LogPoint Director

LAST UPDATED: 02/14/2024

Overview

LogPoint Director is a platform for managing large deployments. The setup allows different customers of an MSSP or different departments of a large organization to work independent of each other, and still be controlled and monitored via a central entity.

D3 SOAR is providing REST operations to function with LogPoint Director.

LogPoint Director is available for use in:

D3 SOAR	V16.1.0+
Category	SIEM & XDR
Deployment Options	Option II, Option IV

Connection

To connect to LogPoint Director from D3 SOAR, please follow this part to collect the required information below:

Parameter	Description	Example
Server URL	The server URL of the LogPoint instance.	https://sample.logicmonitor.com
Token	The token to authenticate the integration.	c3*****q
Pool UUID	The Pool UUID to authenticate the integration.	***
LogPoint Identifier	The LogPoint Identifier to authenticate the integration.	***

Configuring LogPoint Director to Work with D3 SOAR

How do I obtain a Bearer Token?
1. Bearer tokens can be obtained from the left navigation bar in the Director Console. Navigate to the Profile tab and select the Generate Token option. The token is valid only for 8 hours from the time it is generated. For times when the script runs for an extended period, you can use the Refresh Token API to obtain a new token automatically once the existing token expires.
How do I obtain the Pool UUID of the Fabric-enabled LogPoint?
1. The value of the pool_UUID parameter can be obtained by logging into the Logpoint Search Master (LPSM) and navigating to Settings > Configurations > LogPoint Pool section. A list of LPSM pools will be displayed. The pool_UUID (UUID) can be selected by their Pool Names from the UUID column.
How do I obtain the LogPoint Identifier?
1. The value of the logpoint_identifier parameter can be obtained by logging into Logpoint Search Master (LPSM) and navigating to Settings > Configurations > LogPoint Pool section. The details of all Fabric-enabled LogPoints associated with the pool can be found by clicking on the Details icon under the Actions column. Click on the Details icon and find the name of your LogPoint and its identifier.

Configuring D3 SOAR to Work with LogPoint Director

Log in to D3 SOAR.
Find the LogPoint Director integration.
1. Navigate to Configuration on the top header menu.
2. Click on the Integration icon on the left sidebar.
3. Type LogPoint Director in the search box to find the integration, then click it to select it.
4. Click + New Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to LogPoint Director.
1. Connection Name: The desired name for the connection.
2. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
3. Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.
4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
5. Description (Optional): Add your desired description for the connection.
6. Tenant (Optional): When configuring the connection from a master tenant site, you have the option to choose the specific tenant sites you want to share the connection with. Once you enable this setting, you can filter and select the desired tenant sites from the dropdowns to share the connection.
7. Configure User Permissions: Defines which users have access to the connection.
8. Active: Check the tick box to ensure the connection is available for use.
9. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
  1. Input your domain level Server URL.
  2. Copy the Token from the LogPoint Director platform.
  3. Copy the Pool UUID from the LogPoint Director platform.
  4. Input the LogPoint Identifier.
10. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.
11. Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.
  To set up a connection health check, check the Connection Health Check tickbox. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.
Test the connection.
1. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.
2. Click OK to close the alert window.
3. Click + Add to create and add the configured connection.

Commands

LogPoint Director includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the LogPoint Director API, please refer to the LogPoint Director API reference.

READER NOTE

Certain permissions are required for each command. Please refer to Configuring LogPoint Director to Work with D3 SOAR for details.

Note for Time-related parameters

The input format of time-related parameters may vary based on your account settings. As a result, the sample data provided in our commands is different from what you see. To set your preferred time format, follow these steps:

Navigate to Configuration > Application Settings. Select Date/Time Format.
Choose your desired date and time format.

After that, you will be able to view your preferred time format when configuring the DateTime input parameters for commands.

Fetch Incident

Returns Incident(s) from the LogPoint Director platform based on specified criteria(s).

READER NOTE

Attack Tag, Attack Category and Assigned To Users are required parameters to run this command.

Run the List Users command to obtain Assigned To Users. User IDs can be found from the returned raw data at the path $.results[*].id.
Run the Fetch Mitre Attacks command to obtain the Attack Tag and Attack Category.

