Skip to main content
Skip table of contents

Deep Instinct V2

LAST UPDATED: DECEMBER 22, 2025

Overview

Deep Instinct V2 uses the Deep Instinct REST API, version v1. Deep Instinct is an endpoint security platform that prevents, detects, and responds to zero-day malware, ransomware, and other advanced threats before they can compromise endpoints or networks. It provides endpoint detection and response (EDR) capabilities, among other features, for modern security operations.

D3 SOAR is providing REST operations to function with Deep Instinct V2.

Deep Instinct V2 is available for use in:

D3 SOAR

V17.0+

Category

SIEM XDR

Deployment Options

Option II, Option IV

Connection

Gather the following information to connect D3 SOAR to Deep Instinct V2.

Parameter

Description

Example

Server URL

The server URL of the Deep Instinct instance.

https://<Replace_With_Your-deepinstinct-instance>

API Key

The API key used to authenticate the connection.

*****

API Version

The version of the API used for the connection. By default, the value is v1.

v1

Configuring D3 SOAR to Work with Deep Instinct V2

  1. Log in to D3 SOAR.

  2. Find the Deep Instinct V2 integration.

    1. Navigate to Configuration on the top header menu.

    2. Click on the Integration icon on the left sidebar.

    3. Type Deep Instinct V2 in the search box to find the integration, then click it to select it.

    4. Click on the + Connection button on the right side of the Connections section. A new connection window will appear.

  3. Configure the following fields to create a connection to Deep Instinct V2.

    1. Connection Name: The desired name for the connection.

    2. Site: The site on which to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.

    3. Recipient site for events from connections Shared to Internal Sites: This field is displayed when Share to Internal Sites is selected for the Site field, allowing selection of the internal site for deploying the integration connection.

    4. Agent Name (Optional): The proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

    5. Description (Optional): The description for the connection.

    6. Tenant (Optional): When configuring the connection from a master tenant site, users can choose the specific tenant sites with which to share the connection. Once this setting is enabled, users can filter and select the desired tenant sites from the dropdowns to share the connection.

    7. Configure User Permissions: Defines which users have access to the connection.

    8. Active: The checkbox that enables the connection to be used when selected.

    9. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.

      1. Input the Server URL. The default value is https://<Replace_With_Your-deepinstinct-instance>.

      2. Input the API Key from the Deep Instinct V2 platform.

      3. Input the API Version. The default value is v1.

    10. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Refer to the password vault connection guide if needed.

    11. Connection Health Check: Periodically checks the connection status by scheduling the Test Connection command at the specified interval (in minutes). Available only for active connections, this feature also allows configuring email notifications for failed attempts.

  4. Test the connection.

    1. Click on the Test Connection button to verify credentials and connectivity. A success alert displays Passed with a green checkmark. If the connection fails, review the parameters and retry.

    2. Click OK to close the alert window.

    3. Click + Add to create and add the configured connection.

Commands

Deep Instinct V2 includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command function, users can execute these commands independently for playbook troubleshooting.

Note for Time-related parameters

The input format of time-related parameters may vary based on user account settings, which may cause the sample data in commands to differ from what is displayed. To adjust the time format, follow these steps:

  1. Navigate to Configuration Application Settings. Select Date/Time Format.

  2. Choose the desired date and time format, then click on the Save button.

    The selected time format will now be visible when configuring Date/Time command input parameters.

Edit Hash Allowlist

Adds or removes file hashes in the hash allowlist of a specified policy.

READER NOTE

Policy ID is a required parameter to run this command.

  • Run the List Policies command to obtain the Policy ID. Policy IDs can be found in the raw data at $.Results[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Policy ID

Required

The unique identifier of the policy whose hash allowlist will be updated. Policy IDs can be obtained using the List Policies command.

*****

Action

Optional

The allowlist operation to perform. Valid values are:

  • Add

  • Remove

By default, the value is set to Add.

Add

Items

Required

The file hashes to add to or remove from the hash allowlist.

JSON 
[
  "6ef9*****4d0c"
]

Comment

Optional

An optional comment describing the allowlist change.

Bulk add hashes to the allowlist.

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Edit Hash Allowlist failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Deep Instinct V2 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

Edit Hash Allowlist failed.

Status Code: 401.

Message: Unauthorized.

Edit Hash Denylist

Adds or removes file hashes in the hash denylist of a specified policy.

READER NOTE

Policy ID is a required parameter to run this command.

