Cybersixgill

LAST UPDATED: OCT 31, 2024

Overview

Cybersixgill collects intelligence in real-time on all items that appear in the monitored underground sources. It enables organizations to fight cybercrime, detect phishing, data leaks, fraud and vulnerabilities, and amplify incident response in nearly real time.

D3 SOAR is providing REST operations to function with Cybersixgill.

For example, you can use Cybersixgill to integrate with the SOAR system, pushing deep and dark web-based IOCs with actionable insights. With the help of Cybersixgill’s CSM team, the service was expanded to the Sixgill investigative portal to deepen real-time investigation and receive customized fraud notifications.

Cybersixgill is available for use in:

D3 SOAR	V15.1.7.0+
Category	Threat Intelligence
Deployment Options	Option II, Option IV

Connection

To connect to Cybersixgill from D3 SOAR, please follow this part to collect the required information below:

Parameter	Description	Example
Server URL	The server URL of the Cybersixgill server.	https://api.cybersixgill.com
Client ID	The client ID to authenticate with the Cybersixgill server.	xx-xxxxxxxxxx
Client Secret	The client secret to authenticate with the Cybersixgill server.	xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx

WARNING

The Get Organizations command requires the Multi-Tenancy API permission.
The Get IOCs, Test Connection, Consume IOCs Enrich IOCs and Enrich Sixgill Field commands required the IOC API permission.
For MSSP accounts, the Organization ID parameter must be defined for the Fetch Event, Get Actionable Alert Details and Update Actionable Alerts commands. You will also require the Multi-Tenancy API permission.
For non-MSSP accounts, do not define the Organization ID parameter for the Fetch Event, Get Actionable Alert Details and Update Actionable Alerts commands. The Multi-Tenancy API permission is not required.

Permission Requirements

Each endpoint in the Cybersixgill API requires a certain permission scope. The following are required scopes for the commands in this integration:

Command	Required Permission
Consume IOCs	Darkfeed
Enrich IOC	Darkfeed Enrichment
Enrich SixgillField	Darkfeed Enrichment
Fetch Event	MSSP connections require the Actionable Alerts & Multi Tenant API; non-MSSP connections require Actionable Alerts
Get Actionable Alert Details	MSSP accounts require Actionable Alerts & Multi Tenant API; non-MSSP connections require Actionable Alerts
Get IOCs	Darkfeed Enrichment
Get Organizations	Multi Tenant API
Update Actionable Alerts	MSSP accounts require Actionable Alerts & Multi Tenant API; non-MSSP connections require Actionable Alerts
Test Connection	Darkfeed Enrichment

WARNING

The Test Connection command requires the Darkfeed Enrichment permission. Therefore, MSSP accounts using the Test Connection command or the Test Connection button in the connection configuration will not be able to pass the connection. A failed connection may still work with commands supported by the multi tenant API, given that the credentials are valid.

Configuring Cybersixgill to Work with D3 SOAR

Go to the Cybersixgill portal. Click CYBERSIXGRILL.
You will be directed to the login page. Enter your login credentials and sign in.
If this is your first time logging in, click GENERATE API CLIENT AND SECRET.
Copy and save the client ID and client secret in a secure location. Note: The client ID and client secret is only be viewable once after generation.
If you need to generate a new API client secret, click GENERATE NEW SECRET. You will need to apply the new secret to any application using the previous client secret.

Configuring D3 SOAR to Work with Cybersixgill

Log in to D3 SOAR.
Find the Cybersixgill integration.
1. Navigate to Configuration on the top header menu.
2. Click on the Integration icon on the left sidebar.
3. Type Cybersixgill in the search box to find the integration, then click it to select it.
4. Click + New Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to Cybersixgill.
1. Connection Name: The desired name for the connection.
2. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
3. Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.
4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
5. Description (Optional): Add your desired description for the connection.
6. Tenant (Optional): When configuring the connection from a master tenant site, you have the option to choose the specific tenant sites you want to share the connection with. Once you enable this setting, you can filter and select the desired tenant sites from the dropdowns to share the connection.
7. Configure User Permissions: Defines which users have access to the connection.
8. Active: Check the tick box to ensure the connection is available for use.
9. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
  1. Input your domain level Server URL. The default value is https://api.cybersixgill.com.
  2. Input your Client ID.
  3. Input your Client Secret.
10. Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.
  To set up a connection health check, check the Connection Health Check tickbox. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.
11. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.
Test the connection.
1. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.
2. Click OK to close the alert window.
3. Click + Add to create and add the configured connection.

Commands

Cybersixgill includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the Cybersixgill API, please refer to the Cybersixgill API reference.

READER NOTE

Certain permissions are required for each command. Please refer to the Permission Requirements and Configuring Cybersixgill to Work with D3 SOAR for details.

Note for Time-related parameters

The input format of time-related parameters may vary based on your account settings. As a result, the sample data provided in our commands is different from what you see. To set your preferred time format, follow these steps:

Navigate to Configuration > Application Settings. Select Date/Time Format.
Choose your desired date and time format.