Input

Input Parameter	Required/Optional	Description	Example
Start Time	Optional	The start time of the time range for fetching incidents in UTC Time. If the start time is specified, the end time must also be defined. If this parameter is not defined, the default start time will be 24 hours before now.	2022-06-10 01:00
End Time	Optional	The end time of the time range for fetching incidents in UTC Time. If the end time is specified, the start time must also be defined. If this parameter is not defined, the default end time will be now.	2022-06-11 00:00
Log Source	Optional	The list of log sources to filter.	["log203","log226"]
Type	Optional	The list of types from which the incident is generated. Values such as "alert", "search" and "UEBA" can be used.	["alert"]
Status	Optional	The list of statuses of the incident. Values such as "resolved", "unresolved" and "closed" can be used.	["resolved","unresolved"]
Risk	Optional	The list of risk levels of the incident. Values such as "low", "medium", "high" and "critical" can be used.	["critical", "high"]
Attack Tag	Optional	The list of attack tags. Attack Tags can be obtained using the Fetch Mitre Attacks command.	["Security Account Manager", "LSASS Memory"]
Attack Category	Optional	The list of attack categories. Attack category can be obtained using the Fetch Mitre Attacks command.	["Defense Evasion","Persistence"]
Assigned To Users	Optional	The list of IDs of the users who are assigned the incident. User IDs can be obtained using the List Users command.	["57***2","62***4"]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

{
    "request": {},
    "logpoint_identifier": "f2*****bd",
    "pool_uuid": "d4*****8e",
    "response": {
        "success": true,
        "rows": [
            {
                "type": "Alert",
                "alert_obj_id": "64*****c4",
                "alertrule_id": "b3*****54",
                "incident_id": "4f*****1e",
                "name": "8c_WinSysmon_-_Suspicious WebDav Client Execution",
                "description": "Detects &#34;***.exe&#34; spawning &#34;***.exe&#34; with command arguments like C:\\windows\\****\\***.***,***. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server) or potentially a sign of exploitation of CVE-2023-****\n\n## Static Lists in this rule ##  \n - DEFAULT_SUSPICIOUS_WEBDAV_CLIENT_EXECUTION_COMMAND_EXCLUSIONS  \n - CUSTOM_SUSPICIOUS_WEBDAV_CLIENT_EXECUTION_COMMAND_EXCLUSIONS  \n  \n\n## Rule Metadata ##  \nRule Path: rules\\default\\WinSysmon\\8c_WinSysmon_-_Suspicious_WebDav_Client_Execution.json  \n  \n\nSources/References:  \n - https://twitter.com/aceresponder/status/*****\n - https://www.mdsec.co.uk/2023/03/exploiting-cve-***-microsoft-outlook-elevation-of-privilege-vulnerability/  \n - https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/  \n  \n\nRule Authors:\n - *** (Nextron Systems)  \n - *** (Nextron Systems)  \n - ***  \n  \n\n",
                "username": "5e*****7",
                "user_id": "5e*****7",
                "assigned_to": "5e*****7",
                "detection_timestamp": 1689069632.3803403,
                "loginspect_ip_dns": "10.xx.yy.227",
                "logpoint_name": "achtcom_xx_yy_001",
                "status": "unresolved",
                "comments": [],
                "commentscount": 0,
                "query": "norm_id=&#34;WindowsSysmon&#34; event_id=1 parent_image=&#34;*\\svchost.exe&#34; image=&#34;*\\rundll32.exe&#34; command=&#34;*C:\\windows\\system32\\davclnt.dll,DavSetCookie*&#34; -command in DEFAULT_SUSPICIOUS_WEBDAV_CLIENT_EXECUTION_COMMAND_EXCLUSIONS -command in CUSTOM_SUSPICIOUS_WEBDAV_CLIENT_EXECUTION_COMMAND_EXCLUSIONS -command in [&#34;*://10.*&#34;, &#34;*://192.168.*&#34;, &#34;*://172.16.*&#34;, &#34;*://172.17.*&#34;, &#34;*://172.18.*&#34;, &#34;*://172.19.*&#34;, &#34;*://172.20.*&#34;, &#34;*://172.21.*&#34;, &#34;*://172.22.*&#34;, &#34;*://172.23.*&#34;, &#34;*://172.24.*&#34;, &#34;*://172.25.*&#34;, &#34;*://172.26.*&#34;, &#34;*://172.27.*&#34;, &#34;*://172.28.*&#34;, &#34;*://172.29.*&#34;, &#34;*://172.30.*&#34;, &#34;*://172.31.*&#34;, &#34;*://127.*&#34;, &#34;*://169.254.*&#34; ]",
                "repos": [
                    "100.0.0.1:5504/Windows"
                ],
                "time_range": [
                    1689069240,
                    1689069540
                ],
                "throttle_enabled": false,
                "attack_id": [
                    "*****"
                ],
                "attack_tag": [
                    "Exfiltration Over Unencrypted Non-C2 Protocol"
                ],
                "attack_category": [
                    "Exfiltration"
                ],
                "metadata": [],
                "log_source": [],
                "notifications": [],
                "manageable_by": [],
                "risk": "critical",
                "id": "*****"
            }
        ]
    }
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
  "incidentIDs": ["*****"],
  "Names": ["8c_WinSysmon_-_Suspicious WebDav Client Execution"]
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