  • Run the List Policies command to obtain the Policy ID. Policy IDs can be found in the raw data at $.Results[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Policy ID

Required

The unique identifier of the policy whose hash denylist will be updated. Policy IDs can be obtained using the List Policies command.

*****

Action

Optional

The denylist operation to perform. Valid values are:

  • Add

  • Remove

By default, the value is set to Add.

Add

Items

Required

The file hashes to add to or remove from the hash denylist.

JSON 
[
  "6ef9*****4d0c"
]

Comment

Optional

An optional comment describing the denylist change.

Bulk add hashes to the denylist.

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Edit Hash Denylist failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Deep Instinct V2 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

Edit Hash Denylist failed.

Status Code: 401.

Message: Unauthorized.

Edit Malicious Events

Performs batch actions on specified malicious events.

READER NOTE

Malicious Event IDs is a required parameter to run this command.

  • Run the Fetch Event command with Retrieve Event Type set to Malicious Event to obtain the Malicious Event IDs. Malicious Event IDs can be found in the raw data at $.events[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Malicious Event IDs

Required

The unique identifiers of malicious events on which the selected action will be performed. Malicious Event IDs can be obtained using the Fetch Event command with Retrieve Event Type set to Malicious Event.

JSON 
[
  *****,
  *****
]

Action

Required

The action to perform on the specified malicious events. Valid values are:

  • Archive

  • Close

  • Open

  • Unarchive

Close

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Edit Malicious Events failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Deep Instinct V2 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

Edit Malicious Events failed.

Status Code: 401.

Message: Unauthorized.

Edit Suspicious Events

Performs batch actions on specified suspicious events.

READER NOTE

Suspicious Event IDs is a required parameter to run this command.

  • Run the Fetch Event command with Retrieve Event Type set to Suspicious Event to obtain the Suspicious Event IDs. Suspicious Event IDs can be found in the raw data at $.events[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Suspicious Event IDs

Required

The unique identifiers of suspicious events on which the selected action will be performed. Suspicious Event IDs can be obtained using the Fetch Event command with Retrieve Event Type set to Suspicious Event.

JSON 
[
  *****,
  *****
]

Action

Required

The action to perform on the specified suspicious events. Valid values are:

  • Archive

  • Close

  • Unarchive

Close

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Edit Suspicious Events failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Deep Instinct V2 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

Edit Suspicious Events failed.

Status Code: 401.

Message: Unauthorized.

Execute Command

Executes a custom request against a specified API endpoint. Endpoint permissions must be configured correctly before the command is executed.

Input

Input Parameter

Required/Optional

Description

Example

API Endpoint

Required

The API request path to invoke.

/health_check

HTTP Request Method

Optional

The HTTP method used for the request. Valid values are:

  • GET

  • POST

  • PUT

  • PATCH

  • DELETE

By default, the value is set to GET.

POST

HTTP Query Parameters

Optional

A JSON object containing query parameters to include in the request.

JSON 
{
  "size": 10  "offset": 1
}

HTTP Request Body

Optional

A JSON object containing the request payload. This parameter is required when the HTTP request method is POST, PUT, PATCH, or DELETE.

By default, the value is an empty object.

JSON 
{
  "items": [
    {
      "comment": "This is my comment",
      "item": "6ef9*****4d0c"
    }
  ]
}

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Execute Command failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Deep Instinct V2 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

Execute Command failed.

Status Code: 401.

Message: Unauthorized.

Fetch Event

Ingests malicious or suspicious events into the vSOC platform as events.

Input

Input Parameter

Required/Optional

Description

Example

Start Time

Optional

The start of the time range for retrieving events (in UTC). Events generated after this time will be retrieved.

The time range between Start Time and End Time must not exceed four hours for command performance reasons.

01/15/2024 04:00 PM

End Time

Optional

The end of the time range for retrieving events (in UTC). Events generated before this time will be retrieved.

When this parameter has a value and Start Time is not provided, Start Time will be set to four hours before End Time.

By default, the value is the current time (in UTC). The time range between Start Time and End Time must not exceed four hours.

01/15/2024 04:00 PM

Filters For Malicious Events

Optional

A JSON object containing field-value pairs used to filter malicious events. Filter properties are defined by the POST /events/search endpoint.