After that, you will be able to view your preferred time format when configuring the DateTime input parameters for commands.

Consume IOCs

Acknowledge that you have consumed a bundle (as set by the Limit parameter of the Get IOCs command) of IOC items. Each time after running the Get IOCs command, run this command to consume the IOC items. This ensures that next time the Get IOCs command runs, the next bundle of IOC items will be returned.

READER NOTE

The response data will return the number of consumed IOCs. This value is inherited from the input value of the Limit parameter of the Get IOCs command. If the Limit parameter has not been defined, this command will return 100 consumed IOCs by default.

Input

N/A

Output

Raw Data

The primary response data from the API request.

The original API returns the number of consumed IOCs without an assigned field. D3 SOAR enriches the raw data from the original API response by assigning the number to the field name “numberOfConsumedIOCs”.

SAMPLE DATA

CODE

{
    "numberOfConsumedIOCs": 100
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

numberOfConsumedIOCs

100

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Consume IOCs failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cybersixgill portal. Refer to the HTTP Status Code Registry for details.	Status Code: 401.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: access_denied.

Error Sample Data

Consume IOCs failed.

Status Code: 401.

Message: access_denied.

Enrich IOC

Retrieves STIX-formatted information relating to the specified IOC. To search other IOC patterns created by the same actor that is associated with this IOC, use the Enrich SixgillField command with the output actor name from running this command.

READER NOTE

If the command runs successfully with no returned results, the input IOC value may not exist in the Cybersixgill system. Only suspicious IPs, domains, URLs and file hashes will be returned.

Input

Input Parameter	Required/Optional	Description	Example
IOC Type	Required	The IOC type to enrich.	IP
IOC Value	Required	The IOC value to enrich.	100.100.00.100
Limit	Optional	The maximum number of IOC items to return. The default value is 50.	100

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

{
    "items": [
        {
            "created": "2022-04-02T14:45:29.578Z",
            "description": "A Twitter account reported this IP as malicious",
            "id": "indicator--***-***-***-***-***",
            "labels": [
                "malicious-activity",
                "ip",
                "malware"
            ],
            "lang": "en",
            "modified": "2022-04-02T14:45:29.578Z",
            "pattern": "[ipv4-addr:value = '1.2.3.4']",
            "sixgill_actor": "elfdigest",
            "sixgill_confidence": 80,
            "sixgill_feedid": "***",
            "sixgill_feedname": "malicious_ips_from_twitter",
            "sixgill_postid": "***",
            "sixgill_posttitle": "elfdigest Tweeted",
            "sixgill_severity": 80,
            "sixgill_source": "twitter",
            "spec_version": "2.0",
            "type": "indicator",
            "valid_from": "2022-04-02T14:41:42Z"
        }
    ],
    "total": 1
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "IOCIDs": [
        "indicator--***-***-***-***-***"
    ],
    "IOCPatterns": [
        "[ipv4-addr:value = '1.2.3.4']"
    ],
    "Descriptions": [
        "A Twitter account reported this IP as malicious"
    ],
    "ActorNames": [
        "elfdigest"
    ],
    "PostIDs": [
        "***"
    ],
    "Confidence": [
        80
    ],
    "Severities": [
        80
    ],
    "Sources": [
        "twitter"
    ]
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CREATED	DESCRIPTION	ID	LABELS	LANG	MODIFIED	PATTERN	SIXGILL_ACTOR	SIXGILL_CONFIDENCE	SIXGILL_FEEDID	SIXGILL_FEEDNAME	SIXGILL_POSTID	SIXGILL_POSTTITLE	SIXGILL_SEVERITY	SIXGILL_SOURCE	SPEC_VERSION	TYPE	VALID_FROM
2022-04-02T14:45:29.578Z	A Twitter account reported this IP as malicious	indicator--*----**	['malicious-activity', 'ip', 'malware']	en	2022-04-02T14:45:29.578Z	[ipv4-addr:value = '.2.3.4']	***	80	darkfeed_015	malicious_ips_from_twitter	***	elfdigest Tweeted	80	twitter	2.0

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Enrich IOC failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cybersixgill portal. Refer to the HTTP Status Code Registry for details.	Status Code: 401.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: access_denied.

Error Sample Data

Enrich IOC failed.

Status Code: 401.

Message: access_denied.

Enrich SixgillField

Retrieves STIX-formatted items relating to the specified Sixgill field, actor name, or post ID.

READER NOTE

Sixgill Field and Field Value are required parameters to run this command.

Run the Enrich IOC command in order to obtain the field value (Actor Name and Post ID), please make sure your input Sixgill Field matches the value.
For an example use case, see Enrich IOC and Enrich SixgillField Comands.