result

{'k1': '43-*****', 'k2': 10, 'k3': True, 'k4': '2021-06-12 12:30:00'}

Incident Field Mapping

For this integration, the default incident fields in D3 SOAR are fixed with no built-in source fields. Users can specify the source fields as needed.

Event and Incident Intake Field Mapping

Please note that incident and event intake commands require both Event Field and Incident Field Mapping. These field mappings are the default event/incident field mappings for D3 system integrations. You can edit the provided mappings or create custom mappings as needed. Please refer to Event and Incident Intake Field Mapping for more details.

Incident Main JSON Path: $.response.rows

Field Name	Source Field
Title	User to define
Description	User to define
Severity	User to define, default is “Low”
Incident Type *	User to define, default is the first Incident form in D3 SOAR system
Incident Creator	User to define
Incident Owner	User to define
Incident Playbook	User to define
Due In Date	User to define
Unique Key	User to define
Tactics	User to define
Techniques	User to define

Event Field Mapping

Main Event JSON Path

$

Field Name	Source Field
Event code	.id
Start Time	.detection_timestamp
Event Type	.type
Event name	.name
Description	.description
Username	.username
Severity	.risk
Status	.status
Techniques	.attack_id
Source vendor product name	.logpoint_name
Source IP address	.loginspect_ip_dns
Alert Rule ID	.alertrule_id
Alert Object ID	.alert_obj_id
Alert Incident ID	.incident_id
Tactics	.attack_category
Attack Tag	.attack_tag
WMI filter query	.query
Repos	.repos

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Fetch Incident failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogPoint Director portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Test Connection failed caused by an unexpected error. Please use test command and check Raw Data for the details.

Error Sample Data

Fetch Incident failed.

Status Code: 400.

Message: Test Connection failed caused by an unexpected error. Please use test command and check Raw Data for the details.

Fetch Mitre Attacks

Lists all existing Mitre Attacks.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE

No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Fetch Mitre Attacks failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogPoint Director portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Test Connection failed caused of an unexpected error. Please use test command and check Raw Data for the details.

Error Sample Data

Fetch Mitre Attacks failed.

Status Code: 400.

Message: Test Connection failed caused of an unexpected error. Please use test command and check Raw Data for the details.

List Devices

Lists all devices in the Fabric-enabled LogPoint.