JSON 
{
  "status": [
    "OPEN",
    "REOPEN"
  ],
  "action": [
    "PREVENTED",
    "DETECTED"
  ],
  "threat_severity": [
    "HIGH",
    "VERY_HIGH"
  ],
  "tenant_name": "My Tenant1",
  "tenant_id": *****
}

Filters For Suspicious Events

Optional

A JSON object containing field-value pairs used to filter suspicious events. Filter properties are defined by the POST /suspicious-events/search endpoint.

JSON 
{
  "status": [
    "OPEN",
    "REOPEN"
  ],
  "action": [
    "PREVENTED",
    "DETECTED",
    "REMEDIATED"
  ],
  "threat_severity": [
    "HIGH",
    "VERY_HIGH"
  ],
  "tenant_name": "My Tenant1",
  "tenant_id": *****
}

Retrieve Event Type

Optional

The event type to return. Valid options are:

  • Suspicious Event

  • Malicious Event

  • All

When Suspicious Event is selected, Filters for Malicious Events will be ignored. When Malicious Event is selected, Filters for Suspicious Events will be ignored.

By default, the value is set to Suspicious Event.

Malicious Event

Output

To view the sample output data for all commands, refer to this article.

Fetch Event Field Mapping

See Field Mappings.

The Deep Instinct V2 system integration includes pre-configured field mappings for the default event source.

The Default Event Source is the default system-provided set of field mappings applied when the fetch event command is executed. It includes a Main Event JSON Path, which is the JSONPath expression that points to the base array of event objects. The source field path continues from this array to locate the required data.

The Main Event JSON Path can be viewed by clicking on the Edit Event Source button.

Frame 2 (3).png

  • Main Event JSON Path: $.events
    The events array contains the event objects. Within each object, the key type denotes the Event Type field. As such, the full JSONPath expression to extract the Event Type is $.events.type.

The pre-configured field mappings are detailed below:

Field Name

Source Field

Comments

.comment

Device ID

.device_id

Remediation

.remediation

Destination IP address

.destination_ip

Destination port

.destination_port

Device

.device_name

Event Type

.type

File Hash SHA256

.file_sha_256

Filepath

.path

Hostname

.recorded_device_info.hostname

Start Time

.timestamp

Description

.description

New registry path

.new_registry_key

Parent process commandline

.parent_process_command_line

Parent process image path

.parent_process_path

Process command line

.process_command_line

Process ID

.process_id

Registry key name

.old_registry_key

Registry value type

.registry_data_type

Source IP address

.source_ip

Source port

.source_port

Source type

.SourceType

Status

.status

Threat handled

.action

Username

.username

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Fetch Event failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Deep Instinct V2 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

Fetch Event failed.

Status Code: 401.

Message: Unauthorized.

Get File Details

Retrieves file details for specified file hashes. Archive hashes are supported.

Input

Input Parameter

Required/Optional

Description

Example

File Hashes

Required

The file hashes for which details will be retrieved.

JSON 
[
  "*****",
  "*****"
]

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get File Details failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Deep Instinct V2 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

Get File Details failed.

Status Code: 401.

Message: Unauthorized.

Get Hash Allowlist Items

Retrieves hash allowlist items for a specified policy.

READER NOTE

Policy ID is a required parameter to run this command.

  • Run the List Policies command to obtain the Policy ID. Policy IDs can be found in the raw data at $.Results[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Policy ID

Required

The unique identifier of the policy for which hash allowlist items will be retrieved. Policy IDs can be obtained using the List Policies command.

*****

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Hash Allowlist Items failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Deep Instinct V2 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

Get Hash Allowlist Items failed.

Status Code: 401.

Message: Unauthorized.

Get Hash Denylist Items

Retrieves hash denylist items for a specified policy.

READER NOTE

Policy ID is a required parameter to run this command.

  • Run the List Policies command to obtain the Policy ID. Policy IDs can be found in the raw data at $.Results[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Policy ID

Required

The unique identifier of the policy for which hash denylist items will be retrieved. Policy IDs can be obtained using the List Policies command.

*****

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Hash Denylist Items failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Deep Instinct V2 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

Get Hash Denylist Items failed.

Status Code: 401.

Message: Unauthorized.

Get Malicious Events

Retrieves detailed information for specified malicious events.

READER NOTE

Malicious Event IDs is a required parameter to run this command.

  • Run the Fetch Event command with Retrieve Event Type set to Malicious Event to obtain the Malicious Event IDs. Malicious Event IDs can be found in the raw data at $.events[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Malicious Event IDs

Required

The unique identifiers of malicious events for which details will be retrieved. Malicious Event IDs can be obtained using the Fetch Event command with Retrieve Event Type set to Malicious Event.