Input

Input Parameter	Required/Optional	Description	Example
Sixgill Field	Required	The type of Sixgill field to enrich.	Actor Name
Field Value	Required	The Actor Name or Post ID to enrich. Actor Names and Post IDs can be obtained using the Enrich IOC command.	***
Limit	Optional	The maximum number of Sixgill field items to return. The default value is 50.	100

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

{
    "items": [
        {
            "created": "2022-04-02T14:45:29.578Z",
            "description": "A Twitter account reported this IP as malicious",
            "id": "indicator--***-***-***-***-***",
            "labels": [
                "malicious-activity",
                "ip",
                "malware"
            ],
            "lang": "en",
            "modified": "2022-04-02T14:45:29.578Z",
            "pattern": "[ipv4-addr:value = '1.2.3.4']",
            "sixgill_actor": "***",
            "sixgill_confidence": 80,
            "sixgill_feedid": "***",
            "sixgill_feedname": "malicious_ips_from_twitter",
            "sixgill_postid": "***",
            "sixgill_posttitle": "elfdigest Tweeted",
            "sixgill_severity": 80,
            "sixgill_source": "twitter",
            "spec_version": "2.0",
            "type": "indicator",
            "valid_from": "2022-04-02T14:41:42Z"
        },
        {
            "created": "2022-04-02T14:45:38.859Z",
            "description": "A Twitter account reported this IP as malicious",
            "id": "indicator--***-***-***-***-***",
            "labels": [
                "elf",
                "iot",
                "botnet",
                "malicious-activity",
                "ip",
                "malware"
            ],
            "lang": "en",
            "modified": "2022-04-02T14:45:38.859Z",
            "pattern": "[ipv4-addr:value = '1.2.3.4']",
            "sixgill_actor": "***",
            "sixgill_confidence": 80,
            "sixgill_feedid": "***",
            "sixgill_feedname": "malicious_ips_from_twitter",
            "sixgill_postid": "***",
            "sixgill_posttitle": "elfdigest Tweeted",
            "sixgill_severity": 80,
            "sixgill_source": "twitter",
            "spec_version": "2.0",
            "type": "indicator",
            "valid_from": "2022-04-02T14:42:07Z"
        }
    ],
    "total": 489
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "IOCIDs": [
        "indicator--***-***-***-***-***"
    ],
    "IOCPatterns": [
        "[ipv4-addr:value = '1.1.1.1']"
    ],
    "Descriptions": [
        "A Twitter account reported this IP as malicious"
    ],
    "ActorNames": [
        "***"
    ],
    "PostIDs": [
        "***"
    ],
    "Confidence": [
        80
    ],
    "Severities": [
        80
    ],
    "Sources": [
        "twitter"
    ]
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CREATED	DESCRIPTION	ID	LABELS	LANG	MODIFIED	PATTERN	SIXGILL_ACTOR	SIXGILL_CONFIDENCE	SIXGILL_FEEDID	SIXGILL_FEEDNAME	SIXGILL_POSTID	SIXGILL_POSTTITLE	SIXGILL_SEVERITY	SIXGILL_SOURCE	SPEC_VERSION	TYPE	VALID_FROM
2022-04-02T14:45:29.578Z	A Twitter account reported this IP as malicious	indicator--*----**	['malicious-activity', 'ip', 'malware']	en	2022-04-02T14:45:29.578Z	[ipv4-addr:value = '1.1.1.1']	***	80	darkfeed_015	malicious_ips_from_twitter	***	***Tweeted	80	twitter	2.0	indicator	2022-04-02T14:41:42Z

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Enrich SixgillField failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cybersixgill portal. Refer to the HTTP Status Code Registry for details.	Status Code: 401.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: access_denied.

Error Sample Data

Enrich SixgillField failed.

Status Code: 401.

Message: access_denied.

Fetch Event

Returns actionable alert(s) from the Cybersixgill platform based on specified search conditions.

READER NOTE

The Organization ID parameter is only required for MSSP users that require a multi-tenancy API permission. Do not input an organization ID if you are a non-MSSP user and do not require a multi-tenancy API permission.
- Run the Get Organizations command with MSSP connection to obtain the Organization ID. Organization IDs can be found in the returned raw data at the path $.[*].organization_id.
The default value of the Get Content Items parameter is No. If you select Yes, the key “contentItems” with details will be attached to the returned raw data.

Input

Input Parameter	Required/Optional	Description	Example
Start Time	Required	The start time of the time range to fetching actionable alert(s) which are updated or created after the specified start time in UTC time.	2022-11-01 00:00
End Time	Required	The end time of the time range to fetching actionable alert(s) which are updated or created after the specified end time in UTC time.	2022-11-17 00:00
Number of Event(s) Fetched	Optional	The maximum number of events to return. The default value is 50. For performance optimization, it is not recommended to set this value greater than 200.	100
Organization ID	Optional	The ID of the organization to fetch events from. You can obtain organization IDs using the Get Organizations command. Note: This parameter is required for multi-tenant API connections.	***
Threat Level	Optional	The threat level to filter the fetched events. If this field is not defined, actionable alerts of all threat levels will return.	Emerging
Threat Type	Optional	The threat type to filter the fetched events. The valid threat types are Brand Protection, Compromised Accounts, DDoS Attack, Data Leak, Defacement, Fraud, Malware, Phishing, Vulnerability Exploit, Web Attack and General Mention. If this field is not defined, actionable alerts of all threat types will be returned.	General Mention
Get Content Items	Optional	Specifies whether Actionable Alert Content Details will be included in the response data. If this parameter is not defined, the default value is No. You can also retrieve Content Items of specfic Alertable Alert(s) using the Get Actionable Alert Details command. Note: If set to Yes, performance may be impacted due to the large volumes of content items returned.	Yes