Input

N/A

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

{
    "total": 1,
    "items": [
        {
            "id": ***,
            "name": "1.1.1.1",
            "displayName": "1.1.1.1",
            "deviceType": 0,
            "relatedDeviceId": -1,
            "currentCollectorId": 3,
            "preferredCollectorId": 3,
            "autoBalancedCollectorGroupId": 0,
            "preferredCollectorGroupId": 3,
            "preferredCollectorGroupName": "*****",
            "description": "",
            "createdOn": 1659025440,
            "updatedOn": 1661804096,
            "disableAlerting": false,
            "autoPropsAssignedOn": 1661723349,
            "autoPropsUpdatedOn": 1661723369,
            "scanConfigId": 0,
            "link": "",
            "enableNetflow": false,
            "netflowCollectorId": 0,
            "netflowCollectorGroupId": 0,
            "netflowCollectorGroupName": null,
            "lastDataTime": 0,
            "lastRawdataTime": 0,
            "hostGroupIds": "*****",
            "sdtStatus": "none-none-none",
            "userPermission": "exec",
            "hostStatus": "normal",
            "alertStatus": "none",
            "alertStatusPriority": 100000,
            "awsState": 1,
            "azureState": 1,
            "gcpState": 1,
            "alertDisableStatus": "none-none-none",
            "alertingDisabledOn": null,
            "collectorDescription": "HWN\\WIN-CQ6QK1U4IGO",
            "netflowCollectorDescription": null,
            "customProperties": [
                {
                    "name": "location",
                    "value": "Coresite"
                },
                {
                    "name": "system.categories",
                    "value": ""
                }
            ],
            "upTimeInSeconds": 0,
            "deletedTimeInMs": 0,
            "toDeleteTimeInMs": 0,
            "hasDisabledSubResource": false,
            "ancestorHasDisabledLogicModule": false,
            "systemProperties": [
                {
                    "name": "system.enablenetflow",
                    "value": "false"
                },
                {
                    "name": "system.collectorplatform",
                    "value": "windows"
                },
                {
                    "name": "system.collectorid",
                    "value": "3"
                },
                {
                    "name": "system.deviceId",
                    "value": "118"
                },
                {
                    "name": "system.prefcollectordesc",
                    "value": "HWN\\WIN-*****"
                },
                {
                    "name": "system.collectordesc",
                    "value": "HWN\\WIN-CQ6*****K1U4IGO"
                },
                {
                    "name": "system.groups",
                    "value": "Devices by Type/Misc,Devices by Type/Minimal Monitoring,HWN_Coresite/All Resources"
                },
                {
                    "name": "system.deviceGroupId",
                    "value": "41,15,37"
                },
                {
                    "name": "system.collector",
                    "value": "false"
                },
                {
                    "name": "system.ips",
                    "value": "1.1.1.1"
                }
            ],
            "autoProperties": [
                {
                    "name": "auto.network.names",
                    "value": "1.1.1.1"
                }
            ],
            "inheritedProperties": [
                {
                    "name": "*****.ssl",
                    "value": "true"
                }
            ]
        }
    ],
    "searchId": null,
    "isMin": false
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
  "DeviceIDs": [*****,*****]
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

DeviceCount	1

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	List Devices failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogPoint Director portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Test Connection failed caused of an unexpected error. Please use test command and check Raw Data for the details.

Error Sample Data

List Devices failed.

Status Code: 400.

Message: Test Connection failed caused of an unexpected error. Please use test command and check Raw Data for the details.

List Remote Repos

Fetches all local and remote Repos.

Input

N/A

Output

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
  "RepoIDs": ["*****"],
  "RepoNames": ["default"]
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE

No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	List Remote Repos failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogPoint Director portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Test Connection failed caused of an unexpected error. Please use test command and check Raw Data for the details.

Error Sample Data

List Remote Repos failed.

Status Code: 400.

Message: Test Connection failed caused of an unexpected error. Please use test command and check Raw Data for the details.

List Users

Lists all existing users.

Input

N/A

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

{
    "results": [
        {
            "active": true,
            "dashboard": "*****",
            "email": "test@example.local",
            "failed_login_count": 0,
            "fields": {
                "automate_query_bar": [],
                "hidden_fields": [],
                "interesting_hidden_fields": [],
                "show_all": true
            },
            "firstname": "Admin",
            "fullname": "Admin Admin",
            "id": "*****",
            "last_login": {
                "login_date": "2020-11-30 04:36:41.983000"
            },
            "lastname": "Admin",
            "ldap_strategy": "",
            "locked": false,
            "locked_time": "2020-07-06 12:47:39.789000",
            "password_change_date": "2018-11-14 08:17:01.251000",
            "plugin_settings": {},
            "preferences": "*****",
            "query": "",
            "tid": "",
            "timezone": "UTC",
            "usergroup": [
                "*****",
                "*****"
            ],
            "username": "admin"
        }
    ]
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE

{
  "UserIDs": ["*****"],
  "Usernames": ["admin"],
  "FullNames": ["Admin Admin"],
  "Emails": ["test@example.local"]
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

results

{'active': True, 'dashboard': '*****', 'email': 'test@example.local', 'failed_login_count': 0, 'fields': {'automate_query_bar': [], 'hidden_fields': [], 'interesting_hidden_fields': [], 'show_all': True}, 'firstname': 'Admin', 'fullname': 'Admin Admin', 'id': '*****', 'last_login': {'login_date': '2020-11-30 04:36:41.983000'}, 'lastname': 'Admin', '*****': '', 'locked': False, 'locked_time': '2020-07-06 12:47:39.789000', 'password_change_date': '2018-11-14 08:17:01.251000', 'plugin_settings': {}, 'preferences': '*****', 'query': '', 'tid': '', 'timezone': 'UTC', 'usergroup': ['*****', '*****'], 'username': 'admin'}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	List Users failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogPoint Director portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Test Connection failed caused of an unexpected error. Please use test command and check Raw Data for the details.

