: L1 Analyst, L2 Analyst, L3 Analyst, Executive

Download Files: L2 Analyst, L3 Analyst, System Admin, Sensor Viewer

Exclude Behavior From Malops: L3 Analyst

Fetch Event: L1 Analyst, L2 Analyst, L3 Analyst, Sensor Viewer, Executive

Fetch Incident: L1 Analyst, L2 Analyst, L3 Analyst, Sensor Viewer, Executive

Get Malop Labels: L1 Analyst, L2 Analyst, L3 Analyst, Executive

Get Malop Remediation Details: L1 Analyst, L2 Analyst, L3 Analyst, Sensor Viewer

Get All Malops: L1 Analyst, L2 Analyst, L3 Analyst, Sensor Viewer, Executive

Get Remediation Progress: L1 Analyst, L2 Analyst, L3 Analyst, Sensor Viewer

Is Host Connected: System Admin

Isolate Machine: L3 Analyst

Kill Process: L3 Analyst, Sensor Viewer

Query Domain: L1 Analyst, L2 Analyst, L3 Analyst, Sensor Viewer, Executive

Query File: L1 Analyst, L2 Analyst, L3 Analyst, Sensor Viewer, Executive

Query Malops: L1 Analyst, L2 Analyst, L3 Analyst, Sensor Viewer, Executive

Query Processes: L1 Analyst, L2 Analyst, L3 Analyst, Sensor Viewer, Executive

Query Sensors: System Admin

Query User: L1 Analyst, L2 Analyst, L3 Analyst, Sensor Viewer, Executive

Remediate: L3 Analyst, Sensor Viewer

Run Query: L1 Analyst, L2 Analyst, L3 Analyst, Sensor Viewer, Executive

Set IOC Reputation: Responder (L1/L2)

Unisolate Machine: L3 Analyst, Sensor Viewer

Update Malop Labels: L1 Analyst, L2 Analyst, L3 Analyst, Executive

Update Malops Status: L1 Analyst, L2 Analyst, L3 Analyst, Sensor Viewer

Test Connection: At least one of L3 Analyst or Responder (L1/L2)

Configuring Cybereason to Work with D3 SOAR

No additional configurations are needed in Cybereason to work with D3 SOAR. Please note that any password changes made in the Cybereason platform must also be updated in D3 for the connection to continue working.

Configuring D3 SOAR to Work with Cybereason

  1. Log in to D3 SOAR.

  2. Find the Cybereason integration.

    1. Navigate to Configuration on the top header menu.

    2. Click on the Integration icon on the left sidebar.

    3. Type Cybereason in the search box to find the integration, then click it to select it.

    4. Click + New Connection on the right side of the Connections section. A new connection window will appear.

  3. Configure the following fields to create a connection to Cybereason.

    1. Connection Name: The desired name for the connection.

    2. Site: Specifies the site that will use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site enables only that site to use the connection.

    3. Recipient site for events from connections Shared to Internal Sites: This field appears only if you selected Share to Internal Sites for Site. It lets you select the internal site on which the integration connection is deployed.

    4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

    5. Description (Optional): Add your desired description for the connection.

    6. Configure User Permissions: Defines which users have access to the connection.

    7. Active: Check the tick box to ensure the connection is available for use.

    8. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.

      1. Copy the URL from the Cybereason platform and input it for the Server URL (domain level) field. The default server URL is https://integration.cybereason.net:8443.

      2. Select the authentication type used to build the connection.

        Basic Authentication: Input the login credentials of your Cybereason environment, including your User Name and Password.

        Client Certificate Authentication: Input the Certificate and the Private Key provided by Cybereason.

    9. Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.
      To set up a connection health check, check the Connection Health Check tickbox. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.

    10. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.

  4. Test the connection.

    1. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.

    2. Click OK to close the alert window.

    3. Click + Add to create and add the configured connection.

Commands

Cybereason includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the Cybereason API, please refer to the Cybereason API reference.

READER NOTE

Certain permissions are required for each command. Please refer to the Permission Requirements and Configuring Cybereason to Work with D3 SOAR for details.

Note for Time-related parameters

The input format of time-related parameters may vary based on your account settings. As a result, the sample data provided for our commands may differ from what you see. To set your preferred time format, follow these steps:

  1. Navigate to Configuration > Application Settings. Select Date/Time Format.

  2. Choose your desired date and time format.

After that, you will be able to view your preferred time format when configuring the DateTime input parameters for commands.

Add Comment To Malops

Adds a comment to the specified Malops.

READER NOTE

The parameter Malop IDs is required to run this command.

  • Run the Get All Malops command to obtain Malop IDs. Malop IDs can be found in the returned raw data at the path $.malop[*].guid.

Input

Malop IDs (Required): The IDs of the Malops to add the comment to. Malop IDs can be obtained using the Get All Malops command. If the input Malop IDs are invalid, no new Malop will be created and the error message “Malop does not exist” will be returned. Example: ["***"]

Comment (Required): The comment text to add to the specified Malops. Example: This is a test Comment to the malop

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
[
    {
        "commentId": "***-***-***-***-***",
        "username": "test@example.com",
        "message": "{This is a test Comment to the malop}",
        "timestamp": 1637278710557
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "CommentIDs": [
        "***-***-***-***-***"
    ]
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

COMMENTID: ***-***-***-***-***

USERNAME: test@example.com

MESSAGE: {This is a test Comment to the malop}

TIMESTAMP: 1637278710557

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Failure Indicator: Indicates the command failure that happened at a specific input and/or API call. Example: Add Comment To Malops failed. An error occurred (MalopIDNotFound) when calling the Add Comment To Malops operation.

Status Code: The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command, and the user or system support would need to check the permission settings in the Cybereason portal. Refer to the HTTP Status Code Registry for details. Example: Status Code: 404.

Message: The raw data or captured key error message from the integration API server about the API request failure. Example: Message: The Malop ID does not exist.

Error Sample Data

Add Comment To Malops failed. An error occurred (MalopIDNotFound) when calling the Add Comment To Malops operation.

Status Code: 404.

Message: The Malop ID does not exist.

Add Malop Labels

Adds new Malop label(s) to the list of labels. If the label(s) already exist, an error will be returned.

READER NOTE

  • When adding Malop labels, please keep in mind, the labels are case sensitive. For example, “security” and “Security” will be added as two different labels.

  • If your label text input already exists, D3 SOAR will return the existing label with the corresponding label ID.

  • An improper input format may result in only one label being created. For example, using the input “label1, label2” (or label1, label2 without brackets) to create two new labels is incorrect: either format creates a single label. The correct format [“label1”, “label2”] outputs two labels: “label1” and “label2”.
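As an added example (not part of the D3 or Cybereason documentation), the following Python checks a Label Texts input before the command runs, reproducing the rules in this note: only a JSON array of strings yields one label per element, and labels that differ only by case are distinct. The `existing_labels` list stands in for labels already returned by Get Malop Labels and is constructed here.

```python
import json


def parse_label_texts(raw_input):
    """Return the label texts the Add Malop Labels command would create from a
    raw playbook input string, following the reader note above: only a JSON
    array of strings yields one label per element; a quoted string such as
    "label1, label2" or bare text such as label1, label2 becomes one label."""
    text = raw_input.strip()
    try:
        parsed = json.loads(text)
    except ValueError:
        parsed = None
    if isinstance(parsed, list) and parsed and all(isinstance(x, str) for x in parsed):
        return parsed
    if isinstance(parsed, str):
        return [parsed]
    return [text]


def find_case_collisions(new_labels, existing_labels):
    """Pair each new label with an existing label that matches it only when
    case is ignored. The platform treats these as two different labels, which
    is usually a data-entry mistake rather than the intent."""
    by_folded = {}
    for label in existing_labels:
        by_folded.setdefault(label.casefold(), []).append(label)
    collisions = []
    for label in new_labels:
        for match in by_folded.get(label.casefold(), []):
            if match != label:
                collisions.append((label, match))
    return collisions


def validate_label_input(raw_input, existing_labels):
    """Summarise what the command would do: labels created, labels already
    present (returned with their existing ID instead of created) and warnings
    about case-only differences or a likely mis-formatted multi-label input."""
    labels = parse_label_texts(raw_input)
    warnings = []
    if len(labels) == 1 and "," in labels[0]:
        warnings.append(
            f"input {labels[0]!r} would create ONE label; use a JSON array "
            'such as ["label1", "label2"] for several labels'
        )
    for new, old in find_case_collisions(labels, existing_labels):
        warnings.append(f"{new!r} differs only by case from existing {old!r}")
    return {
        "to_create": [l for l in labels if l not in existing_labels],
        "already_exist": [l for l in labels if l in existing_labels],
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed stand-in for labels returned by Get Malop Labels.
    existing = ["Security", "Spear Phishing label"]
    for raw in ('["label1", "label2"]', '"label1, label2"', 'label1, label2',
                '["security", "Spear Phishing label"]'):
        print(raw, "->", validate_label_input(raw, existing))
```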

Input

Label Texts (Required): The label text(s) to add to the label list. Example: ["Spear Phishing label"]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
[
    {
        "id": ***,
        "labelText": "Spear Phishing label",
        "totalCount": 0,
        "selectionCount": 0
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "LabelIDs": [
        ***
    ]
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ID: ***

LABELTEXT: Spear Phishing label

TOTALCOUNT: 0

SELECTIONCOUNT: 0

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Failure Indicator: Indicates the command failure that happened at a specific input and/or API call. Example: Add Malop Labels failed. An error occurred when calling the Add Malop Labels operation.

Status Code: The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command, and the user or system support would need to check the permission settings in the Cybereason portal. Refer to the HTTP Status Code Registry for details. Example: Status Code: 400.

Message: The raw data or captured key error message from the integration API server about the API request failure. Example: Message: The value for parameter (Label Texts) is invalid.

Error Sample Data

Add Malop Labels failed. An error occurred when calling the Add Malop Labels operation.

Status Code: 400.

Message: The value for parameter (Label Texts) is invalid.

Delete Malop Labels

Deletes existing Malop label(s) from the list of labels.

READER NOTE

The parameter Label IDs is required to run this command.

  • Run the Get Malop Labels command to obtain Label IDs. Label IDs can be found in the returned raw data at the path $[*].id.

Please note:

  • The same Label cannot be deleted twice.

  • If some of your input Label IDs do not exist, existing labels won’t be deleted and D3 SOAR will return an error about Label IDs not existing.

  • If some malops are using the labels you want to delete, the labels will be removed from the malops after deletion.

Input

Label IDs (Required): The IDs of the labels to remove from the label list. Label IDs can be obtained using the Get Malop Labels command. If the input Label IDs do not exist, no labels will be deleted and the error message “Label ID Not Exist” will be returned. Example: [***]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "result": [
        "success"
    ]
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

result

  • success

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Failure Indicator: Indicates the command failure that happened at a specific input and/or API call. Example: Delete Malop Labels failed. An error occurred (LabelDoesNotExist) when calling the Delete Malop Labels operation.

Status Code: The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command, and the user or system support would need to check the permission settings in the Cybereason portal. Refer to the HTTP Status Code Registry for details. Example: Status Code: 404.

Message: The raw data or captured key error message from the integration API server about the API request failure. Example: Message: Label Does Not Exist.

Error Sample Data

Delete Malop Labels failed. An error occurred (LabelDoesNotExist) when calling the Delete Malop Labels operation.

Status Code: 404.

Message: Label Does Not Exist.

Download Files

Downloads files from the Element Details screen and saves them in the D3 database.

READER NOTE

The parameter File GUIDs is required to run this command.

  • Run the Query File command to obtain File GUIDs. The File GUIDs can be found in the returned raw data at the path $.data.resultIdToElementDataMap.<id>.guidString.

Initiator User Name is an optional parameter to run this command.

  • Run the Get Malop Remediation Details command to obtain the Initiator User Name. The Initiator User Names can be found in the returned Raw Data, under path $.initiatingUser.

Input

File GUIDs (Required): The GUIDs (globally unique identifiers) of the files to download. File GUIDs can be obtained using the Query File command. Note: Files from a machine that is not connected to Cybereason cannot be downloaded. Example: ["-***.-***"]

Initiator User Name (Optional): The username of the user initiating the file download. Example: test@example.com

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
[
    {
        "fileId": "***",
        "fileName": "***.zip",
        "md5": "***",
        "sha1": "***",
        "sha256": "***"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "D3FileIDs": [
        "***"
    ],
    "FileNames": [
        "***.zip"
    ]
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

FILEID: ***

FILENAME: ***.zip

MD5: ***

SHA1: ***

SHA256: ***

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Failure Indicator: Indicates the command failure that happened at a specific input and/or API call. Example: Download Files failed. An error occurred when calling the Download Files operation.

Status Code: The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command, and the user or system support would need to check the permission settings in the Cybereason portal. Refer to the HTTP Status Code Registry for details. Example: Status Code: 404.

Message: The raw data or captured key error message from the integration API server about the API request failure. Example: Message: Please check if the File GUIDs are correct.

Error Sample Data

Download Files failed. An error occurred when calling the Download Files operation.

Status Code: 404.

Message: Please check if the File GUIDs are correct.

Exclude Behavior From Malops

Instructs the Cybereason platform not to trigger additional Malops for the behavior seen in the specified Malops.

READER NOTE

The parameter Malop IDs is required to run this command.

  • Run the Get All Malops command to obtain Malop IDs. Malop IDs can be found in the returned raw data at the path $.malop[*].guid.

Input

Malop IDs (Required): The IDs of the Malops whose behavior should no longer trigger additional Malops. Malop IDs can be obtained using the Get All Malops command. Example: ["***"]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "result": "Exclude behavior from malops *** successful."
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "MalopIDs": [
        "***"
    ]
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

result

Exclude behavior from malops *** successful.

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Failure Indicator: Indicates the command failure that happened at a specific input and/or API call. Example: Exclude Behavior From Malops failed. An error occurred (MalopIDNotExist) when calling the Exclude Behavior From Malops operation.

Status Code: The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command, and the user or system support would need to check the permission settings in the Cybereason portal. Refer to the HTTP Status Code Registry for details. Example: Status Code: 404.

Message: The raw data or captured key error message from the integration API server about the API request failure. Example: Message: The Malop ID does not exist.

Error Sample Data

Exclude Behavior From Malops failed. An error occurred (MalopIDNotExist) when calling the Exclude Behavior From Malops operation.

Status Code: 404.

Message: The Malop ID does not exist.

Fetch Event

Returns events (AI Hunting Malops) from the Cybereason environment based on specified criteria.

Input

Start Time (Required): The start time, in UTC, of the time range in which to fetch events. The time range can be defined by the event’s last update time or start time (see Query Time Type). Example: 2022-05-04 00:00

End Time (Optional): The end time, in UTC, of the time range in which to fetch events. The time range can be defined by the event’s last update time or start time (see Query Time Type). Example: 2022-05-05 00:00

Top Recent Event Number (Optional): The maximum number of events (up to 1,000) to return. The default value is 100. Example: 100

Search Condition (Required): The JSON-formatted query used to filter results. See Generic Queries for more on the query syntax. It is recommended to use the provided sample data as a template and build your query by modifying the “filters” object.

Note: Do not input a value for the totalResultLimit key in the JSON object; it will be overwritten by the value of the Top Recent Event Number parameter of this command. The Start Time and End Time parameters are used to set the time range filter, so there is no need to define it in the JSON object.

Example:

CODE
{
    "templateContext": "MALOP",
    "queryPath": [
        {
            "requestedType": "MalopProcess",
            "filters": [
                {
                    "facetName": "hasRansomwareSuspendedProcesses",
                    "values": [ false ],
                    "filterType": "Equals"
                }
            ],
            "result": true
        }
    ]
}

Query Time Type (Optional): Specifies whether the query is performed by Malop Last Update Time or Malop Start Time. The default value is Malop Last Update Time. Example: Malop Last Update Time

Tolerance Scope (Minute) (Optional): A tolerance, in minutes, subtracted from the Start Time so that events at the boundary of the query window are not lost. Events will be fetched between {Start Time - Tolerance Scope, End Time}. Example: 10

Output

Raw Data

The primary response data from the API request.

To align the JSON format with D3 SOAR event field mapping, D3 customizes the Raw Data by removing the key name under $.data.resultIdToElementDataMap[*] in the JSON returned by the API, so the keyed object becomes a list of elements.

For developers’ reference, the hierarchy of the original Cybereason API response looks like this:

CODE
{
    "data": {
        "resultIdToElementDataMap": {
            "11.-***": {
                "simpleValues": { ...
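The query assembly described in the Search Condition, Query Time Type and Tolerance Scope notes above, together with the Raw Data adjustment just described, as an added Python example (not D3's or Cybereason's own code): it overwrites totalResultLimit, adds the time window on the facet matching Query Time Type, and turns the keyed resultIdToElementDataMap into a list. The "Between" filter type, the 'YYYY-MM-DD HH:MM' parsing and the sample response are assumptions or constructed data; the page gives no filter syntax for the time range.

```python
import copy
from datetime import datetime, timezone

# Search Condition template from the Fetch Event input example on this page.
SEARCH_CONDITION_TEMPLATE = {
    "templateContext": "MALOP",
    "queryPath": [
        {
            "requestedType": "MalopProcess",
            "filters": [
                {"facetName": "hasRansomwareSuspendedProcesses",
                 "values": [False], "filterType": "Equals"}
            ],
            "result": True,
        }
    ],
}

# Query Time Type option -> facet that carries that timestamp in the Raw Data.
TIME_FACETS = {
    "Malop Last Update Time": "malopLastUpdateTime",
    "Malop Start Time": "malopStartTime",
}


def to_epoch_ms(utc_text):
    """Convert the 'YYYY-MM-DD HH:MM' UTC format used by the examples to epoch ms."""
    dt = datetime.strptime(utc_text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def build_fetch_event_query(search_condition, start_time, end_time=None,
                            top_n=100, query_time_type="Malop Last Update Time",
                            tolerance_minutes=0):
    """Assemble the query body as the parameter notes describe: any caller-supplied
    totalResultLimit is overwritten by Top Recent Event Number, and the window
    {Start Time - Tolerance Scope, End Time} is applied on the facet chosen by
    Query Time Type. A 'Between' filterType with [start_ms, end_ms] values is an
    assumption made here; the page does not state the filter syntax."""
    if not 1 <= top_n <= 1000:
        raise ValueError("Top Recent Event Number must be between 1 and 1,000")
    query = copy.deepcopy(search_condition)  # never mutate the caller's template
    query["totalResultLimit"] = top_n
    start_ms = to_epoch_ms(start_time) - tolerance_minutes * 60 * 1000
    if end_time is None:  # End Time is optional: default to "now"
        end_ms = int(datetime.now(timezone.utc).timestamp() * 1000)
    else:
        end_ms = to_epoch_ms(end_time)
    if start_ms >= end_ms:
        raise ValueError("Start Time (minus tolerance) must be before End Time")
    query["queryPath"][0]["filters"].append({
        "facetName": TIME_FACETS[query_time_type],
        "filterType": "Between",  # assumed filter type
        "values": [start_ms, end_ms],
    })
    return query


def flatten_result_map(api_response):
    """Apply the D3 Raw Data adjustment described above: the keyed object at
    $.data.resultIdToElementDataMap becomes a list of its element values."""
    return list(api_response["data"]["resultIdToElementDataMap"].values())


def simple_values(element):
    """Added convenience (not part of the D3 adjustment): lift each single-valued
    simpleValues facet of an element to a plain key/value pair."""
    lifted = {}
    for facet, cell in element.get("simpleValues", {}).items():
        values = cell.get("values", [])
        lifted[facet] = values[0] if len(values) == 1 else values
    return lifted


# Constructed response shaped like the hierarchy shown above (values masked).
SAMPLE_RESPONSE = {
    "data": {
        "resultIdToElementDataMap": {
            "11.-CONSTRUCTED": {
                "simpleValues": {
                    "detectionType": {"totalValues": 1, "values": ["RANSOMWARE"]},
                    "managementStatus": {"totalValues": 1, "values": ["OPEN"]},
                    "malopLastUpdateTime": {"totalValues": 1, "values": ["1651700000000"]},
                }
            }
        }
    }
}

if __name__ == "__main__":
    template = dict(SEARCH_CONDITION_TEMPLATE, totalResultLimit=5)  # will be overwritten
    query = build_fetch_event_query(template, "2022-05-04 00:00", "2022-05-05 00:00",
                                    top_n=100, tolerance_minutes=10)
    print(query["totalResultLimit"], query["queryPath"][0]["filters"][-1])
    for event in flatten_result_map(SAMPLE_RESPONSE):
        print(simple_values(event))
```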

SAMPLE DATA

CODE
{
    "data": {
        "resultIdToElementDataMap": [
            {
                "simpleValues": {
                    "hasRansomwareSuspendedProcesses": {
                        "totalValues": 1,
                        "values": [
                            "true"
                        ]
                    },
                    "decisionFeature": {
                        "totalValues": 1,
                        "values": [
                            "Process.maliciousShadowCopyDeletion(Malop decision)"
                        ]
                    },
                    "detectionType": {
                        "totalValues": 1,
                        "values": [
                            "RANSOMWARE"
                        ]
                    },
                    "malopActivityTypes": {
                        "totalValues": 1,
                        "values": [
                            "RANSOMWARE"
                        ]
                    },
                    "elementDisplayName": {
                        "totalValues": 1,
                        "values": [
                            "RANSOMWARE"
                        ]
                    },
                    "creationTime": {
                        "totalValues": 1,
                        "values": [
                            "***"
                        ]
                    },
                    "iconBase64": {
                        "totalValues": 1,
                        "values": [
                            "***"
                        ]
                    },
                    "isBlocked": {
                        "totalValues": 1,
                        "values": [
                            "false"
                        ]
                    },
                    "rootCauseElementTypes": {
                        "totalValues": 1,
                        "values": [
                            "Process"
                        ]
                    },
                    "malopStartTime": {
                        "totalValues": 1,
                        "values": [
                            "***"
                        ]
                    },
                    "rootCauseElementNames": {
                        "totalValues": 1,
                        "values": [
                            "***.exe"
                        ]
                    },
                    "malopLastUpdateTime": {
                        "totalValues": 1,
                        "values": [
                            "***"
                        ]
                    },
                    "allRansomwareProcessesSuspended": {
                        "totalValues": 1,
                        "values": [
                            "true"
                        ]
                    },
                    "rootCauseElementHashes": {
                        "totalValues": 1,
                        "values": [
                            "***"
                        ]
                    },
                    "managementStatus": {
                        "totalValues": 1,
                        "values": [
                            "OPEN"
                        ]
                    },
                    "closeTime": {
                        "totalValues": 1,
                        "values": [
                            null
                        ]
                    },
                    "closerName": {
                        "totalValues": 1,
                        "values": [
                            null
                        ]
                    },
                    "customClassification": {
                        "totalValues": 1,
                        "values": [
                            "None"
                        ]
                    },
                    "comments": {
                        "totalValues": 8,
                        "values": [
                            {
                                "commentId": "***-***-***-***-***",
                                "username": "***",
                                "message": "Resilient ID: ***",
                                "timestamp": 1631094322975
                            },
                            {
                                "commentId": "***-***-***-***-***",
                                "username": "***",
                                "message": "Resilient ID: ***",
                                "timestamp": ***
                            },
                            {
                                "commentId": "***-***-***-***-***",
                                "username": "***",
                                "message": "Resilient ID: **",
                                "timestamp": 1634101534461
                            },
                            {
                                "commentId": "***-***-***-***-***",
                                "username": "***",
                                "message": "Resilient ID: ***",
                                "timestamp": 1636369492437
                            },
                            {
                                "commentId": "***-***-***-***-***",
                                "username": "***",
                                "message": "Resilient ID: ***",
                                "timestamp": 1636517867376
                            },
                            {
                                "commentId": "***-***-***-***-***",
                                "username": "***",
                                "message": "Resilient ID: ***",
                                "timestamp": 1636613779143
                            },
                            {
                                "commentId": "***-***-***-***-***",
                                "username": "***",
                                "message": "Resilient ID: ***",
                                "timestamp": 1637909255838
                            },
                            {
                                "commentId": "***-***-***-***-***",
                                "username": "***,
                                "message": "Resilient ID: ***",
                                "timestamp": 1637919142401
                            }
                        ]
                    }
                },
                "elementValues": {
                    "primaryRootCauseElements": {
                        "totalValues": 1,
                        "elementValues": [
                            {
                                "elementType": "Process",
                                "guid": "***",
                                "name": "**.exe",
                                "hasSuspicions": true,
                                "hasMalops": true
                            }
                        ],
                        "totalSuspicious": 1,
                        "totalMalicious": 1,
                        "guessedTotal": 0
                    },
                    "affectedUsers": {
                        "totalValues": 1,
                        "elementValues": [
                            {
                                "elementType": "User",
                                "guid": "0.-***",
                                "name": "**-**\\administrator",
                                "hasSuspicions": false,
                                "hasMalops": false
                            }
                        ],
                        "totalSuspicious": 0,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    },
                    "affectedMachines": {
                        "totalValues": 1,
                        "elementValues": [
                            {
                                "elementType": "Machine",
                                "guid": "**",
                                "name": "**",
                                "hasSuspicions": false,
                                "hasMalops": false
                            }
                        ],
                        "totalSuspicious": 0,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    }
                },
                "suspicions": null,
                "filterData": {
                    "sortInGroupValue": "11.-**",
                    "groupByValue": "MalopProcessRuntime:11.-** "
                },
                "isMalicious": false,
                "suspicionCount": 0,
                "guidString": "11.-**",
                "labelsIds": [],
                "malopPriority": null,
                "suspect": false,
                "malicious": false
            }
        ],
        "suspicionsMap": {},
        "evidenceMap": {},
        "totalPossibleResults": 1,
        "guessedPossibleResults": 0,
        "queryLimits": {
            "totalResultLimit": 1000,
            "perGroupLimit": 10,
            "perFeatureLimit": 10,
            "groupingFeature": {
                "elementInstanceType": "MalopProcess",
                "featureName": "self"
            },
            "sortInGroupFeature": null
        },
        "queryTerminated": false,
        "pathResultCounts": [
            {
                "featureDescriptor": {
                    "elementInstanceType": "MalopProcess",
                    "featureName": null
                },
                "count": 1
            }
        ],
        "guids": []
    },
    "status": "SUCCESS",
    "hidePartialSuccess": false,
    "message": "",
    "expectedResults": 1,
    "failures": 0
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "MalopIDs": [
        "11.***",
        "11.***",
        "11.***"
    ],
    "ProccessIDs": [
        "**.**"
    ]
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Fetch Event Field Mapping

Please note that Fetch Event commands require Event Field Mapping. Field mapping plays a key role in the data normalization step of the event pipeline: it converts the original data fields from the different providers into D3 system fields, which are standardized by the D3 data model. You can edit the provided mapping or create custom mappings as needed. Please refer to Event and Incident Intake Field Mapping for details.

As a system integration, Cybereason comes with pre-configured default field mappings.

  • Default Event Source

The Default Event Source is the default set of field mappings applied when this Fetch Event command is executed. For out-of-the-box integrations, the system provides this set of field mappings. The default event source maps common fields from fetched events (e.g., Original event ID and File Hash) and has a Main Event JSON Path used to extract a batch of events from the raw response data.

  • Main Event JSON Path: $.data.resultIdToElementDataMap

The Main Event JSON Path determines the root path where the system starts parsing raw response data into D3 event data. The JSON path begins with $, representing the root element. The path is formed by appending a sequence of child elements to $, each separated by a dot (.). Square brackets with nested quotation marks ([‘...’]) should be used to separate child elements in JSON arrays.

For example, the root node of a JSON Path is data.resultIdToElementDataMap. The child node denoting the Original event ID field would be guidString. Putting it together, the JSON Path expression to extract the Original event ID is $.data.resultIdToElementDataMap.guidString.

Field Name | Source Field
Original event ID | .guidString
Malop Activity Types | .simpleValues.malopActivityTypes.values
Malop Last Update Time | .simpleValues.malopLastUpdateTime.values
Malop Creation Time | .simpleValues.creationTime.values
File Hash | .simpleValues.rootCauseElementHashes.values
Comments | .simpleValues.comments.values[*].message
Root Cause ID | .elementValues.primaryRootCauseElements.elementValues[*].guid
Root Cause Name | .elementValues.primaryRootCauseElements.elementValues[*].name
Affected Users | .elementValues.affectedUsers.elementValues[*].name
Affected Machines ID | .elementValues.affectedMachines.elementValues[*].guid
Affected Machines Name | .elementValues.affectedMachines.elementValues[*].name
Priority | .malopPriority
Event Type | .simpleValues.detectionType.values
Start Time | .simpleValues.malopStartTime.values
Root Cause Element Names | .simpleValues.rootCauseElementNames.values
Root Cause Element Types | .simpleValues.rootCauseElementTypes.values
Management Status | .simpleValues.managementStatus.values
Decision Feature | .simpleValues.decisionFeature.values
Process ID | .elementValues.primaryRootCauseElements.elementValues[?(@.elementType=='Process')].guid
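
Applying this mapping table to one event, as an added example (not D3 SOAR or Cybereason code): a small evaluator for the JSONPath subset the Source Field column uses (dotted child names, the [*] wildcard and the [?(@.key=='value')] filter), run over a constructed event shaped like the sample above. It covers a representative subset of the rows; the field names and paths are copied from the table, the event values are placeholders.

```python
import re

# A representative subset of the Source Field column above (relative to one event).
FIELD_MAPPING = {
    "Original event ID": ".guidString",
    "File Hash": ".simpleValues.rootCauseElementHashes.values",
    "Comments": ".simpleValues.comments.values[*].message",
    "Root Cause ID": ".elementValues.primaryRootCauseElements.elementValues[*].guid",
    "Affected Users": ".elementValues.affectedUsers.elementValues[*].name",
    "Priority": ".malopPriority",
    "Event Type": ".simpleValues.detectionType.values",
    "Process ID": ".elementValues.primaryRootCauseElements"
                  ".elementValues[?(@.elementType=='Process')].guid",
}

# One path step: a dotted child name, the [*] wildcard, or a [?(@.key=='literal')]
# filter on array elements. That is all the mapping table uses.
_STEP = re.compile(r"\.([A-Za-z_]\w*)|\[\*\]|\[\?\(@\.([A-Za-z_]\w*)=='([^']*)'\)\]")


def tokenize(path):
    """Split a relative path such as .a.b[*].c into a list of steps."""
    steps, pos = [], 0
    while pos < len(path):
        m = _STEP.match(path, pos)
        if not m:
            raise ValueError(f"unsupported JSONPath syntax at {path[pos:]!r}")
        if m.group(1) is not None:
            steps.append(("child", m.group(1)))
        elif m.group(2) is not None:
            steps.append(("filter", m.group(2), m.group(3)))
        else:
            steps.append(("wildcard",))
        pos = m.end()
    return steps


def evaluate(path, node):
    """Return every value the path selects under node (empty list if none)."""
    current = [node]
    for step in tokenize(path):
        selected = []
        for item in current:
            if step[0] == "child" and isinstance(item, dict) and step[1] in item:
                selected.append(item[step[1]])
            elif step[0] == "wildcard" and isinstance(item, list):
                selected.extend(item)
            elif step[0] == "filter" and isinstance(item, list):
                selected.extend(e for e in item
                                if isinstance(e, dict) and e.get(step[1]) == step[2])
        current = selected
    return current


def map_event(event, mapping=FIELD_MAPPING):
    """Build {D3 field name: value}; one match is unwrapped, no match becomes None."""
    result = {}
    for field, path in mapping.items():
        values = evaluate(path, event)
        result[field] = values[0] if len(values) == 1 else (values or None)
    return result


# Constructed event shaped like the page's sample (*** = placeholder). A second,
# non-Process root cause is included so the Process ID filter has something to exclude.
SAMPLE_EVENT = {
    "simpleValues": {
        "detectionType": {"totalValues": 1, "values": ["RANSOMWARE"]},
        "rootCauseElementHashes": {"totalValues": 1, "values": ["***"]},
        "comments": {"totalValues": 2, "values": [
            {"commentId": "***", "username": "***", "message": "Resilient ID: 1001"},
            {"commentId": "***", "username": "***", "message": "Resilient ID: 1002"},
        ]},
    },
    "elementValues": {
        "primaryRootCauseElements": {"totalValues": 2, "elementValues": [
            {"elementType": "Process", "guid": "-100", "name": "python.exe"},
            {"elementType": "File", "guid": "-200", "name": "python.exe"},
        ]},
        "affectedUsers": {"totalValues": 1, "elementValues": [
            {"elementType": "User", "guid": "0.-***", "name": "CORP\\administrator"}]},
    },
    "guidString": "11.-***",
    "malopPriority": None,
}
```

Running map_event(SAMPLE_EVENT) shows why the Process ID row needs the filter: the Root Cause ID row returns both GUIDs, the filtered row only the Process one.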

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error | Description | Example
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Fetch Event failed. An error occurred when calling the Fetch Event operation.
Status Code | The response code issued by the third-party API server or the D3 SOAR system, used to locate the corresponding error category. For example, a 401 status code means the selected connection is not authorized to run the command; the user or system support would need to check the permission settings in the Cybereason portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400.
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: SearchCondition is not valid JSON input.

Error Sample Data

Fetch Event failed. An error occurred when calling the Fetch Event operation.

Status Code: 400.

Message: SearchCondition is not valid JSON input.

Fetch Incident

Returns incident(s) from the Cybereason environment based on specified criteria.

Input

Input Parameter: Start Time
Required/Optional: Required
Description: The start of the time range (in UTC) for fetching incidents. The time range can be defined by the incident's last update time or start time (see Query Time Type).
Example: 2022-05-04 00:00

Input Parameter: End Time
Required/Optional: Optional
Description: The end of the time range (in UTC) for fetching incidents. The time range can be defined by the incident's last update time or start time (see Query Time Type).
Example: 2022-05-05 00:00

Input Parameter: Top Recent Incident Number
Required/Optional: Optional
Description: The maximum number of incidents (up to 1,000) to return. The default value is 100.
Example: 100

Input Parameter: Search Condition
Required/Optional: Required
Description: The JSON-formatted query used to filter results. See Generic Queries in Cybereason's API documentation for more information on the query syntax. It is recommended to use the provided sample data as a template and build your query by modifying the "filters" object.
Note: Do not set the totalResultLimit key in the JSON object; it is overwritten by the value of this command's Top Recent Incident Number parameter. The Start Time and End Time parameters are used to set the time range filter, so there is no need to define one in the JSON object.
Example:
{
    "templateContext": "MALOP",
    "queryPath": [
        {
            "requestedType": "MalopProcess",
            "filters": [
                {
                    "facetName": "hasRansomwareSuspendedProcesses",
                    "values": [
                        false
                    ],
                    "filterType": "Equals"
                }
            ],
            "result": true
        }
    ]
}

Input Parameter: Query Time Type
Required/Optional: Optional
Description: Specifies whether the query is performed by Malop Last Update Time or Malop Start Time. The default value is Malop Last Update Time.
Example: Malop Last Update Time

Input Parameter: Tolerance Scope (Minute)
Required/Optional: Optional
Description: The tolerance, in minutes, applied to the start of the query window to avoid missing incidents. Incidents are fetched between {Start Time - Tolerance Scope, End Time}.
Example: 10
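
The query the command effectively sends, assembled from these parameters as an added example (not the integration's own code): totalResultLimit is overwritten with Top Recent Incident Number, the window is {Start Time - Tolerance Scope, End Time}, and the time facet follows Query Time Type. The page does not show the time filter the integration appends, so the Between filter with two epoch-millisecond values is an assumption, as is treating an omitted End Time as the current time.

```python
import json
from datetime import datetime, timezone

# Query Time Type -> the simpleValues facet it refers to (both appear in the sample data).
TIME_FACETS = {
    "Malop Last Update Time": "malopLastUpdateTime",
    "Malop Start Time": "malopStartTime",
}

# The Search Condition example from the table above, as a user would paste it.
SAMPLE_SEARCH_CONDITION = """{
    "templateContext": "MALOP",
    "queryPath": [
        {
            "requestedType": "MalopProcess",
            "filters": [
                {"facetName": "hasRansomwareSuspendedProcesses",
                 "values": [false], "filterType": "Equals"}
            ],
            "result": true
        }
    ]
}"""


def to_epoch_ms(text):
    """Parse the UTC 'YYYY-MM-DD HH:MM' form used in the Example column."""
    dt = datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
    return int(dt.timestamp() * 1000)


def build_query(search_condition, start_time, end_time=None, top=100,
                query_time_type="Malop Last Update Time", tolerance_minutes=0):
    """Return the effective query body assembled from the Fetch Incident inputs."""
    if not 1 <= top <= 1000:
        raise ValueError("Top Recent Incident Number must be between 1 and 1,000")
    if query_time_type not in TIME_FACETS:
        raise ValueError(f"unknown Query Time Type {query_time_type!r}")
    query = json.loads(search_condition)  # malformed input fails here (the 400 case)
    if not isinstance(query, dict) or not isinstance(query.get("queryPath"), list):
        raise ValueError("Search Condition must be a query object with a queryPath array")
    # Whatever the user put in totalResultLimit is overwritten, as the Note says.
    query["totalResultLimit"] = top
    # Window is {Start Time - Tolerance Scope, End Time}, in epoch milliseconds.
    # ASSUMPTION: an omitted End Time is treated as "now"; the page does not say.
    start_ms = to_epoch_ms(start_time) - tolerance_minutes * 60 * 1000
    end_ms = (to_epoch_ms(end_time) if end_time
              else int(datetime.now(timezone.utc).timestamp() * 1000))
    if start_ms >= end_ms:
        raise ValueError("Start Time must be earlier than End Time")
    # ASSUMPTION: the page does not show the time filter the integration appends;
    # a Between filter with [start, end] epoch-ms values on the chosen facet is used here.
    for step in query["queryPath"]:
        if step.get("requestedType") == "MalopProcess":
            step.setdefault("filters", []).append({
                "facetName": TIME_FACETS[query_time_type],
                "filterType": "Between",
                "values": [start_ms, end_ms],
            })
    return query
```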

Output

Raw Data

The primary response data from the API request.

To align the JSON format with D3 SOAR event field mapping, D3 customizes the Raw Data by removing the key names under $.data.resultIdToElementDataMap in the API-returned JSON, so that the map becomes an array of result objects.

For developers' information, the hierarchy of the original Cybereason API response looks like this:

{
    "data": {
        "resultIdToElementDataMap": {
            "11.-***": {
                "simpleValues": {......

SAMPLE DATA

CODE
{
    "data": {
        "resultIdToElementDataMap": [
            {
                "simpleValues": {
                    "hasRansomwareSuspendedProcesses": {
                        "totalValues": 1,
                        "values": [
                            "true"
                        ]
                    },
                    "decisionFeature": {
                        "totalValues": 1,
                        "values": [
                            "Process.maliciousShadowCopyDeletion(Malop decision)"
                        ]
                    },
                    "detectionType": {
                        "totalValues": 1,
                        "values": [
                            "RANSOMWARE"
                        ]
                    },
                    "malopActivityTypes": {
                        "totalValues": 1,
                        "values": [
                            "RANSOMWARE"
                        ]
                    },
                    "elementDisplayName": {
                        "totalValues": 1,
                        "values": [
                            "RANSOMWARE"
                        ]
                    },
                    "creationTime": {
                        "totalValues": 1,
                        "values": [
                            "***"
                        ]
                    },
                    "iconBase64": {
                        "totalValues": 1,
                        "values": [
                            "***"
                        ]
                    },
                    "isBlocked": {
                        "totalValues": 1,
                        "values": [
                            "false"
                        ]
                    },
                    "rootCauseElementTypes": {
                        "totalValues": 1,
                        "values": [
                            "Process"
                        ]
                    },
                    "malopStartTime": {
                        "totalValues": 1,
                        "values": [
                            "***"
                        ]
                    },
                    "rootCauseElementNames": {
                        "totalValues": 1,
                        "values": [
                            "python.exe"
                        ]
                    },
                    "malopLastUpdateTime": {
                        "totalValues": 1,
                        "values": [
                            "***"
                        ]
                    },
                    "allRansomwareProcessesSuspended": {
                        "totalValues": 1,
                        "values": [
                            "true"
                        ]
                    },
                    "rootCauseElementHashes": {
                        "totalValues": 1,
                        "values": [
                            "***"
                        ]
                    },
                    "managementStatus": {
                        "totalValues": 1,
                        "values": [
                            "OPEN"
                        ]
                    },
                    "closeTime": {
                        "totalValues": 1,
                        "values": [
                            null
                        ]
                    },
                    "closerName": {
                        "totalValues": 1,
                        "values": [
                            null
                        ]
                    },
                    "customClassification": {
                        "totalValues": 1,
                        "values": [
                            "None"
                        ]
                    },
                    "comments": {
                        "totalValues": 8,
                        "values": [
                            {
                                "commentId": "***-***-***-***-***",
                                "username": "***",
                                "message": "Resilient ID: ***",
                                "timestamp": 1631094322975
                            },
                            {
                                "commentId": "***",
                                "username": "***",
                                "message": "Resilient ID: ***",
                                "timestamp": 1631176153777
                            }
                        ]
                    }
                },
                "elementValues": {
                    "primaryRootCauseElements": {
                        "totalValues": 1,
                        "elementValues": [
                            {
                                "elementType": "Process",
                                "guid": "***",
                                "name": "python.exe",
                                "hasSuspicions": true,
                                "hasMalops": true
                            }
                        ],
                        "totalSuspicious": 1,
                        "totalMalicious": 1,
                        "guessedTotal": 0
                    },
                    "affectedUsers": {
                        "totalValues": 1,
                        "elementValues": [
                            {
                                "elementType": "User",
                                "guid": "0.-***",
                                "name": "***\\***",
                                "hasSuspicions": false,
                                "hasMalops": false
                            }
                        ],
                        "totalSuspicious": 0,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    },
                    "affectedMachines": {
                        "totalValues": 1,
                        "elementValues": [
                            {
                                "elementType": "Machine",
                                "guid": "***",
                                "name": "***",
                                "hasSuspicions": false,
                                "hasMalops": false
                            }
                        ],
                        "totalSuspicious": 0,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    }
                },
                "suspicions": null,
                "filterData": {
                    "sortInGroupValue": "11.-***",
                    "groupByValue": "MalopProcessRuntime:11.-***"
                },
                "isMalicious": false,
                "suspicionCount": 0,
                "guidString": "11.-***",
                "labelsIds": [],
                "malopPriority": null,
                "suspect": false,
                "malicious": false
            }
        ],
        "suspicionsMap": {},
        "evidenceMap": {},
        "totalPossibleResults": 1,
        "guessedPossibleResults": 0,
        "queryLimits": {
            "totalResultLimit": 1000,
            "perGroupLimit": 10,
            "perFeatureLimit": 10,
            "groupingFeature": {
                "elementInstanceType": "MalopProcess",
                "featureName": "self"
            },
            "sortInGroupFeature": null
        },
        "queryTerminated": false,
        "pathResultCounts": [
            {
                "featureDescriptor": {
                    "elementInstanceType": "MalopProcess",
                    "featureName": null
                },
                "count": 1
            }
        ],
        "guids": []
    },
    "status": "SUCCESS",
    "hidePartialSuccess": false,
    "message": "",
    "expectedResults": 1,
    "failures": 0
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "MalopIDs": [
        "***",
        "***",
        "***"
    ]
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Incident Field Mapping

For this integration, the default incident fields in D3 SOAR are fixed with no built-in source fields. Users can specify the source fields as needed.

Event and Incident Intake Field Mapping

Please note that incident and event intake commands require both Event Field and Incident Field Mapping. These field mappings are the default event/incident field mappings for D3 system integrations. You can edit the provided mappings or create custom mappings as needed. Please refer to Event and Incident Intake Field Mapping for more details.

Incident Main JSON Path: $.data.resultIdToElementDataMap

A JSON path expression begins with $, representing the root element. The path is formed by appending a sequence of child elements to $, each separated by a dot (.). This format is known as the dot notation. Square brackets with nested quotation marks ([‘...’]), known as the bracket notation, should be used to separate child elements in JSON arrays.

For example, the root node of a JSON Path is data.resultIdToElementDataMap. The child node denoting the Title field would be guidString. Putting it together, the JSON Path expression to extract Title is $.data.resultIdToElementDataMap.guidString.

Field Name | Source Field
Title | User to define
Description | User to define
Severity | User to define, default is “Low”
Incident Type * | User to define, default is the first Incident form in D3 SOAR system
Incident Creator | User to define
Incident Owner | User to define
Incident Playbook | User to define
Due In Date | User to define
Unique Key | User to define
Tactics | User to define
Techniques | User to define

Event Field Mapping

Main Event JSON Path

  • $.data.resultIdToElementDataMap

The event field mapping in Fetch Incident is the same as the one in the Fetch Event command.

Please refer to the Fetch Event command for details.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error | Description | Example
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Fetch Incident failed. An error occurred when calling the Fetch Incident operation.
Status Code | The response code issued by the third-party API server or the D3 SOAR system, used to locate the corresponding error category. For example, a 401 status code means the selected connection is not authorized to run the command; the user or system support would need to check the permission settings in the Cybereason portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400.
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: 'searchCondition' is not valid JSON input.

Error Sample Data

Fetch Incident failed. An error occurred when calling the Fetch Incident operation.

Status Code: 400.

Message: 'searchCondition' is not valid JSON input

Get Malop Labels

Returns a list of all Malop labels.

Input

N/A

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
[
    {
        "id": 1,
        "labelText": "Custom:SIVA",
        "totalCount": 3,
        "selectionCount": 0
    },
    {
        "id": 2,
        "labelText": "Location:test",
        "totalCount": 10,
        "selectionCount": 0
    },
    {
        "id": 3,
        "labelText": "Department:test",
        "totalCount": 8,
        "selectionCount": 0
    },
    {
        "id": 4,
        "labelText": "Custom:ps",
        "totalCount": 6,
        "selectionCount": 0
    },
    {
        "id": 6,
        "labelText": "Triaged",
        "totalCount": 5,
        "selectionCount": 0
    },
    {
        "id": 9,
        "labelText": "1",
        "totalCount": 1,
        "selectionCount": 0
    },
    {
        "id": 10,
        "labelText": "new_label",
        "totalCount": 1,
        "selectionCount": 0
    },
    {
        "id": 11,
        "labelText": "new_label2",
        "totalCount": 1,
        "selectionCount": 0
    },
    {
        "id": 12,
        "labelText": "new_label3",
        "totalCount": 1,
        "selectionCount": 0
    },
    {
        "id": 13,
        "labelText": "newlabeltest",
        "totalCount": 0,
        "selectionCount": 0
    },
    {
        "id": 14,
        "labelText": "newlabel",
        "totalCount": 0,
        "selectionCount": 0
    },
    {
        "id": 15,
        "labelText": "testingagain",
        "totalCount": 2,
        "selectionCount": 0
    },
    {
        "id": 16,
        "labelText": "SPTestingOne",
        "totalCount": 1,
        "selectionCount": 0
    },
    {
        "id": 17,
        "labelText": "Cyber2",
        "totalCount": 0,
        "selectionCount": 0
    },
    {
        "id": 20,
        "labelText": "CyberSecurity22",
        "totalCount": 0,
        "selectionCount": 0
    },
    {
        "id": 21,
        "labelText": "CyberSecurity11122",
        "totalCount": 0,
        "selectionCount": 0
    },
    {
        "id": 23,
        "labelText": "w31242",
        "totalCount": 0,
        "selectionCount": 0
    },
    {
        "id": 24,
        "labelText": "CyberSecurity",
        "totalCount": 0,
        "selectionCount": 0
    },
    {
        "id": 25,
        "labelText": "test123",
        "totalCount": 1,
        "selectionCount": 0
    },
    {
        "id": 26,
        "labelText": "test100",
        "totalCount": 0,
        "selectionCount": 0
    },
    {
        "id": 27,
        "labelText": "Timmytest3",
        "totalCount": 0,
        "selectionCount": 0
    },
    {
        "id": 28,
        "labelText": "in progress",
        "totalCount": 0,
        "selectionCount": 0
    },
    {
        "id": 30,
        "labelText": "low",
        "totalCount": 0,
        "selectionCount": 0
    },
    {
        "id": 31,
        "labelText": "D3Event",
        "totalCount": 1,
        "selectionCount": 0
    },
    {
        "id": 32,
        "labelText": "RedScan COPs",
        "totalCount": 0,
        "selectionCount": 0
    },
    {
        "id": 33,
        "labelText": "ck",
        "totalCount": 1,
        "selectionCount": 0
    },
    {
        "id": 35,
        "labelText": "Some new label",
        "totalCount": 1,
        "selectionCount": 0
    },
    {
        "id": 36,
        "labelText": "it",
        "totalCount": 0,
        "selectionCount": 0
    },
    {
        "id": 37,
        "labelText": "Critical",
        "totalCount": 1,
        "selectionCount": 0
    },
    {
        "id": 38,
        "labelText": "PRSQ",
        "totalCount": 2,
        "selectionCount": 0
    },
    {
        "id": 39,
        "labelText": "SomeData PRSQ",
        "totalCount": 0,
        "selectionCount": 0
    },
    {
        "id": 40,
        "labelText": "SomeText PQRSAD",
        "totalCount": 1,
        "selectionCount": 0
    },
    {
        "id": 41,
        "labelText": "reqdata.split('",
        "totalCount": 1,
        "selectionCount": 0
    },
    {
        "id": 42,
        "labelText": "SomeTagValue",
        "totalCount": 1,
        "selectionCount": 0
    },
    {
        "id": 43,
        "labelText": "Something_ASDF",
        "totalCount": 1,
        "selectionCount": 0
    },
    {
        "id": 44,
        "labelText": "Something_ASDFC",
        "totalCount": 1,
        "selectionCount": 0
    },
    {
        "id": 45,
        "labelText": "bbbbbb",
        "totalCount": 1,
        "selectionCount": 0
    },
    {
        "id": 46,
        "labelText": "chandan",
        "totalCount": 1,
        "selectionCount": 0
    },
    {
        "id": 47,
        "labelText": "Johns_Mac",
        "totalCount": 1,
        "selectionCount": 0
    },
    {
        "id": 48,
        "labelText": "Custom Artifact",
        "totalCount": 1,
        "selectionCount": 0
    },
    {
        "id": 49,
        "labelText": "Galway",
        "totalCount": 1,
        "selectionCount": 0
    },
    {
        "id": 50,
        "labelText": "IT",
        "totalCount": 1,
        "selectionCount": 0
    },
    {
        "id": 51,
        "labelText": "mac,laptop,ip",
        "totalCount": 1,
        "selectionCount": 0
    },
    {
        "id": 52,
        "labelText": "5500",
        "totalCount": 1,
        "selectionCount": 0
    },
    {
        "id": 55,
        "labelText": "Spear Phishing label3",
        "totalCount": 0,
        "selectionCount": 0
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "LabelIDs": [
        1,
        2,
        3
    ],
    "LabelTexts": [
        "Custom:SIVA",
        "Location:test",
        "Department:test"
    ]
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| ID | LABELTEXT | TOTALCOUNT | SELECTIONCOUNT |
|---|---|---|---|
| 1 | Custom:SIVA | 3 | 0 |
| 2 | Location:test | 10 | 0 |
| 3 | Department:test | 8 | 0 |
| 4 | Custom:ps | 6 | 0 |
| 6 | Triaged | 5 | 0 |
| 9 | 1 | 1 | 0 |
| 10 | new_label | 1 | 0 |
| 11 | new_label2 | 1 | 0 |
| 12 | new_label3 | 1 | 0 |
| 13 | newlabeltest | 0 | 0 |
| 14 | newlabel | 0 | 0 |
| 15 | testingagain | 2 | 0 |
| 16 | SPTestingOne | 1 | 0 |
| 17 | Cyber2 | 0 | 0 |
| 20 | CyberSecurity22 | 0 | 0 |
| 21 | CyberSecurity11122 | 0 | 0 |
| 23 | w31242 | 0 | 0 |
| 24 | CyberSecurity | 0 | 0 |
| 25 | test123 | 1 | 0 |
| 26 | test100 | 0 | 0 |
| 27 | Timmytest3 | 0 | 0 |
| 28 | in progress | 0 | 0 |
| 30 | low | 0 | 0 |
| 31 | D3Event | 1 | 0 |
| 32 | RedScan COPs | 0 | 0 |
| 33 | ck | 1 | 0 |
| 35 | Some new label | 1 | 0 |
| 36 | it | 0 | 0 |
| 37 | Critical | 1 | 0 |
| 38 | PRSQ | 2 | 0 |
| 39 | SomeData PRSQ | 0 | 0 |
| 40 | SomeText PQRSAD | 1 | 0 |
| 41 | reqdata.split(' | 1 | 0 |
| 42 | SomeTagValue | 1 | 0 |
| 43 | Something_ASDF | 1 | 0 |
| 44 | Something_ASDFC | 1 | 0 |
| 45 | bbbbbb | 1 | 0 |
| 46 | chandan | 1 | 0 |
| 47 | Johns_Mac | 1 | 0 |
| 48 | Custom Artifact | 1 | 0 |
| 49 | Galway | 1 | 0 |
| 50 | IT | 1 | 0 |
| 51 | mac,laptop,ip | 1 | 0 |
| 52 | 5500 | 1 | 0 |
| 55 | Spear Phishing label3 | 0 | 0 |

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. These help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Malop Labels failed. An error occurred when calling the Get Malop Labels operation. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system, used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command, and the user or system support would need to check the permission settings in the Cybereason portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Please ensure username and password are correct. |

Error Sample Data

Get Malop Labels failed. An error occurred when calling the Get Malop Labels operation.

Status Code: 400.

Message: Please ensure username and password are correct.

Get Malop Remediation Details

Retrieves details about remediation actions performed on a particular Malop.

READER NOTE

Malop ID is an optional parameter to run this command.

  • Run the Get All Malops command to obtain Malop ID. Malop IDs can be found in the returned raw data at the path $.malop[*].guid.

If Malop ID is empty, a list of NOMALOP remediations will be returned.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Malop ID | Optional | The unique ID of the Malop for which to retrieve remediation details. Malop IDs can be obtained using the Get All Malops command. The default value of this parameter is NOMALOP. | 11.*** |

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
[
    {
        "malopId": null,
        "remediationId": "***-***-***-***-***",
        "start": 1637727306808,
        "end": 1637727308144,
        "initiatingUser": "test@example.com",
        "statusLog": [
            {
                "machineId": "-***",
                "targetId": "-***.-***",
                "status": "PENDING",
                "actionType": "QUARANTINE_FILE",
                "error": null,
                "timestamp": 1637727307398
            },
            {
                "machineId": "-***",
                "targetId": "-***.-***",
                "status": "IN_PROGRESS",
                "actionType": "QUARANTINE_FILE",
                "error": null,
                "timestamp": 1637727308014
            },
            {
                "machineId": "-***",
                "targetId": "-***.-***",
                "status": "FAILURE",
                "actionType": "QUARANTINE_FILE",
                "error": {
                    "message": "The probe access to the file was denied",
                    "errorType": "PROBE_ACCESS_IS_DENIED"
                },
                "timestamp": 1637727308118
            }
        ]
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "MachineIDs": [
        "-***"
    ],
    "TargetIDs": [
        "-***.-***"
    ],
    "ActionType": [
        "QUARANTINE_FILE"
    ],
    "statuses": [
        "IN_PROGRESS"
    ],
    "Timestamps": [
        1637727308014
    ]
}
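
The statusLog above is a history, and the Key Fields sample lists the IN_PROGRESS entry even though the same target ended in FAILURE, so a playbook that branches on Key Fields alone can miss a failed quarantine. The following is an added example (not D3 SOAR or Cybereason code) that reduces each remediation to the newest entry per target and buckets the results for a conditional task; the sample data is constructed after the Raw Data above, and the KILL_PROCESS and SUCCESS values in it are assumed Cybereason enum values, not taken from this page.

```python
"""Summarise Cybereason remediation status logs.

Added example, not D3 SOAR or Cybereason code. It consumes the Raw Data shape of
the Get Malop Remediation Details command: a list of remediations, each with a
statusLog history whose entries carry machineId, targetId, actionType, status,
error and an epoch-millisecond timestamp.
"""
from datetime import datetime, timezone

IN_FLIGHT = {"PENDING", "IN_PROGRESS"}

# Constructed sample modelled on the page's Raw Data; identifiers are placeholders.
# The second target (KILL_PROCESS ending in SUCCESS) is added to show a completed
# action; those two values are assumed Cybereason enum values, not taken from the page.
SAMPLE_REMEDIATIONS = [
    {
        "malopId": None,
        "remediationId": "REMEDIATION-ID-PLACEHOLDER",
        "start": 1637727306808,
        "end": 1637727308144,
        "initiatingUser": "test@example.com",
        "statusLog": [
            {"machineId": "-MACHINE-1", "targetId": "-MACHINE-1.-TARGET-A", "actionType": "QUARANTINE_FILE",
             "status": "PENDING", "error": None, "timestamp": 1637727307398},
            {"machineId": "-MACHINE-1", "targetId": "-MACHINE-1.-TARGET-A", "actionType": "QUARANTINE_FILE",
             "status": "IN_PROGRESS", "error": None, "timestamp": 1637727308014},
            {"machineId": "-MACHINE-1", "targetId": "-MACHINE-1.-TARGET-A", "actionType": "QUARANTINE_FILE",
             "status": "FAILURE", "timestamp": 1637727308118,
             "error": {"message": "The probe access to the file was denied",
                       "errorType": "PROBE_ACCESS_IS_DENIED"}},
            {"machineId": "-MACHINE-1", "targetId": "-MACHINE-1.-TARGET-B", "actionType": "KILL_PROCESS",
             "status": "PENDING", "error": None, "timestamp": 1637727307400},
            {"machineId": "-MACHINE-1", "targetId": "-MACHINE-1.-TARGET-B", "actionType": "KILL_PROCESS",
             "status": "SUCCESS", "error": None, "timestamp": 1637727308100},
        ],
    }
]


def latest_entry_per_target(remediations):
    """Map (remediationId, machineId, targetId, actionType) -> the newest statusLog entry.

    statusLog is a history, so a target appears once per state change. Only the
    entry with the greatest timestamp reflects where the action actually ended up,
    regardless of the order in which the entries were returned.
    """
    latest = {}
    for remediation in remediations:
        for entry in remediation.get("statusLog") or []:
            key = (remediation.get("remediationId"), entry["machineId"],
                   entry["targetId"], entry["actionType"])
            if key not in latest or entry["timestamp"] > latest[key]["timestamp"]:
                latest[key] = entry
    return latest


def summarise(remediations):
    """Bucket every target into failed / in_flight / completed for a playbook decision."""
    summary = {"failed": [], "in_flight": [], "completed": []}
    for (rem_id, machine_id, target_id, action), entry in latest_entry_per_target(remediations).items():
        record = {
            "remediationId": rem_id, "machineId": machine_id, "targetId": target_id,
            "actionType": action, "status": entry["status"],
            "when": datetime.fromtimestamp(entry["timestamp"] / 1000, tz=timezone.utc).isoformat(),
        }
        if entry["status"] == "FAILURE":
            error = entry.get("error") or {}   # error is null except on FAILURE entries
            record["errorType"] = error.get("errorType")
            record["errorMessage"] = error.get("message")
            summary["failed"].append(record)
        elif entry["status"] in IN_FLIGHT:
            summary["in_flight"].append(record)
        else:
            summary["completed"].append(record)
    return summary


def needs_follow_up(remediations):
    """True when any target failed or has not finished; a conditional task can branch on this."""
    summary = summarise(remediations)
    return bool(summary["failed"] or summary["in_flight"])


if __name__ == "__main__":
    import json
    print(json.dumps(summarise(SAMPLE_REMEDIATIONS), indent=2))
```
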
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| MALOPID | REMEDIATIONID | START | END | INITIATINGUSER | STATUSLOG |
|---|---|---|---|---|---|
| None | ***-***-***-***-*** | 1637727306808 | 1637727308144 | test@example.com | [{'machineId': '-***', 'targetId': '-***.-***', 'status': 'PENDING', 'actionType': 'QUARANTINE_FILE', 'error': None, 'timestamp': 1637727307398}, {'machineId': '-***', 'targetId': '-***.-**', 'status': 'IN_PROGRESS', 'actionType': 'QUARANTINE_FILE', 'error': None, 'timestamp': 1637727308014}, {'machineId': '-***', 'targetId': '-***.-***', 'status': 'FAILURE', 'actionType': 'QUARANTINE_FILE', 'error': {'message': 'The probe access to the file was denied', 'errorType': 'PROBE_ACCESS_IS_DENIED'}, 'timestamp': 1637727308118}] |

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. These help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Malop Remediation Details failed. An error occurred when calling the Get Malop Remediation Details operation. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system, used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command, and the user or system support would need to check the permission settings in the Cybereason portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Please check if the Malop IDs are correct. |

Error Sample Data

Get Malop Remediation Details failed. An error occurred when calling the Get Malop Remediation Details operation.

Status Code: 400.

Message: Please check if the Malop IDs are correct.

Get All Malops

Returns details about all Malops in your environment, including the last updated time, the detection engine, and the EDR detection type. This command returns all Auto Hunt Malops and Endpoint Protection Malops in your environment, including active, remediated, closed, and excluded Malops.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Start Time | Required | The start of the time range (in UTC) for which to retrieve Malops. | 2021-11-01 00:00 |
| End Time | Required | The end of the time range (in UTC) for which to retrieve Malops. | 2022-04-21 00:00 |

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
[
    {
        "simpleValues": {
            "hasRansomwareSuspendedProcesses": {
                "totalValues": 1,
                "values": [
                    "false"
                ]
            },
            "decisionFeatureSet": {
                "totalValues": 1,
                "values": [
                    "Process.lsassMemoryAccessMalop(Malop decision)"
                ]
            },
            "rootCauseElementCompanyProduct": {
                "totalValues": 1,
                "values": [
                    "***(Benjamin DELPY) : ***"
                ]
            },
            "decisionFeature": {
                "totalValues": 1,
                "values": [
                    "***(Malop decision)"
                ]
            },
            "detectionType": {
                "totalValues": 1,
                "values": [
                    "***"
                ]
            },
            "malopActivityTypes": {
                "totalValues": 2,
                "values": [
                    "***",
                    "***"
                ]
            },
            "creationTime": {
                "totalValues": 1,
                "values": [
                    "***"
                ]
            },
            "iconBase64": {
                "totalValues": 1,
                "values": [
                    "***"
                ]
            },
            "isBlocked": {
                "totalValues": 1,
                "values": [
                    "false"
                ]
            },
            "rootCauseElementTypes": {
                "totalValues": 1,
                "values": [
                    "Process"
                ]
            },
            "malopStartTime": {
                "totalValues": 1,
                "values": [
                    "***"
                ]
            },
            "rootCauseElementNames": {
                "totalValues": 1,
                "values": [
                    "**.exe"
                ]
            },
            "malopLastUpdateTime": {
                "totalValues": 1,
                "values": [
                    "***"
                ]
            },
            "allRansomwareProcessesSuspended": {
                "totalValues": 1,
                "values": [
                    "false"
                ]
            },
            "rootCauseElementHashes": {
                "totalValues": 3,
                "values": [
                    "***",
                    "**",
                    "***"
                ]
            },
            "managementStatus": {
                "totalValues": 1,
                "values": [
                    "OPEN"
                ]
            },
            "closeTime": {
                "totalValues": 1,
                "values": [
                    null
                ]
            },
            "closerName": {
                "totalValues": 1,
                "values": [
                    null
                ]
            },
            "customClassification": {
                "totalValues": 1,
                "values": [
                    "None"
                ]
            },
            "comments": {
                "totalValues": 27,
                "values": [
                    {
                        "commentId": "***-***-***-***-***",
                        "username": "***",
                        "message": "ServiceNow Ticket ID: ***",
                        "timestamp": 1596071451123
                    },
                    {
                        "commentId": "***-***-***-***-***",
                        "username": "***",
                        "message": "Testing Delta CEF",
                        "timestamp": 1596104524811
                    },
                    {
                        "commentId": "d0872f30-0835-4c8f-96bb-2c9aa9d03e94",
                        "username": "parag@metronlabs.io",
                        "message": "Testing for delta CEF",
                        "timestamp": 1596106115403
                    }
                ]
            }
        },
        "elementValues": {
            "suspects": {
                "totalValues": 4,
                "elementValues": [
                    {
                        "elementType": "Process",
                        "guid": "-***",
                        "name": "**.exe",
                        "hasSuspicions": true,
                        "hasMalops": true
                    },
                    {
                        "elementType": "Process",
                        "guid": "-***.-***",
                        "name": "***.exe",
                        "hasSuspicions": true,
                        "hasMalops": true
                    },
                    {
                        "elementType": "Process",
                        "guid": "***",
                        "name": "**.exe",
                        "hasSuspicions": true,
                        "hasMalops": true
                    }
                ],
                "totalSuspicious": 4,
                "totalMalicious": 4,
                "guessedTotal": 0
            },
            "filesToRemediate": {
                "totalValues": 4,
                "elementValues": [
                    {
                        "elementType": "File",
                        "guid": "-**.-***",
                        "name": "**.exe",
                        "hasSuspicions": true,
                        "hasMalops": false
                    },
                    {
                        "elementType": "File",
                        "guid": "-***",
                        "name": "***.exe",
                        "hasSuspicions": true,
                        "hasMalops": false
                    },
                    {
                        "elementType": "File",
                        "guid": "**",
                        "name": "***.exe",
                        "hasSuspicions": true,
                        "hasMalops": false
                    }
                ],
                "totalSuspicious": 4,
                "totalMalicious": 0,
                "guessedTotal": 0
            },
            "primaryRootCauseElements": {
                "totalValues": 1,
                "elementValues": [
                    {
                        "elementType": "Process",
                        "guid": "***",
                        "name": "mimikatz.exe",
                        "hasSuspicions": true,
                        "hasMalops": true
                    }
                ],
                "totalSuspicious": 1,
                "totalMalicious": 1,
                "guessedTotal": 0
            },
            "affectedUsers": {
                "totalValues": 3,
                "elementValues": [
                    {
                        "elementType": "User",
                        "guid": "***",
                        "name": "**\\**",
                        "hasSuspicions": false,
                        "hasMalops": false
                    },
                    {
                        "elementType": "User",
                        "guid": "**",
                        "name": "***\\system",
                        "hasSuspicions": false,
                        "hasMalops": false
                    },
                    {
                        "elementType": "User",
                        "guid": "0.-***",
                        "name": "***\\system",
                        "hasSuspicions": false,
                        "hasMalops": false
                    }
                ],
                "totalSuspicious": 0,
                "totalMalicious": 0,
                "guessedTotal": 0
            },
            "rootCauseElements": {
                "totalValues": 4,
                "elementValues": [
                    {
                        "elementType": "Process",
                        "guid": "-***",
                        "name": "**.exe",
                        "hasSuspicions": true,
                        "hasMalops": true
                    },
                    {
                        "elementType": "Process",
                        "guid": "-*.-**",
                        "name": "**.exe",
                        "hasSuspicions": true,
                        "hasMalops": true
                    },
                    {
                        "elementType": "Process",
                        "guid": "**",
                        "name": "mimikatz.exe",
                        "hasSuspicions": true,
                        "hasMalops": true
                    }
                ],
                "totalSuspicious": 4,
                "totalMalicious": 4,
                "guessedTotal": 0
            },
            "affectedMachines": {
                "totalValues": 3,
                "elementValues": [
                    {
                        "elementType": "Machine",
                        "guid": "-**",
                        "name": "c**",
                        "hasSuspicions": false,
                        "hasMalops": false
                    },
                    {
                        "elementType": "Machine",
                        "guid": "-**",
                        "name": "**",
                        "hasSuspicions": false,
                        "hasMalops": false
                    },
                    {
                        "elementType": "Machine",
                        "guid": "*",
                        "name": "***-***-***-***-***",
                        "hasSuspicions": false,
                        "hasMalops": false
                    }
                ],
                "totalSuspicious": 0,
                "totalMalicious": 0,
                "guessedTotal": 0
            }
        },
        "suspicions": {},
        "filterData": {
            "sortInGroupValue": "**",
            "groupByValue": "MalopProcessRuntime:**"
        },
        "isMalicious": false,
        "suspicionCount": 0,
        "guidString": "**",
        "labelsIds": [
            31
        ],
        "malopPriority": null,
        "suspect": false,
        "malicious": false
    },
    {
        "simpleValues": {
            "hasRansomwareSuspendedProcesses": {
                "totalValues": 1,
                "values": [
                    "false"
                ]
            },
            "decisionFeatureSet": {
                "totalValues": 1,
                "values": [
                    "Process.*(Malop decision)"
                ]
            },
            "decisionFeature": {
                "totalValues": 1,
                "values": [
                    "Process.*(Malop decision)"
                ]
            },
            "detectionType": {
                "totalValues": 1,
                "values": [
                    "BLACKLIST"
                ]
            },
            "malopActivityTypes": {
                "totalValues": 1,
                "values": [
                    "MALICIOUS_INFECTION"
                ]
            },
            "creationTime": {
                "totalValues": 1,
                "values": [
                    "*"
                ]
            },
            "isBlocked": {
                "totalValues": 1,
                "values": [
                    "false"
                ]
            },
            "rootCauseElementTypes": {
                "totalValues": 1,
                "values": [
                    "Module"
                ]
            },
            "malopStartTime": {
                "totalValues": 1,
                "values": [
                    "1618938548004"
                ]
            },
            "rootCauseElementNames": {
                "totalValues": 1,
                "values": [
                    "1894337963.axp (prevented)"
                ]
            },
            "malopLastUpdateTime": {
                "totalValues": 1,
                "values": [
                    "1626081082083"
                ]
            },
            "allRansomwareProcessesSuspended": {
                "totalValues": 1,
                "values": [
                    "false"
                ]
            },
            "rootCauseElementHashes": {
                "totalValues": 1,
                "values": [
                    "**"
                ]
            },
            "managementStatus": {
                "totalValues": 1,
                "values": [
                    "OPEN"
                ]
            },
            "closeTime": {
                "totalValues": 1,
                "values": [
                    null
                ]
            },
            "closerName": {
                "totalValues": 1,
                "values": [
                    null
                ]
            },
            "customClassification": {
                "totalValues": 1,
                "values": [
                    "None"
                ]
            },
            "comments": {
                "totalValues": 5,
                "values": [
                    {
                        "commentId": "***-***-***-***-***",
                        "username": "***",
                        "message": "Resilient ID: ***",
                        "timestamp": 1626082560770
                    },
                    {
                        "commentId": "***-***-***-***-***",
                        "username": "***",
                        "message": "Resilient ID: ***",
                        "timestamp": 1626089293599
                    }
                ]
            }
        },
        "elementValues": {
            "suspects": {
                "totalValues": 1,
                "elementValues": [
                    {
                        "elementType": "Process",
                        "guid": "***",
                        "name": "wmiprvse.exe",
                        "hasSuspicions": true,
                        "hasMalops": true
                    }
                ],
                "totalSuspicious": 1,
                "totalMalicious": 1,
                "guessedTotal": 0
            },
            "filesToRemediate": {
                "totalValues": 0,
                "elementValues": null,
                "totalSuspicious": 0,
                "totalMalicious": 0,
                "guessedTotal": 0
            },
            "primaryRootCauseElements": {
                "totalValues": 1,
                "elementValues": [
                    {
                        "elementType": "Module",
                        "guid": "***",
                        "name": "***.axp (prevented)",
                        "hasSuspicions": true,
                        "hasMalops": false
                    }
                ],
                "totalSuspicious": 1,
                "totalMalicious": 0,
                "guessedTotal": 0
            },
            "affectedUsers": {
                "totalValues": 1,
                "elementValues": [
                    {
                        "elementType": "User",
                        "guid": "0.-***",
                        "name": "***\\network service",
                        "hasSuspicions": false,
                        "hasMalops": false
                    }
                ],
                "totalSuspicious": 0,
                "totalMalicious": 0,
                "guessedTotal": 0
            },
            "rootCauseElements": {
                "totalValues": 1,
                "elementValues": [
                    {
                        "elementType": "Module",
                        "guid": "**",
                        "name": "**.axp (prevented)",
                        "hasSuspicions": true,
                        "hasMalops": false
                    }
                ],
                "totalSuspicious": 1,
                "totalMalicious": 0,
                "guessedTotal": 0
            },
            "affectedMachines": {
                "totalValues": 1,
                "elementValues": [
                    {
                        "elementType": "Machine",
                        "guid": "**",
                        "name": "**",
                        "hasSuspicions": false,
                        "hasMalops": false
                    }
                ],
                "totalSuspicious": 0,
                "totalMalicious": 0,
                "guessedTotal": 0
            }
        },
        "suspicions": {},
        "filterData": {
            "sortInGroupValue": "**",
            "groupByValue": "MalopProcessRuntime:**"
        },
        "isMalicious": false,
        "suspicionCount": 0,
        "guidString": "**",
        "labelsIds": [],
        "malopPriority": null,
        "suspect": false,
        "malicious": false
    },
    {
        "simpleValues": {
            "hasRansomwareSuspendedProcesses": {
                "totalValues": 1,
                "values": [
                    "false"
                ]
            },
            "decisionFeatureSet": {
                "totalValues": 1,
                "values": [
                    "Process.blackListedFileHash(Malop decision)"
                ]
            },
            "decisionFeature": {
                "totalValues": 1,
                "values": [
                    "Process.blackListedFileHash(Malop decision)"
                ]
            },
            "detectionType": {
                "totalValues": 1,
                "values": [
                    "BLACKLIST"
                ]
            },
            "malopActivityTypes": {
                "totalValues": 1,
                "values": [
                    "MALICIOUS_INFECTION"
                ]
            },
            "creationTime": {
                "totalValues": 1,
                "values": [
                    "**"
                ]
            },
            "isBlocked": {
                "totalValues": 1,
                "values": [
                    "true"
                ]
            },
            "rootCauseElementTypes": {
                "totalValues": 1,
                "values": [
                    "File"
                ]
            },
            "malopStartTime": {
                "totalValues": 1,
                "values": [
                    "***"
                ]
            },
            "rootCauseElementNames": {
                "totalValues": 1,
                "values": [
                    "**.bin"
                ]
            },
            "malopLastUpdateTime": {
                "totalValues": 1,
                "values": [
                    "**"
                ]
            },
            "allRansomwareProcessesSuspended": {
                "totalValues": 1,
                "values": [
                    "false"
                ]
            },
            "rootCauseElementHashes": {
                "totalValues": 1,
                "values": [
                    "**"
                ]
            },
            "managementStatus": {
                "totalValues": 1,
                "values": [
                    "UNREAD"
                ]
            },
            "closeTime": {
                "totalValues": 1,
                "values": [
                    null
                ]
            },
            "closerName": {
                "totalValues": 1,
                "values": [
                    null
                ]
            },
            "customClassification": {
                "totalValues": 1,
                "values": [
                    "None"
                ]
            },
            "comments": {
                "totalValues": 8,
                "values": [
                    {
                        "commentId": "***-***-***-***-***",
                        "username": "**o",
                        "message": "Resilient ID: **",
                        "timestamp": 1626083243567
                    }
                ]
            }
        },
        "elementValues": {
            "suspects": {
                "totalValues": 1,
                "elementValues": [
                    {
                        "elementType": "Process",
                        "guid": "**.-**",
                        "name": "**.bin",
                        "hasSuspicions": true,
                        "hasMalops": true
                    }
                ],
                "totalSuspicious": 1,
                "totalMalicious": 1,
                "guessedTotal": 0
            },
            "filesToRemediate": {
                "totalValues": 1,
                "elementValues": [
                    {
                        "elementType": "File",
                        "guid": "**",
                        "name": "**.bin",
                        "hasSuspicions": true,
                        "hasMalops": false
                    }
                ],
                "totalSuspicious": 1,
                "totalMalicious": 0,
                "guessedTotal": 0
            },
            "primaryRootCauseElements": {
                "totalValues": 1,
                "elementValues": [
                    {
                        "elementType": "File",
                        "guid": "**",
                        "name": "bdata.bin",
                        "hasSuspicions": true,
                        "hasMalops": false
                    }
                ],
                "totalSuspicious": 1,
                "totalMalicious": 0,
                "guessedTotal": 0
            },
            "affectedUsers": {
                "totalValues": 1,
                "elementValues": [
                    {
                        "elementType": "User",
                        "guid": "**",
                        "name": "***\\system",
                        "hasSuspicions": false,
                        "hasMalops": false
                    }
                ],
                "totalSuspicious": 0,
                "totalMalicious": 0,
                "guessedTotal": 0
            },
            "rootCauseElements": {
                "totalValues": 1,
                "elementValues": [
                    {
                        "elementType": "File",
                        "guid": "**",
                        "name": "**.bin",
                        "hasSuspicions": true,
                        "hasMalops": false
                    }
                ],
                "totalSuspicious": 1,
                "totalMalicious": 0,
                "guessedTotal": 0
            },
            "affectedMachines": {
                "totalValues": 1,
                "elementValues": [
                    {
                        "elementType": "Machine",
                        "guid": "**",
                        "name": "**",
                        "hasSuspicions": false,
                        "hasMalops": false
                    }
                ],
                "totalSuspicious": 0,
                "totalMalicious": 0,
                "guessedTotal": 0
            }
        },
        "suspicions": {},
        "filterData": {
            "sortInGroupValue": "**",
            "groupByValue": "MalopProcessRuntime:** "
        },
        "isMalicious": false,
        "suspicionCount": 0,
        "guidString": "**",
        "labelsIds": [],
        "malopPriority": null,
        "suspect": false,
        "malicious": false
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "MalopIDs": [
        "**"
    ]
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

SIMPLEVALUES

ELEMENTVALUES

SUSPICIONS

FILTERDATA

ISMALICIOUS

SUSPICIONCOUNT

GUIDSTRING

LABELSIDS

MALOPPRIORITY

SUSPECT

MALICIOUS

{}

{'sortInGroupValue': '11.983641244937078175', 'groupByValue': 'MalopProcessRuntime:***'}

False

0

**8

[***]

None

False

False

{}

{'sortInGroupValue': '***', 'groupByValue': 'MalopProcessRuntime:***'}

False

0

***

[]

None

False

False

{}

{'sortInGroupValue': '***', 'groupByValue': 'MalopProcessRuntime:***'}

False

0

***

[]

None

False

False

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get All Malops failed. An error occurred when calling the Get All Malops operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cybereason portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Please ensure username and password are correct.

Error Sample Data

Get All Malops failed. An error occurred when calling the Get All Malops operation.

Status Code: 400.

Message: Please ensure username and password are correct.

Get Remediation Progress

Gets the remediation progress statuses.

READER NOTE

The parameter Remediation IDs is required to run this command.

  • Run the Remediate command to obtain Remediation IDs. Remediation IDs can be found in the returned Raw Data at the path $.remediationId.

Malop ID is an optional parameter to run this command.

  • Run the Remediate command to obtain Malop ID. Malop IDs can be found in the returned Raw Data at the path $.malopId.

Please note that the Malop ID must match the Remediation IDs. Run the Remediate command and use the pair of values it returns together.

Input

Input Parameter

Required/Optional

Description

Example

Malop ID

Optional

The unique ID of the Malop whose remediation status to return. Malop IDs can be obtained using the Remediate command. The default value of this Malop ID is NOMALOP.

**

Remediation IDs

Required

The IDs of the remediations to query. Remediation IDs can be obtained using the Remediate command.

["***-***-***-***-***"]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
[
    {
        "malopId": "***",
        "remediationId": "***-***-***-***-***",
        "start": 1639534980103,
        "end": 1639534982330,
        "initiatingUser": "test@example.com",
        "statusLog": [
            {
                "machineId": "-***",
                "targetId": "-***.-***",
                "status": "PENDING",
                "actionType": "KILL_PROCESS",
                "error": null,
                "timestamp": 1639534981620
            },
            {
                "machineId": "-***",
                "targetId": "-**.-**",
                "status": "IN_PROGRESS",
                "actionType": "KILL_PROCESS",
                "error": null,
                "timestamp": 1639534982249
            },
            {
                "machineId": "-***",
                "targetId": "-***.-***",
                "status": "FAILURE",
                "actionType": "KILL_PROCESS",
                "error": {
                    "message": "The probe couldn't find the file",
                    "errorType": "PROBE_FILE_NOT_FOUND"
                },
                "timestamp": 1639534982293
            }
        ]
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "PENDING": [
        "***-***-***-***-***"
    ],
    "IN_PROGRESS": [
        "***-***-***-***-***"
    ],
    "FAILURE": [
        "***-***-***-***-***"
    ],
    "SUCCESS": [
        "***-***-***-***-***"
    ]
}
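As an added example (not D3 SOAR's or Cybereason's own code), the following Python works through a constructed response shaped like the Raw Data above. It assumes statusLog is an event log in which one target can appear several times as it moves PENDING, IN_PROGRESS, SUCCESS or FAILURE (the sample above shows exactly that progression), keeps only each target's newest entry, groups remediation IDs by that latest status, and separates remediations that still need polling from those that failed with an errorType such as PROBE_FILE_NOT_FOUND. All IDs in the sample are placeholders.

```python
"""Summarise a Cybereason "Get Remediation Progress" response.

Added example, not D3 SOAR's or Cybereason's own code. SAMPLE_RESPONSE is a
constructed input shaped like the Raw Data sample; every ID is a placeholder.
Assumption: statusLog is an event log, so only a target's newest entry
reflects its current state (the page's sample logs PENDING -> IN_PROGRESS ->
FAILURE for one target).
"""
import json
from collections import defaultdict

SAMPLE_RESPONSE = json.loads("""
[
  {
    "malopId": "MALOP-PLACEHOLDER", "remediationId": "rem-0001", "end": 1639534982330,
    "statusLog": [
      {"machineId": "m-1", "targetId": "m-1.p-10", "status": "PENDING", "actionType": "KILL_PROCESS", "error": null, "timestamp": 1639534981620},
      {"machineId": "m-1", "targetId": "m-1.p-10", "status": "IN_PROGRESS", "actionType": "KILL_PROCESS", "error": null, "timestamp": 1639534982249},
      {"machineId": "m-1", "targetId": "m-1.p-10", "status": "FAILURE", "actionType": "KILL_PROCESS",
       "error": {"message": "The probe couldn't find the file", "errorType": "PROBE_FILE_NOT_FOUND"}, "timestamp": 1639534982293}
    ]
  },
  {
    "malopId": "MALOP-PLACEHOLDER", "remediationId": "rem-0002", "end": 1639534991000,
    "statusLog": [
      {"machineId": "m-2", "targetId": "m-2.p-20", "status": "SUCCESS", "actionType": "KILL_PROCESS", "error": null, "timestamp": 1639534990500}
    ]
  },
  {
    "malopId": "NOMALOP", "remediationId": "rem-0003", "end": null,
    "statusLog": [
      {"machineId": "m-3", "targetId": "m-3.p-30", "status": "PENDING", "actionType": "KILL_PROCESS", "error": null, "timestamp": 1639535000100},
      {"machineId": "m-3", "targetId": "m-3.p-30", "status": "IN_PROGRESS", "actionType": "KILL_PROCESS", "error": null, "timestamp": 1639535000900}
    ]
  }
]
""")

TERMINAL_STATES = {"SUCCESS", "FAILURE"}


def latest_status_per_target(remediation):
    """Return {targetId: newest statusLog entry} for one remediation."""
    latest = {}
    for entry in remediation.get("statusLog", []):
        tid = entry["targetId"]
        if tid not in latest or entry["timestamp"] >= latest[tid]["timestamp"]:
            latest[tid] = entry
    return latest


def key_fields_by_latest_status(response):
    """Group remediation IDs by each target's latest status. The Key Fields
    sample on the page instead lists an ID under every status it ever logged."""
    grouped = defaultdict(set)
    for rem in response:
        for entry in latest_status_per_target(rem).values():
            grouped[entry["status"]].add(rem["remediationId"])
    return {status: sorted(ids) for status, ids in grouped.items()}


def summarize(response):
    """Per remediation: whether every target reached a terminal state, counts
    per latest status, and (targetId, actionType, errorType) for failures."""
    summary = {}
    for rem in response:
        latest = latest_status_per_target(rem)
        counts = defaultdict(int)
        failures = []
        for tid, entry in latest.items():
            counts[entry["status"]] += 1
            if entry["status"] == "FAILURE":
                error = entry.get("error") or {}   # error is null on non-failures
                failures.append((tid, entry["actionType"], error.get("errorType", "UNKNOWN")))
        summary[rem["remediationId"]] = {
            "malopId": rem.get("malopId"),
            # an empty statusLog is not "finished", it is unknown
            "finished": bool(latest) and all(e["status"] in TERMINAL_STATES for e in latest.values()),
            "counts": dict(counts),
            "failures": sorted(failures),
        }
    return summary


def next_actions(summary):
    """Split remediation IDs into those to poll again and those to escalate."""
    poll = sorted(rid for rid, s in summary.items() if not s["finished"])
    escalate = sorted(rid for rid, s in summary.items() if s["failures"])
    return poll, escalate


if __name__ == "__main__":
    report = summarize(SAMPLE_RESPONSE)
    print(json.dumps(report, indent=2), next_actions(report))
```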
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

MALOPID

REMEDIATIONID

START

END

INITIATINGUSER

STATUSLOG


***-***-***-***-***

1639534980103

1639534982330

test@example.com

[{'machineId': '-***', 'targetId': '-***.-***', 'status': 'PENDING', 'actionType': 'KILL_PROCESS', 'error': None, 'timestamp': 1639534981620}, {'machineId': '-***', 'targetId': '-***.-***', 'status': 'IN_PROGRESS', 'actionType': 'KILL_PROCESS', 'error': None, 'timestamp': 1639534982249}, {'machineId': '-**', 'targetId': '-***.-***', 'status': 'FAILURE', 'actionType': 'KILL_PROCESS', 'error': {'message': "The probe couldn't find the file", 'errorType': 'PROBE_FILE_NOT_FOUND'}, 'timestamp': 1639534982293}]

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Remediation Progress failed. An error occurred when calling the Get Remediation Progress operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cybereason portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Remediation IDs Not Found.

Error Sample Data

Get Remediation Progress failed. An error occurred when calling the Get Remediation Progress operation.

Status Code: 404.

Message: Remediation IDs Not Found.

Is Host Connected

Checks whether the specified machines are currently connected to the Cybereason server.

READER NOTE

The parameter Machine Names is required to run this command.

  • Run the Query Sensors command to obtain Machine Names. Machine Names can be found in the returned Raw Data at the path $.sensors[*].pylumId.

Input

Input Parameter

Required/Optional

Description

Example

Machine Names

Required

The names of the machines whose connection statuses to check. Machine names can be obtained using the Query Sensors command.

[ "machine1","machine2" ]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "totalResults": 2,
    "sensorsStatus": {
        "onlineCount": 1,
        "offlineCount": 0,
        "staleCount": 0,
        "archivedCount": 1,
        "turnedOnCount": 0,
        "turnedOffCount": 0,
        "suspendedCount": 0,
        "advancedCount": 1,
        "outdatedCount": 0,
        "serviceErrorCount": 0
    },
    "sensors": [
        {
            "sensorId": "**:**-***",
            "pylumId": "**-***",
            "guid": "-***",
            "fqdn": "***",
            "machineName": "***",
            "internalIpAddress": "1.1.1.1",
            "externalIpAddress": "3.3.3.3",
            "siteName": "Default",
            "siteId": 0,
            "ransomwareStatus": "DETECT_ONLY",
            "preventionStatus": "DISABLED",
            "isolated": false,
            "disconnectionTime": 1635268257665,
            "lastPylumInfoMsgUpdateTime": 1637374163880,
            "status": "Online",
            "serviceStatus": "Up",
            "onlineTimeMS": 0,
            "offlineTimeMS": 0,
            "staleTimeMS": 0,
            "archiveTimeMs": null,
            "statusTimeMS": 0,
            "lastStatusAction": "None",
            "archivedOrUnarchiveComment": "",
            "sensorArchivedByUser": "",
            "serverName": "***",
            "serverId": "***",
            "serverIp": "1.1.1.1",
            "privateServerIp": "1.1.1.1",
            "collectiveUuid": null,
            "osType": "WINDOWS",
            "osVersionType": "Windows_10",
            "collectionStatus": "ADVANCED",
            "version": "20.2.244.0",
            "consoleVersion": null,
            "firstSeenTime": 1588487423866,
            "upTime": 2036968690,
            "cpuUsage": 0.0166625,
            "memoryUsage": 83181568,
            "outdated": false,
            "amStatus": "**",
            "amModeOrigin": null,
            "avDbVersion": "86243",
            "avDbLastUpdateTime": 1637371508000,
            "powerShellStatus": "PS_DISABLED",
            "remoteShellStatus": "AC_ENABLED",
            "usbStatus": "DISABLED",
            "fwStatus": "DISABLED",
            "antiExploitStatus": "AE_DISABLED",
            "documentProtectionStatus": "DS_UNKNOWN",
            "documentProtectionMode": "DM_UNKNOWN",
            "organizationalUnit": "",
            "antiMalwareStatus": "AM_ENABLED",
            "antiMalwareModeOrigin": null,
            "organization": "integration",
            "proxyAddress": "",
            "preventionError": "",
            "exitReason": "STOP_REQUEST_FROM_PYLUM",
            "actionsInProgress": 0,
            "pendingActions": [],
            "lastUpgradeResult": "AlreadyUpdated",
            "department": null,
            "location": null,
            "criticalAsset": null,
            "deviceType": null,
            "customTags": null,
            "lastUpgradeSteps": [
                {
                    "name": "Started",
                    "startTime": 1633083148298
                },
                {
                    "name": "AlreadyUpdated",
                    "startTime": 1633083148299
                }
            ],
            "disconnected": false,
            "staticAnalysisDetectMode": "DISABLED",
            "staticAnalysisDetectModeOrigin": null,
            "staticAnalysisPreventMode": "DISABLED",
            "staticAnalysisPreventModeOrigin": null,
            "collectionComponents": [
                "Metadata"
            ],
            "sensorLastUpdate": 0,
            "fullScanStatus": "IDLE",
            "quickScanStatus": "IDLE",
            "lastFullScheduleScanSuccessTime": 0,
            "lastQuickScheduleScanSuccessTime": 1592877946000,
            "policyName": "Ransomware",
            "deliveryTime": 1636295271153,
            "policyId": "***-***-***-***-***",
            "compliance": true,
            "groupId": null,
            "groupName": "Group2"
        }
    ],
    "hasMoreResults": false
}
Context Data

The data extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path $.sensors in API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
   {
            "sensorId": "**:**-***",
            "pylumId": "**-***",
            "guid": "-***",
            "fqdn": "***",
            "machineName": "***",
            "internalIpAddress": "1.1.1.1",
            "externalIpAddress": "3.3.3.3",
            "siteName": "Default",
            "siteId": 0,
            "ransomwareStatus": "DETECT_ONLY",
            "preventionStatus": "DISABLED",
            "isolated": false,
            "disconnectionTime": 1635268257665,
            "lastPylumInfoMsgUpdateTime": 1637374163880,
            "status": "Online",
            "serviceStatus": "Up",
            "onlineTimeMS": 0,
            "offlineTimeMS": 0,
            "staleTimeMS": 0,
            "archiveTimeMs": null,
            "statusTimeMS": 0,
            "lastStatusAction": "None",
            "archivedOrUnarchiveComment": "",
            "sensorArchivedByUser": "",
            "serverName": "***",
            "serverId": "***",
            "serverIp": "1.1.1.1",
            "privateServerIp": "1.1.1.1",
            "collectiveUuid": null,
            "osType": "WINDOWS",
            "osVersionType": "Windows_10",
            "collectionStatus": "ADVANCED",
            "version": "20.2.244.0",
            "consoleVersion": null,
            "firstSeenTime": 1588487423866,
            "upTime": 2036968690,
            "cpuUsage": 0.0166625,
            "memoryUsage": 83181568,
            "outdated": false,
            "amStatus": "**",
            "amModeOrigin": null,
            "avDbVersion": "86243",
            "avDbLastUpdateTime": 1637371508000,
            "powerShellStatus": "PS_DISABLED",
            "remoteShellStatus": "AC_ENABLED",
            "usbStatus": "DISABLED",
            "fwStatus": "DISABLED",
            "antiExploitStatus": "AE_DISABLED",
            "documentProtectionStatus": "DS_UNKNOWN",
            "documentProtectionMode": "DM_UNKNOWN",
            "organizationalUnit": "",
            "antiMalwareStatus": "AM_ENABLED",
            "antiMalwareModeOrigin": null,
            "organization": "integration",
            "proxyAddress": "",
            "preventionError": "",
            "exitReason": "STOP_REQUEST_FROM_PYLUM",
            "actionsInProgress": 0,
            "pendingActions": [],
            "lastUpgradeResult": "AlreadyUpdated",
            "department": null,
            "location": null,
            "criticalAsset": null,
            "deviceType": null,
            "customTags": null,
            "lastUpgradeSteps": [
                {
                    "name": "Started",
                    "startTime": 1633083148298
                },
                {
                    "name": "AlreadyUpdated",
                    "startTime": 1633083148299
                }
            ],
            "disconnected": false,
            "staticAnalysisDetectMode": "DISABLED",
            "staticAnalysisDetectModeOrigin": null,
            "staticAnalysisPreventMode": "DISABLED",
            "staticAnalysisPreventModeOrigin": null,
            "collectionComponents": [
                "Metadata"
            ],
            "sensorLastUpdate": 0,
            "fullScanStatus": "IDLE",
            "quickScanStatus": "IDLE",
            "lastFullScheduleScanSuccessTime": 0,
            "lastQuickScheduleScanSuccessTime": 1592877946000,
            "policyName": "Ransomware",
            "deliveryTime": 1636295271153,
            "policyId": "***-***-***-***-***",
            "compliance": true,
            "groupId": null,
            "groupName": "Group2"
        }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "SensorIDs": [
        "***",
        "***"
    ],
    "GUIDs": [
        "-**",
        "-***"
    ],
    "MachineNames": [
        "***",
        "***"
    ],
    "InternalIpAddresses": [
        "1.1.1.1",
        "1.2.3.4"
    ],
    "ExternalIpAddresses": [
        "3.4.5.6",
        "1.2.3.4"
    ],
    "Disconnected": [
        false,
        true
    ]
}
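As an added example (not D3 SOAR's or Cybereason's own code), the following Python resolves each requested Machine Name against a constructed sensors response shaped like the Raw Data above and derives the command state using the Return Data rules on this page. Assumptions: a name is matched against pylumId, machineName or fqdn (the reader note points to $.sensors[*].pylumId); a host counts as connected only when status is "Online" and disconnected is false; the "Archived" status string and all IDs are constructed; and a request in which no name resolves is treated as Failed.

```python
"""Evaluate a Cybereason "Is Host Connected" response per requested machine.

Added example, not D3 SOAR's or Cybereason's own code. SAMPLE_RESPONSE is a
constructed input shaped like the Raw Data sample (two sensors, one online and
one archived, matching the sample's onlineCount/archivedCount). Assumptions:
names match pylumId, machineName or fqdn; connected means status == "Online"
and disconnected == false; no resolved names at all is reported as Failed.
"""
import json

SAMPLE_RESPONSE = json.loads("""
{
  "totalResults": 2,
  "sensorsStatus": {"onlineCount": 1, "offlineCount": 0, "staleCount": 0, "archivedCount": 1},
  "sensors": [
    {"sensorId": "s-1", "pylumId": "PYLUM-1", "machineName": "machine1", "fqdn": "machine1.example.internal",
     "status": "Online", "serviceStatus": "Up", "disconnected": false, "isolated": false,
     "internalIpAddress": "1.1.1.1", "lastPylumInfoMsgUpdateTime": 1637374163880},
    {"sensorId": "s-2", "pylumId": "PYLUM-2", "machineName": "machine2", "fqdn": "machine2.example.internal",
     "status": "Archived", "serviceStatus": "Down", "disconnected": true, "isolated": false,
     "internalIpAddress": "1.2.3.4", "lastPylumInfoMsgUpdateTime": 1635268257665}
  ],
  "hasMoreResults": false
}
""")


def index_sensors(response):
    """Map every identifier a playbook might pass (pylumId, machineName, fqdn),
    lower-cased, to its sensor record."""
    index = {}
    for sensor in response.get("sensors", []):
        for key in ("pylumId", "machineName", "fqdn"):
            if sensor.get(key):
                index[sensor[key].lower()] = sensor
    return index


def host_connectivity(machine_names, response):
    """Return ({name: status record}, [names with no matching sensor]).
    If hasMoreResults is true, a missing name may simply be on a later page
    and should be re-queried before being reported as not found."""
    index = index_sensors(response)
    found, not_found = {}, []
    for name in machine_names:
        sensor = index.get(name.lower())
        if sensor is None:
            not_found.append(name)
            continue
        found[name] = {
            "pylumId": sensor.get("pylumId"),
            "status": sensor.get("status"),
            "connected": sensor.get("status") == "Online" and not sensor.get("disconnected", True),
            "isolated": bool(sensor.get("isolated")),
        }
    return found, not_found


def return_data(found, not_found):
    """Page rules: Partially Successful when some array items errored; Failed
    is assumed here when nothing resolved; otherwise Successful."""
    if not found:
        return "Failed"
    if not_found:
        return "Partially Successful"
    return "Successful"


def isolation_candidates(found):
    """Hosts that are online and not yet isolated: the set a conditional
    playbook task could hand to Isolate Machine."""
    return sorted(name for name, rec in found.items() if rec["connected"] and not rec["isolated"])


if __name__ == "__main__":
    found, missing = host_connectivity(["machine1", "PYLUM-2", "ghost"], SAMPLE_RESPONSE)
    print(return_data(found, missing), isolation_candidates(found), missing)
```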
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

SENSORID

PYLUMID

GUID

FQDN

MACHINENAME

INTERNALIPADDRESS

EXTERNALIPADDRESS

SITENAME

SITEID

RANSOMWARESTATUS

PREVENTIONSTATUS

ISOLATED

DISCONNECTIONTIME

LASTPYLUMINFOMSGUPDATETIME

STATUS

SERVICESTATUS

ONLINETIMEMS

OFFLINETIMEMS

STALETIMEMS

ARCHIVETIMEMS

STATUSTIMEMS

LASTSTATUSACTION

ARCHIVEDORUNARCHIVECOMMENT

SENSORARCHIVEDBYUSER

SERVERNAME

SERVERID

SERVERIP

PRIVATESERVERIP

COLLECTIVEUUID

OSTYPE

OSVERSIONTYPE

COLLECTIONSTATUS

VERSION

CONSOLEVERSION

FIRSTSEENTIME

UPTIME

CPUUSAGE

MEMORYUSAGE

OUTDATED

AMSTATUS

AMMODEORIGIN

AVDBVERSION

AVDBLASTUPDATETIME

POWERSHELLSTATUS

REMOTESHELLSTATUS

USBSTATUS

FWSTATUS

ANTIEXPLOITSTATUS

DOCUMENTPROTECTIONSTATUS

DOCUMENTPROTECTIONMODE

ORGANIZATIONALUNIT

ANTIMALWARESTATUS

ANTIMALWAREMODEORIGIN

ORGANIZATION

PROXYADDRESS

PREVENTIONERROR

EXITREASON

ACTIONSINPROGRESS

PENDINGACTIONS

LASTUPGRADERESULT

DEPARTMENT

LOCATION

CRITICALASSET

DEVICETYPE

CUSTOMTAGS

LASTUPGRADESTEPS

DISCONNECTED

STATICANALYSISDETECTMODE

STATICANALYSISDETECTMODEORIGIN

STATICANALYSISPREVENTMODE

STATICANALYSISPREVENTMODEORIGIN

COLLECTIONCOMPONENTS

SENSORLASTUPDATE

FULLSCANSTATUS

QUICKSCANSTATUS

LASTFULLSCHEDULESCANSUCCESSTIME

LASTQUICKSCHEDULESCANSUCCESSTIME

POLICYNAME

DELIVERYTIME

POLICYID

COMPLIANCE

GROUPID

GROUPNAME

***

***

-***

***

***

1.2.3.4

3.4.5.6

Default

0

DETECT_ONLY

DISABLED

False

1635268257665

1637374163880

Online

Up

0

0

0

None

0

None

integration-1-t

***

1.1.1.1

1.2.3.4

None

WINDOWS

Windows_10

ADVANCED

20.2.244.0

None

1588487423866

2036968690

0.0166625

83181568

False

AM_DETECT_ONLY

None

86243

1637371508000

PS_DISABLED

AC_ENABLED

DISABLED

DISABLED

AE_DISABLED

DS_UNKNOWN

DM_UNKNOWN

AM_ENABLED

None

integration

STOP_REQUEST_FROM_PYLUM

0

[]

AlreadyUpdated

None

None

None

None

None

[{'name': 'Started', 'startTime': 1633083148298}, {'name': 'AlreadyUpdated', 'startTime': 1633083148299}]

False

DISABLED

None

DISABLED

None

['Metadata']

0

IDLE

IDLE

0

1592877946000

Ransomware

1636295271153

d98a9bee-b822-435e-87a6-171aa7a409cc

True

None

Group2

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Is Host Connected failed. An error occurred when calling the Is Host Connected operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cybereason portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Machine Names Not Found.

Error Sample Data

Is Host Connected failed. An error occurred when calling the Is Host Connected operation.

Status Code: 404.

Message: Machine Names Not Found.

Isolate Machine

Isolates a machine or machines involved in a specific Malop.

READER NOTE

The parameter Machine Names is required to run this command.

  • Run the Query Sensors command to obtain Machine Names. Machine Names can be found in the returned Raw Data at the path $.sensors[*].pylumId.

Malop ID is an optional parameter to run this command.

  • Run the Get All Malops command to obtain Malop ID. Malop ID can be found in the returned Raw Data at the path $.malop[*].guid.

Input

Input Parameter

Required/Optional

Description

Example

Machine Names

Required

The names of the machines to isolate. Machine names can be obtained using the Query Sensors command.

[ "***" ]

Malop ID

Optional

The GUID of the Malop associated with the specified machine names. Malop IDs can be obtained using the Get All Malops command. The default value of this Malop ID is NOMALOP.

***

Output

Raw Data

The primary response data from the API request.

To enrich the original Cybereason API response, D3 customizes the raw data by adding the input Machine Names to indicate which machine(s) were isolated.

SAMPLE DATA

CODE
[
    {
        "MachineName": "***",
        "***-**": "Succeeded"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "PylumIDs": [
        "**-**"
    ]
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

MACHINENAME

***-**

**-poc

Succeeded

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Isolate Machine failed. An error occurred when calling the Isolate Machine operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cybereason portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Machine Names Not Found.

Error Sample Data

Isolate Machine failed. An error occurred when calling the Isolate Machine operation.

Status Code: 404.

Message: Machine Names Not Found.

Kill Process

Kills specified processes running on a machine.

READER NOTE

The parameter Process IDs is required to run this command.

  • Run the Query Process command to obtain Process IDs. Process IDs can be found in the returned Raw Data at the path $.data.resultIdToElementDataMap.<id>.

Input

Input Parameter

Required/Optional

Description

Example

Process IDs

Required

The IDs of the processes to kill. Process IDs can be obtained using the Query Process command.

[ "**" ]

Output

Raw Data

The primary response data from the API request.

To enrich the original Cybereason API response, D3 customizes the raw data by adding the input Process ID(s) to indicate which process(es) were killed.

SAMPLE DATA

CODE
[
    {
        "malopId": "NOMALOP",
        "remediationId": "***-***-***-***-***",
        "start": 1637612593810,
        "end": null,
        "initiatingUser": "test@example.com",
        "statusLog": [
            {
                "machineId": "***",
                "targetId": "***",
                "status": "PENDING",
                "actionType": "KILL_PROCESS",
                "error": null,
                "timestamp": 1637612594344
            }
        ],
        "proccessId": "***"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "ProcessIDs": [
        "***"
    ],
    "MachineIDs": [
        "***"
    ],
    "Statuses": [
        "PENDING"
    ]
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

MALOPID

REMEDIATIONID

START

END

INITIATINGUSER

STATUSLOG

PROCCESSID

NOMALOP

***-***-***-***-***

1637612593810

None

test@example.com

[{'machineId': '***', 'targetId': '***', 'status': 'PENDING', 'actionType': 'KILL_PROCESS', 'error': None, 'timestamp': 1637612594344}]

***

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Kill Process failed. An error occurred when calling the Kill Process operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cybereason portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Process IDs Not Found.

Error Sample Data

Kill Process failed. An error occurred when calling the Kill Process operation.

Status Code: 400.

Message: Process IDs Not Found.

Query Domain

Retrieves information about domain(s) based on domain name(s).

READER NOTE

All input parameters are optional. If all inputs are empty, the first 100 domains from the Cybereason dataset will be returned.

Input

Input Parameter

Required/Optional

Description

Example

Domains

Optional

The names of the domains to query.

[ "***.co.uk" ]

Limit

Optional

The maximum number of domains to return. A valid input value is an integer between 1 and 1000. The default value is 100.

10

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": {
        "resultIdToElementDataMap": {
            "***": {
                "simpleValues": {
                    "sinkholedClassificationEvidence": {
                        "totalValues": 1,
                        "values": [
                            "true"
                        ]
                    },
                    "maliciousClassificationType": {
                        "totalValues": 1,
                        "values": [
                            "indifferent"
                        ]
                    },
                    "hasResolvedClassificationEvidence": {
                        "totalValues": 1,
                        "values": [
                            "true"
                        ]
                    },
                    "elementDisplayName": {
                        "totalValues": 1,
                        "values": [
                            "***.co.uk"
                        ]
                    }
                },
                "elementValues": {},
                "suspicions": {
                    "domainClassificationSuspicion": ***
                },
                "filterData": {
                    "sortInGroupValue": "***",
                    "groupByValue": "DomainNameRuntime:*** "
                },
                "isMalicious": false,
                "suspicionCount": 1,
                "guidString": "***",
                "labelsIds": null,
                "malopPriority": null,
                "suspect": true,
                "malicious": false
            }
        },
        "suspicionsMap": {
            "domainClassificationSuspicion": {
                "potentialEvidence": [
                    "malwareClassificationEvidence",
                    "sinkholedClassificationEvidence"
                ],
                "firstTimestamp": 1585092142623,
                "totalSuspicions": 1
            }
        },
        "evidenceMap": {
            "hasResolvedClassificationEvidence": 1,
            "sinkholedClassificationEvidence": 1
        },
        "totalPossibleResults": 1,
        "guessedPossibleResults": 0,
        "queryLimits": {
            "totalResultLimit": 1000,
            "perGroupLimit": 100,
            "perFeatureLimit": 100,
            "groupingFeature": {
                "elementInstanceType": "DomainName",
                "featureName": "self"
            },
            "sortInGroupFeature": null
        },
        "queryTerminated": false,
        "pathResultCounts": [
            {
                "featureDescriptor": {
                    "elementInstanceType": "DomainName",
                    "featureName": null
                },
                "count": 1
            }
        ],
        "guids": []
    },
    "status": "SUCCESS",
    "hidePartialSuccess": false,
    "message": "",
    "expectedResults": 1,
    "failures": 0
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path $.data in API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
{
    "resultIdToElementDataMap": {
        "***": {
            "simpleValues": {
                "sinkholedClassificationEvidence": {
                    "totalValues": 1,
                    "values": [
                        "true"
                    ]
                },
                "maliciousClassificationType": {
                    "totalValues": 1,
                    "values": [
                        "indifferent"
                    ]
                },
                "hasResolvedClassificationEvidence": {
                    "totalValues": 1,
                    "values": [
                        "true"
                    ]
                },
                "elementDisplayName": {
                    "totalValues": 1,
                    "values": [
                        "***.co.uk"
                    ]
                }
            },
            "elementValues": {},
            "suspicions": {
                "domainClassificationSuspicion": **
            },
            "filterData": {
                "sortInGroupValue": "***",
                "groupByValue": "DomainNameRuntime:***"
            },
            "isMalicious": false,
            "suspicionCount": 1,
            "guidString": "***",
            "labelsIds": null,
            "malopPriority": null,
            "suspect": true,
            "malicious": false
        }
    },
    "suspicionsMap": {
        "domainClassificationSuspicion": {
            "potentialEvidence": [
                "malwareClassificationEvidence",
                "sinkholedClassificationEvidence"
            ],
            "firstTimestamp": 1585092142623,
            "totalSuspicions": 1
        }
    },
    "evidenceMap": {
        "hasResolvedClassificationEvidence": 1,
        "sinkholedClassificationEvidence": 1
    },
    "totalPossibleResults": 1,
    "guessedPossibleResults": 0,
    "queryLimits": {
        "totalResultLimit": 1000,
        "perGroupLimit": 100,
        "perFeatureLimit": 100,
        "groupingFeature": {
            "elementInstanceType": "DomainName",
            "featureName": "self"
        },
        "sortInGroupFeature": null
    },
    "queryTerminated": false,
    "pathResultCounts": [
        {
            "featureDescriptor": {
                "elementInstanceType": "DomainName",
                "featureName": null
            },
            "count": 1
        }
    ],
    "guids": []
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

resultIdToElementDataMap

{'**': {'simpleValues': {'sinkholedClassificationEvidence': {'totalValues': 1, 'values': ['true']}, 'maliciousClassificationType': {'totalValues': 1, 'values': ['indifferent']}, 'hasResolvedClassificationEvidence': {'totalValues': 1, 'values': ['true']}, 'elementDisplayName': {'totalValues': 1, 'values': ['**.co.uk']}}, 'elementValues': {}, 'suspicions': {'domainClassificationSuspicion': ***}, 'filterData': {'sortInGroupValue': '***', 'groupByValue': 'DomainNameRuntime:***'}, 'isMalicious': False, 'suspicionCount': 1, 'guidString': '***', 'labelsIds': None, 'malopPriority': None, 'suspect': True, 'malicious': False}}

suspicionsMap

{'domainClassificationSuspicion': {'potentialEvidence': ['malwareClassificationEvidence', 'sinkholedClassificationEvidence'], 'firstTimestamp': **, 'totalSuspicions': 1}}

evidenceMap

{'hasResolvedClassificationEvidence': 1, 'sinkholedClassificationEvidence': 1}

totalPossibleResults

1

guessedPossibleResults

0

queryLimits

{'totalResultLimit': 1000, 'perGroupLimit': 100, 'perFeatureLimit': 100, 'groupingFeature': {'elementInstanceType': 'DomainName', 'featureName': 'self'}, 'sortInGroupFeature': None}

queryTerminated

False

pathResultCounts

  • {'featureDescriptor': {'elementInstanceType': 'DomainName', 'featureName': None}, 'count': 1}

guids

[]

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Query Domain failed. An error occurred when calling the Query Domain operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cybereason portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: The value for parameter (Limit) is invalid.

Error Sample Data

Query Domain failed. An error occurred when calling the Query Domain operation.

Status Code: 400.

Message: The value for parameter (Limit) is invalid.

Query File

Retrieves information of file(s) based on file hash(es).

READER NOTE

The parameter File Hashes is optional to run this command.

  • You should already have your desired file hashes on hand to run this command. If you don't, you may use the Fetch Event command with defined filters to retrieve the desired file hashes. They can be found in the returned raw data at the path $.data.resultIdToElementDataMap[*].rootCauseElementHashes.

  • You can also find file hashes from the Cybereason user interface.

All input parameters of this command are optional. If all inputs are empty, the first 100 files from the Cybereason dataset will be returned.

Input

Input Parameter

Required/Optional

Description

Example

File Hashes

Optional

The file hashes to query.

[ "***" ]

Limit

Optional

The maximum number of files to return. A valid input value is an integer between 1 and 1,000. The default value is 100.

10

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": {
        "resultIdToElementDataMap": {
            "***": {
                "simpleValues": {
                    "correctedPath": {
                        "totalValues": 1,
                        "values": [
                            "c:\\users\\***\\downloads\\***.pdf.exe"
                        ]
                    },
                    "maliciousClassificationType": {
                        "totalValues": 1,
                        "values": [
                            "indifferent"
                        ]
                    },
                    "signatureVerified": {
                        "totalValues": 1,
                        "values": [
                            "true"
                        ]
                    },
                    "sha1String": {
                        "totalValues": 1,
                        "values": [
                            "***"
                        ]
                    },
                    "sha256String": {
                        "totalValues": 1,
                        "values": [
                            "***"
                        ]
                    },
                    "productType": {
                        "totalValues": 1,
                        "values": [
                            "NONE"
                        ]
                    },
                    "elementDisplayName": {
                        "totalValues": 1,
                        "values": [
                            "***.pdf.exe"
                        ]
                    },
                    "size": {
                        "totalValues": 1,
                        "values": [
                            "***"
                        ]
                    },
                    "modifiedTime": {
                        "totalValues": 1,
                        "values": [
                            "***"
                        ]
                    },
                    "createdTime": {
                        "totalValues": 1,
                        "values": [
                            "***"
                        ]
                    },
                    "isSigned": {
                        "totalValues": 1,
                        "values": [
                            "true"
                        ]
                    },
                    "md5String": {
                        "totalValues": 1,
                        "values": [
                            "**"
                        ]
                    },
                    "extensionType": {
                        "totalValues": 1,
                        "values": [
                            "***"
                        ]
                    },
                    "companyName": {
                        "totalValues": 1,
                        "values": [
                            "***"
                        ]
                    }
                },
                "elementValues": {
                    "ownerMachine": {
                        "totalValues": 1,
                        "elementValues": [
                            {
                                "elementType": "Machine",
                                "guid": "***",
                                "name": "desktop-**",
                                "hasSuspicions": false,
                                "hasMalops": false
                            }
                        ],
                        "totalSuspicious": 0,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    }
                },
                "suspicions": null,
                "filterData": {
                    "sortInGroupValue": "***",
                    "groupByValue": "FileHashRuntime:**"
                },
                "isMalicious": false,
                "suspicionCount": 0,
                "guidString": "***",
                "labelsIds": null,
                "malopPriority": null,
                "suspect": false,
                "malicious": false
            },
            "-***.-***": {
                "simpleValues": {
                    "correctedPath": {
                        "totalValues": 1,
                        "values": [
                            "c:\\users\\***\\downloads\\***.pdf.exe"
                        ]
                    },
                    "maliciousClassificationType": {
                        "totalValues": 1,
                        "values": [
                            "indifferent"
                        ]
                    },
                    "signatureVerified": {
                        "totalValues": 1,
                        "values": [
                            "true"
                        ]
                    },
                    "sha1String": {
                        "totalValues": 1,
                        "values": [
                            "***"
                        ]
                    },
                    "sha256String": {
                        "totalValues": 1,
                        "values": [
                            "***"
                        ]
                    },
                    "productType": {
                        "totalValues": 1,
                        "values": [
                            "NONE"
                        ]
                    },
                    "elementDisplayName": {
                        "totalValues": 1,
                        "values": [
                            "**.pdf.exe"
                        ]
                    },
                    "size": {
                        "totalValues": 1,
                        "values": [
                            "6331472"
                        ]
                    },
                    "modifiedTime": {
                        "totalValues": 1,
                        "values": [
                            "***"
                        ]
                    },
                    "createdTime": {
                        "totalValues": 1,
                        "values": [
                            "1636624928082"
                        ]
                    },
                    "isSigned": {
                        "totalValues": 1,
                        "values": [
                            "true"
                        ]
                    },
                    "md5String": {
                        "totalValues": 1,
                        "values": [
                            "***"
                        ]
                    },
                    "extensionType": {
                        "totalValues": 1,
                        "values": [
                            "***"
                        ]
                    },
                    "companyName": {
                        "totalValues": 1,
                        "values": [
                            "***                                                                                                                                                                                                                                                                                                       "
                        ]
                    }
                },
                "elementValues": {
                    "ownerMachine": {
                        "totalValues": 1,
                        "elementValues": [
                            {
                                "elementType": "Machine",
                                "guid": "-**",
                                "name": "desktop-***",
                                "hasSuspicions": false,
                                "hasMalops": false
                            }
                        ],
                        "totalSuspicious": 0,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    }
                },
                "suspicions": null,
                "filterData": {
                    "sortInGroupValue": "-***.-**",
                    "groupByValue": "FileHashRuntime:**"
                },
                "isMalicious": false,
                "suspicionCount": 0,
                "guidString": "-**.-***",
                "labelsIds": null,
                "malopPriority": null,
                "suspect": false,
                "malicious": false
            }
        },
        "suspicionsMap": {},
        "evidenceMap": {},
        "totalPossibleResults": 2,
        "guessedPossibleResults": 0,
        "queryLimits": {
            "totalResultLimit": 100,
            "perGroupLimit": 100,
            "perFeatureLimit": 100,
            "groupingFeature": {
                "elementInstanceType": "File",
                "featureName": "fileHash"
            },
            "sortInGroupFeature": null
        },
        "queryTerminated": false,
        "pathResultCounts": [
            {
                "featureDescriptor": {
                    "elementInstanceType": "File",
                    "featureName": null
                },
                "count": 2
            }
        ],
        "guids": []
    },
    "status": "SUCCESS",
    "hidePartialSuccess": false,
    "message": "",
    "expectedResults": 1,
    "failures": 0
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path $.data.resultIdToElementDataMap in API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
{
    "***": {
        "simpleValues": {
            "correctedPath": {
                "totalValues": 1,
                "values": [
                    "c:\\users\\***\\downloads\\***.pdf.exe"
                ]
            },
            "maliciousClassificationType": {
                "totalValues": 1,
                "values": [
                    "indifferent"
                ]
            },
            "signatureVerified": {
                "totalValues": 1,
                "values": [
                    "true"
                ]
            },
            "sha1String": {
                "totalValues": 1,
                "values": [
                    "***"
                ]
            },
            "sha256String": {
                "totalValues": 1,
                "values": [
                    "***"
                ]
            },
            "productType": {
                "totalValues": 1,
                "values": [
                    "NONE"
                ]
            },
            "elementDisplayName": {
                "totalValues": 1,
                "values": [
                    "***.pdf.exe"
                ]
            },
            "size": {
                "totalValues": 1,
                "values": [
                    "6331472"
                ]
            },
            "modifiedTime": {
                "totalValues": 1,
                "values": [
                    "1636626318647"
                ]
            },
            "createdTime": {
                "totalValues": 1,
                "values": [
                    "1636626193401"
                ]
            },
            "isSigned": {
                "totalValues": 1,
                "values": [
                    "true"
                ]
            },
            "md5String": {
                "totalValues": 1,
                "values": [
                    "***"
                ]
            },
            "extensionType": {
                "totalValues": 1,
                "values": [
                    "***"
                ]
            },
            "companyName": {
                "totalValues": 1,
                "values": [
                    "***"
                ]
            }
        },
        "elementValues": {
            "ownerMachine": {
                "totalValues": 1,
                "elementValues": [
                    {
                        "elementType": "Machine",
                        "guid": "***",
                        "name": "desktop-***",
                        "hasSuspicions": false,
                        "hasMalops": false
                    }
                ],
                "totalSuspicious": 0,
                "totalMalicious": 0,
                "guessedTotal": 0
            }
        },
        "suspicions": null,
        "filterData": {
            "sortInGroupValue": "***",
            "groupByValue": "FileHashRuntime:***"
        },
        "isMalicious": false,
        "suspicionCount": 0,
        "guidString": "***",
        "labelsIds": null,
        "malopPriority": null,
        "suspect": false,
        "malicious": false
    },
    "-***.-***": {
        "simpleValues": {
            "correctedPath": {
                "totalValues": 1,
                "values": [
                    "c:\\users\\***\\downloads\\***.pdf.exe"
                ]
            },
            "maliciousClassificationType": {
                "totalValues": 1,
                "values": [
                    "indifferent"
                ]
            },
            "signatureVerified": {
                "totalValues": 1,
                "values": [
                    "true"
                ]
            },
            "sha1String": {
                "totalValues": 1,
                "values": [
                    "***"
                ]
            },
            "sha256String": {
                "totalValues": 1,
                "values": [
                    "**"
                ]
            },
            "productType": {
                "totalValues": 1,
                "values": [
                    "NONE"
                ]
            },
            "elementDisplayName": {
                "totalValues": 1,
                "values": [
                    "***.pdf.exe"
                ]
            },
            "size": {
                "totalValues": 1,
                "values": [
                    "6331472"
                ]
            },
            "modifiedTime": {
                "totalValues": 1,
                "values": [
                    "1636624982874"
                ]
            },
            "createdTime": {
                "totalValues": 1,
                "values": [
                    "1636624928082"
                ]
            },
            "isSigned": {
                "totalValues": 1,
                "values": [
                    "true"
                ]
            },
            "md5String": {
                "totalValues": 1,
                "values": [
                    "***"
                ]
            },
            "extensionType": {
                "totalValues": 1,
                "values": [
                    "EXECUTABLE_WINDOWS"
                ]
            },
            "companyName": {
                "totalValues": 1,
                "values": [
                    "***"
                ]
            }
        },
        "elementValues": {
            "ownerMachine": {
                "totalValues": 1,
                "elementValues": [
                    {
                        "elementType": "Machine",
                        "guid": "-*",
                        "name": "desktop-**",
                        "hasSuspicions": false,
                        "hasMalops": false
                    }
                ],
                "totalSuspicious": 0,
                "totalMalicious": 0,
                "guessedTotal": 0
            }
        },
        "suspicions": null,
        "filterData": {
            "sortInGroupValue": "-**.-***",
            "groupByValue": "FileHashRuntime:***"
        },
        "isMalicious": false,
        "suspicionCount": 0,
        "guidString": "-**.-**",
        "labelsIds": null,
        "malopPriority": null,
        "suspect": false,
        "malicious": false
    }
}
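To show how the element-query responses above (Query Domain and Query File, whether taken from Raw Data or from either Context Data path) are consumed in a playbook, here is an added Python example that is not part of D3's or Cybereason's code: it flattens resultIdToElementDataMap into per-element triage summaries, tolerates the null suspicions and empty elementValues seen in the samples, and flags result sets the server truncated. The sample response, domain, path, GUIDs, host name and hash are constructed placeholders.

```python
import json
from typing import Any, Dict, List, Optional

# Constructed sample in the shape of this page's Query Domain and Query File Raw Data: one
# domain element carrying a suspicion and one file element with none. Every value (domain,
# path, GUIDs, hash, host name) is a placeholder, not a real indicator.
SAMPLE_RESPONSE = json.loads(r'''{
  "data": {
    "resultIdToElementDataMap": {
      "dom-guid-1": {
        "simpleValues": {
          "elementDisplayName": {"totalValues": 1, "values": ["sinkholed-example.co.uk"]},
          "maliciousClassificationType": {"totalValues": 1, "values": ["indifferent"]},
          "sinkholedClassificationEvidence": {"totalValues": 1, "values": ["true"]},
          "hasResolvedClassificationEvidence": {"totalValues": 1, "values": ["true"]}
        },
        "elementValues": {},
        "suspicions": {"domainClassificationSuspicion": 1585092142623},
        "isMalicious": false, "suspicionCount": 1, "guidString": "dom-guid-1",
        "suspect": true, "malicious": false
      },
      "file-guid-1": {
        "simpleValues": {
          "elementDisplayName": {"totalValues": 1, "values": ["invoice.pdf.exe"]},
          "correctedPath": {"totalValues": 1, "values": ["c:\\users\\alice\\downloads\\invoice.pdf.exe"]},
          "sha256String": {"totalValues": 1, "values": ["PLACEHOLDER_SHA256"]},
          "maliciousClassificationType": {"totalValues": 1, "values": ["indifferent"]}
        },
        "elementValues": {
          "ownerMachine": {"totalValues": 1, "totalSuspicious": 0, "totalMalicious": 0,
            "guessedTotal": 0, "elementValues": [{"elementType": "Machine", "guid": "m-1",
            "name": "desktop-alice", "hasSuspicions": false, "hasMalops": false}]}
        },
        "suspicions": null,
        "isMalicious": false, "suspicionCount": 0, "guidString": "file-guid-1",
        "suspect": false, "malicious": false
      }
    },
    "totalPossibleResults": 2,
    "queryTerminated": false
  },
  "status": "SUCCESS", "message": "", "failures": 0
}''')


def element_map(payload: Dict[str, Any]) -> Dict[str, Any]:
    """Accept Raw Data ($), Query Domain Context Data ($.data) or Query File Context Data
    ($.data.resultIdToElementDataMap) and return the GUID -> element map in every case."""
    if isinstance(payload.get("data"), dict):
        payload = payload["data"]
    return payload.get("resultIdToElementDataMap", payload)

def first_value(element: Dict[str, Any], feature: str) -> Optional[str]:
    """Each simpleValues feature is {"totalValues": n, "values": [...]}: return the first value."""
    values = element.get("simpleValues", {}).get(feature, {}).get("values") or []
    return values[0] if values else None

def true_evidence(element: Dict[str, Any]) -> List[str]:
    """Names of the *Evidence features set to "true" (booleans arrive as the strings "true"/"false")."""
    return sorted(name for name in element.get("simpleValues", {})
                  if name.endswith("Evidence") and first_value(element, name) == "true")

def summarize_element(element: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten one element into the fields an analyst needs for triage."""
    owner = element.get("elementValues", {}).get("ownerMachine", {})  # absent for domains
    return {
        "guid": element.get("guidString"),
        "name": first_value(element, "elementDisplayName"),
        "classification": first_value(element, "maliciousClassificationType"),
        "suspect": bool(element.get("suspect")),
        "malicious": bool(element.get("malicious")),
        "suspicion_count": int(element.get("suspicionCount") or 0),
        "suspicions": sorted(element.get("suspicions") or {}),  # null when there are none
        "evidence": true_evidence(element),
        "sha256": first_value(element, "sha256String"),  # files only
        "owner_machines": [m.get("name") for m in owner.get("elementValues", [])],
    }

def triage_verdict(summary: Dict[str, Any]) -> str:
    """Precedence: malicious > suspect (flag set or any suspicion present) > clean."""
    if summary["malicious"]:
        return "malicious"
    if summary["suspect"] or summary["suspicion_count"] > 0:
        return "suspect"
    return "clean"

def summarize_response(payload: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Reject a non-SUCCESS envelope, then summarize every returned element."""
    if payload.get("status") not in (None, "SUCCESS"):
        raise ValueError(f"Cybereason returned {payload['status']}: {payload.get('message')}")
    return [summarize_element(e) for e in element_map(payload).values()]

def results_truncated(payload: Dict[str, Any]) -> bool:
    """True when more elements matched than were returned: raise Limit or narrow the query."""
    data = payload["data"] if isinstance(payload.get("data"), dict) else payload
    total = data.get("totalPossibleResults")
    return total is not None and (bool(data.get("queryTerminated")) or total > len(element_map(data)))
```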
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

{'simpleValues': {'correctedPath': {'totalValues': 1, 'values': ['c:\\users\\***\\downloads\\***.pdf.exe']}, 'maliciousClassificationType': {'totalValues': 1, 'values': ['indifferent']}, 'signatureVerified': {'totalValues': 1, 'values': ['true']}, 'sha1String': {'totalValues': 1, 'values': ['***']}, 'sha256String': {'totalValues': 1, 'values': ['***']}, 'productType': {'totalValues': 1, 'values': ['NONE']}, 'elementDisplayName': {'totalValues': 1, 'values': ['***.pdf.exe']}, 'size': {'totalValues': 1, 'values': ['**']}, 'modifiedTime': {'totalValues': 1, 'values': ['***']}, 'createdTime': {'totalValues': 1, 'values': ['**']}, 'isSigned': {'totalValues': 1, 'values': ['true']}, 'md5String': {'totalValues': 1, 'values': ['**']}, 'extensionType': {'totalValues': 1, 'values': ['***']}, 'companyName': {'totalValues': 1, 'values': ['***']}}, 'elementValues': {'ownerMachine': {'totalValues': 1, 'elementValues': [{'elementType': 'Machine', 'guid': '**', 'name': 'desktop-***', 'hasSuspicions': False, 'hasMalops': False}], 'totalSuspicious': 0, 'totalMalicious': 0, 'guessedTotal': 0}}, 'suspicions': None, 'filterData': {'sortInGroupValue': '**', 'groupByValue': 'FileHashRuntime:***'}, 'isMalicious': False, 'suspicionCount': 0, 'guidString': '***', 'labelsIds': None, 'malopPriority': None, 'suspect': False, 'malicious': False}

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Query File failed. An error occurred when calling the Query File operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cybereason portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: The value for parameter (Limit) is invalid.

Error Sample Data

Query File failed. An error occurred when calling the Query File operation.

Status Code: 400.

Message: The value for parameter (Limit) is invalid.

Query Malops

Retrieves Malop process(es) from defined search conditions.

READER NOTE

The parameter Malop IDs is required to run this command.

  • Run the Get All Malops command to obtain Malops IDs. Malop IDs can be found in the returned raw data at the path $.malop[*].guid.

All input parameters of this command are optional. If all inputs are empty, the first 100 malops from the Cybereason dataset will be returned.

Input

Input Parameter

Required/Optional

Description

Example

Results Limit

Optional

The maximum number of results (up to 1,000) to return. The default value is 100.

10

Template Context

Optional

The level of detail to provide in the response data. The available options are Overview, Details, Specific, Full, Malop, Malop_Communication and Custom. The default value is Malop.

Specific

Malop IDs

Optional

The GUIDs of the Malops to query. Malop IDs can be obtained using the Get All Malops command.

[ "***" ]

Filters

Optional

The JSON array of filter conditions to narrow down query results. See Add Filters to a Request from Cybereason’s API documentation for more information about the filter syntax.

[

{

"facetName": "creationTime",

"filterType": "GreaterThan",

"values": [

***

]

}

]
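As an added example (not D3's or Cybereason's own code) of preparing the Query Malops inputs listed in this table, the following Python validates Results Limit and Template Context against the ranges stated above, so a playbook fails locally instead of with the 400 "The value for parameter (Limit) is invalid." response, and builds a creationTime filter in the shape of the Filters example. Treating creationTime as epoch milliseconds is inferred from the 13-digit timestamps in the sample data; the Malop GUID is a placeholder.

```python
from typing import Any, Dict, List, Optional

# Constraints copied from the Query Malops input table: Results Limit 1..1000 (default 100)
# and the allowed Template Context values (default Malop).
MAX_RESULTS_LIMIT = 1000
DEFAULT_RESULTS_LIMIT = 100
TEMPLATE_CONTEXTS = ("Overview", "Details", "Specific", "Full", "Malop", "Malop_Communication", "Custom")
# Assumption: timestamps are epoch milliseconds, as the 13-digit creationTime values in the samples suggest.
MIN_EPOCH_MS = 10 ** 12


def validate_results_limit(limit: Optional[int]) -> int:
    """Catch client-side what the API otherwise rejects with
    'The value for parameter (Limit) is invalid.' (HTTP 400)."""
    if limit is None:
        return DEFAULT_RESULTS_LIMIT
    if isinstance(limit, bool) or not isinstance(limit, int) or not 1 <= limit <= MAX_RESULTS_LIMIT:
        raise ValueError(f"Results Limit must be an integer in 1..{MAX_RESULTS_LIMIT}, got {limit!r}")
    return limit


def validate_template_context(context: Optional[str]) -> str:
    """Only the seven documented template contexts are accepted; None selects the default."""
    if context is None:
        return "Malop"
    if context not in TEMPLATE_CONTEXTS:
        raise ValueError(f"Template Context must be one of {TEMPLATE_CONTEXTS}, got {context!r}")
    return context


def creation_time_filter(since_epoch_ms: int) -> Dict[str, Any]:
    """One entry for the Filters array, in the shape of the page's example:
    Malops created after the given epoch-millisecond timestamp."""
    if isinstance(since_epoch_ms, bool) or not isinstance(since_epoch_ms, int) or since_epoch_ms < MIN_EPOCH_MS:
        raise ValueError(f"creationTime filters take epoch milliseconds (13 digits), got {since_epoch_ms!r}; "
                         "multiply a seconds value by 1000")
    return {"facetName": "creationTime", "filterType": "GreaterThan", "values": [since_epoch_ms]}


def build_query_malops_inputs(results_limit: Optional[int] = None, template_context: Optional[str] = None,
                              malop_ids: Optional[List[str]] = None,
                              since_epoch_ms: Optional[int] = None) -> Dict[str, Any]:
    """Assemble the four command inputs after validation; keys are the input names on this page."""
    ids = [i.strip() for i in (malop_ids or []) if isinstance(i, str) and i.strip()]
    if malop_ids and len(ids) != len(malop_ids):
        raise ValueError("Malop IDs must be non-empty strings")
    filters: List[Dict[str, Any]] = []
    if since_epoch_ms is not None:
        filters.append(creation_time_filter(since_epoch_ms))
    return {
        "Results Limit": validate_results_limit(results_limit),
        "Template Context": validate_template_context(template_context),
        "Malop IDs": ids,
        "Filters": filters,
    }


def rejects(fn, *args) -> bool:
    """True when fn(*args) raises ValueError; used to exercise the checks above."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```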

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "ProcessType": {
        "data": {
            "resultIdToElementDataMap": {
                "***": {
                    "simpleValues": {
                        "hasRansomwareSuspendedProcesses": {
                            "totalValues": 1,
                            "values": [
                                "false"
                            ]
                        },
                        "decisionFeature": {
                            "totalValues": 1,
                            "values": [
                                "Process.maliciousExecutionOfPowerShell(Malop decision)"
                            ]
                        },
                        "rootCauseElementCompanyProduct": {
                            "totalValues": 1,
                            "values": [
                                "Microsoft Corporation : Microsoft® Windows® Operating System"
                            ]
                        },
                        "malopStartTime": {
                            "totalValues": 1,
                            "values": [
                                "1606228037684"
                            ]
                        },
                        "detectionType": {
                            "totalValues": 1,
                            "values": [
                                "CNC"
                            ]
                        },
                        "malopActivityTypes": {
                            "totalValues": 1,
                            "values": [
                                "MALICIOUS_INFECTION"
                            ]
                        },
                        "elementDisplayName": {
                            "totalValues": 1,
                            "values": [
                                "MALICIOUS_INFECTION"
                            ]
                        },
                        "creationTime": {
                            "totalValues": 1,
                            "values": [
                                "1606228162669"
                            ]
                        },
                        "iconBase64": {
                            "totalValues": 1,
                            "values": [
                                "***"
                            ]
                        },
                        "isBlocked": {
                            "totalValues": 1,
                            "values": [
                                "false"
                            ]
                        },
                        "rootCauseElementTypes": {
                            "totalValues": 1,
                            "values": [
                                "Process"
                            ]
                        },
                        "rootCauseElementNames": {
                            "totalValues": 1,
                            "values": [
                                "***.exe"
                            ]
                        },
                        "malopLastUpdateTime": {
                            "totalValues": 1,
                            "values": [
                                "1606237179258"
                            ]
                        },
                        "allRansomwareProcessesSuspended": {
                            "totalValues": 1,
                            "values": [
                                "false"
                            ]
                        },
                        "rootCauseElementHashes": {
                            "totalValues": 1,
                            "values": [
                                "***"
                            ]
                        },
                        "managementStatus": {
                            "totalValues": 1,
                            "values": [
                                "TODO"
                            ]
                        },
                        "closeTime": {
                            "totalValues": 1,
                            "values": [
                                null
                            ]
                        },
                        "closerName": {
                            "totalValues": 1,
                            "values": [
                                null
                            ]
                        },
                        "customClassification": {
                            "totalValues": 1,
                            "values": [
                                "None"
                            ]
                        },
                        "comments": {
                            "totalValues": 14,
                            "values": [
                                {
                                    "commentId": "***-***-***-***-***",
                                    "username": "***",
                                    "message": "ServiceNow Ticket ID: ***",
                                    "timestamp": 1607678753145
                                },
                                {
                                    "commentId": "***-***-***-***-***",
                                    "username": "***",
                                    "message": "ServiceNow Ticket ID: ***",
                                    "timestamp": 1608027654510
                                }
                            ]
                        }
                    },
                    "elementValues": {
                        "primaryRootCauseElements": {
                            "totalValues": 1,
                            "elementValues": [
                                {
                                    "elementType": "Process",
                                    "guid": "-***",
                                    "name": "***.exe",
                                    "hasSuspicions": true,
                                    "hasMalops": true
                                }
                            ],
                            "totalSuspicious": 1,
                            "totalMalicious": 1,
                            "guessedTotal": 0
                        },
                        "affectedUsers": {
                            "totalValues": 1,
                            "elementValues": [
                                {
                                    "elementType": "User",
                                    "guid": "***",
                                    "name": "**\\***",
                                    "hasSuspicions": false,
                                    "hasMalops": false
                                }
                            ],
                            "totalSuspicious": 0,
                            "totalMalicious": 0,
                            "guessedTotal": 0
                        },
                        "affectedMachines": {
                            "totalValues": 1,
                            "elementValues": [
                                {
                                    "elementType": "Machine",
                                    "guid": "-***",
                                    "name": "***",
                                    "hasSuspicions": false,
                                    "hasMalops": false
                                }
                            ],
                            "totalSuspicious": 0,
                            "totalMalicious": 0,
                            "guessedTotal": 0
                        }
                    },
                    "suspicions": null,
                    "filterData": {
                        "sortInGroupValue": "***",
                        "groupByValue": "MalopProcessRuntime:*** "
                    },
                    "isMalicious": false,
                    "suspicionCount": 0,
                    "guidString": "***",
                    "labelsIds": [],
                    "malopPriority": null,
                    "suspect": false,
                    "malicious": false
                }
            },
            "suspicionsMap": {},
            "evidenceMap": {},
            "totalPossibleResults": 1,
            "guessedPossibleResults": 0,
            "queryLimits": {
                "totalResultLimit": 10,
                "perGroupLimit": 100,
                "perFeatureLimit": 100,
                "groupingFeature": {
                    "elementInstanceType": "MalopProcess",
                    "featureName": "self"
                },
                "sortInGroupFeature": null
            },
            "queryTerminated": false,
            "pathResultCounts": [
                {
                    "featureDescriptor": {
                        "elementInstanceType": "MalopProcess",
                        "featureName": null
                    },
                    "count": 1
                }
            ],
            "guids": []
        },
        "status": "SUCCESS",
        "hidePartialSuccess": false,
        "message": "",
        "expectedResults": 1,
        "failures": 0
    },
    "LoggonSessionType": {
        "data": {
            "resultIdToElementDataMap": {},
            "suspicionsMap": {},
            "evidenceMap": {},
            "totalPossibleResults": 0,
            "guessedPossibleResults": 0,
            "queryLimits": {
                "totalResultLimit": 10,
                "perGroupLimit": 100,
                "perFeatureLimit": 100,
                "groupingFeature": {
                    "elementInstanceType": "MalopLogonSession",
                    "featureName": "self"
                },
                "sortInGroupFeature": null
            },
            "queryTerminated": false,
            "pathResultCounts": [
                {
                    "featureDescriptor": {
                        "elementInstanceType": "MalopLogonSession",
                        "featureName": null
                    },
                    "count": 0
                }
            ],
            "guids": []
        },
        "status": "SUCCESS",
        "hidePartialSuccess": false,
        "message": "",
        "expectedResults": 1,
        "failures": 0
    }
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ProcessType

{'data': {'resultIdToElementDataMap': {'***': {'simpleValues': {'hasRansomwareSuspendedProcesses': {'totalValues': 1, 'values': ['false']}, 'decisionFeature': {'totalValues': 1, 'values': ['Process.maliciousExecutionOfPowerShell(Malop decision)']}, 'rootCauseElementCompanyProduct': {'totalValues': 1, 'values': ['Microsoft Corporation : Microsoft® Windows® Operating System']}, 'malopStartTime': {'totalValues': 1, 'values': ['***']}, 'detectionType': {'totalValues': 1, 'values': ['CNC']}, 'malopActivityTypes': {'totalValues': 1, 'values': ['MALICIOUS_INFECTION']}, 'elementDisplayName': {'totalValues': 1, 'values': ['MALICIOUS_INFECTION']}, 'creationTime': {'totalValues': 1, 'values': ['***']}, 'iconBase64': {'totalValues': 1, 'values': ['***']}, 'isBlocked': {'totalValues': 1, 'values': ['false']}, 'rootCauseElementTypes': {'totalValues': 1, 'values': ['Process']}, 'rootCauseElementNames': {'totalValues': 1, 'values': ['***.exe']}, 'malopLastUpdateTime': {'totalValues': 1, 'values': ['***']}, 'allRansomwareProcessesSuspended': {'totalValues': 1, 'values': ['false']}, 'rootCauseElementHashes': {'totalValues': 1, 'values': ['***']}, 'managementStatus': {'totalValues': 1, 'values': ['TODO']}, 'closeTime': {'totalValues': 1, 'values': [None]}, 'closerName': {'totalValues': 1, 'values': [None]}, 'customClassification': {'totalValues': 1, 'values': ['None']}, 'comments': {'totalValues': 14, 'values': [{'commentId': '***-***-***-***-***', 'username': '***', 'message': 'ServiceNow Ticket ID: ***', 'timestamp': 1607678753145}, {'commentId': '***-***-***-***-***', 'username': '***', 'message': 'ServiceNow Ticket ID: **', 'timestamp': 1608027654510}, {'commentId': '***-***-***-***-***', 'username': '**', 'message': 'Resilient ID: ***', 'timestamp': 1614335212348}, {'commentId': '***-***-***-***-***', 'username': '**', 'message': 'ServiceNow Ticket ID: ***', 'timestamp': 1616583055333}, {'commentId': '***-***-***-***-***', 'username': '**', 'message': 'Resilient ID: ***',
'timestamp': 1631169951573}]}}, 'elementValues': {'primaryRootCauseElements': {'totalValues': 1, 'elementValues': [{'elementType': 'Process', 'guid': '-***', 'name': 'powershell.exe', 'hasSuspicions': True, 'hasMalops': True}], 'totalSuspicious': 1, 'totalMalicious': 1, 'guessedTotal': 0}, 'affectedUsers': {'totalValues': 1, 'elementValues': [{'elementType': 'User', 'guid': '***', 'name': '**\\**', 'hasSuspicions': False, 'hasMalops': False}], 'totalSuspicious': 0, 'totalMalicious': 0, 'guessedTotal': 0}, 'affectedMachines': {'totalValues': 1, 'elementValues': [{'elementType': 'Machine', 'guid': '-***', 'name': '**', 'hasSuspicions': False, 'hasMalops': False}], 'totalSuspicious': 0, 'totalMalicious': 0, 'guessedTotal': 0}}, 'suspicions': None, 'filterData': {'sortInGroupValue': '**', 'groupByValue': 'MalopProcessRuntime:* '}, 'isMalicious': False, 'suspicionCount': 0, 'guidString': '***', 'labelsIds': [], 'malopPriority': None, 'suspect': False, 'malicious': False}}, 'suspicionsMap': {}, 'evidenceMap': {}, 'totalPossibleResults': 1, 'guessedPossibleResults': 0, 'queryLimits': {'totalResultLimit': 10, 'perGroupLimit': 100, 'perFeatureLimit': 100, 'groupingFeature': {'elementInstanceType': 'MalopProcess', 'featureName': 'self'}, 'sortInGroupFeature': None}, 'queryTerminated': False, 'pathResultCounts': [{'featureDescriptor': {'elementInstanceType': 'MalopProcess', 'featureName': None}, 'count': 1}], 'guids': []}, 'status': 'SUCCESS', 'hidePartialSuccess': False, 'message': '', 'expectedResults': 1, 'failures': 0}

LoggonSessionType

{'data': {'resultIdToElementDataMap': {}, 'suspicionsMap': {}, 'evidenceMap': {}, 'totalPossibleResults': 0, 'guessedPossibleResults': 0, 'queryLimits': {'totalResultLimit': 10, 'perGroupLimit': 100, 'perFeatureLimit': 100, 'groupingFeature': {'elementInstanceType': 'MalopLogonSession', 'featureName': 'self'}, 'sortInGroupFeature': None}, 'queryTerminated': False, 'pathResultCounts': [{'featureDescriptor': {'elementInstanceType': 'MalopLogonSession', 'featureName': None}, 'count': 0}], 'guids': []}, 'status': 'SUCCESS', 'hidePartialSuccess': False, 'message': '', 'expectedResults': 1, 'failures

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned from D3 SOAR or third-party API calls, including the Failure Indicator, Status Code, and Message. These details help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Query Malops failed. An error occurred when calling the Query Malops operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cybereason portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Malop IDs Not Valid.

Error Sample Data

Query Malops failed. An error occurred when calling the Query Malops operation.

Status Code: 400.

Message: Malop IDs Not Valid.

Query Processes

Retrieves the processes that match the specified query criteria.

READER NOTE

For details about the parameters used in this command, see PROCESS (EDR) in Query Elements and Features from Cybereason’s API documentation.

All input parameters in this command are optional. If all inputs are empty, the first 100 processes from the Cybereason dataset will be returned.

Input

Input Parameter

Required/Optional

Description

Example

Machine

Optional

The name of the owner machine to query.

“***-2016”

Process Name

Optional

The name of the process to query.

“**.exe”

Limit

Optional

The maximum number of results (up to 1,000) to return. The default value is 100.

10

Has Suspicions

Optional

The option to query processes associated with any suspicious activities.

True

Has Incoming Connection

Optional

The option to query processes with incoming connections.

False

Has Outgoing Connection

Optional

The option to query processes with outgoing connections.

False

Has External Connection

Optional

The option to query processes with external connections.

False

Unsigned Unknown Reputation

Optional

The option to query processes whose image files are unsigned and unknown to reputation services.

False

From Temporary Folder

Optional

The option to query processes running from a temporary folder.

False

Privilege Escalation

Optional

The option to query processes that behave like a privilege escalation tool.

False

Malicious Psexec

Optional

The option to query processes that were executed maliciously through the PsExec service.

False

Custom Fields

Optional

An array of features of the selected elements for which to return data. Refer to PROCESS (EDR) in Query Elements and Features from Cybereason’s API documentation for details about the available features.

[ "elementDisplayName",

"creationTime",

"endTime",

"commandLine",

"productType"

]
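
The two halves of this command, the request the inputs above map onto and the nested response shown under Output below, as an added example that is not D3 SOAR's or Cybereason's own code. It builds the query body (clamping Limit to the 1,000 cap and defaulting it to 100, and adding no filter for an empty input) and flattens each resultIdToElementDataMap entry into one record, handling the null elementValues, [null] values and null suspicions that appear in the page's samples. The body shape (queryPath, requestedType, filters, connectFeature, customFields) is assumed from Cybereason's public query format rather than taken from this page, as is the Machine to Process hop through the "processes" feature; the boolean filters are keyed by feature name and the caller supplies those names. The sample response is constructed to mirror the page's output, not real data.

```python
"""Added example, not D3 SOAR's or Cybereason's own code: build the request body
the Query Processes inputs map onto, then flatten the nested
resultIdToElementDataMap response into one record per process.
Assumed (not stated on the page): the body follows Cybereason's public query
format (queryPath / requestedType / filters / connectFeature / customFields),
including the Machine -> Process hop through the "processes" feature."""
import json
from datetime import datetime, timezone

MAX_LIMIT = 1000      # page: at most 1,000 results
DEFAULT_LIMIT = 100   # page: default when Limit is empty
EPOCH_MS_FEATURES = ("creationTime", "endTime")  # epoch-millisecond strings


def build_process_query(machine=None, process_name=None, limit=None,
                        boolean_filters=None, custom_fields=None):
    """Request body for a Process query; empty inputs contribute no filter."""
    limit = DEFAULT_LIMIT if not limit or int(limit) <= 0 else int(limit)
    limit = min(limit, MAX_LIMIT)               # clamp to the page's hard cap
    filters = []
    if process_name:
        filters.append({"facetName": "elementDisplayName",
                        "values": [process_name], "filterType": "Equals"})
    # Boolean inputs keyed by feature name; the caller supplies the names
    # (e.g. "hasSuspicions", which also appears in the page's sample output).
    for feature, wanted in (boolean_filters or {}).items():
        if wanted is not None:
            filters.append({"facetName": feature, "values": [bool(wanted)],
                            "filterType": "Equals"})
    query_path = []
    if machine:  # assumption: scope to one machine via a Machine -> Process hop
        query_path.append({"requestedType": "Machine",
                           "filters": [{"facetName": "elementDisplayName",
                                        "values": [machine], "filterType": "Equals"}],
                           "connectFeature": {"elementInstanceType": "Machine",
                                              "featureName": "processes"}})
    query_path.append({"requestedType": "Process", "filters": filters,
                       "isResult": True})
    return {"queryPath": query_path, "totalResultLimit": limit,
            "perGroupLimit": 100, "perFeatureLimit": 100,
            "customFields": list(custom_fields or [])}


def _scalar(feature, values):
    """Collapse a one-element values list; decode epoch-ms strings to UTC ISO."""
    value = values[0] if len(values) == 1 else values
    if feature in EPOCH_MS_FEATURES and value not in (None, ""):
        return datetime.fromtimestamp(int(value) / 1000, tz=timezone.utc).isoformat()
    return value


def flatten_process(result_id, element):
    """One flat dict per resultIdToElementDataMap entry, tolerant of nulls."""
    record = {"resultId": result_id}
    for feature, payload in (element.get("simpleValues") or {}).items():
        record[feature] = _scalar(feature, (payload or {}).get("values") or [])
    for feature, payload in (element.get("elementValues") or {}).items():
        payload = payload or {}
        linked = payload.get("elementValues")   # null when only counts come back
        record[feature] = [e.get("name") for e in linked] if linked else []
        record[feature + "_count"] = payload.get("totalValues") or 0
    record["suspect"] = bool(element.get("suspect"))
    record["suspicionCount"] = element.get("suspicionCount") or 0
    record["suspicions"] = sorted((element.get("suspicions") or {}).keys())
    return record


def parse_process_response(response):
    """Check the envelope, then return records with the most suspicious first."""
    if response.get("status") != "SUCCESS":
        raise ValueError(f"query failed: {response.get('status')} "
                         f"{response.get('message') or ''}".strip())
    elements = (response.get("data") or {}).get("resultIdToElementDataMap") or {}
    records = [flatten_process(rid, el) for rid, el in elements.items()]
    return sorted(records, key=lambda r: r["suspicionCount"], reverse=True)


# Constructed sample mirroring the page's Query Processes output (not real data).
SAMPLE_RESPONSE = {
    "data": {"resultIdToElementDataMap": {
        "-111.222": {
            "simpleValues": {
                "calculatedName": {"totalValues": 1, "values": ["conhost.exe"]},
                "imageFile.isSigned": {"totalValues": 1, "values": ["true"]},
                "creationTime": {"totalValues": 1, "values": ["1604490115442"]},
                "endTime": {"totalValues": 1, "values": [None]}},
            "elementValues": {
                "parentProcess": {"totalValues": 1, "elementValues": [
                    {"elementType": "Process", "guid": "-333", "name": "wmic.exe",
                     "hasSuspicions": False, "hasMalops": False}]},
                "loadedModules": {"totalValues": 32, "elementValues": None}},
            "suspicions": {"blackListModuleSuspicion": 1604490115442,
                           "blackListFileSuspicion": 1604490115442},
            "suspicionCount": 2, "suspect": True, "malicious": False},
        "-444.555": {
            "simpleValues": {"calculatedName": {"totalValues": 1, "values": ["svchost.exe"]}},
            "elementValues": {}, "suspicions": None,
            "suspicionCount": 0, "suspect": False, "malicious": False}}},
    "status": "SUCCESS", "message": "", "expectedResults": 1, "failures": 0}

if __name__ == "__main__":
    print(json.dumps(build_process_query(machine="HOST-2016", limit=10), indent=2))
    print(json.dumps(parse_process_response(SAMPLE_RESPONSE), indent=2))
```

The flattener deliberately keeps a separate `<feature>_count` next to each linked-element list: in the page's sample, loadedModules reports totalValues 32 with elementValues null, so a playbook that only looked at the list would read "no modules" where the API actually said "32 modules, not expanded". The envelope check raises on any status other than SUCCESS so the failure surfaces with the API's message rather than as an empty result set.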

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": {
        "resultIdToElementDataMap": {
            "-***": {
                "simpleValues": {
                    "imageFile.maliciousClassificationType": {
                        "totalValues": 1,
                        "values": [
                            "indifferent"
                        ]
                    },
                    "imageFile.companyName": {
                        "totalValues": 1,
                        "values": [
                            "Microsoft Corporation"
                        ]
                    },
                    "pid": {
                        "totalValues": 1,
                        "values": [
                            "**"
                        ]
                    },
                    "productType": {
                        "totalValues": 1,
                        "values": [
                            "NONE"
                        ]
                    },
                    "imageFile.productName": {
                        "totalValues": 1,
                        "values": [
                            "Microsoft® Windows® Operating System"
                        ]
                    },
                    "imageFile.isSigned": {
                        "totalValues": 1,
                        "values": [
                            "true"
                        ]
                    },
                    "isChainOfInjections": {
                        "totalValues": 1,
                        "values": [
                            "false"
                        ]
                    },
                    "creationTime": {
                        "totalValues": 1,
                        "values": [
                            "1604490115442"
                        ]
                    },
                    "imageFile.signatureVerified": {
                        "totalValues": 1,
                        "values": [
                            "true"
                        ]
                    },
                    "calculatedName": {
                        "totalValues": 1,
                        "values": [
                            "conhost.exe"
                        ]
                    },
                    "imageFile.sha256String": {
                        "totalValues": 1,
                        "values": [
                            "***"
                        ]
                    },
                    "imageFile.md5String": {
                        "totalValues": 1,
                        "values": [
                            "**"
                        ]
                    },
                    "iconBase64": {
                        "totalValues": 1,
                        "values": [
                            "***"
                        ]
                    },
                    "imageFile.classificationLink": {
                        "totalValues": 1,
                        "values": [
                            "https://www.virustotal.com/gui/file/**"
                        ]
                    },
                    "imageFile.sha1String": {
                        "totalValues": 1,
                        "values": [
                            "***"
                        ]
                    },
                    "markedForPrevention": {
                        "totalValues": 1,
                        "values": [
                            "false"
                        ]
                    },
                    "endTime": {
                        "totalValues": 1,
                        "values": [
                            "1604490115532"
                        ]
                    },
                    "commandLine": {
                        "totalValues": 1,
                        "values": [
                            "\\??\\C:\\WINDOWS\\***\\**.exe ** -**"
                        ]
                    },
                    "imageFile.productType": {
                        "totalValues": 1,
                        "values": [
                            "NONE"
                        ]
                    },
                    "imageFile.correctedPath": {
                        "totalValues": 1,
                        "values": [
                            "c:\\windows\\**\\**.exe"
                        ]
                    },
                    "isLiveProcess": {
                        "totalValues": 1,
                        "values": [
                            "false"
                        ]
                    },
                    "isWhiteListClassification": {
                        "totalValues": 1,
                        "values": [
                            "false"
                        ]
                    },
                    "executionPrevented": {
                        "totalValues": 1,
                        "values": [
                            "false"
                        ]
                    },
                    "elementDisplayName": {
                        "totalValues": 1,
                        "values": [
                            "***.exe"
                        ]
                    }
                },
                "elementValues": {
                    "blackListModuleEvidence": {
                        "totalValues": 1,
                        "elementValues": null,
                        "totalSuspicious": 1,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    },
                    "fileBlackListEvidence": {
                        "totalValues": 1,
                        "elementValues": [
                            {
                                "elementType": "File",
                                "guid": "-***",
                                "name": "***.exe",
                                "hasSuspicions": true,
                                "hasMalops": false
                            }
                        ],
                        "totalSuspicious": 1,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    },
                    "calculatedUser": {
                        "totalValues": 1,
                        "elementValues": [
                            {
                                "elementType": "User",
                                "guid": "0.-**",
                                "name": "***-2016\\system",
                                "hasSuspicions": false,
                                "hasMalops": false
                            }
                        ],
                        "totalSuspicious": 0,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    },
                    "ownerMachine": {
                        "totalValues": 1,
                        "elementValues": [
                            {
                                "elementType": "Machine",
                                "guid": "-***",
                                "name": "***-2016",
                                "hasSuspicions": false,
                                "hasMalops": false
                            }
                        ],
                        "totalSuspicious": 0,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    },
                    "hasNotInLoaderDbEvidence": {
                        "totalValues": 1,
                        "elementValues": null,
                        "totalSuspicious": 0,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    },
                    "loadedModules": {
                        "totalValues": 32,
                        "elementValues": null,
                        "totalSuspicious": 1,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    },
                    "parentProcess": {
                        "totalValues": 1,
                        "elementValues": [
                            {
                                "elementType": "Process",
                                "guid": "-***",
                                "name": "wmic.exe",
                                "hasSuspicions": false,
                                "hasMalops": false
                            }
                        ],
                        "totalSuspicious": 0,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    },
                    "imageFile": {
                        "totalValues": 1,
                        "elementValues": [
                            {
                                "elementType": "File",
                                "guid": "-***",
                                "name": "conhost.exe",
                                "hasSuspicions": true,
                                "hasMalops": false
                            }
                        ],
                        "totalSuspicious": 1,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    },
                    "self": {
                        "totalValues": 1,
                        "elementValues": [
                            {
                                "elementType": "Process",
                                "guid": "-**",
                                "name": "conhost.exe",
                                "hasSuspicions": true,
                                "hasMalops": false
                            }
                        ],
                        "totalSuspicious": 1,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    },
                    "systemUserEvidence": {
                        "totalValues": 1,
                        "elementValues": [
                            {
                                "elementType": "User",
                                "guid": "0.-**",
                                "name": "**-2016\\system",
                                "hasSuspicions": false,
                                "hasMalops": false
                            }
                        ],
                        "totalSuspicious": 0,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    }
                },
                "suspicions": {
                    "blackListModuleSuspicion": **,
                    "blackListFileSuspicion": ***
                },
                "filterData": {
                    "sortInGroupValue": "-***",
                    "groupByValue": "***.exe"
                },
                "isMalicious": false,
                "suspicionCount": 2,
                "guidString": "-***",
                "labelsIds": null,
                "malopPriority": null,
                "suspect": true,
                "malicious": false
            },
            "-**.-*": {
                "simpleValues": {
                    "imageFile.maliciousClassificationType": {
                        "totalValues": 1,
                        "values": [
                            "indifferent"
                        ]
                    },
                    "imageFile.companyName": {
                        "totalValues": 1,
                        "values": [
                            "Microsoft Corporation"
                        ]
                    },
                    "pid": {
                        "totalValues": 1,
                        "values": [
                            "**"
                        ]
                    },
                    "productType": {
                        "totalValues": 1,
                        "values": [
                            "NONE"
                        ]
                    },
                    "imageFile.productName": {
                        "totalValues": 1,
                        "values": [
                            "Microsoft® Windows® Operating System"
                        ]
                    },
                    "imageFile.isSigned": {
                        "totalValues": 1,
                        "values": [
                            "true"
                        ]
                    },
                    "isChainOfInjections": {
                        "totalValues": 1,
                        "values": [
                            "false"
                        ]
                    },
                    "creationTime": {
                        "totalValues": 1,
                        "values": [
                            "1599724428229"
                        ]
                    },
                    "imageFile.signatureVerified": {
                        "totalValues": 1,
                        "values": [
                            "true"
                        ]
                    },
                    "calculatedName": {
                        "totalValues": 1,
                        "values": [
                            "***.exe"
                        ]
                    },
                    "imageFile.sha256String": {
                        "totalValues": 1,
                        "values": [
                            "***"
                        ]
                    },
                    "imageFile.md5String": {
                        "totalValues": 1,
                        "values": [
                            "**"
                        ]
                    },
                    "iconBase64": {
                        "totalValues": 1,
                        "values": [
                            "**/*"
                        ]
                    },
                    "imageFile.classificationLink": {
                        "totalValues": 1,
                        "values": [
                            "https://www.virustotal.com/gui/file/*/detection/f-**-**"
                        ]
                    },
                    "imageFile.sha1String": {
                        "totalValues": 1,
                        "values": [
                            "**"
                        ]
                    },
                    "markedForPrevention": {
                        "totalValues": 1,
                        "values": [
                            "false"
                        ]
                    },
                    "endTime": {
                        "totalValues": 1,
                        "values": [
                            "1599724428319"
                        ]
                    },
                    "commandLine": {
                        "totalValues": 1,
                        "values": [
                            "\\??\\C:\\WINDOWS\\**\\conhost.exe **-**"
                        ]
                    },
                    "imageFile.productType": {
                        "totalValues": 1,
                        "values": [
                            "NONE"
                        ]
                    },
                    "imageFile.correctedPath": {
                        "totalValues": 1,
                        "values": [
                            "c:\\windows\\**\\**.exe"
                        ]
                    },
                    "isLiveProcess": {
                        "totalValues": 1,
                        "values": [
                            "false"
                        ]
                    },
                    "isWhiteListClassification": {
                        "totalValues": 1,
                        "values": [
                            "false"
                        ]
                    },
                    "executionPrevented": {
                        "totalValues": 1,
                        "values": [
                            "false"
                        ]
                    },
                    "elementDisplayName": {
                        "totalValues": 1,
                        "values": [
                            "conhost.exe"
                        ]
                    }
                },
                "elementValues": {
                    "blackListedFileHash": {
                        "totalValues": 1,
                        "elementValues": null,
                        "totalSuspicious": 1,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    },
                    "blackListModuleEvidence": {
                        "totalValues": 1,
                        "elementValues": null,
                        "totalSuspicious": 1,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    },
                    "fileBlackListEvidence": {
                        "totalValues": 1,
                        "elementValues": [
                            {
                                "elementType": "File",
                                "guid": "-**",
                                "name": "conhost.exe",
                                "hasSuspicions": true,
                                "hasMalops": false
                            }
                        ],
                        "totalSuspicious": 1,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    },
                    "calculatedUser": {
                        "totalValues": 1,
                        "elementValues": [
                            {
                                "elementType": "User",
                                "guid": "0.-**",
                                "name": "**-2016\\system",
                                "hasSuspicions": false,
                                "hasMalops": false
                            }
                        ],
                        "totalSuspicious": 0,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    },
                    "ownerMachine": {
                        "totalValues": 1,
                        "elementValues": [
                            {
                                "elementType": "Machine",
                                "guid": "-***",
                                "name": "**-2016",
                                "hasSuspicions": false,
                                "hasMalops": false
                            }
                        ],
                        "totalSuspicious": 0,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    },
                    "hasNotInLoaderDbEvidence": {
                        "totalValues": 1,
                        "elementValues": null,
                        "totalSuspicious": 0,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    },
                    "loadedModules": {
                        "totalValues": 32,
                        "elementValues": null,
                        "totalSuspicious": 1,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    },
                    "parentProcess": {
                        "totalValues": 1,
                        "elementValues": [
                            {
                                "elementType": "Process",
                                "guid": "-*",
                                "name": "wmic.exe",
                                "hasSuspicions": false,
                                "hasMalops": false
                            }
                        ],
                        "totalSuspicious": 0,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    },
                    "imageFile": {
                        "totalValues": 1,
                        "elementValues": [
                            {
                                "elementType": "File",
                                "guid": "-**",
                                "name": "conhost.exe",
                                "hasSuspicions": true,
                                "hasMalops": false
                            }
                        ],
                        "totalSuspicious": 1,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    },
                    "self": {
                        "totalValues": 1,
                        "elementValues": [
                            {
                                "elementType": "Process",
                                "guid": "-**.-**",
                                "name": "conhost.exe",
                                "hasSuspicions": true,
                                "hasMalops": true
                            }
                        ],
                        "totalSuspicious": 1,
                        "totalMalicious": 1,
                        "guessedTotal": 0
                    },
                    "systemUserEvidence": {
                        "totalValues": 1,
                        "elementValues": [
                            {
                                "elementType": "User",
                                "guid": "0.-**",
                                "name": "*-2016\\system",
                                "hasSuspicions": false,
                                "hasMalops": false
                            }
                        ],
                        "totalSuspicious": 0,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    }
                },
                "suspicions": {
                    "blackListModuleSuspicion": ***,
                    "blackListFileSuspicion": ***
                },
                "filterData": {
                    "sortInGroupValue": "-***.-***",
                    "groupByValue": "conhost.exe"
                },
                "isMalicious": true,
                "suspicionCount": 2,
                "guidString": "-**.-***",
                "labelsIds": null,
                "malopPriority": null,
                "suspect": true,
                "malicious": true
            },
            "-**": {
                "simpleValues": {
                    "imageFile.maliciousClassificationType": {
                        "totalValues": 1,
                        "values": [
                            "indifferent"
                        ]
                    },
                    "imageFile.companyName": {
                        "totalValues": 1,
                        "values": [
                            "Microsoft Corporation"
                        ]
                    },
                    "pid": {
                        "totalValues": 1,
                        "values": [
                            "5968"
                        ]
                    },
                    "productType": {
                        "totalValues": 1,
                        "values": [
                            "NONE"
                        ]
                    },
                    "imageFile.productName": {
                        "totalValues": 1,
                        "values": [
                            "Microsoft® Windows® Operating System"
                        ]
                    },
                    "imageFile.isSigned": {
                        "totalValues": 1,
                        "values": [
                            "true"
                        ]
                    },
                    "isChainOfInjections": {
                        "totalValues": 1,
                        "values": [
                            "false"
                        ]
                    },
                    "creationTime": {
                        "totalValues": 1,
                        "values": [
                            "Z**"
                        ]
                    },
                    "imageFile.signatureVerified": {
                        "totalValues": 1,
                        "values": [
                            "true"
                        ]
                    },
                    "calculatedName": {
                        "totalValues": 1,
                        "values": [
                            "**.exe"
                        ]
                    },
                    "imageFile.sha256String": {
                        "totalValues": 1,
                        "values": [
                            "*"
                        ]
                    },
                    "imageFile.md5String": {
                        "totalValues": 1,
                        "values": [
                            "**"
                        ]
                    },
                    "iconBase64": {
                        "totalValues": 1,
                        "values": [
                            "**"
                        ]
                    },
                    "imageFile.classificationLink": {
                        "totalValues": 1,
                        "values": [
                            "https://www.virustotal.com/gui/file/**/detection/f-***-1605248738"
                        ]
                    },
                    "imageFile.sha1String": {
                        "totalValues": 1,
                        "values": [
                            "***"
                        ]
                    },
                    "markedForPrevention": {
                        "totalValues": 1,
                        "values": [
                            "false"
                        ]
                    },
                    "endTime": {
                        "totalValues": 1,
                        "values": [
                            "**"
                        ]
                    },
                    "commandLine": {
                        "totalValues": 1,
                        "values": [
                            "\\??\\C:\\WINDOWS\\**\\**.exe **-**"
                        ]
                    },
                    "imageFile.productType": {
                        "totalValues": 1,
                        "values": [
                            "NONE"
                        ]
                    },
                    "imageFile.correctedPath": {
                        "totalValues": 1,
                        "values": [
                            "c:\\windows\\**\\**.exe"
                        ]
                    },
                    "isLiveProcess": {
                        "totalValues": 1,
                        "values": [
                            "false"
                        ]
                    },
                    "isWhiteListClassification": {
                        "totalValues": 1,
                        "values": [
                            "false"
                        ]
                    },
                    "executionPrevented": {
                        "totalValues": 1,
                        "values": [
                            "false"
                        ]
                    },
                    "elementDisplayName": {
                        "totalValues": 1,
                        "values": [
                            "conhost.exe"
                        ]
                    }
                },
                "elementValues": {
                    "blackListedFileHash": {
                        "totalValues": 1,
                        "elementValues": null,
                        "totalSuspicious": 1,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    },
                    "blackListModuleEvidence": {
                        "totalValues": 1,
                        "elementValues": null,
                        "totalSuspicious": 1,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    },
                    "fileBlackListEvidence": {
                        "totalValues": 1,
                        "elementValues": [
                            {
                                "elementType": "File",
                                "guid": "-***",
                                "name": "***.exe",
                                "hasSuspicions": true,
                                "hasMalops": false
                            }
                        ],
                        "totalSuspicious": 1,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    },
                    "calculatedUser": {
                        "totalValues": 1,
                        "elementValues": [
                            {
                                "elementType": "User",
                                "guid": "0.-***",
                                "name": "***-2016\\system",
                                "hasSuspicions": false,
                                "hasMalops": false
                            }
                        ],
                        "totalSuspicious": 0,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    },
                    "ownerMachine": {
                        "totalValues": 1,
                        "elementValues": [
                            {
                                "elementType": "Machine",
                                "guid": "-***",
                                "name": "***-2016",
                                "hasSuspicions": false,
                                "hasMalops": false
                            }
                        ],
                        "totalSuspicious": 0,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    },
                    "hasNotInLoaderDbEvidence": {
                        "totalValues": 1,
                        "elementValues": null,
                        "totalSuspicious": 0,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    },
                    "loadedModules": {
                        "totalValues": 32,
                        "elementValues": null,
                        "totalSuspicious": 1,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    },
                    "parentProcess": {
                        "totalValues": 1,
                        "elementValues": [
                            {
                                "elementType": "Process",
                                "guid": "-***.-***",
                                "name": "***.exe",
                                "hasSuspicions": false,
                                "hasMalops": false
                            }
                        ],
                        "totalSuspicious": 0,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    },
                    "imageFile": {
                        "totalValues": 1,
                        "elementValues": [
                            {
                                "elementType": "File",
                                "guid": "-***",
                                "name": "***.exe",
                                "hasSuspicions": true,
                                "hasMalops": false
                            }
                        ],
                        "totalSuspicious": 1,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    },
                    "self": {
                        "totalValues": 1,
                        "elementValues": [
                            {
                                "elementType": "Process",
                                "guid": "-*",
                                "name": "**.exe",
                                "hasSuspicions": true,
                                "hasMalops": true
                            }
                        ],
                        "totalSuspicious": 1,
                        "totalMalicious": 1,
                        "guessedTotal": 0
                    },
                    "systemUserEvidence": {
                        "totalValues": 1,
                        "elementValues": [
                            {
                                "elementType": "User",
                                "guid": "0.-**",
                                "name": "***-2016\\system",
                                "hasSuspicions": false,
                                "hasMalops": false
                            }
                        ],
                        "totalSuspicious": 0,
                        "totalMalicious": 0,
                        "guessedTotal": 0
                    }
                },
                "suspicions": {
                    "blackListModuleSuspicion": ***,
                    "blackListFileSuspicion": **
                },
                "filterData": {
                    "sortInGroupValue": "-***",
                    "groupByValue": "***.exe"
                },
                "isMalicious": true,
                "suspicionCount": 2,
                "guidString": "-***",
                "labelsIds": null,
                "malopPriority": null,
                "suspect": true,
                "malicious": true
            }
        },
        "suspicionsMap": {
            "blackListModuleSuspicion": {
                "potentialEvidence": [
                    "blackListModuleEvidence"
                ],
                "firstTimestamp": 1605287238848,
                "totalSuspicions": 100
            },
            "blackListFileSuspicion": {
                "potentialEvidence": [
                    "fileBlackListEvidence"
                ],
                "firstTimestamp": 1601025240901,
                "totalSuspicions": 100
            }
        },
        "evidenceMap": {
            "blackListModuleEvidence": 100,
            "fileBlackListEvidence": 100,
            "systemUserEvidence": 65,
            "hasNotInLoaderDbEvidence": 100
        },
        "totalPossibleResults": 482,
        "guessedPossibleResults": 0,
        "queryLimits": {
            "totalResultLimit": 100,
            "perGroupLimit": 100,
            "perFeatureLimit": 0,
            "groupingFeature": {
                "elementInstanceType": "Process",
                "featureName": "imageFileHash"
            },
            "sortInGroupFeature": null
        },
        "queryTerminated": false,
        "pathResultCounts": [
            {
                "featureDescriptor": {
                    "elementInstanceType": "Process",
                    "featureName": null
                },
                "count": 482
            }
        ],
        "guids": []
    },
    "status": "SUCCESS",
    "hidePartialSuccess": false,
    "message": "",
    "expectedResults": 1,
    "failures": 0
}
Context Data

The data extracted from the Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the object at the path $.data.resultIdToElementDataMap from the JSON returned by the API.

It is recommended to refer to the Raw Data rather than the Context Data, since the Raw Data contains the complete API response. D3 will deprecate Context Data in the future, and playbook tasks that use Context Data will be replaced with Raw Data.
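
The extraction described above, carried through to a flat per-process record, as an added example that is not D3 SOAR's or Cybereason's own code. It assumes the response shape shown in the samples (simpleValues entries wrapping a "values" list, elementValues entries wrapping an "elementValues" list that the API may return as null) and uses a constructed response with placeholder GUIDs and hashes; the truncation check on totalPossibleResults is the caveat a playbook author should carry, since the sample query returned 100 of 482 matches.

```python
"""Flatten a Cybereason query response into per-process triage records.
Added example (not D3 SOAR's or Cybereason's code): applies the Context Data extraction
described above ($.data.resultIdToElementDataMap) and flattens each element's wrappers."""
import json

def _feature(*values):
    """A simpleValues entry in the API's {"totalValues", "values"} shape."""
    return {"totalValues": len(values), "values": list(values)}

def _relation(total, suspicious, *elements):
    """An elementValues entry; the API returns the list as null when it is not expanded."""
    return {"totalValues": total, "elementValues": list(elements) or None,
            "totalSuspicious": suspicious, "totalMalicious": 0, "guessedTotal": 0}

def _elem(etype, guid, name):
    return {"elementType": etype, "guid": guid, "name": name, "hasSuspicions": False, "hasMalops": False}
# Constructed sample Raw Data (placeholder GUIDs and hashes), shaped like the page's sample.
RAW_RESPONSE = json.dumps({
    "data": {
        "resultIdToElementDataMap": {
            "PROC-GUID-1": {
                "simpleValues": {
                    "pid": _feature("5968"),
                    "elementDisplayName": _feature("conhost.exe"),
                    "imageFile.sha256String": _feature("SHA256-PLACEHOLDER-1"),
                    "imageFile.isSigned": _feature("true"),
                    "imageFile.signatureVerified": _feature("true"),
                },
                "elementValues": {
                    "parentProcess": _relation(1, 0, _elem("Process", "PARENT-GUID-1", "wmic.exe")),
                    "loadedModules": _relation(32, 1),  # 32 modules, one suspicious, none expanded
                },
                "suspicions": {"blackListModuleSuspicion": 1605287238848,
                               "blackListFileSuspicion": 1601025240901},
                "isMalicious": True, "suspicionCount": 2, "suspect": True, "malicious": True,
            },
            "PROC-GUID-2": {
                "simpleValues": {
                    "pid": _feature("4120"),
                    "elementDisplayName": _feature("conhost.exe"),
                    "imageFile.sha256String": _feature("SHA256-PLACEHOLDER-2"),
                    "imageFile.isSigned": _feature("true"),
                    "imageFile.signatureVerified": _feature("false"),
                },
                "elementValues": {
                    "parentProcess": _relation(1, 0, _elem("Process", "PARENT-GUID-2", "cmd.exe")),
                    "loadedModules": _relation(28, 0),
                },
                "suspicions": {"blackListFileSuspicion": 1601025240901},
                "isMalicious": False, "suspicionCount": 1, "suspect": True, "malicious": False,
            },
        },
        "totalPossibleResults": 482,  # more matches exist than the capped query returned
    },
    "status": "SUCCESS", "message": "",
})
FAILED_RESPONSE = json.dumps({"status": "FAILURE", "message": "constructed error"})

def context_data(raw_json):
    """The object at $.data.resultIdToElementDataMap, which is what D3's Context Data holds."""
    raw = json.loads(raw_json)
    if raw.get("status") != "SUCCESS":  # fail loudly instead of yielding an empty map
        raise ValueError(f"Cybereason query failed: {raw.get('status')} {raw.get('message')}")
    return raw["data"]["resultIdToElementDataMap"]

def first_value(element, feature, default=None):
    """First entry of simpleValues[feature].values, or default when the feature is absent."""
    entry = element.get("simpleValues", {}).get(feature)
    return entry["values"][0] if entry and entry.get("values") else default

def related_names(element, relation):
    """Names under elementValues[relation]; [] when the API returned the list as null."""
    entry = element.get("elementValues", {}).get(relation) or {}
    return [e["name"] for e in entry.get("elementValues") or []]

def flatten(guid, element):
    """Reduce one process element to the fields a playbook acts on."""
    modules = element.get("elementValues", {}).get("loadedModules") or {}
    return {
        "guid": guid,
        "name": first_value(element, "elementDisplayName"),
        "pid": int(first_value(element, "pid", "0")),  # the API reports pid as a string
        "sha256": first_value(element, "imageFile.sha256String"),
        "signature_ok": first_value(element, "imageFile.isSigned") == "true"
        and first_value(element, "imageFile.signatureVerified") == "true",  # string flags
        "parent": (related_names(element, "parentProcess") or [None])[0],
        "suspicions": sorted(element.get("suspicions") or {}),
        "malicious": bool(element.get("isMalicious")),
        "suspicious_modules": modules.get("totalSuspicious", 0),  # counted even when not expanded
    }

def triage(raw_json):
    """Flatten every element, malicious first, and flag a truncated result set."""
    elements = context_data(raw_json)
    records = sorted((flatten(g, e) for g, e in elements.items()),
                     key=lambda r: (not r["malicious"], r["name"] or "", r["pid"]))
    total = json.loads(raw_json)["data"].get("totalPossibleResults", len(elements))
    # Absence from a capped result set is not a clean bill; surface the flag to the analyst.
    return {"records": records, "returned": len(elements), "total_possible": total,
            "truncated": total > len(elements)}
```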

SAMPLE DATA

CODE
{
      "-***": {
          "simpleValues": {
              "imageFile.maliciousClassificationType": {
                  "totalValues": 1,
                  "values": [
                      "indifferent"
                  ]
              },
              "imageFile.companyName": {
                  "totalValues": 1,
                  "values": [
                      "Microsoft Corporation"
                  ]
              },
              "pid": {
                  "totalValues": 1,
                  "values": [
                      "**"
                  ]
              },
              "productType": {
                  "totalValues": 1,
                  "values": [
                      "NONE"
                  ]
              },
              "imageFile.productName": {
                  "totalValues": 1,
                  "values": [
                      "Microsoft® Windows® Operating System"
                  ]
              },
              "imageFile.isSigned": {
                  "totalValues": 1,
                  "values": [
                      "true"
                  ]
              },
              "isChainOfInjections": {
                  "totalValues": 1,
                  "values": [
                      "false"
                  ]
              },
              "creationTime": {
                  "totalValues": 1,
                  "values": [
                      "1604490115442"
                  ]
              },
              "imageFile.signatureVerified": {
                  "totalValues": 1,
                  "values": [
                      "true"
                  ]
              },
              "calculatedName": {
                  "totalValues": 1,
                  "values": [
                      "conhost.exe"
                  ]
              },
              "imageFile.sha256String": {
                  "totalValues": 1,
                  "values": [
                      "***"
                  ]
              },
              "imageFile.md5String": {
                  "totalValues": 1,
                  "values": [
                      "**"
                  ]
              },
              "iconBase64": {
                  "totalValues": 1,
                  "values": [
                      "***"
                  ]
              },
              "imageFile.classificationLink": {
                  "totalValues": 1,
                  "values": [
                      "https://www.virustotal.com/gui/file/**"
                  ]
              },
              "imageFile.sha1String": {
                  "totalValues": 1,
                  "values": [
                      "***"
                  ]
              },
              "markedForPrevention": {
                  "totalValues": 1,
                  "values": [
                      "false"
                  ]
              },
              "endTime": {
                  "totalValues": 1,
                  "values": [
                      "1604490115532"
                  ]
              },
              "commandLine": {
                  "totalValues": 1,
                  "values": [
                      "\\??\\C:\\WINDOWS\\***\\**.exe ** -**"
                  ]
              },
              "imageFile.productType": {
                  "totalValues": 1,
                  "values": [
                      "NONE"
                  ]
              },
              "imageFile.correctedPath": {
                  "totalValues": 1,
                  "values": [
                      "c:\\windows\\**\\**.exe"
                  ]
              },
              "isLiveProcess": {
                  "totalValues": 1,
                  "values": [
                      "false"
                  ]
              },
              "isWhiteListClassification": {
                  "totalValues": 1,
                  "values": [
                      "false"
                  ]
              },
              "executionPrevented": {
                  "totalValues": 1,
                  "values": [
                      "false"
                  ]
              },
              "elementDisplayName": {
                  "totalValues": 1,
                  "values": [
                      "***.exe"
                  ]
              }
          },
          "elementValues": {
              "blackListModuleEvidence": {
                  "totalValues": 1,
                  "elementValues": null,
                  "totalSuspicious": 1,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              },
              "fileBlackListEvidence": {
                  "totalValues": 1,
                  "elementValues": [
                      {
                          "elementType": "File",
                          "guid": "-***",
                          "name": "***.exe",
                          "hasSuspicions": true,
                          "hasMalops": false
                      }
                  ],
                  "totalSuspicious": 1,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              },
              "calculatedUser": {
                  "totalValues": 1,
                  "elementValues": [
                      {
                          "elementType": "User",
                          "guid": "0.-**",
                          "name": "***-2016\\system",
                          "hasSuspicions": false,
                          "hasMalops": false
                      }
                  ],
                  "totalSuspicious": 0,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              },
              "ownerMachine": {
                  "totalValues": 1,
                  "elementValues": [
                      {
                          "elementType": "Machine",
                          "guid": "-***",
                          "name": "***-2016",
                          "hasSuspicions": false,
                          "hasMalops": false
                      }
                  ],
                  "totalSuspicious": 0,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              },
              "hasNotInLoaderDbEvidence": {
                  "totalValues": 1,
                  "elementValues": null,
                  "totalSuspicious": 0,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              },
              "loadedModules": {
                  "totalValues": 32,
                  "elementValues": null,
                  "totalSuspicious": 1,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              },
              "parentProcess": {
                  "totalValues": 1,
                  "elementValues": [
                      {
                          "elementType": "Process",
                          "guid": "-***",
                          "name": "wmic.exe",
                          "hasSuspicions": false,
                          "hasMalops": false
                      }
                  ],
                  "totalSuspicious": 0,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              },
              "imageFile": {
                  "totalValues": 1,
                  "elementValues": [
                      {
                          "elementType": "File",
                          "guid": "-***",
                          "name": "conhost.exe",
                          "hasSuspicions": true,
                          "hasMalops": false
                      }
                  ],
                  "totalSuspicious": 1,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              },
              "self": {
                  "totalValues": 1,
                  "elementValues": [
                      {
                          "elementType": "Process",
                          "guid": "-**",
                          "name": "conhost.exe",
                          "hasSuspicions": true,
                          "hasMalops": false
                      }
                  ],
                  "totalSuspicious": 1,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              },
              "systemUserEvidence": {
                  "totalValues": 1,
                  "elementValues": [
                      {
                          "elementType": "User",
                          "guid": "0.-**",
                          "name": "**-2016\\system",
                          "hasSuspicions": false,
                          "hasMalops": false
                      }
                  ],
                  "totalSuspicious": 0,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              }
          },
          "suspicions": {
              "blackListModuleSuspicion": **,
              "blackListFileSuspicion": ***
          },
          "filterData": {
              "sortInGroupValue": "-***",
              "groupByValue": "***.exe"
          },
          "isMalicious": false,
          "suspicionCount": 2,
          "guidString": "-***",
          "labelsIds": null,
          "malopPriority": null,
          "suspect": true,
          "malicious": false
      },
      "-**.-*": {
          "simpleValues": {
              "imageFile.maliciousClassificationType": {
                  "totalValues": 1,
                  "values": [
                      "indifferent"
                  ]
              },
              "imageFile.companyName": {
                  "totalValues": 1,
                  "values": [
                      "Microsoft Corporation"
                  ]
              },
              "pid": {
                  "totalValues": 1,
                  "values": [
                      "**"
                  ]
              },
              "productType": {
                  "totalValues": 1,
                  "values": [
                      "NONE"
                  ]
              },
              "imageFile.productName": {
                  "totalValues": 1,
                  "values": [
                      "Microsoft® Windows® Operating System"
                  ]
              },
              "imageFile.isSigned": {
                  "totalValues": 1,
                  "values": [
                      "true"
                  ]
              },
              "isChainOfInjections": {
                  "totalValues": 1,
                  "values": [
                      "false"
                  ]
              },
              "creationTime": {
                  "totalValues": 1,
                  "values": [
                      "1599724428229"
                  ]
              },
              "imageFile.signatureVerified": {
                  "totalValues": 1,
                  "values": [
                      "true"
                  ]
              },
              "calculatedName": {
                  "totalValues": 1,
                  "values": [
                      "***.exe"
                  ]
              },
              "imageFile.sha256String": {
                  "totalValues": 1,
                  "values": [
                      "***"
                  ]
              },
              "imageFile.md5String": {
                  "totalValues": 1,
                  "values": [
                      "**"
                  ]
              },
              "iconBase64": {
                  "totalValues": 1,
                  "values": [
                      "**/*"
                  ]
              },
              "imageFile.classificationLink": {
                  "totalValues": 1,
                  "values": [
                      "https://www.virustotal.com/gui/file/*/detection/f-**-**"
                  ]
              },
              "imageFile.sha1String": {
                  "totalValues": 1,
                  "values": [
                      "**"
                  ]
              },
              "markedForPrevention": {
                  "totalValues": 1,
                  "values": [
                      "false"
                  ]
              },
              "endTime": {
                  "totalValues": 1,
                  "values": [
                      "1599724428319"
                  ]
              },
              "commandLine": {
                  "totalValues": 1,
                  "values": [
                      "\\??\\C:\\WINDOWS\\**\\conhost.exe **-**"
                  ]
              },
              "imageFile.productType": {
                  "totalValues": 1,
                  "values": [
                      "NONE"
                  ]
              },
              "imageFile.correctedPath": {
                  "totalValues": 1,
                  "values": [
                      "c:\\windows\\**\\**.exe"
                  ]
              },
              "isLiveProcess": {
                  "totalValues": 1,
                  "values": [
                      "false"
                  ]
              },
              "isWhiteListClassification": {
                  "totalValues": 1,
                  "values": [
                      "false"
                  ]
              },
              "executionPrevented": {
                  "totalValues": 1,
                  "values": [
                      "false"
                  ]
              },
              "elementDisplayName": {
                  "totalValues": 1,
                  "values": [
                      "conhost.exe"
                  ]
              }
          },
          "elementValues": {
              "blackListedFileHash": {
                  "totalValues": 1,
                  "elementValues": null,
                  "totalSuspicious": 1,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              },
              "blackListModuleEvidence": {
                  "totalValues": 1,
                  "elementValues": null,
                  "totalSuspicious": 1,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              },
              "fileBlackListEvidence": {
                  "totalValues": 1,
                  "elementValues": [
                      {
                          "elementType": "File",
                          "guid": "-**",
                          "name": "conhost.exe",
                          "hasSuspicions": true,
                          "hasMalops": false
                      }
                  ],
                  "totalSuspicious": 1,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              },
              "calculatedUser": {
                  "totalValues": 1,
                  "elementValues": [
                      {
                          "elementType": "User",
                          "guid": "0.-**",
                          "name": "**-2016\\system",
                          "hasSuspicions": false,
                          "hasMalops": false
                      }
                  ],
                  "totalSuspicious": 0,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              },
              "ownerMachine": {
                  "totalValues": 1,
                  "elementValues": [
                      {
                          "elementType": "Machine",
                          "guid": "-***",
                          "name": "**-2016",
                          "hasSuspicions": false,
                          "hasMalops": false
                      }
                  ],
                  "totalSuspicious": 0,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              },
              "hasNotInLoaderDbEvidence": {
                  "totalValues": 1,
                  "elementValues": null,
                  "totalSuspicious": 0,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              },
              "loadedModules": {
                  "totalValues": 32,
                  "elementValues": null,
                  "totalSuspicious": 1,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              },
              "parentProcess": {
                  "totalValues": 1,
                  "elementValues": [
                      {
                          "elementType": "Process",
                          "guid": "-*",
                          "name": "wmic.exe",
                          "hasSuspicions": false,
                          "hasMalops": false
                      }
                  ],
                  "totalSuspicious": 0,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              },
              "imageFile": {
                  "totalValues": 1,
                  "elementValues": [
                      {
                          "elementType": "File",
                          "guid": "-**",
                          "name": "conhost.exe",
                          "hasSuspicions": true,
                          "hasMalops": false
                      }
                  ],
                  "totalSuspicious": 1,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              },
              "self": {
                  "totalValues": 1,
                  "elementValues": [
                      {
                          "elementType": "Process",
                          "guid": "-**.-**",
                          "name": "conhost.exe",
                          "hasSuspicions": true,
                          "hasMalops": true
                      }
                  ],
                  "totalSuspicious": 1,
                  "totalMalicious": 1,
                  "guessedTotal": 0
              },
              "systemUserEvidence": {
                  "totalValues": 1,
                  "elementValues": [
                      {
                          "elementType": "User",
                          "guid": "0.-**",
                          "name": "*-2016\\system",
                          "hasSuspicions": false,
                          "hasMalops": false
                      }
                  ],
                  "totalSuspicious": 0,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              }
          },
          "suspicions": {
              "blackListModuleSuspicion": ***,
              "blackListFileSuspicion": ***
          },
          "filterData": {
              "sortInGroupValue": "-***.-***",
              "groupByValue": "conhost.exe"
          },
          "isMalicious": true,
          "suspicionCount": 2,
          "guidString": "-**.-***",
          "labelsIds": null,
          "malopPriority": null,
          "suspect": true,
          "malicious": true
      },
      "-**": {
          "simpleValues": {
              "imageFile.maliciousClassificationType": {
                  "totalValues": 1,
                  "values": [
                      "indifferent"
                  ]
              },
              "imageFile.companyName": {
                  "totalValues": 1,
                  "values": [
                      "Microsoft Corporation"
                  ]
              },
              "pid": {
                  "totalValues": 1,
                  "values": [
                      "5968"
                  ]
              },
              "productType": {
                  "totalValues": 1,
                  "values": [
                      "NONE"
                  ]
              },
              "imageFile.productName": {
                  "totalValues": 1,
                  "values": [
                      "Microsoft® Windows® Operating System"
                  ]
              },
              "imageFile.isSigned": {
                  "totalValues": 1,
                  "values": [
                      "true"
                  ]
              },
              "isChainOfInjections": {
                  "totalValues": 1,
                  "values": [
                      "false"
                  ]
              },
              "creationTime": {
                  "totalValues": 1,
                  "values": [
                      "Z**"
                  ]
              },
              "imageFile.signatureVerified": {
                  "totalValues": 1,
                  "values": [
                      "true"
                  ]
              },
              "calculatedName": {
                  "totalValues": 1,
                  "values": [
                      "**.exe"
                  ]
              },
              "imageFile.sha256String": {
                  "totalValues": 1,
                  "values": [
                      "*"
                  ]
              },
              "imageFile.md5String": {
                  "totalValues": 1,
                  "values": [
                      "**"
                  ]
              },
              "iconBase64": {
                  "totalValues": 1,
                  "values": [
                      "**"
                  ]
              },
              "imageFile.classificationLink": {
                  "totalValues": 1,
                  "values": [
                      "https://www.virustotal.com/gui/file/**/detection/f-***-1605248738"
                  ]
              },
              "imageFile.sha1String": {
                  "totalValues": 1,
                  "values": [
                      "***"
                  ]
              },
              "markedForPrevention": {
                  "totalValues": 1,
                  "values": [
                      "false"
                  ]
              },
              "endTime": {
                  "totalValues": 1,
                  "values": [
                      "**"
                  ]
              },
              "commandLine": {
                  "totalValues": 1,
                  "values": [
                      "\\??\\C:\\WINDOWS\\**\\**.exe **-**"
                  ]
              },
              "imageFile.productType": {
                  "totalValues": 1,
                  "values": [
                      "NONE"
                  ]
              },
              "imageFile.correctedPath": {
                  "totalValues": 1,
                  "values": [
                      "c:\\windows\\**\\**.exe"
                  ]
              },
              "isLiveProcess": {
                  "totalValues": 1,
                  "values": [
                      "false"
                  ]
              },
              "isWhiteListClassification": {
                  "totalValues": 1,
                  "values": [
                      "false"
                  ]
              },
              "executionPrevented": {
                  "totalValues": 1,
                  "values": [
                      "false"
                  ]
              },
              "elementDisplayName": {
                  "totalValues": 1,
                  "values": [
                      "conhost.exe"
                  ]
              }
          },
          "elementValues": {
              "blackListedFileHash": {
                  "totalValues": 1,
                  "elementValues": null,
                  "totalSuspicious": 1,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              },
              "blackListModuleEvidence": {
                  "totalValues": 1,
                  "elementValues": null,
                  "totalSuspicious": 1,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              },
              "fileBlackListEvidence": {
                  "totalValues": 1,
                  "elementValues": [
                      {
                          "elementType": "File",
                          "guid": "-***",
                          "name": "***.exe",
                          "hasSuspicions": true,
                          "hasMalops": false
                      }
                  ],
                  "totalSuspicious": 1,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              },
              "calculatedUser": {
                  "totalValues": 1,
                  "elementValues": [
                      {
                          "elementType": "User",
                          "guid": "0.-***",
                          "name": "***-2016\\system",
                          "hasSuspicions": false,
                          "hasMalops": false
                      }
                  ],
                  "totalSuspicious": 0,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              },
              "ownerMachine": {
                  "totalValues": 1,
                  "elementValues": [
                      {
                          "elementType": "Machine",
                          "guid": "-***",
                          "name": "***-2016",
                          "hasSuspicions": false,
                          "hasMalops": false
                      }
                  ],
                  "totalSuspicious": 0,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              },
              "hasNotInLoaderDbEvidence": {
                  "totalValues": 1,
                  "elementValues": null,
                  "totalSuspicious": 0,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              },
              "loadedModules": {
                  "totalValues": 32,
                  "elementValues": null,
                  "totalSuspicious": 1,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              },
              "parentProcess": {
                  "totalValues": 1,
                  "elementValues": [
                      {
                          "elementType": "Process",
                          "guid": "-***.-***",
                          "name": "***.exe",
                          "hasSuspicions": false,
                          "hasMalops": false
                      }
                  ],
                  "totalSuspicious": 0,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              },
              "imageFile": {
                  "totalValues": 1,
                  "elementValues": [
                      {
                          "elementType": "File",
                          "guid": "-***",
                          "name": "***.exe",
                          "hasSuspicions": true,
                          "hasMalops": false
                      }
                  ],
                  "totalSuspicious": 1,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              },
              "self": {
                  "totalValues": 1,
                  "elementValues": [
                      {
                          "elementType": "Process",
                          "guid": "-*",
                          "name": "**.exe",
                          "hasSuspicions": true,
                          "hasMalops": true
                      }
                  ],
                  "totalSuspicious": 1,
                  "totalMalicious": 1,
                  "guessedTotal": 0
              },
              "systemUserEvidence": {
                  "totalValues": 1,
                  "elementValues": [
                      {
                          "elementType": "User",
                          "guid": "0.-**",
                          "name": "***-2016\\system",
                          "hasSuspicions": false,
                          "hasMalops": false
                      }
                  ],
                  "totalSuspicious": 0,
                  "totalMalicious": 0,
                  "guessedTotal": 0
              }
          },
          "suspicions": {
              "blackListModuleSuspicion": ***,
              "blackListFileSuspicion": **
          },
          "filterData": {
              "sortInGroupValue": "-***",
              "groupByValue": "***.exe"
          },
          "isMalicious": true,
          "suspicionCount": 2,
          "guidString": "-***",
          "labelsIds": null,
          "malopPriority": null,
          "suspect": true,
          "malicious": true
      }
  }
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "ProcesIDs": [
        "-***"
    ]
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
NO Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or by the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Query Processes failed. An error occurred when calling the Query Processes operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cybereason portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Custom Fields are not valid json input.

Error Sample Data

Query Processes failed. An error occurred when calling the Query Processes operation.

Status Code: 400.

Message: Custom Fields are not valid json input.

Query Sensors

Retrieves details of sensors according to filter conditions.

READER NOTE

All input parameters in this command are optional. If all inputs are empty, the first 100 sensors from the Cybereason dataset will be returned.

Input

Input Parameter

Required/Optional

Description

Example

Limit

Optional

The maximum number of sensors to return for the query request. A valid input value is an integer between 1 and 1,000. The default value is 100.

10

Offset

Optional

The page of results to return (the results are paginated by the Limit value). The default value of 0 denotes the first page.

0

Sort Direction

Optional

The sorting order (i.e. Ascending or Descending) of the returned results.

Ascending

Filters

Optional

The JSON object of filters to query sensors. See Query Sensors from Cybereason’s API documentation for more information about using filters.

[
    {
        "fieldName": "osType",
        "operator": "Equals",
        "values": [
            "WINDOWS",
            "LINUX"
        ]
    }
]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "totalResults": 4,
    "sensorsStatus": {
        "onlineCount": 4,
        "offlineCount": 0,
        "staleCount": 0,
        "archivedCount": 0,
        "turnedOnCount": 0,
        "turnedOffCount": 0,
        "suspendedCount": 0,
        "advancedCount": 0,
        "outdatedCount": 0,
        "serviceErrorCount": 0
    },
    "sensors": [
        {
            "sensorId": "**:***",
            "pylumId": "***",
            "guid": "-***",
            "fqdn": "***.**.**.com",
            "machineName": "**",
            "internalIpAddress": "1.1.1.1",
            "externalIpAddress": "5.4.3.2",
            "siteName": "Default",
            "siteId": 0,
            "ransomwareStatus": "DETECT_SUSPEND_PREVENT",
            "preventionStatus": "DISABLED",
            "isolated": false,
            "disconnectionTime": 1637678410628,
            "lastPylumInfoMsgUpdateTime": 1637709003812,
            "status": "Online",
            "serviceStatus": "Up",
            "onlineTimeMS": 0,
            "offlineTimeMS": 0,
            "staleTimeMS": 0,
            "archiveTimeMs": null,
            "statusTimeMS": 0,
            "lastStatusAction": "None",
            "archivedOrUnarchiveComment": "",
            "sensorArchivedByUser": "",
            "serverName": "***",
            "serverId": "***",
            "serverIp": "1.1.1.1",
            "privateServerIp": "1.1.1.1",
            "collectiveUuid": null,
            "osType": "WINDOWS",
            "osVersionType": "***",
            "collectionStatus": "ADVANCED",
            "version": "20.2.244.0",
            "consoleVersion": null,
            "firstSeenTime": 1617900116888,
            "upTime": 30550858,
            "cpuUsage": 0.016661668,
            "memoryUsage": 119742464,
            "outdated": false,
            "amStatus": "***",
            "amModeOrigin": null,
            "avDbVersion": "86280",
            "avDbLastUpdateTime": 1637696357000,
            "powerShellStatus": "PS_DISABLED",
            "remoteShellStatus": "AC_ENABLED",
            "usbStatus": "DISABLED",
            "fwStatus": "DISABLED",
            "antiExploitStatus": "AE_DISABLED",
            "documentProtectionStatus": "DS_UNKNOWN",
            "documentProtectionMode": "DM_UNKNOWN",
            "organizationalUnit": "",
            "antiMalwareStatus": "AM_ENABLED",
            "antiMalwareModeOrigin": null,
            "organization": "integration",
            "proxyAddress": "",
            "preventionError": "",
            "exitReason": "STOP_REQUEST_FROM_PYLUM",
            "actionsInProgress": 0,
            "pendingActions": [],
            "lastUpgradeResult": "Succeeded",
            "department": null,
            "location": null,
            "criticalAsset": null,
            "deviceType": null,
            "customTags": null,
            "lastUpgradeSteps": [
                {
                    "name": "Started",
                    "startTime": 1637678339538
                },
                {
                    "name": "InProgress",
                    "startTime": 1637678355927
                },
                {
                    "name": "Succeeded",
                    "startTime": 1637678459965
                }
            ],
            "disconnected": false,
            "staticAnalysisDetectMode": "DISABLED",
            "staticAnalysisDetectModeOrigin": null,
            "staticAnalysisPreventMode": "DISABLED",
            "staticAnalysisPreventModeOrigin": null,
            "collectionComponents": [
                "DPI",
                "Metadata",
                "File Events",
                "Registry Events"
            ],
            "sensorLastUpdate": 0,
            "fullScanStatus": "IDLE",
            "quickScanStatus": "IDLE",
            "lastFullScheduleScanSuccessTime": 0,
            "lastQuickScheduleScanSuccessTime": 1637460145000,
            "policyName": "AIQ Prevent",
            "deliveryTime": 1637678576168,
            "policyId": "***-***-***-***-***",
            "compliance": true,
            "groupId": null,
            "groupName": "Unassigned"
        },
        {
            "sensorId": "***:***-***",
            "pylumId": "***-**",
            "guid": "***",
            "fqdn": "desktop-***",
            "machineName": "desktop-***",
            "internalIpAddress": "1.1.1.1",
            "externalIpAddress": "8.7.6.5",
            "siteName": "Default",
            "siteId": 0,
            "ransomwareStatus": "DETECT_SUSPEND_PREVENT",
            "preventionStatus": "ENABLED",
            "isolated": false,
            "disconnectionTime": 1637700955214,
            "lastPylumInfoMsgUpdateTime": 1637700654058,
            "status": "Offline",
            "serviceStatus": "Down",
            "onlineTimeMS": 0,
            "offlineTimeMS": 0,
            "staleTimeMS": 0,
            "archiveTimeMs": null,
            "statusTimeMS": 0,
            "lastStatusAction": "None",
            "archivedOrUnarchiveComment": "",
            "sensorArchivedByUser": "",
            "serverName": "***",
            "serverId": "***",
            "serverIp": "1.1.1.1",
            "privateServerIp": "1.1.1.1",
            "collectiveUuid": null,
            "osType": "WINDOWS",
            "osVersionType": "Windows_10",
            "collectionStatus": "ADVANCED",
            "version": "20.2.244.0",
            "consoleVersion": null,
            "firstSeenTime": 1637231587337,
            "upTime": 25819657,
            "cpuUsage": 0,
            "memoryUsage": 0,
            "outdated": false,
            "amStatus": "AM_DETECT_ONLY",
            "amModeOrigin": null,
            "avDbVersion": "86278",
            "avDbLastUpdateTime": 1637683161000,
            "powerShellStatus": "PS_ENABLED",
            "remoteShellStatus": "AC_ENABLED",
            "usbStatus": "DISABLED",
            "fwStatus": "DISABLED",
            "antiExploitStatus": "AE_DISABLED",
            "documentProtectionStatus": "DS_DISABLED",
            "documentProtectionMode": "DM_CAUTIOUS",
            "organizationalUnit": "",
            "antiMalwareStatus": "AM_ENABLED",
            "antiMalwareModeOrigin": null,
            "organization": "integration",
            "proxyAddress": "",
            "preventionError": "",
            "exitReason": "STOP_REQUEST_FROM_PYLUM",
            "actionsInProgress": 0,
            "pendingActions": [],
            "lastUpgradeResult": "AlreadyUpdated",
            "department": null,
            "location": null,
            "criticalAsset": null,
            "deviceType": null,
            "customTags": null,
            "lastUpgradeSteps": [
                {
                    "name": "Started",
                    "startTime": 1637700653048
                },
                {
                    "name": "AlreadyUpdated",
                    "startTime": 1637700653050
                }
            ],
            "disconnected": true,
            "staticAnalysisDetectMode": "AGGRESSIVE",
            "staticAnalysisDetectModeOrigin": null,
            "staticAnalysisPreventMode": "MODERATE",
            "staticAnalysisPreventModeOrigin": null,
            "collectionComponents": [
                "DPI",
                "Metadata",
                "File Events",
                "Registry Events"
            ],
            "sensorLastUpdate": 0,
            "fullScanStatus": "IDLE",
            "quickScanStatus": "IDLE",
            "lastFullScheduleScanSuccessTime": 0,
            "lastQuickScheduleScanSuccessTime": 1637649449000,
            "policyName": "Default",
            "deliveryTime": 1637233331836,
            "policyId": "***-***-***-***-***",
            "compliance": true,
            "groupId": null,
            "groupName": "Unassigned"
        }
    ],
    "hasMoreResults": true
}
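The following is an added example, not code from D3 SOAR or Cybereason. It maps the Query Sensors inputs above (Limit, Offset, Sort Direction, Filters) onto a request body, validates them before anything is sent, and pages through results with the hasMoreResults flag and sensors array seen in the Raw Data; the endpoint path /rest/sensors/query and the body keys limit, offset, sortDirection (ASC/DESC) and filters are assumptions about the Cybereason sensors query API, as are the sample sensor values.

```python
import json
from typing import Any, Callable, Dict, Iterator, List, Optional, Union

# Added example, not D3 SOAR's or Cybereason's code: maps the Query Sensors inputs
# (Limit, Offset, Sort Direction, Filters) onto a request body, validates them
# before sending, and pages through results using the "hasMoreResults" flag and
# "sensors" array from the Raw Data. ASSUMED (not stated on this page): the
# endpoint path and the body keys "limit", "offset", "sortDirection", "filters".
SENSORS_QUERY_PATH = "/rest/sensors/query"                     # assumed
SORT_DIRECTIONS = {"Ascending": "ASC", "Descending": "DESC"}   # assumed
FilterList = List[Dict[str, Any]]
PostFn = Callable[[str, Dict[str, Any]], Dict[str, Any]]


def parse_filters(filters: Union[str, FilterList, None]) -> FilterList:
    """Accept Filters as JSON text (as typed into the command) or a parsed list
    and check its shape, so a malformed value fails here instead of coming back
    as the HTTP 400 'not valid json input' shown in the Error Sample Data."""
    if filters is None or filters == "":
        return []
    if isinstance(filters, str):
        try:
            filters = json.loads(filters)
        except json.JSONDecodeError as exc:
            raise ValueError(f"Filters is not valid JSON: {exc}") from exc
    if not isinstance(filters, list):
        raise ValueError("Filters must be a JSON array of filter objects")
    for f in filters:
        if not isinstance(f, dict) or not {"fieldName", "operator", "values"} <= set(f):
            raise ValueError("each filter needs fieldName, operator and values")
        if not isinstance(f["values"], list) or not f["values"]:
            raise ValueError(f"filter on {f['fieldName']!r} has no values")
    return filters


def build_query(limit: int = 100, offset: int = 0, sort_direction: str = "Ascending",
                filters: Union[str, FilterList, None] = None) -> Dict[str, Any]:
    """Validate the four command inputs and return the JSON request body."""
    if isinstance(limit, bool) or not isinstance(limit, int) or not 1 <= limit <= 1000:
        raise ValueError("Limit must be an integer between 1 and 1,000")
    if isinstance(offset, bool) or not isinstance(offset, int) or offset < 0:
        raise ValueError("Offset is a page number; 0 denotes the first page")
    if sort_direction not in SORT_DIRECTIONS:
        raise ValueError("Sort Direction must be Ascending or Descending")
    return {"limit": limit, "offset": offset,
            "sortDirection": SORT_DIRECTIONS[sort_direction],
            "filters": parse_filters(filters)}


def iter_sensors(post: PostFn, limit: int = 100, offset: int = 0,
                 sort_direction: str = "Ascending",
                 filters: Union[str, FilterList, None] = None) -> Iterator[Dict[str, Any]]:
    """Yield every sensor, advancing the page offset while hasMoreResults is true.
    The "sensors" array is the $.sensors path D3 extracts as Context Data."""
    validated = parse_filters(filters)  # validate once, not on every page
    while True:
        page = post(SENSORS_QUERY_PATH, build_query(limit, offset, sort_direction, validated))
        sensors = page.get("sensors") or []
        yield from sensors
        if not page.get("hasMoreResults") or not sensors:  # an empty page also stops
            return
        offset += 1


def prevention_gaps(sensors: List[Dict[str, Any]]) -> Dict[str, List[str]]:
    """Group machine names by settings a defender reviews in the sensor list:
    not in prevention mode, not online, or PowerShell allowed."""
    gaps: Dict[str, List[str]] = {"prevention_disabled": [], "offline": [], "powershell_enabled": []}
    for s in sensors:
        name = s.get("machineName") or s.get("sensorId", "?")
        if s.get("preventionStatus") != "ENABLED":
            gaps["prevention_disabled"].append(name)
        if s.get("status") != "Online":
            gaps["offline"].append(name)
        if s.get("powerShellStatus") == "PS_ENABLED":
            gaps["powershell_enabled"].append(name)
    return gaps


# Constructed sample pages: keys follow the Raw Data above, values are made up.
SAMPLE_PAGES = [
    {"totalResults": 3, "hasMoreResults": True, "sensors": [
        {"sensorId": "srv:PYLUM-A", "machineName": "host-a", "status": "Online",
         "preventionStatus": "DISABLED", "powerShellStatus": "PS_DISABLED"},
        {"sensorId": "srv:PYLUM-B", "machineName": "host-b", "status": "Offline",
         "preventionStatus": "ENABLED", "powerShellStatus": "PS_ENABLED"}]},
    {"totalResults": 3, "hasMoreResults": False, "sensors": [
        {"sensorId": "srv:PYLUM-C", "machineName": "host-c", "status": "Online",
         "preventionStatus": "ENABLED", "powerShellStatus": "PS_DISABLED"}]},
]


def make_fake_post(pages: List[Dict[str, Any]],
                   sent: Optional[List[Dict[str, Any]]] = None) -> PostFn:
    """Offline stand-in for the HTTP client: serves pages[offset] and logs bodies."""
    def post(path: str, body: Dict[str, Any]) -> Dict[str, Any]:
        if sent is not None:
            sent.append(body)
        if path != SENSORS_QUERY_PATH or body["offset"] >= len(pages):
            return {"sensors": [], "hasMoreResults": False}
        return pages[body["offset"]]
    return post
```

Replace make_fake_post with a real authenticated POST against your server to run it against live data; the paging and validation logic stays the same.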
Context Data

The data extracted from Raw Data, converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path $.sensors in API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since Raw Data contains the complete API response. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "sensorId": "5e77883de4b0575ddcf824ef:PYLUMCLIENT_INTEGRATION_BCYBDW8888W10E0_02004C4F4F50",
        "pylumId": "PYLUMCLIENT_INTEGRATION_BCYBDW8888W10E0_02004C4F4F50",
        "guid": "-2000085007.1198775089551518743",
        "fqdn": "bcybdw8888w10e0.cyberrange.attackiq.com",
        "machineName": "bcybdw8888w10e0",
        "internalIpAddress": "172.16.4.17",
        "externalIpAddress": "54.88.212.123",
        "siteName": "Default",
        "siteId": 0,
        "ransomwareStatus": "DETECT_SUSPEND_PREVENT",
        "preventionStatus": "DISABLED",
        "isolated": false,
        "disconnectionTime": 1637678410628,
        "lastPylumInfoMsgUpdateTime": 1637709003812,
        "status": "Online",
        "serviceStatus": "Up",
        "onlineTimeMS": 0,
        "offlineTimeMS": 0,
        "staleTimeMS": 0,
        "archiveTimeMs": null,
        "statusTimeMS": 0,
        "lastStatusAction": "None",
        "archivedOrUnarchiveComment": "",
        "sensorArchivedByUser": "",
        "serverName": "integration-1-t",
        "serverId": "5e77883de4b0575ddcf824ef",
        "serverIp": "10.203.17.16",
        "privateServerIp": "10.203.17.16",
        "collectiveUuid": null,
        "osType": "WINDOWS",
        "osVersionType": "Windows_20H2",
        "collectionStatus": "ADVANCED",
        "version": "20.2.244.0",
        "consoleVersion": null,
        "firstSeenTime": 1617900116888,
        "upTime": 30550858,
        "cpuUsage": 0.016661668,
        "memoryUsage": 119742464,
        "outdated": false,
        "amStatus": "AM_QUARANTINE",
        "amModeOrigin": null,
        "avDbVersion": "86280",
        "avDbLastUpdateTime": 1637696357000,
        "powerShellStatus": "PS_DISABLED",
        "remoteShellStatus": "AC_ENABLED",
        "usbStatus": "DISABLED",
        "fwStatus": "DISABLED",
        "antiExploitStatus": "AE_DISABLED",
        "documentProtectionStatus": "DS_UNKNOWN",
        "documentProtectionMode": "DM_UNKNOWN",
        "organizationalUnit": "",
        "antiMalwareStatus": "AM_ENABLED",
        "antiMalwareModeOrigin": null,
        "organization": "integration",
        "proxyAddress": "",
        "preventionError": "",
        "exitReason": "STOP_REQUEST_FROM_PYLUM",
        "actionsInProgress": 0,
        "pendingActions": [],
        "lastUpgradeResult": "Succeeded",
        "department": null,
        "location": null,
        "criticalAsset": null,
        "deviceType": null,
        "customTags": null,
        "lastUpgradeSteps": [
            {
                "name": "Started",
                "startTime": 1637678339538
            },
            {
                "name": "InProgress",
                "startTime": 1637678355927
            },
            {
                "name": "Succeeded",
                "startTime": 1637678459965
            }
        ],
        "disconnected": false,
        "staticAnalysisDetectMode": "DISABLED",
        "staticAnalysisDetectModeOrigin": null,
        "staticAnalysisPreventMode": "DISABLED",
        "staticAnalysisPreventModeOrigin": null,
        "collectionComponents": [
            "DPI",
            "Metadata",
            "File Events",
            "Registry Events"
        ],
        "sensorLastUpdate": 0,
        "fullScanStatus": "IDLE",
        "quickScanStatus": "IDLE",
        "lastFullScheduleScanSuccessTime": 0,
        "lastQuickScheduleScanSuccessTime": 1637460145000,
        "policyName": "AIQ Prevent",
        "deliveryTime": 1637678576168,
        "policyId": "dad8b75f-cac2-4785-8118-e5309b687279",
        "compliance": true,
        "groupId": null,
        "groupName": "Unassigned"
    },
    {
        "sensorId": "5e77883de4b0575ddcf824ef:PYLUMCLIENT_INTEGRATION_DESKTOP-D1QE9QU_C8F75045492F",
        "pylumId": "PYLUMCLIENT_INTEGRATION_DESKTOP-D1QE9QU_C8F75045492F",
        "guid": "182392977.1198775089551518743",
        "fqdn": "desktop-d1qe9qu",
        "machineName": "desktop-d1qe9qu",
        "internalIpAddress": "10.100.102.6",
        "externalIpAddress": "85.250.234.67",
        "siteName": "Default",
        "siteId": 0,
        "ransomwareStatus": "DETECT_SUSPEND_PREVENT",
        "preventionStatus": "ENABLED",
        "isolated": false,
        "disconnectionTime": 1637700955214,
        "lastPylumInfoMsgUpdateTime": 1637700654058,
        "status": "Offline",
        "serviceStatus": "Down",
        "onlineTimeMS": 0,
        "offlineTimeMS": 0,
        "staleTimeMS": 0,
        "archiveTimeMs": null,
        "statusTimeMS": 0,
        "lastStatusAction": "None",
        "archivedOrUnarchiveComment": "",
        "sensorArchivedByUser": "",
        "serverName": "integration-1-t",
        "serverId": "5e77883de4b0575ddcf824ef",
        "serverIp": "10.203.17.16",
        "privateServerIp": "10.203.17.16",
        "collectiveUuid": null,
        "osType": "WINDOWS",
        "osVersionType": "Windows_10",
        "collectionStatus": "ADVANCED",
        "version": "20.2.244.0",
        "consoleVersion": null,
        "firstSeenTime": 1637231587337,
        "upTime": 25819657,
        "cpuUsage": 0,
        "memoryUsage": 0,
        "outdated": false,
        "amStatus": "AM_DETECT_ONLY",
        "amModeOrigin": null,
        "avDbVersion": "86278",
        "avDbLastUpdateTime": 1637683161000,
        "powerShellStatus": "PS_ENABLED",
        "remoteShellStatus": "AC_ENABLED",
        "usbStatus": "DISABLED",
        "fwStatus": "DISABLED",
        "antiExploitStatus": "AE_DISABLED",
        "documentProtectionStatus": "DS_DISABLED",
        "documentProtectionMode": "DM_CAUTIOUS",
        "organizationalUnit": "",
        "antiMalwareStatus": "AM_ENABLED",
        "antiMalwareModeOrigin": null,
        "organization": "integration",
        "proxyAddress": "",
        "preventionError": "",
        "exitReason": "STOP_REQUEST_FROM_PYLUM",
        "actionsInProgress": 0,
        "pendingActions": [],
        "lastUpgradeResult": "AlreadyUpdated",
        "department": null,
        "location": null,
        "criticalAsset": null,
        "deviceType": null,
        "customTags": null,
        "lastUpgradeSteps": [
            {
                "name": "Started",
                "startTime": 1637700653048
            },
            {
                "name": "AlreadyUpdated",
                "startTime": 1637700653050
            }
        ],
        "disconnected": true,
        "staticAnalysisDetectMode": "AGGRESSIVE",
        "staticAnalysisDetectModeOrigin": null,
        "staticAnalysisPreventMode": "MODERATE",
        "staticAnalysisPreventModeOrigin": null,
        "collectionComponents": [
            "DPI",
            "Metadata",
            "File Events",
            "Registry Events"
        ],
        "sensorLastUpdate": 0,
        "fullScanStatus": "IDLE",
        "quickScanStatus": "IDLE",
        "lastFullScheduleScanSuccessTime": 0,
        "lastQuickScheduleScanSuccessTime": 1637649449000,
        "policyName": "Default",
        "deliveryTime": 1637233331836,
        "policyId": "be944da9-89e9-48e0-8c84-80000a6f2b29",
        "compliance": true,
        "groupId": null,
        "groupName": "Unassigned"
    },
    {
        "sensorId": "5e77883de4b0575ddcf824ef:PYLUMCLIENT_INTEGRATION_AMIPERLMUTTFC75_001C4208A1E2",
        "pylumId": "PYLUMCLIENT_INTEGRATION_AMIPERLMUTTFC75_001C4208A1E2",
        "guid": "730409581.1198775089551518743",
        "fqdn": "amiperlmuttfc75",
        "machineName": "amiperlmuttfc75",
        "internalIpAddress": "10.211.55.7",
        "externalIpAddress": "62.219.247.170",
        "siteName": "Default",
        "siteId": 0,
        "ransomwareStatus": "DETECT_SUSPEND_PREVENT",
        "preventionStatus": "ENABLED",
        "isolated": false,
        "disconnectionTime": 1637686084069,
        "lastPylumInfoMsgUpdateTime": 1637685757087,
        "status": "Offline",
        "serviceStatus": "Down",
        "onlineTimeMS": 0,
        "offlineTimeMS": 0,
        "staleTimeMS": 0,
        "archiveTimeMs": null,
        "statusTimeMS": 0,
        "lastStatusAction": "None",
        "archivedOrUnarchiveComment": "",
        "sensorArchivedByUser": "",
        "serverName": "integration-1-t",
        "serverId": "5e77883de4b0575ddcf824ef",
        "serverIp": "10.203.17.16",
        "privateServerIp": "10.203.17.16",
        "collectiveUuid": null,
        "osType": "WINDOWS",
        "osVersionType": "Windows_10",
        "collectionStatus": "ADVANCED",
        "version": "20.2.244.0",
        "consoleVersion": null,
        "firstSeenTime": 1637570044602,
        "upTime": 100349897,
        "cpuUsage": 0,
        "memoryUsage": 0,
        "outdated": false,
        "amStatus": "AM_DETECT_ONLY",
        "amModeOrigin": null,
        "avDbVersion": "86278",
        "avDbLastUpdateTime": 1637683869000,
        "powerShellStatus": "PS_ENABLED",
        "remoteShellStatus": "AC_ENABLED",
        "usbStatus": "DISABLED",
        "fwStatus": "DISABLED",
        "antiExploitStatus": "AE_DISABLED",
        "documentProtectionStatus": "DS_DISABLED",
        "documentProtectionMode": "DM_CAUTIOUS",
        "organizationalUnit": "",
        "antiMalwareStatus": "AM_ENABLED",
        "antiMalwareModeOrigin": null,
        "organization": "integration",
        "proxyAddress": "",
        "preventionError": "",
        "exitReason": "STOP_REQUEST_FROM_PYLUM",
        "actionsInProgress": 0,
        "pendingActions": [],
        "lastUpgradeResult": "AlreadyUpdated",
        "department": null,
        "location": null,
        "criticalAsset": null,
        "deviceType": null,
        "customTags": null,
        "lastUpgradeSteps": [
            {
                "name": "Started",
                "startTime": 1637681997572
            },
            {
                "name": "AlreadyUpdated",
                "startTime": 1637681997573
            }
        ],
        "disconnected": true,
        "staticAnalysisDetectMode": "AGGRESSIVE",
        "staticAnalysisDetectModeOrigin": null,
        "staticAnalysisPreventMode": "MODERATE",
        "staticAnalysisPreventModeOrigin": null,
        "collectionComponents": [
            "DPI",
            "Metadata",
            "File Events",
            "Registry Events"
        ],
        "sensorLastUpdate": 0,
        "fullScanStatus": "IDLE",
        "quickScanStatus": "IDLE",
        "lastFullScheduleScanSuccessTime": 1637053544000,
        "lastQuickScheduleScanSuccessTime": 1637649486000,
        "policyName": "Default",
        "deliveryTime": 1637046687906,
        "policyId": "be944da9-89e9-48e0-8c84-80000a6f2b29",
        "compliance": true,
        "groupId": null,
        "groupName": "Unassigned"
    },
    {
        "sensorId": "5e77883de4b0575ddcf824ef:PYLUMCLIENT_INTEGRATION_CYB10-562_0EAFBED2FC19",
        "pylumId": "PYLUMCLIENT_INTEGRATION_CYB10-562_0EAFBED2FC19",
        "guid": "1114284351.1198775089551518743",
        "fqdn": "cyb10-562.cyberrange.attackiq.com",
        "machineName": "cyb10-562",
        "internalIpAddress": "172.16.7.145",
        "externalIpAddress": "54.88.212.123",
        "siteName": "Default",
        "siteId": 0,
        "ransomwareStatus": "DISABLED",
        "preventionStatus": "NOT_INSTALLED",
        "isolated": false,
        "disconnectionTime": 1589805231286,
        "lastPylumInfoMsgUpdateTime": 1589805228797,
        "status": "Archived",
        "serviceStatus": "Down",
        "onlineTimeMS": 0,
        "offlineTimeMS": 0,
        "staleTimeMS": 0,
        "archiveTimeMs": 1615278828164,
        "statusTimeMS": 0,
        "lastStatusAction": "None",
        "archivedOrUnarchiveComment": "Auto-archived after 60 days stale",
        "sensorArchivedByUser": "Auto-archived",
        "serverName": "integration-1-t",
        "serverId": "5e77883de4b0575ddcf824ef",
        "serverIp": "10.203.17.16",
        "privateServerIp": "10.203.17.16",
        "collectiveUuid": null,
        "osType": "WINDOWS",
        "osVersionType": "Windows_10",
        "collectionStatus": "ADVANCED",
        "version": "18.1.91.0",
        "consoleVersion": null,
        "firstSeenTime": 1588698617400,
        "upTime": 385519965,
        "cpuUsage": 0,
        "memoryUsage": 0,
        "outdated": true,
        "amStatus": "AM_UNINSTALLED",
        "amModeOrigin": "SET_BY_POLICY",
        "avDbVersion": "0",
        "avDbLastUpdateTime": 0,
        "powerShellStatus": "PS_DISABLED",
        "remoteShellStatus": "AC_DISABLED",
        "usbStatus": "DISABLED",
        "fwStatus": "DISABLED",
        "antiExploitStatus": "AE_DISABLED",
        "documentProtectionStatus": "DS_DISABLED",
        "documentProtectionMode": "DM_CAUTIOUS",
        "organizationalUnit": "",
        "antiMalwareStatus": "AM_DISABLED",
        "antiMalwareModeOrigin": "SET_BY_POLICY",
        "organization": "integration",
        "proxyAddress": "",
        "preventionError": "",
        "exitReason": "STOP_REQUEST_FROM_PYLUM",
        "actionsInProgress": 0,
        "pendingActions": [],
        "lastUpgradeResult": "None",
        "department": null,
        "location": null,
        "criticalAsset": null,
        "deviceType": null,
        "customTags": null,
        "lastUpgradeSteps": [],
        "disconnected": true,
        "staticAnalysisDetectMode": "DISABLED",
        "staticAnalysisDetectModeOrigin": "SET_BY_POLICY",
        "staticAnalysisPreventMode": "DISABLED",
        "staticAnalysisPreventModeOrigin": "SET_BY_POLICY",
        "collectionComponents": [
            "Metadata"
        ],
        "sensorLastUpdate": 0,
        "fullScanStatus": "UNKNOWN",
        "quickScanStatus": "UNKNOWN",
        "lastFullScheduleScanSuccessTime": 0,
        "lastQuickScheduleScanSuccessTime": 0,
        "policyName": "Legacy Configuration",
        "deliveryTime": 0,
        "policyId": null,
        "compliance": null,
        "groupId": null,
        "groupName": "Default"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "SensorIDs": [
        "***:***-**"
    ],
    "PylumIDs": [
        "***-***"
    ],
    "MachineNames": [
        "***-3"
    ]
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

SENSORID: ***:**
PYLUMID: ***
GUID: -***
FQDN: http://***.***.attackiq.com
MACHINENAME: ***
INTERNALIPADDRESS: 1.1.1.1
EXTERNALIPADDRESS: 5.4.3.2
SITENAME: Default
SITEID: 0
RANSOMWARESTATUS: DETECT_SUSPEND_PREVENT
PREVENTIONSTATUS: DISABLED
ISOLATED: False
DISCONNECTIONTIME: 1637678410628
LASTPYLUMINFOMSGUPDATETIME: 1637709003812
STATUS: Online
SERVICESTATUS: Up
ONLINETIMEMS: 0
OFFLINETIMEMS: 0
STALETIMEMS: 0
ARCHIVETIMEMS: None
STATUSTIMEMS: 0
LASTSTATUSACTION: None
ARCHIVEDORUNARCHIVECOMMENT:
SENSORARCHIVEDBYUSER:
SERVERNAME: integration-1-t
SERVERID: ***
SERVERIP: 1.1.1.1
PRIVATESERVERIP: 1.2.3.4
COLLECTIVEUUID: None
OSTYPE: WINDOWS
OSVERSIONTYPE: **
COLLECTIONSTATUS: ADVANCED
VERSION: 20.2.244.0
CONSOLEVERSION: None
FIRSTSEENTIME: 1617900116888
UPTIME: 30550858
CPUUSAGE: 0.016661668
MEMORYUSAGE: 119742464
OUTDATED: False
AMSTATUS: AM_QUARANTINE
AMMODEORIGIN: None
AVDBVERSION: 86280
AVDBLASTUPDATETIME: 1637696357000
POWERSHELLSTATUS: PS_DISABLED
REMOTESHELLSTATUS: AC_ENABLED
USBSTATUS: DISABLED
FWSTATUS: DISABLED
ANTIEXPLOITSTATUS: AE_DISABLED
DOCUMENTPROTECTIONSTATUS: DS_UNKNOWN
DOCUMENTPROTECTIONMODE: DM_UNKNOWN
ORGANIZATIONALUNIT:
ANTIMALWARESTATUS: AM_ENABLED
ANTIMALWAREMODEORIGIN: None
ORGANIZATION: integration
PROXYADDRESS:
PREVENTIONERROR:
EXITREASON: STOP_REQUEST_FROM_PYLUM
ACTIONSINPROGRESS: 0
PENDINGACTIONS: []
LASTUPGRADERESULT: Succeeded
DEPARTMENT: None
LOCATION: None
CRITICALASSET: None
DEVICETYPE: None
CUSTOMTAGS: None
LASTUPGRADESTEPS:
DISCONNECTED: False
STATICANALYSISDETECTMODE: DISABLED
STATICANALYSISDETECTMODEORIGIN: None
STATICANALYSISPREVENTMODE: DISABLED
STATICANALYSISPREVENTMODEORIGIN: None
COLLECTIONCOMPONENTS: ['DPI', 'Metadata', 'File Events', 'Registry Events']
SENSORLASTUPDATE: 0
FULLSCANSTATUS: IDLE
QUICKSCANSTATUS: IDLE
LASTFULLSCHEDULESCANSUCCESSTIME: 0
LASTQUICKSCHEDULESCANSUCCESSTIME: 1637460145000
POLICYNAME: AIQ Prevent
DELIVERYTIME: 1637678576168
POLICYID: ***-***-***-***-***
COMPLIANCE: True
GROUPID: None
GROUPNAME: Unassigned
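As an added example (not D3 SOAR's or Cybereason's own code), the following Python builds the Key Fields object shown above from Query Sensors raw data and derives a posture triage list from the same sensor records; the sample records, the choice of fields checked and the findings wording are constructed here for illustration.

```python
"""Added example, not D3 SOAR or Cybereason code: derive the Key Fields object
and a posture triage list from Query Sensors raw data.

Assumptions (hypothetical): field names and enum values follow the sample Raw
Data above; which values count as a finding is chosen here for illustration."""
from typing import Dict, List

# Constructed sample records, trimmed to the fields these checks read.
SAMPLE_SENSORS: List[dict] = [
    {"sensorId": "srv:PYLUMCLIENT_EXAMPLE_HOST-A", "pylumId": "PYLUMCLIENT_EXAMPLE_HOST-A",
     "machineName": "host-a", "status": "Online", "outdated": False,
     "preventionStatus": "ENABLED", "amStatus": "AM_QUARANTINE",
     "powerShellStatus": "PS_DISABLED", "antiExploitStatus": "AE_DISABLED",
     "compliance": True},
    {"sensorId": "srv:PYLUMCLIENT_EXAMPLE_HOST-B", "pylumId": "PYLUMCLIENT_EXAMPLE_HOST-B",
     "machineName": "host-b", "status": "Offline", "outdated": False,
     "preventionStatus": "ENABLED", "amStatus": "AM_DETECT_ONLY",
     "powerShellStatus": "PS_ENABLED", "antiExploitStatus": "AE_DISABLED",
     "compliance": True},
    {"sensorId": "srv:PYLUMCLIENT_EXAMPLE_HOST-C", "pylumId": "PYLUMCLIENT_EXAMPLE_HOST-C",
     "machineName": "host-c", "status": "Archived", "outdated": True,
     "preventionStatus": "NOT_INSTALLED", "amStatus": "AM_UNINSTALLED",
     "powerShellStatus": "PS_DISABLED", "antiExploitStatus": "AE_DISABLED",
     "compliance": None},
]

# Protection-feature fields whose *_DISABLED values are reported as findings.
FEATURE_FIELDS = ("powerShellStatus", "antiExploitStatus", "fwStatus", "usbStatus")


def extract_key_fields(sensors: List[dict]) -> Dict[str, List[str]]:
    """Build the Key Fields object shown in the sample above (SensorIDs,
    PylumIDs, MachineNames), de-duplicated and in first-seen order."""
    out: Dict[str, List[str]] = {"SensorIDs": [], "PylumIDs": [], "MachineNames": []}
    for key, field in (("SensorIDs", "sensorId"), ("PylumIDs", "pylumId"),
                       ("MachineNames", "machineName")):
        for sensor in sensors:
            value = sensor.get(field)
            if value and value not in out[key]:
                out[key].append(value)
    return out


def sensor_findings(sensor: dict) -> List[str]:
    """Posture findings for one sensor. An archived sensor is reported once and
    its other fields are skipped, since they only describe its last known state."""
    if sensor.get("status") == "Archived":
        return ["archived"]
    findings: List[str] = []
    if sensor.get("outdated"):
        findings.append("outdated sensor version")
    if sensor.get("preventionStatus") != "ENABLED":
        findings.append(f"preventionStatus={sensor.get('preventionStatus')}")
    if sensor.get("amStatus") == "AM_DETECT_ONLY":
        findings.append("amStatus=AM_DETECT_ONLY")
    if sensor.get("compliance") is False:
        findings.append("policy non-compliant")
    for field in FEATURE_FIELDS:
        value = sensor.get(field)
        if isinstance(value, str) and value.endswith("DISABLED"):
            findings.append(f"{field}={value}")
    return findings


def triage(sensors: List[dict]) -> Dict[str, List[str]]:
    """Map machineName -> findings for every sensor that has at least one."""
    report: Dict[str, List[str]] = {}
    for sensor in sensors:
        findings = sensor_findings(sensor)
        if findings:
            report[sensor.get("machineName", sensor.get("sensorId", "?"))] = findings
    return report


if __name__ == "__main__":
    print(extract_key_fields(SAMPLE_SENSORS))
    for name, items in triage(SAMPLE_SENSORS).items():
        print(name, "->", "; ".join(items))
```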

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Query Sensors failed. An error occurred when calling the Query Sensors operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cybereason portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: The value for parameter (Filters) is invalid.

Error Sample Data

Query Sensors failed. An error occurred when calling the Query Sensors operation.

Status Code: 400.

Message: The value for parameter (Filters) is invalid.

Query User

Retrieves details of a user.

READER NOTE

Username is an optional parameter to run this command.

  • You can obtain usernames from the Cybereason UI. Navigate to Investigation > User Account > Get results, choose to get details for one user account, and copy the User name.

All input parameters in this command are optional. If all inputs are empty, the first 100 users from the Cybereason dataset will be returned.

Input

Input Parameter

Required/Optional

Description

Example

Username

Optional

The username to query.

admin

Limit

Optional

The maximum number of users to return. A valid value is an integer between 0 and 1,000. The default value is 100.

10

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": {
        "resultIdToElementDataMap": {
            "***": {
                "simpleValues": {
                    "numberOfMachines": {
                        "totalValues": 1,
                        "values": [
                            "1"
                        ]
                    },
                    "privileges": {
                        "totalValues": 1,
                        "values": [
                            "UserPrivAdmin"
                        ]
                    },
                    "isLocalSystem": {
                        "totalValues": 1,
                        "values": [
                            "false"
                        ]
                    },
                    "username": {
                        "totalValues": 1,
                        "values": [
                            "admin"
                        ]
                    },
                    "comment": {
                        "totalValues": 1,
                        "values": [
                            ""
                        ]
                    },
                    "domain": {
                        "totalValues": 1,
                        "values": [
                            "a***"
                        ]
                    },
                    "passwordAgeDays": {
                        "totalValues": 1,
                        "values": [
                            "984"
                        ]
                    },
                    "elementDisplayName": {
                        "totalValues": 1,
                        "values": [
                            "***\\admin"
                        ]
                    }
                },
                "elementValues": {},
                "suspicions": null,
                "filterData": {
                    "sortInGroupValue": "***",
                    "groupByValue": "UserRuntime:*** adAssociatedDomain=null , adCanonicalName=null , adCompany=null , adCountry=null , adDepartment=null , adDisplayName=null , adLogonName=null , adMail=null , adMemberOf=null , adOU=null , adPrimaryGroupID=null , adSamAccountName=null , adSid=null , adTextCountry=null , adTitle=null , username=admin , "
                },
                "isMalicious": false,
                "suspicionCount": 0,
                "guidString": "***",
                "labelsIds": null,
                "malopPriority": null,
                "suspect": false,
                "malicious": false
            },
            "***": {
                "simpleValues": {
                    "numberOfMachines": {
                        "totalValues": 1,
                        "values": [
                            "1"
                        ]
                    },
                    "privileges": {
                        "totalValues": 1,
                        "values": [
                            "UserPrivAdmin"
                        ]
                    },
                    "isLocalSystem": {
                        "totalValues": 1,
                        "values": [
                            "false"
                        ]
                    },
                    "username": {
                        "totalValues": 1,
                        "values": [
                            "administrator"
                        ]
                    },
                    "comment": {
                        "totalValues": 1,
                        "values": [
                            "Built-in account for administering the computer/domain"
                        ]
                    },
                    "domain": {
                        "totalValues": 1,
                        "values": [
                            "ws02"
                        ]
                    },
                    "passwordAgeDays": {
                        "totalValues": 1,
                        "values": [
                            "5"
                        ]
                    },
                    "elementDisplayName": {
                        "totalValues": 1,
                        "values": [
                            "ws02\\administrator"
                        ]
                    }
                },
                "elementValues": {},
                "suspicions": null,
                "filterData": {
                    "sortInGroupValue": "***",
                    "groupByValue": "UserRuntime:***adAssociatedDomain=null , adCanonicalName=null , adCompany=null , adCountry=null , adDepartment=null , adDisplayName=null , adLogonName=null , adMail=null , adMemberOf=null , adOU=null , adPrimaryGroupID=null , adSamAccountName=null , adSid=null , adTextCountry=null , adTitle=null , username=administrator , "
                },
                "isMalicious": false,
                "suspicionCount": 0,
                "guidString": "***",
                "labelsIds": null,
                "malopPriority": null,
                "suspect": false,
                "malicious": false
            },
            "***": {
                "simpleValues": {
                    "numberOfMachines": {
                        "totalValues": 1,
                        "values": [
                            "1"
                        ]
                    },
                    "isLocalSystem": {
                        "totalValues": 1,
                        "values": [
                            "false"
                        ]
                    },
                    "username": {
                        "totalValues": 1,
                        "values": [
                            "administrators"
                        ]
                    },
                    "domain": {
                        "totalValues": 1,
                        "values": [
                            "desktop-***"
                        ]
                    },
                    "elementDisplayName": {
                        "totalValues": 1,
                        "values": [
                            "desktop-***\\***"
                        ]
                    }
                },
                "elementValues": {},
                "suspicions": null,
                "filterData": {
                    "sortInGroupValue": "***",
                    "groupByValue": "UserRuntime:***adAssociatedDomain=null , adCanonicalName=null , adCompany=null , adCountry=null , adDepartment=null , adDisplayName=null , adLogonName=null , adMail=null , adMemberOf=null , adOU=null , adPrimaryGroupID=null , adSamAccountName=null , adSid=null , adTextCountry=null , adTitle=null , username=administrators , "
                },
                "isMalicious": false,
                "suspicionCount": 0,
                "guidString": "***",
                "labelsIds": null,
                "malopPriority": null,
                "suspect": false,
                "malicious": false
            },
            "***": {
                "simpleValues": {
                    "numberOfMachines": {
                        "totalValues": 1,
                        "values": [
                            "1"
                        ]
                    },
                    "privileges": {
                        "totalValues": 1,
                        "values": [
                            "UserPrivAdmin"
                        ]
                    },
                    "isLocalSystem": {
                        "totalValues": 1,
                        "values": [
                            "false"
                        ]
                    },
                    "username": {
                        "totalValues": 1,
                        "values": [
                            "admin"
                        ]
                    },
                    "comment": {
                        "totalValues": 1,
                        "values": [
                            ""
                        ]
                    },
                    "domain": {
                        "totalValues": 1,
                        "values": [
                            "***-2"
                        ]
                    },
                    "passwordAgeDays": {
                        "totalValues": 1,
                        "values": [
                            "1237"
                        ]
                    },
                    "elementDisplayName": {
                        "totalValues": 1,
                        "values": [
                            "***-2\\admin"
                        ]
                    }
                },
                "elementValues": {},
                "suspicions": null,
                "filterData": {
                    "sortInGroupValue": "***",
                    "groupByValue": "UserRuntime:***adAssociatedDomain=null , adCanonicalName=null , adCompany=null , adCountry=null , adDepartment=null , adDisplayName=null , adLogonName=null , adMail=null , adMemberOf=null , adOU=null , adPrimaryGroupID=null , adSamAccountName=null , adSid=null , adTextCountry=null , adTitle=null , username=admin , "
                },
                "isMalicious": false,
                "suspicionCount": 0,
                "guidString": "***",
                "labelsIds": null,
                "malopPriority": null,
                "suspect": false,
                "malicious": false
            }
        },
        "suspicionsMap": {},
        "evidenceMap": {},
        "totalPossibleResults": 103,
        "guessedPossibleResults": 0,
        "queryLimits": {
            "totalResultLimit": 5,
            "perGroupLimit": 100,
            "perFeatureLimit": 100,
            "groupingFeature": {
                "elementInstanceType": "User",
                "featureName": "self"
            },
            "sortInGroupFeature": null
        },
        "queryTerminated": false,
        "pathResultCounts": [
            {
                "featureDescriptor": {
                    "elementInstanceType": "User",
                    "featureName": null
                },
                "count": 103
            }
        ],
        "guids": []
    },
    "status": "SUCCESS",
    "hidePartialSuccess": false,
    "message": "",
    "expectedResults": 1,
    "failures": 0
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path $.data.resultIdToElementDataMap in API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
{
    "***": {
        "simpleValues": {
            "numberOfMachines": {
                "totalValues": 1,
                "values": [
                    "1"
                ]
            },
            "privileges": {
                "totalValues": 1,
                "values": [
                    "UserPrivAdmin"
                ]
            },
            "isLocalSystem": {
                "totalValues": 1,
                "values": [
                    "false"
                ]
            },
            "username": {
                "totalValues": 1,
                "values": [
                    "admin"
                ]
            },
            "comment": {
                "totalValues": 1,
                "values": [
                    ""
                ]
            },
            "domain": {
                "totalValues": 1,
                "values": [
                    "***"
                ]
            },
            "passwordAgeDays": {
                "totalValues": 1,
                "values": [
                    "984"
                ]
            },
            "elementDisplayName": {
                "totalValues": 1,
                "values": [
                    "***\\admin"
                ]
            }
        },
        "elementValues": {},
        "suspicions": null,
        "filterData": {
            "sortInGroupValue": "***",
            "groupByValue": "UserRuntime:***adAssociatedDomain=null , adCanonicalName=null , adCompany=null , adCountry=null , adDepartment=null , adDisplayName=null , adLogonName=null , adMail=null , adMemberOf=null , adOU=null , adPrimaryGroupID=null , adSamAccountName=null , adSid=null , adTextCountry=null , adTitle=null , username=admin , "
        },
        "isMalicious": false,
        "suspicionCount": 0,
        "guidString": "***",
        "labelsIds": null,
        "malopPriority": null,
        "suspect": false,
        "malicious": false
    }
}
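As an added example (not D3 SOAR's or Cybereason's own code), this Python applies the $.data.resultIdToElementDataMap extraction described above to a Query User response, flattens each element's simpleValues into plain fields, and flags the accounts a reviewer would look at first; the sample response and the password-age threshold are constructed here.

```python
"""Added example, not D3 SOAR or Cybereason code: apply the Context Data
extraction path $.data.resultIdToElementDataMap to a Query User response,
flatten each element's simpleValues, and flag accounts worth reviewing first.

Assumption (hypothetical): MAX_PASSWORD_AGE_DAYS is an illustrative threshold,
not a Cybereason or D3 SOAR setting."""
import json
from typing import Any, Dict, List

MAX_PASSWORD_AGE_DAYS = 365

# Constructed sample response, shaped like the Raw Data above but trimmed.
SAMPLE_RAW = json.dumps({
    "data": {
        "resultIdToElementDataMap": {
            "guid-1": {
                "simpleValues": {
                    "username": {"totalValues": 1, "values": ["admin"]},
                    "domain": {"totalValues": 1, "values": ["ws01"]},
                    "privileges": {"totalValues": 1, "values": ["UserPrivAdmin"]},
                    "passwordAgeDays": {"totalValues": 1, "values": ["984"]},
                    "isLocalSystem": {"totalValues": 1, "values": ["false"]},
                },
                "elementValues": {}, "suspect": False, "malicious": False,
            },
            "guid-2": {
                "simpleValues": {
                    "username": {"totalValues": 1, "values": ["administrator"]},
                    "domain": {"totalValues": 1, "values": ["ws02"]},
                    "privileges": {"totalValues": 1, "values": ["UserPrivAdmin"]},
                    "passwordAgeDays": {"totalValues": 1, "values": ["5"]},
                    "isLocalSystem": {"totalValues": 1, "values": ["false"]},
                },
                "elementValues": {}, "suspect": True, "malicious": False,
            },
            "guid-3": {
                "simpleValues": {
                    "username": {"totalValues": 1, "values": ["administrators"]},
                    "domain": {"totalValues": 1, "values": ["desktop-x"]},
                    "isLocalSystem": {"totalValues": 1, "values": ["false"]},
                },
                "elementValues": {}, "suspect": False, "malicious": False,
            },
        },
        "totalPossibleResults": 3,
    },
    "status": "SUCCESS", "message": "", "failures": 0,
})


def context_data(raw: str) -> Dict[str, Any]:
    """The documented Context Data extraction: $.data.resultIdToElementDataMap."""
    return json.loads(raw)["data"]["resultIdToElementDataMap"]


def flatten_element(guid: str, element: Dict[str, Any]) -> Dict[str, Any]:
    """Collapse simpleValues {name: {totalValues, values}} into plain fields.
    A single value becomes a scalar; several values stay a list."""
    flat: Dict[str, Any] = {
        "guid": guid,
        "suspect": bool(element.get("suspect")),
        "malicious": bool(element.get("malicious")),
    }
    for name, feature in element.get("simpleValues", {}).items():
        values = feature.get("values") or []
        flat[name] = values[0] if len(values) == 1 else values
    return flat


def user_findings(user: Dict[str, Any]) -> List[str]:
    """Findings for one flattened user element."""
    findings: List[str] = []
    if user["malicious"]:
        findings.append("flagged malicious")
    elif user["suspect"]:
        findings.append("flagged suspect")
    if user.get("privileges") == "UserPrivAdmin":
        age = user.get("passwordAgeDays")
        if isinstance(age, str) and age.isdigit() and int(age) > MAX_PASSWORD_AGE_DAYS:
            findings.append(f"admin password {age} days old")
    return findings


def review_users(raw: str) -> Dict[str, List[str]]:
    """Map 'domain\\username' -> findings for accounts that have any."""
    report: Dict[str, List[str]] = {}
    for guid, element in context_data(raw).items():
        user = flatten_element(guid, element)
        findings = user_findings(user)
        if findings:
            report[f"{user.get('domain')}\\{user.get('username')}"] = findings
    return report


if __name__ == "__main__":
    for account, items in review_users(SAMPLE_RAW).items():
        print(account, "->", "; ".join(items))
```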
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA


{'simpleValues': {'numberOfMachines': {'totalValues': 1, 'values': ['1']}, 'privileges': {'totalValues': 1, 'values': ['UserPrivAdmin']}, 'isLocalSystem': {'totalValues': 1, 'values': ['false']}, 'username': {'totalValues': 1, 'values': ['admin']}, 'comment': {'totalValues': 1, 'values': ['']}, 'domain': {'totalValues': 1, 'values': ['***']}, 'passwordAgeDays': {'totalValues': 1, 'values': ['984']}, 'elementDisplayName': {'totalValues': 1, 'values': ['***\\admin']}}, 'elementValues': {}, 'suspicions': None, 'filterData': {'sortInGroupValue': '***', 'groupByValue': 'UserRuntime:***adAssociatedDomain=null , adCanonicalName=null , adCompany=null , adCountry=null , adDepartment=null , adDisplayName=null , adLogonName=null , adMail=null , adMemberOf=null , adOU=null , adPrimaryGroupID=null , adSamAccountName=null , adSid=null , adTextCountry=null , adTitle=null , username=admin , '}, 'isMalicious': False, 'suspicionCount': 0, 'guidString': '***', 'labelsIds': None, 'malopPriority': None, 'suspect': False, 'malicious': False}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Query User failed. An error occurred when calling the Query User operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cybereason portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: The value for parameter (Filters) is invalid.

Error Sample Data

Query User failed. An error occurred when calling the Query User operation.

Status Code: 400.

Message: The value for parameter (Filters) is invalid.

Remediate

Remediates a specific process or file. Run the Get Remediation Progress command with Remediation IDs to view the remediation progress.

READER NOTE

The parameter Target IDs is required to run this command.

  • Run the Query Processes or Query Files command to obtain Target IDs. Target IDs can be found in the returned raw data at the path $.data.resultIdToElementDataMap.<id>.

  • For Unquarantine File, you can obtain the Target IDs by running the Run Query command.

    • Please note: the Run Query Search Condition must contain "requestedType" with the value "QuarantineFile" and "templateContext" with the value "OVERVIEW".

    • Please refer to the Run Query command example to obtain the Unquarantine File Target ID.

Malop ID is an optional parameter to run this command.

  • Run the Get All Malops command to obtain Malop ID. Malop IDs can be found in the returned raw data at the path $.malop[*].guid.

Input

Input Parameter

Required/Optional

Description

Example

Malop ID

Optional

The unique ID of the Malop containing the processes or files to remediate. Malop IDs can be obtained using the Get All Malops command. If omitted, the value NOMALOP is used.

11.***

Target IDs

Required

The GUID of the process or file to remediate. Target IDs can be obtained using the Query Process or Query Files command. For Unquarantine Files, you can retrieve the Target ID using the Run Query command.

Note: The value of the “requestedType” key must be “QuarantineFile”, and the value of the “templateContext” key must be “OVERVIEW” in the Run Query command’s Search Condition parameter.

["-***.-***"]

Action Type

Required

The remediation action to perform. The available action types are KILL PROCESS, QUARANTINE FILE, UNQUARANTINE FILE, BLOCK FILE, KILL PREVENT SUSPEND, and UNSUSPEND PROCESS.

QUARANTINE FILE

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
[
    {
        "malopId": "NOMALOP",
        "remediationId": "***-***-***-***-***",
        "start": 1637717163265,
        "end": null,
        "initiatingUser": "test@example.com",
        "statusLog": [
            {
                "machineId": "-***",
                "targetId": "-***.-***",
                "status": "PENDING",
                "actionType": "QUARANTINE_FILE",
                "error": null,
                "timestamp": 1637717163932
            }
        ],
        "targetId": "-***.-***"
    }
]
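Before handing Remediation IDs to Get Remediation Progress, a playbook has to read the statusLog and decide which Return Data state the run maps to. The Python below is an added example, not D3's or Cybereason's code: it works on a constructed response in the shape of the sample above, and the FAILURE status name and the error object in the second item are assumptions made for the sample.

```python
"""Evaluate a Remediate response before passing Remediation IDs downstream.

Added example (not D3's or Cybereason's own code). The first list item has
the shape of the Raw Data sample on this page; the second is constructed
with an error entry so the Partially Successful path is exercised. The
status name FAILURE and the error object are assumptions for the sample;
the logic keys on the "error" and "end" fields, not on status names.
"""
from typing import Any

SAMPLE_REMEDIATE_RESPONSE: list[dict[str, Any]] = [
    {
        "malopId": "NOMALOP",
        "remediationId": "rem-0001",  # placeholder, not a real Cybereason ID
        "start": 1637717163265,
        "end": None,                  # still running
        "initiatingUser": "test@example.com",
        "statusLog": [
            {"machineId": "-1", "targetId": "-1.-1", "status": "PENDING",
             "actionType": "QUARANTINE_FILE", "error": None,
             "timestamp": 1637717163932},
        ],
        "targetId": "-1.-1",
    },
    {
        "malopId": "NOMALOP",
        "remediationId": "rem-0002",  # placeholder
        "start": 1637717163265,
        "end": 1637717165000,         # finished
        "initiatingUser": "test@example.com",
        "statusLog": [
            {"machineId": "-2", "targetId": "-2.-2", "status": "PENDING",
             "actionType": "QUARANTINE_FILE", "error": None,
             "timestamp": 1637717163940},
            {"machineId": "-2", "targetId": "-2.-2", "status": "FAILURE",
             "actionType": "QUARANTINE_FILE",
             "error": {"message": "constructed sample error"},
             "timestamp": 1637717164999},
        ],
        "targetId": "-2.-2",
    },
]


def summarize_remediations(response: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """One summary row per remediation: last logged status, errors, finished flag."""
    rows = []
    for item in response:
        log = item.get("statusLog") or []
        # The statusLog is a history; the newest entry carries the current state.
        last = max(log, key=lambda entry: entry.get("timestamp", 0)) if log else None
        rows.append({
            "remediationId": item.get("remediationId"),
            "targetId": item.get("targetId"),
            "actionType": last.get("actionType") if last else None,
            "lastStatus": last.get("status") if last else None,
            "errors": [entry["error"] for entry in log if entry.get("error")],
            "finished": item.get("end") is not None,
        })
    return rows


def return_data_state(rows: list[dict[str, Any]]) -> str:
    """Map the rows to the Return Data states this page describes for array inputs.

    Assumption: when every target errored the run is reported as Failed;
    a mix of errored and clean targets is Partially Successful.
    """
    if not rows:
        return "Failed"
    errored = sum(1 for row in rows if row["errors"])
    if errored == 0:
        return "Successful"
    return "Failed" if errored == len(rows) else "Partially Successful"


def ids_to_poll(rows: list[dict[str, Any]]) -> list[str]:
    """Remediation IDs still unfinished and error-free: the inputs for Get Remediation Progress."""
    return [row["remediationId"] for row in rows
            if not row["finished"] and not row["errors"]]
```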
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "RemediationID": "***-***-***-***-***"
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

MALOPID

REMEDIATIONID

START

END

INITIATINGUSER

STATUSLOG

TARGETID

NOMALOP

***-***-***-***-***

1637717163265

None

test@example.com

[{'machineId': '-***', 'targetId': '-***.-***', 'status': 'PENDING', 'actionType': 'QUARANTINE_FILE', 'error': None, 'timestamp': 1637717163932}]

-***.-***

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Remediate failed. An error occurred when calling the Remediate operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cybereason portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Malop IDs Not Found.

Error Sample Data

Remediate failed. An error occurred when calling the Remediate operation.

Status Code: 404.

Message: Malop IDs Not Found.

Run Query

Searches for specific indicators and behaviors throughout your environment.

Input

Input Parameter

Required/Optional

Description

Example

Search Condition

Required

The JSON-formatted queries to filter results. See Run a Query from Cybereason’s API documentation for more information about the query syntax.

{
    "totalResultLimit": 1000,
    "perGroupLimit": 100,
    "perFeatureLimit": 100,
    "templateContext": "MALOP",
    "queryPath": [
        {
            "requestedType": "DomainName",
            "filters": [
                {
                    "facetName": "elementDisplayName",
                    "values": [
                        "syoblnnhsupt.co.uk"
                    ],
                    "filterType": "ContainsIgnoreCase"
                }
            ],
            "isResult": true
        }
    ]
}

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "data": {
        "resultIdToElementDataMap": {
            "***": {
                "simpleValues": {
                    "sinkholedClassificationEvidence": {
                        "totalValues": 1,
                        "values": [
                            "true"
                        ]
                    },
                    "maliciousClassificationType": {
                        "totalValues": 1,
                        "values": [
                            "indifferent"
                        ]
                    },
                    "hasResolvedClassificationEvidence": {
                        "totalValues": 1,
                        "values": [
                            "true"
                        ]
                    },
                    "elementDisplayName": {
                        "totalValues": 1,
                        "values": [
                            "***.co.uk"
                        ]
                    }
                },
                "elementValues": {},
                "suspicions": {
                    "domainClassificationSuspicion": ***
                },
                "filterData": {
                    "sortInGroupValue": "***",
                    "groupByValue": "DomainNameRuntime:***"
                },
                "isMalicious": false,
                "suspicionCount": 1,
                "guidString": "***",
                "labelsIds": null,
                "malopPriority": null,
                "suspect": true,
                "malicious": false
            }
        },
        "suspicionsMap": {
            "domainClassificationSuspicion": {
                "potentialEvidence": [
                    "malwareClassificationEvidence",
                    "sinkholedClassificationEvidence"
                ],
                "firstTimestamp": 1585092142623,
                "totalSuspicions": 1
            }
        },
        "evidenceMap": {
            "hasResolvedClassificationEvidence": 1,
            "sinkholedClassificationEvidence": 1
        },
        "totalPossibleResults": 1,
        "guessedPossibleResults": 0,
        "queryLimits": {
            "totalResultLimit": 1000,
            "perGroupLimit": 100,
            "perFeatureLimit": 100,
            "groupingFeature": {
                "elementInstanceType": "DomainName",
                "featureName": "self"
            },
            "sortInGroupFeature": null
        },
        "queryTerminated": false,
        "pathResultCounts": [
            {
                "featureDescriptor": {
                    "elementInstanceType": "DomainName",
                    "featureName": null
                },
                "count": 1
            }
        ],
        "guids": []
    },
    "status": "SUCCESS",
    "hidePartialSuccess": false,
    "message": "",
    "expectedResults": 1,
    "failures": 0
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path $.data.resultIdToElementDataMap in API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
{
    "***": {
        "simpleValues": {
            "sinkholedClassificationEvidence": {
                "totalValues": 1,
                "values": [
                    "true"
                ]
            },
            "maliciousClassificationType": {
                "totalValues": 1,
                "values": [
                    "indifferent"
                ]
            },
            "hasResolvedClassificationEvidence": {
                "totalValues": 1,
                "values": [
                    "true"
                ]
            },
            "elementDisplayName": {
                "totalValues": 1,
                "values": [
                    "***.co.uk"
                ]
            }
        },
        "elementValues": {},
        "suspicions": {
            "domainClassificationSuspicion": ***
        },
        "filterData": {
            "sortInGroupValue": "***",
            "groupByValue": "DomainNameRuntime:***"
        },
        "isMalicious": false,
        "suspicionCount": 1,
        "guidString": "***",
        "labelsIds": null,
        "malopPriority": null,
        "suspect": true,
        "malicious": false
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "IDs": [
        "***"
    ]
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

***

{'simpleValues': {'sinkholedClassificationEvidence': {'totalValues': 1, 'values': ['true']}, 'maliciousClassificationType': {'totalValues': 1, 'values': ['indifferent']}, 'hasResolvedClassificationEvidence': {'totalValues': 1, 'values': ['true']}, 'elementDisplayName': {'totalValues': 1, 'values': ['***.co.uk']}}, 'elementValues': {}, 'suspicions': {'domainClassificationSuspicion': ***}, 'filterData': {'sortInGroupValue': '***', 'groupByValue': 'DomainNameRuntime:***'}, 'isMalicious': False, 'suspicionCount': 1, 'guidString': '***', 'labelsIds': None, 'malopPriority': None, 'suspect': True, 'malicious': False}

Request Example (Get Unquarantine File Target ID)

CODE
{
    "totalResultLimit": 100,
    "perGroupLimit": 100,
    "templateContext": "OVERVIEW",
    "queryPath": [
        {
            "requestedType": "QuarantineFile",
            "filters": [
                {
                    "facetName": "ownerMachine",
                    "values": [
                        "***-poc"
                    ]
                },
                {
                    "facetName": "elementDisplayName",
                    "values": [
                        "**.dll"
                    ],
                    "filterType": "ContainsIgnoreCase"
                }
            ],
            "isResult": true
        }
    ],
    "customFields": [
        "elementDisplayName",
        "ownerMachine"
    ]
}

Result Example (Get Unquarantine File Target ID)
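Carrying the request above through in code: an added Python example, not D3's or Cybereason's own, that builds the QuarantineFile Search Condition and extracts Target IDs from the Run Query response for use with Remediate. The response is constructed here following the resultIdToElementDataMap shape of the Raw Data sample; the GUIDs, host name and file names are placeholders, and the assumption that QuarantineFile results carry elementDisplayName and ownerMachine facets is exactly that.

```python
"""Build the QuarantineFile Search Condition and read Target IDs from a Run Query response.

Added example, not D3's or Cybereason's code. The response below is
constructed in the resultIdToElementDataMap shape of the Raw Data sample;
GUIDs, host name and file names are placeholders, and the facets assumed
for QuarantineFile results (elementDisplayName, ownerMachine) are an assumption.
"""
from typing import Any


def build_quarantine_file_query(machine_name: str, name_contains: str,
                                limit: int = 100) -> dict[str, Any]:
    """Search Condition for Unquarantine File Target IDs.

    requestedType must be QuarantineFile and templateContext OVERVIEW,
    as the Remediate reader note on this page requires.
    """
    return {
        "totalResultLimit": limit,
        "perGroupLimit": limit,
        "templateContext": "OVERVIEW",
        "queryPath": [
            {
                "requestedType": "QuarantineFile",
                "filters": [
                    {"facetName": "ownerMachine", "values": [machine_name]},
                    {"facetName": "elementDisplayName", "values": [name_contains],
                     "filterType": "ContainsIgnoreCase"},
                ],
                "isResult": True,
            }
        ],
        "customFields": ["elementDisplayName", "ownerMachine"],
    }


def flatten_simple_values(element: dict[str, Any]) -> dict[str, Any]:
    """Collapse simpleValues {facet: {totalValues, values}} to {facet: value or list}.

    Values are returned as the API sends them (strings such as "true").
    """
    flat: dict[str, Any] = {}
    for facet, entry in (element.get("simpleValues") or {}).items():
        values = entry.get("values") or []
        single = entry.get("totalValues") == 1 and len(values) == 1
        flat[facet] = values[0] if single else values
    return flat


def parse_run_query(response: dict[str, Any]) -> dict[str, Any]:
    """Return {'targetIds', 'results', 'terminated'}; raise if status is not SUCCESS.

    Raising lets a playbook branch treat the call as Failed instead of
    silently continuing with an empty Target ID list.
    """
    if response.get("status") != "SUCCESS":
        raise RuntimeError(
            f"Run Query status {response.get('status')!r}: {response.get('message')!r}")
    data = response.get("data") or {}
    results = []
    for result_id, element in (data.get("resultIdToElementDataMap") or {}).items():
        # The map key and guidString are the same GUID; this is the Remediate Target ID.
        row: dict[str, Any] = {"targetId": element.get("guidString") or result_id}
        row.update(flatten_simple_values(element))
        row["suspect"] = bool(element.get("suspect"))
        row["malicious"] = bool(element.get("malicious"))
        results.append(row)
    return {
        "targetIds": [row["targetId"] for row in results],
        "results": results,
        # queryTerminated true means the server stopped early; the list may be incomplete.
        "terminated": bool(data.get("queryTerminated")),
    }


def _element(guid: str, display_name: str, owner: str) -> dict[str, Any]:
    """Constructed result element with placeholder values."""
    return {
        "simpleValues": {
            "elementDisplayName": {"totalValues": 1, "values": [display_name]},
            "ownerMachine": {"totalValues": 1, "values": [owner]},
        },
        "elementValues": {}, "suspicions": None, "isMalicious": False,
        "suspicionCount": 0, "guidString": guid, "labelsIds": None,
        "malopPriority": None, "suspect": False, "malicious": False,
    }


# Constructed sample response (placeholder GUIDs and names).
SAMPLE_RUN_QUERY_RESPONSE: dict[str, Any] = {
    "data": {
        "resultIdToElementDataMap": {
            "-100.-200": _element("-100.-200", "sample.dll", "host-poc"),
            "-101.-201": _element("-101.-201", "other.dll", "host-poc"),
        },
        "totalPossibleResults": 2,
        "queryTerminated": False,
    },
    "status": "SUCCESS",
    "message": "",
    "expectedResults": 2,
    "failures": 0,
}
```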

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Run Query failed. An error occurred when calling the Run Query operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cybereason portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: The value for parameter (Search Condition) is invalid.

Error Sample Data

Run Query failed. An error occurred when calling the Run Query operation.

Status Code: 400.

Message: The value for parameter (Search Condition) is invalid.

Set IOC Reputation

Sets a custom, organization-specific reputation (Allowlist or Blocklist) for a file, IP address, or domain name.

Input

Input Parameter

Required/Optional

Description

Example

Keys

Required

The file hash value (MD5 or SHA1), IP address, or domain name to set the IOC reputation.

[ "***" ]

Malicious Type

Required

The reputation to set (Blocklist or Allowlist).

Blocklist

Prevent

Required

Indicates whether to prevent the file's execution with Application Control. Note that this option only applies to the File type. You cannot prevent a file's execution if Malicious Type is Allowlist. If your request includes IP addresses or domain names to update, you must set this parameter to false.

True

Remove

Required

The option to remove the current reputation (True) or add a reputation (False). Note: Setting the value to True will override other parameters.

True
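The constraints in this table (Prevent is file-only, incompatible with Allowlist, and must be false when IPs or domains are present; Remove overrides the rest) are easy to get wrong in a playbook. The Python below is an added example, not D3's or Cybereason's code, that validates the inputs locally before the request is sent; the sample hashes and addresses in it are constructed.

```python
"""Pre-flight checks for the Set IOC Reputation inputs described on this page.

Added example, not D3's or Cybereason's own code. It classifies each key as
an MD5 hash, SHA1 hash, IP address, or domain name and enforces the rules in
the parameter table: Prevent is file-only, cannot be combined with Allowlist,
and must be false when any IP or domain is in Keys; Remove=True overrides the
other parameters.
"""
import ipaddress
import re

MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")
SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")
# Hostname labels per RFC 1123 (no leading/trailing hyphen) plus an alphabetic top-level label.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:(?!-)[A-Za-z0-9-]{1,63}(?<!-)\.)+[A-Za-z]{2,63}$"
)


def classify_key(key: str) -> str:
    """Return 'md5', 'sha1', 'ip', or 'domain'; raise ValueError for anything else."""
    value = key.strip()
    if MD5_RE.match(value):
        return "md5"
    if SHA1_RE.match(value):
        return "sha1"
    try:
        ipaddress.ip_address(value)  # accepts IPv4 and IPv6
        return "ip"
    except ValueError:
        pass
    if DOMAIN_RE.match(value):
        return "domain"
    raise ValueError(f"{key!r} is not an MD5/SHA1 hash, IP address, or domain name")


def validate_set_ioc_reputation(keys, malicious_type, prevent, remove):
    """Return the request fields ready to send, or raise ValueError."""
    if malicious_type not in ("Allowlist", "Blocklist"):
        raise ValueError("Malicious Type must be Allowlist or Blocklist")
    if not keys:
        raise ValueError("Keys must contain at least one value")
    kinds = {key: classify_key(key) for key in keys}  # raises on a malformed key
    if remove:
        # Remove=True drops the current reputation; the other parameters are ignored.
        return {"keys": list(kinds), "kinds": kinds, "remove": True}
    if prevent:
        if malicious_type == "Allowlist":
            raise ValueError("Prevent cannot be true when Malicious Type is Allowlist")
        non_file = [k for k, kind in kinds.items() if kind in ("ip", "domain")]
        if non_file:
            raise ValueError(
                f"Prevent must be false when Keys include IPs or domains: {non_file}")
    return {"keys": list(kinds), "kinds": kinds, "maliciousType": malicious_type,
            "prevent": bool(prevent), "remove": False}


def is_rejected(keys, malicious_type, prevent, remove) -> bool:
    """True when the inputs fail validation (handy for a playbook conditional task)."""
    try:
        validate_set_ioc_reputation(keys, malicious_type, prevent, remove)
        return False
    except ValueError:
        return True
```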

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "outcome": "success",
    "data": true
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

outcome

success

data

True

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Set IOC Reputation failed. An error occurred when calling the Set IOC Reputation operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cybereason portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: The file hash value is invalid.

Error Sample Data

Set IOC Reputation failed. An error occurred when calling the Set IOC Reputation operation.

Status Code: 400.

Message: The file hash value is invalid.

Unisolate Machine

Removes machine(s) associated with a Malop from isolation.

READER NOTE

The parameter Machine Names is required to run this command.

  • Run the Query Sensors command to obtain Machine Names. Machine Names can be found in the returned raw data at the path $.sensors[*].pylumId.

Malop ID is an optional parameter to run this command.

  • Run the Get All Malops command to obtain Malop ID. Malop IDs can be found in the returned raw data at the path $.malop[*].guid.

Input

Input Parameter

Required/Optional

Description

Example

Machine Names

Required

The names of the machines to unisolate. Machine names can be obtained using the Query Sensors command.

[ "***-***" ]

Malop ID

Optional

The ID of the Malop associated with the machine(s). Malop IDs can be obtained using the Get All Malops command. If omitted, the value NOMALOP is used.

11.-***

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
[
    {
        "MachineName": "***-***",
        "***-***": "Succeeded"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "PylumIDs": [
        "**-***"
    ]
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

MACHINENAME

***-***

***-poc

Succeeded

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Unisolate Machine failed. An error occurred when calling the Unisolate Machine operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cybereason portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Machine Names Not Found.

Error Sample Data

Unisolate Machine failed. An error occurred when calling the Unisolate Machine operation.

Status Code: 404.

Message: Machine Names Not Found.

Update Malop Labels

Updates the labels of the specified Malops.

READER NOTE

The parameter Malop IDs is required to run this command.

  • Run the Get All Malops command to obtain Malop IDs. Malop IDs can be found in the returned raw data at the path $.malop[*].guid.

Added Labels and Removed Labels are optional parameters to run this command.

  • Run the Get Malops Label command to obtain Added Labels and Removed Labels. The label IDs can be found in the returned raw data at the path $.[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Malop IDs

Required

The GUIDs of the Malops whose labels are to be updated. Malop IDs can be obtained using the Get All Malops command.

["***"]

Added Labels

Optional

The list of label IDs to add to the specified Malops. Label IDs can be obtained using the Get Malops Label command. If an input label has already been added to the Malop, no error will be returned.

[59,60]

Removed Labels

Optional

The list of label IDs to remove from the specified Malops. Label IDs can be obtained using the Get Malops Label command. If the input label does not exist on the specified Malop, no error will be returned.

[59]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
{
    "UpdateMalopsLabel": "success"
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "IDs": [
        "***"
    ]
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

UpdateMalopsLabel

success

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Update Malop Labels failed. An error occurred when calling the Update Malop Labels operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cybereason portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Malop IDs Not Found.

Error Sample Data

Update Malop Labels failed. An error occurred when calling the Update Malop Labels operation.

Status Code: 404.

Message: Malop IDs Not Found.

Update Malops Status

Updates the status of the specified Malops.

READER NOTE

The parameter Malop IDs is required to run this command.

  • Run the Get All Malops command to obtain Malop IDs. Malop IDs can be found in the returned raw data at the path $.malop[*].guid.

Input

Input Parameter

Required/Optional

Description

Example

Malop IDs

Required

The GUIDs of the Malops whose statuses are to be updated. Malop IDs can be obtained using the Get All Malops command.

["***", "***" ]

Malop Status

Required

The updated status to apply to the specified Malops. The available statuses are To review, Remediated, Unread, Not relevant, or Under investigation.

Remediated

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
[
    {
        "UpdateMalopsStatus": {
            "***": {
                "data": null,
                "status": "SUCCESS",
                "hidePartialSuccess": false,
                "message": "",
                "expectedResults": 0,
                "failures": 0
            },
            "***": {
                "data": null,
                "status": "SUCCESS",
                "hidePartialSuccess": false,
                "message": "",
                "expectedResults": 0,
                "failures": 0
            }
        }
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "IDs": [
        "***",
        "***"
    ]
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

UPDATEMALOPSSTATUS

{'***': {'data': None, 'status': 'SUCCESS', 'hidePartialSuccess': False, 'message': '', 'expectedResults': 0, 'failures': 0}, '***': {'data': None, 'status': 'SUCCESS', 'hidePartialSuccess': False, 'message': '', 'expectedResults': 0, 'failures': 0}}

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Update Malops Status failed. An error occurred when calling the Update Malops Status operation.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cybereason portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Malop IDs Not Found.

Error Sample Data

Update Malops Status failed. An error occurred when calling the Update Malops Status operation.

Status Code: 404.

Message: Malop IDs Not Found.

Test Connection

Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the responses from the third-party API calls, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Test Connection failed. Failed to check connector.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cybereason portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Please ensure username and password are correct.

Error Sample Data

Test Connection failed. Failed to check connector.

Status Code: 400.

Message: Please ensure username and password are correct.