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

[
    {
        "additional_info": {
            "asset_attributes": [
                "organization_aliases",
                "organization_name"
            ],
            "excluded_assets": {},
            "matched_organization_aliases": [
                "acct1"
            ],
            "matched_organization_name": [
                "acct1"
            ],
            "organization_aliases": [
                "Acct1"
            ],
            "organization_name": "Acct1",
            "query_attributes": [
                "organization_aliases",
                "organization_name"
            ],
            "template_id": "***",
            "vendor": "Cybersixgill"
        },
        "alert_id": "***",
        "alert_name": "Recent mentions of your organization in the underground",
        "alert_type": "PercolatedQueryBasedManagedAlertRule",
        "alert_type_id": "***",
        "assessment": "",
        "category": "regular",
        "content_type": "search_result_item",
        "create_time": "2022-11-23 06:35:45",
        "description": "The following is a summary of recent mentions of your organization in the cyber underground.",
        "es_id": "***",
        "es_item": {
            "collection_date": "2022-11-23T01:18:43",
            "content": "... .ae:success\**@**",
            "contentItems": [
                {
                    "_id": "***",
                    "_ignored": [
                        "content.keyword"
                    ],
                    "_source": {
                        "collection_date": "2022-11-23T01:18:43",
                        "content": "Document URL"
                    },
                    "triggered_alert": true
                }
            ],
            "creator": "anonymous",
            "date": "2022-11-23T01:18:43",
            "highlight": {
                "content": [
                    "***"
                ]
            },
            "id": "***",
            "ips": [
                "6.6.6.6",
                "4.4.4.4",
                "1.2.3.4",
                "1.1.1.1"
            ],
            "rep_grade": 5,
            "site": "hosting_anonfiles",
            "tags": [
                "IP_global",
                "IP",
                "Wickr_address",
                "Litecoin_address",
                "email",
                "Litecoin",
                "Credit_card",
                "Email_address",
                "QQ_address",
                "APT",
                "Cryptocurrency",
                "Malware",
                "Twitter_handle",
                "Bitcoin",
                "IP_v4",
                "WeChat_address",
                "Download_link",
                "Adult",
                "Email_domain"
            ],
            "title": "***.txt",
            "type": "file"
        },
        "id": "***",
        "matched_assets": {
            "organization_aliases": [
                "***"
            ],
            "organization_name": [
                "***"
            ]
        },
        "read": false,
        "recommendations": [],
        "severity": 1,
        "site": "hosting_anonfiles",
        "status": {
            "name": "treatment_required"
        },
        "summary": "",
        "threat_level": "emerging",
        "threats": [
            "General Mention"
        ],
        "title": "Recent mentions of your organization in the underground",
        "update_time": "2022-11-23 06:35:45",
        "user_id": "***"
    }
]

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "IDs": [
        "***"
    ],
    "AlertNames": [
        "Recent mentions of your organization in the underground"
    ],
    "AlertTypeIDs": [
        "***"
    ],
    "ContentPreviews": [
        "... .ae:success\&***"
    ],
    "CreateTime": [
        "2022-11-23 06:35:45"
    ],
    "Titles": [
        "Recent mentions of your organization in the underground"
    ],
    "AlertIDs": [
        "***"
    ]
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ADDITIONAL_INFO	ALERT_ID	ALERT_NAME	ALERT_TYPE	ALERT_TYPE_ID	ASSESSMENT	CATEGORY	CONTENT_TYPE	CREATE_TIME	DESCRIPTION	ES_ID	ES_ITEM	ID	MATCHED_ASSETS	READ	RECOMMENDATIONS	SEVERITY	SITE	STATUS	SUMMARY	THREAT_LEVEL	THREATS	TITLE	UPDATE_TIME	USER_ID
{'asset_attributes': ['organization_aliases', 'organization_name'], 'excluded_assets': {}, 'matched_organization_aliases': ['acct1'], 'matched_organization_name': ['acct1'], 'organization_aliases': ['Acct1'], 'organization_name': 'Acct1', 'query_attributes': ['organization_aliases', 'organization_name'], 'template_id': '***', 'vendor': 'Cybersixgill'}	***	Recent mentions of your organization in the underground	PercolatedQueryBasedManagedAlertRule	***		regular	search_result_item	2022-11-23 06:35:45	The following is a summary of recent mentions of your organization in the cyber underground.	***		***	{'organization_aliases': ['acct1'], 'organization_name': ['acct1']}	False	[]	1	***	{'name': 'treatment_required'}		***	['General Mention']	Recent mentions of your organization in the underground	2022-11-23 06:35:45	***

READER NOTE

The Unique Event Key field mapping is used to prevent duplicate event ingestions. D3 SOAR will check if the value of a selected JSON path matches any Unique Event Key of previously ingested events. If a match is found, the event will be dismissed. If no match is found, an event will be created. However, if no Unique Event Key is mapped, then the hash value from the event pending ingestion will be used to check for any matches with existing events. If no match is found, the event will be created.