Error Sample Data

List Users failed.

Status Code: 400.

Message: Test Connection failed caused of an unexpected error. Please use test command and check Raw Data for the details.

Search Endpoint Logs

Searches endpoint logs.

READER NOTE

User ID is a required parameter to run this command.

Run the List Users command to obtain User ID. User IDs can be found from the returned raw data at the path $.results[*].id.

Input

Input Parameter	Required/Optional	Description	Example
Start Time	Required	The start time of the time range for fetching search logs in UTC Time.	2022-06-10 01:00
End Time	Required	The end time of the time range for fetching search logs in UTC Time.	2022-06-11 00:00
Limit	Optional	The maximum number of rows returned in a single request. The default value of the limit parameter is 100.	10
Query	Required	The valid LogPoint query to filter the response based on the given query.	event_id=4624 user=firstname.lastname
Repos	Optional	The list of repos where the logs are searched.	["100.0.0.1:5504/_logpoint","10.1.1.1:5504/_logpoint"]
User ID	Required	The existing User ID. User IDs can be obtained using the List Users command.	5d8*****41

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

{
    "request": {},
    "logpoint_identifier": "****",
    "pool_uuid": "*****",
    "response": {
        "query_type": "simple",
        "rows": [
            {
                "col_ts": *****,
                "msg": "Dec 21 11:00:27 logpoint9-17 sudo: pam_unix(sudo:session): session closed for user loginspect",
                "_tz": "UTC",
                "log_ts": *****,
                "_identifier": "0",
                "collected_at": "LogPoint",
                "device_ip": "100.0.0.1",
                "_type_str": "msg col_type device_name collected_at device_ip source_name _tz _enrich_policy _fromV550 repo_name logpoint_name",
                "device_name": "localhost",
                "_offset": ****,
                "_fromV550": "t",
                "logpoint_name": "LogPoint",
                "_enrich_policy": "None",
                "_type_num": "col_ts log_ts _offset _identifier",
                "repo_name": "_logpoint",
                "_type_ip": "device_ip",
                "col_type": "filesystem",
                "source_name": "/var/log/auth.log",
                "_labels": []
            },
            {
                "col_ts": ****,
                "msg": "Dec 21 11:00:28 logpoint9-17 CRON[*****]: ****(cron:session): session closed for user root",
                "_tz": "UTC",
                "log_ts": ******,
                "_identifier": "0",
                "collected_at": "LogPoint",
                "device_ip": "100.0.0.1",
                "_type_str": "msg col_type device_name collected_at device_ip source_name _tz _enrich_policy _fromV550 repo_name logpoint_name",
                "device_name": "localhost",
                "_offset": 41352,
                "_fromV550": "t",
                "logpoint_name": "LogPoint",
                "_enrich_policy": "None",
                "_type_num": "col_ts log_ts _offset _identifier",
                "repo_name": "_logpoint",
                "_type_ip": "device_ip",
                "col_type": "filesystem",
                "source_name": "/var/log/auth.log",
                "_labels": []
            }
        ],
        "version": 4,
        "extracted_terms": [
            "device_name:localhost"
        ],
        "time_range": [
            1640082646,
            1640084446
        ],
        "orig_search_id": "***-***-***-***-***",
        "success": true,
        "final": true,
        "totalPages": 1,
        "estim_count": 6784,
        "complete": true,
        "status": {
            "LogPoint": {
                "default": {
                    "@class": "com.logpoint.libcommon.merger.api.SimpleStatus",
                    "estim_count": 0,
                    "final": true
                },
                "_logpoint": {
                    "@class": "com.logpoint.libcommon.merger.api.SimpleStatus",
                    "estim_count": 6784,
                    "final": true
                },
                "_LogPointAlerts": {
                    "@class": "com.logpoint.libcommon.merger.api.SimpleStatus",
                    "estim_count": 0,
                    "final": true
                }
            }
        }
    }
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