JSON 
[
  *****,
  *****
]

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Malicious Events failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Deep Instinct V2 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

Get Malicious Events failed.

Status Code: 401.

Message: Unauthorized.

Get Policy Details

Retrieves detailed information for specified policies.

READER NOTE

Policy IDs is a required parameter to run this command.

  • Run the List Policies command to obtain the Policy IDs. Policy IDs can be found in the raw data at $.Results[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Policy IDs

Required

The unique identifiers of policies for which details will be retrieved. Policy IDs can be obtained using the List Policies command.

JSON 
[
  *****,
  *****
]

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Policy Details failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Deep Instinct V2 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

Get Policy Details failed.

Status Code: 401.

Message: Unauthorized.

Get Suspicious Events

Retrieves detailed information for specified suspicious events.

READER NOTE

Suspicious Event IDs is a required parameter to run this command.

  • Run the Fetch Event command with Retrieve Event Type set to Suspicious Event to obtain the Suspicious Event IDs. Suspicious Event IDs can be found in the raw data at $.events[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Suspicious Event IDs

Required

The unique identifiers of suspicious events for which details will be retrieved. Suspicious Event IDs can be obtained using the Fetch Event command with Retrieve Event Type set to Suspicious Event.

JSON 
[
  *****,
  *****
]

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Get Suspicious Events failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Deep Instinct V2 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

Get Suspicious Events failed.

Status Code: 401.

Message: Unauthorized.

List Devices

Retrieves devices based on the specified filters. When no input parameters are provided, all devices will be returned.

Input

Input Parameter

Required/Optional

Description

Example

Hostname

Optional

Filters devices by hostname.

WINDOWS-SERVER-01

IP Address

Optional

Filters devices by IP address.

111.123.145.241

Filters For Devices

Optional

A JSON object containing device property field-value pairs used to filter results.

JSON 
{
  "os": [
    "WINDOWS"
  ],
  "domain": "acme.local",
  "comment": "My comment",
  "license_status": [
    "ACTIVATED"
  ],
  "group_name": "Windows Default Group",
  "tenant_name": "Tenant 1"
}

Last Device ID

Optional

The identifier of the last device returned in the previous request. This parameter is used for pagination. A maximum of 50 devices will be returned per request.

*****

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Devices failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Deep Instinct V2 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

List Devices failed.

Status Code: 401.

Message: Unauthorized.

List Policies

Retrieve the original version of the specified artifact.

Input

N/A

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Policies failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Deep Instinct V2 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

List Policies failed.

Status Code: 401.

Message: Unauthorized.

List Users

Retrieves users based on the specified filters. When no input parameters are provided, all users will be returned.

Input

Input Parameter

Required/Optional

Description

Example

User IDs

Optional

The unique identifiers of users for which details will be retrieved. When provided, Record Size and Offset are ignored.

JSON 
[
  *****,
  *****
]

Record Size

Optional

The maximum number of users to return per request. By default, the value is 500.

50

Offset

Optional

The number of users to skip before returning results. By default, the value is 0.

50

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Users failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Deep Instinct V2 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

List Users failed.

Status Code: 401.

Message: Unauthorized.

Take Action On Devices

Performs a remediation action on specified devices.

READER NOTE

Device IDs is a required parameter to run this command.

  • Run the List Devices command to obtain the Device IDs. Device IDs can be found in the raw data at $.Results[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Device IDs

Required

The unique identifiers of devices on which the selected action will be performed. Device IDs can be obtained using the List Devices command.

JSON 
[
  *****,
  *****,
  *****
]

Remediation Action

Required

The action to perform on the specified devices. Valid values are:

  • Isolate From Network

  • Release From Isolation

  • Terminate Remote Process

Isolate From Network

Output

To view the sample output data for all commands, refer to this article.

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Take Action On Devices failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Deep Instinct V2 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

Take Action On Devices failed.

Status Code: 401.

Message: Unauthorized.

Test Connection

Allows users to perform a health check on an integration connection. Users can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Output Type

Description

Return Data Type

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

More details about an error can be viewed in the Error tab.

String

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Test Connection failed. Failed to check the connector.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Deep Instinct V2 portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Unauthorized.

Error Sample Data

Test Connection failed. Failed to check the connector.

Status Code: 401.

Message: Unauthorized.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close