Unlike most other D3 SOAR integrations, the Cybersixgill integration’s Fetch Event command’s Default Event Source mapping does not include Unique Event Key in order to fetch the same fetched actionable alert with multiple updates.

Fetch Event Field Mapping

Please note that Fetch Event commands require event field mapping. Field mapping plays a key role in the data normalization process part of the event pipeline. Field mapping converts the original data fields from the different providers to the D3 fields which are standardized by the D3 Model. Please refer to Event and Incident Intake Field Mapping for details.

If you require a custom field mapping, click +Add Field to add a custom field mapping. You may also remove built-in field mappings by clicking x. Please note that two underscore characters will automatically prefix the defined Field Name as the System Name for a custom field mapping. Additionally, if an input Field Name contains any spaces, they will automatically be replaced with underscores for the corresponding System Name.

As a system integration, the Cybersixgill integration has some pre-configured field mappings for default field mapping.

Default Event Source
The Default Event Source is the default set of field mappings that are applied when this fetch event command is executed. For out-of-the-box integrations, you will find a set of field mapping provided by the system. Default event source provides field mappings for common fields from fetched events. The default event source has a “Main Event JSON Path” (i.e., $) that is used to extract a batch of events from the response raw data. Click Edit Main JSON Path to view the “Main Event JSON Path”.
- Main Event JSON Path: $
  The Main Event JSON Path determines the root path where the system starts parsing raw response data into D3 event data. The JSON path begins with $, representing the root element. The path is formed by appending a sequence of child elements to $, each separated by a dot (.). Square brackets with nested quotation marks ([‘...’]) should be used to separate child elements in JSON arrays.
  For example, the root node of a JSON Path is $. The child node denoting the Original event ID field would be id. Putting it together, the JSON Path expression to extract the Original event ID is $.id.

The pre-configured field mappings are detailed below:

Field Name	Source Field
Organization	.matched_assets.organization_name
Read	.read
Site	.site
User ID	.user_id
Content	.content
Event category	.category
Event level	.threat_level
Event name	.alert_name
Original event ID	.id
Event Type	.alert_type_id
Start Time	.date
Description	.title
Severity	.severity
Status	.status.name
Threat type	.threats

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Fetch Event failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cybersixgill portal. Refer to the HTTP Status Code Registry for details.	Status Code: 401.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: access_denied.

Error Sample Data

Fetch Event failed.

Status Code: 401.

Message: access_denied.

Get Actionable Alert Details

Retrieves actionable alerts details, including content items.

READER NOTE

It is recommended to use this command to retrieve Actionable Alert Details instead of using the Fetch Event command by setting the Get Content Items parameter to Yes. Using this command instead will avoid potential performance issues of returning large amounts of data when using the Fetch Event command.
Input parameter Actionable Alert IDs is required to run this command.
- Run the Fetch Event command to obtain the Actionable Alert IDs. Actionable Alert IDs can be found in the returned raw data at the path $.[*].id.
Organization ID is an optional parameter to run this command.
- Run the Get Organizations command to obtain the Organization ID. Organization IDs can be found in the returned raw data at the path $.[*].organization_id.
- The Organization ID parameter is only required for MSSP users that require a multi-tenancy API permission. Do not input an organization ID if you are a non-MSSP user and do not require a multi-tenancy API permission.
Ensure you are using the correct connection when running commands. The Fetch Event and Get Actionable Alert Details command must use the same connection for the Actionable Alert IDs to be usable.

Input

Input Parameter	Required/Optional	Description	Example
Actionable Alert IDs	Required	The ID(s) of the actionable alert(s) to return. Actionable Alert IDs can be obtained using the Fetch Event command. Please note that MSSPs connections will only be able to view Actionable Alert Details from the same organization.	[ "***" ]
Organization ID	Optional	The ID of the organization to get Actionable Alert Details. You can obtain organization IDs using the Get Organizations command. Note: This parameter is required for multi-tenant API connections.	***