request	{}
logpoint_identifier	ea******f8
pool_uuid	a0*****d
response	{'query_type': 'simple', 'rows': [{'col_ts': ***, 'msg': 'Dec 21 11:00:27 logpoint9-17 sudo: pam_unix(sudo:session): session closed for user loginspect', '_tz': 'UTC', 'log_ts': *, '_identifier': '0', 'collected_at': 'LogPoint', 'device_ip': '100.0.0.1', '_type_str': 'msg col_type device_name collected_at device_ip source_name _tz _enrich_policy _fromV550 repo_name logpoint_name', 'device_name': 'localhost', '_offset': *, '_fromV550': 't', 'logpoint_name': 'LogPoint', '_enrich_policy': 'None', '_type_num': 'col_ts log_ts _offset _identifier', 'repo_name': '_logpoint', '_type_ip': 'device_ip', 'col_type': 'filesystem', 'source_name': '/var/log/auth.log', '_labels': []}, {'col_ts': *, 'msg': 'Dec 21 11:00:28 logpoint9-17 CRON[*]: pam_unix(cron:session): session closed for user root', '_tz': 'UTC', 'log_ts': *, '_identifier': '0', 'collected_at': 'LogPoint', 'device_ip': '127.0.0.1', '_type_str': 'msg col_type device_name collected_at device_ip source_name _tz _enrich_policy _fromV550 repo_name logpoint_name', 'device_name': 'localhost', '_offset': *, '_fromV550': 't', 'logpoint_name': 'LogPoint', '_enrich_policy': 'None', '_type_num': 'col_ts log_ts _offset _identifier', 'repo_name': '_logpoint', '_type_ip': 'device_ip', 'col_type': 'filesystem', 'source_name': '/var/log/auth.log', '_labels': []}], 'version': 4, 'extracted_terms': ['device_name:localhost'], 'time_range': [1640082646, 1640084446], 'orig_search_id': '----', 'success': True, 'final': True, 'totalPages': 1, 'estim_count': 6784, 'complete': True, 'status': {'LogPoint': {'default': {'@class': 'com.logpoint.libcommon.merger.api.SimpleStatus', 'estim_count': 0, 'final': True}, '_logpoint': {'@class': 'com.logpoint.libcommon.merger.api.SimpleStatus', 'estim_count': ****, 'final': True}, '_LogPointAlerts': {'@class': 'com.logpoint.libcommon.merger.api.SimpleStatus', 'estim_count': 0, 'final': True}}}}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Search Endpoint Logs failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogPoint Director portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Test Connection failed caused of an unexpected error. Please use test command and check Raw Data for the details.

Error Sample Data

Search Endpoint Logs failed.

Status Code: 400.

Message: Test Connection failed caused of an unexpected error. Please use test command and check Raw Data for the details.

Search Logs With Count

Retrieves the total number of grouped logs in the search result.

READER NOTE

User ID is a required parameter to run this command.

Run the List Users command to obtain User ID. User IDs can be found from the returned raw data at the path $.results[*].id.

Input

Input Parameter	Required/Optional	Description	Example
Start Time	Required	The start time of the time range for fetching search logs in UTC Time.	2022-06-10 01:00
End Time	Required	The end time of the time range for fetching search logs in UTC Time.	2022-06-11 00:00
Limit	Optional	The maximum number of rows returned in a single request. The default value of the limit parameter is 100.	10
Repos	Optional	The list of repos where the logs are searched.	["100.0.0.1:5504/_logpoint","10.1.0.1:5504/_logpoint"]
User ID	Required	The existing User ID. User IDs can be obtained using the List Users command.	5d*****1
Group By	Required	The field that the logs should be grouped by.	device_ip

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE

{
    "request": {},
    "logpoint_identifier": "e*****8",
    "pool_uuid": "a0*****d",
    "response": {
        "query_type": "simple",
        "rows": [
            {
                "col_ts": 16*****8,
                "msg": "Dec 21 11:00:27 logpoint9-17 sudo: pam_unix(sudo:session): session closed for user loginspect",
                "_tz": "UTC",
                "log_ts": 16******8,
                "_identifier": "0",
                "collected_at": "LogPoint",
                "device_ip": "100.0.0.1",
                "_type_str": "msg col_type device_name collected_at device_ip source_name _tz _enrich_policy _fromV550 repo_name logpoint_name",
                "device_name": "localhost",
                "_offset": *****,
                "_fromV550": "t",
                "logpoint_name": "LogPoint",
                "_enrich_policy": "None",
                "_type_num": "col_ts log_ts _offset _identifier",
                "repo_name": "_logpoint",
                "_type_ip": "device_ip",
                "col_type": "filesystem",
                "source_name": "/var/log/auth.log",
                "_labels": []
            }
        ],
        "version": 4,
        "extracted_terms": [
            "device_name:localhost"
        ],
        "time_range": [
            1640082646,
            1640084446
        ],
        "orig_search_id": "***-***-***-***-***",
        "success": true,
        "final": true,
        "totalPages": 1,
        "estim_count": 6784,
        "complete": true,
        "status": {
            "LogPoint": {
                "default": {
                    "@class": "com.logpoint.libcommon.merger.api.SimpleStatus",
                    "estim_count": 0,
                    "final": true
                },
                "_logpoint": {
                    "@class": "com.logpoint.libcommon.merger.api.SimpleStatus",
                    "estim_count": 6784,
                    "final": true
                },
                "_LogPointAlerts": {
                    "@class": "com.logpoint.libcommon.merger.api.SimpleStatus",
                    "estim_count": 0,
                    "final": true
                }
            }
        }
    }
}