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

[
    {
        "additional_info": {
            "asset_attributes": [
                "organization_aliases",
                "organization_name"
            ],
            "excluded_assets": {},
            "matched_organization_aliases": [
                "acct1"
            ],
            "matched_organization_name": [
                "acct1"
            ],
            "organization_aliases": [
                "Acct1"
            ],
            "organization_name": "***",
            "query_attributes": [
                "organization_aliases",
                "organization_name"
            ],
            "template_id": "***",
            "vendor": "Cybersixgill"
        },
        "alert_id": "***",
        "alert_name": "Recent mentions of your organization in the underground",
        "alert_type": "PercolatedQueryBasedManagedAlertRule",
        "alert_type_id": "***",
        "assessment": "",
        "category": "regular",
        "content_type": "search_result_item",
        "create_time": "2022-11-23 06:35:45",
        "description": "The following is a summary of recent mentions of your organization in the cyber underground.",
        "es_id": "***",
        "es_item": {
            "collection_date": "2022-11-23T01:18:43",
            "content": "... .ae:success\***",
            "contentItems": [
                {
                    "_id": "***",
                    "_ignored": [
                        "content.keyword"
                    ],
                    "_source": {
                        "collection_date": "2022-11-23T01:18:43",
                        "content": "Document URL"
                    },
                    "triggered_alert": true
                }
            ],
            "creator": "anonymous",
            "date": "2022-11-23T01:18:43",
            "highlight": {
                "content": [
                    "\***"
                ]
            },
            "id": "***",
            "ips": [
                "1.2.3.4",
                "4.3.2.1",
                "1.1.1.2",
                "1.2.3..5"
            ],
            "rep_grade": 5,
            "site": "***",
            "tags": [
                "IP_global",
                "IP",
                "Wickr_address",
                "Litecoin_address",
                "email",
                "Litecoin",
                "Credit_card",
                "Email_address",
                "QQ_address",
                "APT",
                "Cryptocurrency",
                "Malware",
                "Twitter_handle",
                "Bitcoin",
                "IP_v4",
                "WeChat_address",
                "Download_link",
                "Adult",
                "Email_domain"
            ],
            "title": "***.txt",
            "type": "file"
        },
        "id": "***",
        "matched_assets": {
            "organization_aliases": [
                "***"
            ],
            "organization_name": [
                "***"
            ]
        },
        "read": false,
        "recommendations": [],
        "severity": 1,
        "site": "***",
        "status": {
            "name": "treatment_required"
        },
        "summary": "",
        "threat_level": "emerging",
        "threats": [
            "General Mention"
        ],
        "title": "Recent mentions of your organization in the underground",
        "update_time": "2022-11-23 06:35:45",
        "user_id": "***"
    }
]

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "IDs": [
        "***"
    ],
    "AlertNames": [
        "Recent mentions of your organization in the underground"
    ],
    "AlertTypeIDs": [
        "***"
    ],
    "ContentPreviews": [
        "... .ae:***"
    ],
    "CreateTime": [
        "2022-11-23 06:35:45"
    ],
    "Titles": [
        "Recent mentions of your organization in the underground"
    ],
    "AlertIDs": [
        "***"
    ]
}

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ADDITIONAL_INFO	ALERT_ID	ALERT_NAME	ALERT_TYPE	ALERT_TYPE_ID	ASSESSMENT	CATEGORY	CONTENT_TYPE	CREATE_TIME	DESCRIPTION	ES_ID	ES_ITEM	ID	MATCHED_ASSETS	READ	RECOMMENDATIONS	SEVERITY	SITE	STATUS	SUMMARY	THREAT_LEVEL	THREATS	TITLE	UPDATE_TIME	USER_ID
	***	Recent mentions of your organization in the underground	PercolatedQueryBasedManagedAlertRule	***		regular	search_result_item	2022-11-23 06:35:45	The following is a summary of recent mentions of your organization in the cyber underground.	***		***	{'organization_aliases': ['acct1'], 'organization_name': ['acct1']}	False	[]	1	***	{'name': 'treatment_required'}		***	['General Mention']	Recent mentions of your organization in the underground	2022-11-23 06:35:45	**

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Get Actionable Alert Details failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cybersixgill portal. Refer to the HTTP Status Code Registry for details.	Status Code: 500.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.

Error Sample Data

Get Actionable Alert Details failed.

Status Code: 500.

Message: The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.

Get IOCs

Retrieves a bundle of Cybersixgill DarkFeed IOC items. Each time after running this command, run the Consume IOCs command to acknowledge that you have consumed a bundle (as set by the limit parameter) of IOC items. This ensures that next time this command runs, the next bundle of IOC items will be returned.

READER NOTE

The response raw data will return two id fields. The ID value corresponding to an IOC item is formatted as “indicator--....” (e.g. indicator–88888888-aaaa-4). The other ID value is formatted as “marking-definition–...” (e.g. marking--definition--a12a11) corresponds to the marking definition of an IOC item.

Input

Input Parameter	Required/Optional	Description	Example
Limit	Optional	The maximum number of IOCs to fetch. The default value is 100.	100

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

{
    "id": "bundle--***-***-***-***-***",
    "objects": [
        {
            "created": "2017-01-20T00:00:00.000Z",
            "definition": {
                "tlp": "amber"
            },
            "definition_type": "tlp",
            "id": "marking-definition--***-***-***-***-***",
            "type": "marking-definition"
        },
        {
            "created": "2019-12-26T00:00:00Z",
            "definition": {
                "statement": "Copyright Sixgill 2020. All rights reserved."
            },
            "definition_type": "statement",
            "id": "marking-definition--***-***-***-***-***",
            "type": "marking-definition"
        },
        {
            "created": "2022-06-25T15:07:34.334Z",
            "description": "Virustotal link that appeared on a dark web site, generally to show malware that is undetected",
            "external_reference": [
                {
                    "positive_rate": "high",
                    "source_name": "VirusTotal",
                    "url": "https://virustotal.com/#/file/***"
                }
            ],
            "id": "indicator--***-***-***-***-***",
            "labels": [
                "malicious-activity",
                "malware",
                "malicious",
                "Test capabilities",
                "Test signature detection for file upload/email filters"
            ],
            "lang": "en",
            "modified": "2022-06-25T15:07:34.334Z",
            "object_marking_refs": [
                "marking-definition--***-***-***-***-***",
                "marking-definition--***-***-***-***-***"
            ],
            "pattern": "[file:hashes.MD5 = '***' OR file:hashes.'SHA-1' = '***' OR file:hashes.'SHA-256' = '***']",
            "sixgill_actor": "**",
            "sixgill_confidence": 80,
            "sixgill_feedid": "***",
            "sixgill_feedname": "***",
            "sixgill_post_virustotallink": "https://virustotal.com/#/file/**",
            "sixgill_postid": "***",
            "sixgill_posttitle": "[CLEAN] ??Engine Spoofer ~ HWID Changer | Machine GUID, HDD-Serial, Product ID etc.??",
            "sixgill_severity": 70,
            "sixgill_source": "forum_cracked",
            "spec_version": "2.0",
            "type": "indicator",
            "valid_from": "2022-06-17T22:07:00Z"
        }
    ],
    "spec_version": "2.0",
    "type": "bundle"
}

Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path $.objects in API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE

No Sample Data

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "ID": [
        "indicator--***-***-***-***-***",
        "indicator--***-***-***-***-***"
    ]
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id	bundle--*----**
objects	{'created': '2017-01-20T00:00:00.000Z', 'definition': {'tlp': 'amber'}, 'definition_type': 'tlp', 'id': 'marking-definition--*----', 'type': 'marking-definition'} {'created': '2019-12-26T00:00:00Z', 'definition': {'statement': 'Copyright Sixgill 2020. All rights reserved.'}, 'definition_type': 'statement', 'id': 'marking-definition------', 'type': 'marking-definition'} {'created': '2022-06-25T15:07:34.334Z', 'description': 'Virustotal link that appeared on a dark web site, generally to show malware that is undetected', 'external_reference': [{'positive_rate': 'high', 'source_name': 'VirusTotal', 'url': 'https://virustotal.com/#/file/28946c3b11fcf289c2554531995aea4a1054bc9ed18b8b8827c54a1103388ce5 '}], 'id': 'i----', 'labels': ['malicious-activity', 'malware', 'malicious', 'Test capabilities', 'Test signature detection for file upload/email filters'], 'lang': 'en', 'modified': '2022-06-25T15:07:34.334Z', 'object_marking_refs': ['marking-definition------', 'marking-definition------'], 'pattern': "[file:hashes.MD5 = '' OR file:hashes.'SHA-1' = '' OR file:hashes.'SHA-256' = '']", 'sixgill_actor': 'xesyyy', 'sixgill_confidence': 80, 'sixgill_feedid': 'darkfeed_002', 'sixgill_feedname': 'darkweb_vt_links', 'sixgill_post_virustotallink': 'https://virustotal.com/#/file/28946c3b11fcf289c2554531995aea4a1054bc9ed18b8b8827c54a1103388ce5 ', 'sixgill_postid': '**', 'sixgill_posttitle': '[CLEAN] ??Engine Spoofer ~ HWID Changer \| Machine GUID, HDD-Serial, Product ID etc.??', 'sixgill_severity': 70, 'sixgill_source': 'forum_cracked', 'spec_version': '2.0', 'type': 'indicator', 'valid_from': '2022-06-17T22:07:00Z'}
spec_version	2.0
type	bundle

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Get IOCs failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cybersixgill portal. Refer to the HTTP Status Code Registry for details.	Status Code: 403.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Request not authorized.

Error Sample Data

Get IOCs failed.

Status Code: 403.

Message: Request not authorized.

Get Organizations

Retrieves a list of current organizations in an MSSP instance of Cybersixgill.

READER NOTE

This command is only available for API connections with the multi-tenancy permission enabled.
Organization Name is an optional parameter to run this command.
- If the Organization Name parameter is not defined, all organization names will return.