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

request	{}
logpoint_identifier	ea*****8
pool_uuid	a*****d
response	{'query_type': 'simple', 'rows': [{'col_ts': ***, 'msg': 'Dec 21 11:00:27 logpoint9-17 sudo: pam_unix(sudo:session): session closed for user loginspect', '_tz': 'UTC', 'log_ts': 1640084438, '_identifier': '0', 'collected_at': 'LogPoint', 'device_ip': '100.0.0.1', '_type_str': 'msg col_type device_name collected_at device_ip source_name _tz _enrich_policy _fromV550 repo_name logpoint_name', 'device_name': 'localhost', '_offset': *, '_fromV550': 't', 'logpoint_name': 'LogPoint', '_enrich_policy': 'None', '_type_num': 'col_ts log_ts _offset _identifier', 'repo_name': '_logpoint', '_type_ip': 'device_ip', 'col_type': 'filesystem', 'source_name': '/var/log/auth.log', '_labels': []}, {'col_ts': *, 'msg': 'Dec 21 11:00:28 logpoint9-17 CRON[*]: pam_unix(cron:session): session closed for user root', '_tz': 'UTC', 'log_ts': *, '_identifier': '0', 'collected_at': 'LogPoint', 'device_ip': '100.0.0.1', '_type_str': 'msg col_type device_name collected_at device_ip source_name _tz _enrich_policy _fromV550 repo_name logpoint_name', 'device_name': 'localhost', '_offset': *, '_fromV550': 't', 'logpoint_name': 'LogPoint', '_enrich_policy': 'None', '_type_num': 'col_ts log_ts _offset _identifier', 'repo_name': '_logpoint', '_type_ip': 'device_ip', 'col_type': 'filesystem', 'source_name': '/var/log/auth.log', '_labels': []}], 'version': 4, 'extracted_terms': ['device_name:localhost'], 'time_range': [1640082646, 1640084446], 'orig_search_id': '----*e', 'success': True, 'final': True, 'totalPages': 1, 'estim_count': 6784, 'complete': True, 'status': {'LogPoint': {'default': {'@class': 'com.logpoint.libcommon.merger.api.SimpleStatus', 'estim_count': 0, 'final': True}, '_logpoint': {'@class': 'com.logpoint.libcommon.merger.api.SimpleStatus', 'estim_count': 6784, 'final': True}, '_LogPointAlerts': {'@class': 'com.logpoint.libcommon.merger.api.SimpleStatus', 'estim_count': 0, 'final': True}}}}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Search Logs With Count failed.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogPoint Director portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Test Connection failed caused of an unexpected error. Please use test command and check Raw Data for the details.

Error Sample Data

Search Logs With Count failed.

Status Code: 400.

Message: Test Connection failed because of an unexpected error. Please use test command and check Raw Data for the details.

Test Connection

Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

A connection issue with the integration
The API returned an error message
No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE

Successful

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error	Description	Example
Failure Indicator	Indicates the command failure that happened at a specific input and/or API call.	Test Connection failed. Failed to check the connector.
Status Code	The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the LogPoint Director portal. Refer to the HTTP Status Code Registry for details.	Status Code: 400.
Message	The raw data or captured key error message from the integration API server about the API request failure.	Message: Test Connection failed caused of an unexpected error. Please use test command and check Raw Data for the details.

Error Sample Data

Test Connection failed. Failed to check the connector.

Status Code: 400.

Message: Test Connection failed caused of an unexpected error. Please use test command and check Raw Data for the details.