Input

Input Parameter	Required/Optional	Description	Example
Organization Name	Optional	The whole or partial names of the organizations to list. If this parameter is not defined, all organizations names will return.	orgname

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

[
    {
        "assigned_users": [
            {
                "role_id": "***",
                "role_name": "owner",
                "user_email": "test@example.com",
                "user_id": "****",
                "user_name": "***",
                "user_type": "mssp_global_admin"
            },
            {
                "role_id": "***",
                "role_name": "***",
                "user_email": "test2@example.com",
                "user_id": "***",
                "user_name": "***",
                "user_type": "programmatic"
            }
        ],
        "countries": [
            "Barbados"
        ],
        "create_time": "2022-10-21 12:04:09",
        "industries": [
            "Finance"
        ],
        "logo": "",
        "name": "orgname",
        "organization_commercial_category": "pov",
        "organization_id": "***"
    }
]

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "OrganizationNames": [
        "orgname"
    ],
    "OrganizationIDs": [
        "***"
    ],
    "OrganizationCategories": [
        "pov"
    ]
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ASSIGNED_USERS	COUNTRIES	CREATE_TIME	INDUSTRIES	LOGO	NAME	ORGANIZATION_COMMERCIAL_CATEGORY	ORGANIZATION_ID
[{'role_id': '*', 'role_name': 'owner', 'user_email': 'test@example.com', 'user_id': '', 'user_name': '**', 'user_type': 'mssp_global_admin'}]	['Barbados']	2022-10-21 12:04:09	['Finance']		orgname	pov	***

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Get Organizations failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cybersixgill portal. Refer to the HTTP Status Code Registry for details.	Status Code: 401.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: access_denied.

Error Sample Data

Get Organizations failed.

Status Code: 401.

Message: access_denied.

Update Actionable Alerts

Updates a list of actionable alerts by ID.

READER NOTE

Input parameter Actionable Alert IDs is required to run this command.
- You should already have your desired Actionable Alert IDs on hand to update. If you don’t, you may use the Fetch Event with defined filters (i.e. time range, limit, Organization ID, Threat Level and Threat Type) to retrieve the desired actionable alert IDs. The actionable alert IDs can be found under “IDs” in the returned data.
The Organization ID parameter is only required for MSSP users that require a multi-tenancy API permission. Do not input an organization ID if you are a non-MSSP user and do not require a multi-tenancy API permission.
- Run the Get Organizations command with MSSP connection to obtain the Organization ID. Organization IDs can be found in the returned raw data at the path $.[*].organization_id.

Input

Input Parameter	Required/Optional	Description	Example
Actionable Alert IDs	Required	The ID(s) of the actionable alert(s) to update. Actionable Alert IDs can be obtained using the Fetch Event command.	[ "***" ]
Organization ID	Optional	The ID of the organization to update Actionable Alerts. You can obtain organization IDs using the Get Organizations command. Note: This parameter is required for multi-tenant API connections.	***
Read	Optional	Updates the read status of the specified actionable alerts. The valid options are Read and Unread.	Read
Threat Level	Optional	The updated threat level of the actionable alert(s). The valid threat levels are Imminent and Emerging.	Imminent
Status	Optional	The updated status of the actionable alert(s). The valid statuses are Treatment Required, In Treatment, and Resolved.	In Treatment

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

[
    {
        "items_modified": [
            "***"
        ],
        "items_modified_count": 1,
        "message": "Successfully updated ***",
        "status": 200
    }
]

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
    "ModifiedActionableAlertIDs": [
        "***"
    ],
    "Messages": [
        "Successfully updated ***"
    ]
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ITEMS_MODIFIED	ITEMS_MODIFIED_COUNT	MESSAGE	STATUS
['***']	1	Successfully updated ***	200

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Update Actionable Alerts failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cybersixgill portal. Refer to the HTTP Status Code Registry for details.	Status Code: 401.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: access_denied.

Error Sample Data

Update Actionable Alerts failed.

Status Code: 401.

Message: access_denied.

Test Connection

Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the responses from the third-party API calls including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Test Connection failed. Failed to check the connector.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Cybersixgill portal. Refer to the HTTP Status Code Registry for details.	Status Code: 401.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: access_denied.

Error Sample Data

Test Connection failed. Failed to check the connector.

Status Code: 401.

Message: access_denied.

FAQ

Why am I seeing the error message “access_declined” when running some commands?”

The correct connection is required. Refer to Permission Requirements to ensure the required permissions for the API are enabled for the corresponding command.

Use Cases

Get IOCs and Consume IOCs Commands

First, run the Get IOCs command to return a bundle of IOC items from Cybersixgill Darkfeed. After, run the Consume IOCs command to acknowledge that you have consumed that bundle of IOC items, as defined by the Limit value set for the Get IOCs command. This ensures that the next time you run the Get IOCs command, the next bundle of IOC items will return.

Enrich IOC and Enrich SixgillField Commands

First, run the Enrich IOC command to retrieve actor names. Actor names can be used as input values to run the Enrich SixgillField command. This command will return the actor names’ associated IOC patterns, including additional IPs and domains. In addition, the command will return more of the actor name’s corresponding POST IDs, which can be inputted to the Enrich SixgillField command again for more enrichment data.

Fetch Event and Get Actionable Alert Details Commands

First, run the Fetch Event command to return the actionable alerts based on your search condition. If you select Yes for the Get Content Items input parameter, it may cause the Fetch Event command to run slowly due to the large volume of data fetched. It is recommended to select No for the Get Content Items input parameter and retrieve actionable alert details using the Get Actionable Alert Details command instead. Input the Actionable Alert ID(s) under same connection as the Fetch Event command for the Get Actionable Alert Details command. This will avoid the system loading issue.