
Maltiverse

Overview

Maltiverse serves as a reliable intermediary for collecting threat intelligence from over a hundred diverse sources including public, private, and community sources. It employs an IOC scoring algorithm to evaluate the IOC data, which results in a qualitative classification. Maltiverse's threat intelligence feed can be queried and integrated with firewalls, SOAR, SIEM, EDR, and other technologies.

D3 SOAR provides REST operations to work with Maltiverse.

Maltiverse is available for use in:

D3 SOAR: V12.7.94.0+
Category: Threat Intelligence
Deployment Options: Option II, Option IV

Connection

To connect to Maltiverse from D3 SOAR, follow this section to collect the information listed below:

Parameter | Description | Example
Server URL | The server URL of the Maltiverse API. | https://api.maltiverse.com
Authorization Token | The authorization token used to authenticate the API connection. | 8e******-*fd*-4**a-*4*7-acd*********

Configuring Maltiverse to Work with D3 SOAR

  1. Log in to Maltiverse with your user credentials at https://maltiverse.com/.

  2. On the landing page, click View API Key under API Credit.

  3. Copy and store the API key in a secure location.

Configuring D3 SOAR to Work with Maltiverse

  1. Log in to D3 SOAR.

  2. Find the Maltiverse integration.

    1. Navigate to Configuration on the top header menu.

    2. Click on the Integration icon on the left sidebar.

    3. Type Maltiverse in the search box to find the integration, then click it to select it.

    4. Click + Connection on the right side of the Connections section. A new connection window will appear.

  3. Configure the following fields to create a connection to Maltiverse.

    1. Connection Name: The desired name for the connection.

    2. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.

    3. Recipient site for events from connections Shared to Internal Sites: This field appears only if you selected Share to Internal Sites for Site; use it to select the internal site on which to deploy the integration connection.

    4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

    5. Description (Optional): Add your desired description for the connection.

    6. Configure User Permissions: Defines which users have access to the connection.

    7. Active: Check the tick box to ensure the connection is available for use.

    8. System Reputation Check: Checking one or more reputation check tick boxes will run the corresponding check reputation command(s) under this integration connection to enrich the matching artifacts with reputation details.

      For example, we are configuring an integration connection named “ConnectionA” with the site “Sandbox”. All IP artifacts from the “Sandbox” site will go through a reputation check using the Check IP Reputation command from that integration. The return data output from running the command will then be used to update the risk level of the artifacts which may affect the risk level of incoming events.

    9. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.

      1. Input your domain-level Server URL. The default value is https://api.maltiverse.com.
      2. Input your API Token. Refer to step 3 of Configuring Maltiverse to Work with D3 SOAR.

    10. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.

  4. Test the connection.

    1. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the connection test succeeded, and Passed with a green checkmark appears beside the Test Connection button. If the connection test fails, check your connection parameters and try again.

    2. Click OK to close the alert window.

    3. Click + Add to create and add the configured connection.

Commands

Maltiverse includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the Maltiverse API, please refer to the Maltiverse API reference.

Check Domain Reputation

Performs a reputation check on the specified domains.

Input

Input Parameter | Required/Optional | Description | Example
Domains | Required | The domains to perform the reputation check on. | ["google.ca"]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "as_name": "***** Google Inc.",
        "blacklist": [
            {
                "count": 1,
                "description": "DFI",
                "first_seen": "2019-05-18 15:30:05",
                "last_seen": "2019-05-18 15:30:05",
                "source": "Hybrid-Analysis"
            },
            {
                "count": 1,
                "description": "Alexa Top 1 Million",
                "first_seen": "2020-04-20 21:18:34",
                "labels": [
                    "benign"
                ],
                "last_seen": "2020-04-27 18:21:00",
                "source": "Alexa"
            }
        ],
        "classification": "whitelist",
        "creation_time": "2019-05-18 15:30:05",
        "domain": "google.ca",
        "domain_consonants": 4,
        "domain_lenght": 9,
        "entropy": 2.725480556997868,
        "hostname": "google.ca",
        "modification_time": "2020-04-27 18:21:00",
        "resolved_ip": [
            {
                "ip_addr": "1.1.1.1",
                "timestamp": "2019-05-18 15:30:05"
            }
        ],
        "tld": "ca",
        "type": "hostname"
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "as_name": "***** Google Inc.",
        "blacklist": [
            {
                "count": 1,
                "description": "DFI",
                "first_seen": "2019-05-18 15:30:05",
                "last_seen": "2019-05-18 15:30:05",
                "source": "Hybrid-Analysis"
            },
            {
                "count": 1,
                "description": "Alexa Top 1 Million",
                "first_seen": "2020-04-20 21:18:34",
                "labels": [
                    "benign"
                ],
                "last_seen": "2020-04-27 18:21:00",
                "source": "Alexa"
            }
        ],
        "classification": "whitelist",
        "creation_time": "2019-05-18 15:30:05",
        "domain": "google.ca",
        "domain_consonants": 4,
        "domain_lenght": 9,
        "entropy": 2.725480556997868,
        "hostname": "google.ca",
        "modification_time": "2020-04-27 18:21:00",
        "resolved_ip": [
            {
                "ip_addr": "1.1.1.1",
                "timestamp": "2019-05-18 15:30:05"
            }
        ],
        "tld": "ca",
        "type": "hostname"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "Domains": [
        "google.ca"
    ],
    "RiskLevels": [
        "ZeroRisk"
    ],
    "Unsafe": [],
    "Safe": [
        {
            "Domain": "google.ca",
            "Classification": "whitelist",
            "tag": null
        }
    ]
}
Return Data

In check reputation commands, Return Data converts the risk score from the raw data into D3-defined risk levels as a numerical value (1-5). This will be used to enrich artifacts with reputation information.

SAMPLE DATA

CODE
[
    {
        "domain": "google.ca",
        "riskLevel": "ZeroRisk"
    }
]
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

AS_NAME: ***Google Inc.
BLACKLIST:
[
  {
    "count": 1,
    "description": "DFI",
    "first_seen": "2019-05-18 15:30:05",
    "last_seen": "2019-05-18 15:30:05",
    "source": "Hybrid-Analysis"
  },
  {
    "count": 1,
    "description": "Alexa Top 1 Million",
    "first_seen": "2020-04-20 21:18:34",
    "labels": [
      "benign"
    ],
    "last_seen": "2020-04-27 18:21:00",
    "source": "*****"
  }
]
CLASSIFICATION: whitelist
CREATION_TIME: 2019-05-18 15:30:05
DOMAIN: google.ca
DOMAIN_CONSONANTS: 4
DOMAIN_LENGHT: 9
ENTROPY: 2.72548055699787
HOSTNAME: google.ca
MODIFICATION_TIME: 2020-04-27 18:21:00
RESOLVED_IP:
[
  {
    "ip_addr": "1.1.1.1",
    "timestamp": "2019-05-18 15:30:05"
  }
]
TLD: ca
TYPE: hostname
RISKLEVEL: ZeroRisk

D3-defined Risk Levels

The table below lists the possible output risk levels with the corresponding return Key Fields:

Return Data | Key Fields
1 | High
2 | Medium
3 | Low
4 | Default
5 | ZeroRisk

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error | Description | Example
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Check Domain Reputation failed.
Status Code | The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command, and the user or system support would need to check the permission settings in the Maltiverse portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400.
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: One or more errors occurred.

Error Sample Data

Check Domain Reputation failed.

Status Code: 400.

Message: One or more errors occurred.
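The Key Fields, Return Data, D3-defined risk level table and Error tab format described above, as an added Python example that is not D3 SOAR's or Maltiverse's own code: it turns a check-reputation command's Raw Data into those output shapes. The rows for the suspicious and neutral classifications, the Unsafe threshold, the "Domain Not Found" message and the 203.0.113.9 address are assumptions or constructed values, and the sample records are trimmed from the page's samples.

```python
import json

# D3-defined risk levels from the table above: numeric Return Data value -> Key Fields label.
RISK_LEVELS = {1: "High", 2: "Medium", 3: "Low", 4: "Default", 5: "ZeroRisk"}

# Maltiverse "classification" -> numeric level. The page shows only "malicious" -> High (1)
# and "whitelist" -> ZeroRisk (5); the "suspicious" and "neutral" rows are assumptions.
CLASSIFICATION_TO_LEVEL = {"malicious": 1, "suspicious": 2, "neutral": 4, "whitelist": 5}
UNSAFE_MAX_LEVEL = 2  # assumption: High and Medium go under "Unsafe", all else under "Safe"

# Per-command field names taken from the page's Key Fields and Return Data samples:
# (raw-data fields naming the indicator, plural key, per-item key, Return Data key,
#  case-insensitive match?, Message text used for a 404 in the Error tab).
# "Domain Not Found" is an assumption; the page's domain error sample is a 400 instead.
COMMANDS = {
    "Check Domain Reputation": (("hostname",), "Domains", "Domain", "domain", True,
                                "Domain Not Found"),
    "Check IP Reputation": (("ip_addr",), "IPs", "IP", "ipAddress", False, "IP Not Found"),
    "Check URL Reputation": (("url",), "URLs", "URL", "url", False, "URL Not Found"),
    "Check File Reputation": (("md5", "sha1", "sha256", "sha512"), "FileHashes", "Hash",
                              "fileHash", True, "File Hashes Not found"),
}


def risk_level_for(classification):
    """Map a Maltiverse classification to (numeric level, label).

    Unknown or missing classifications fall back to Default (4), an assumption: an
    enrichment step should degrade to a neutral level rather than fail or claim ZeroRisk.
    """
    level = CLASSIFICATION_TO_LEVEL.get(str(classification or "").lower(), 4)
    return level, RISK_LEVELS[level]


def build_outputs(command, requested, raw_data):
    """Turn one command's Raw Data list into (Key Fields, Return Data, errors).

    requested is the command's input list. An indicator with no raw record is reported
    in the Error tab format (Failure Indicator / Status Code / Message) instead of being
    silently dropped, so the run can be marked Partially Successful.
    """
    raw_fields, plural, single, ret_key, fold_case, not_found = COMMANDS[command]
    norm = (lambda v: str(v).lower()) if fold_case else str
    by_indicator = {norm(rec[f]): rec for rec in raw_data for f in raw_fields if rec.get(f)}
    key_fields = {plural: [], "RiskLevels": [], "Unsafe": [], "Safe": []}
    return_data, errors = [], []
    for indicator in requested:
        rec = by_indicator.get(norm(indicator))
        if rec is None:
            errors.append(f"{command} failed.\nStatus Code: 404.\nMessage: {not_found}.")
            continue
        level, label = risk_level_for(rec.get("classification"))
        key_fields[plural].append(indicator)
        key_fields["RiskLevels"].append(label)
        bucket = "Unsafe" if level <= UNSAFE_MAX_LEVEL else "Safe"
        key_fields[bucket].append({single: indicator, "Classification": rec.get("classification"),
                                   "tag": rec.get("tag")})  # page samples show "tag": null
        return_data.append({ret_key: indicator, "riskLevel": level})
    return key_fields, return_data, errors


# Constructed sample records, trimmed from the page's Raw Data samples.
DEMO_DOMAIN_RAW = [{"hostname": "google.ca", "domain": "google.ca", "classification": "whitelist",
                    "blacklist": [{"description": "Alexa Top 1 Million", "source": "Alexa"}]}]
DEMO_IP_RAW = [{"ip_addr": "4.4.4.4", "classification": "malicious",
                "tag": ["anonymizer", "covid19", "coronavirus", "scam", "phishing"]}]


def demo():
    """Run both commands; 203.0.113.9 (a constructed TEST-NET address) has no record."""
    return {
        "domain": build_outputs("Check Domain Reputation", ["google.ca"], DEMO_DOMAIN_RAW),
        "ip": build_outputs("Check IP Reputation", ["4.4.4.4", "203.0.113.9"], DEMO_IP_RAW),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```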

Check File Reputation

Performs a reputation check on the specified file hashes.

Input

Input Parameter | Required/Optional | Description | Example
File Hashes | Required | The file hashes to perform the reputation check on. MD5, SHA1, SHA256 and SHA512 hashes are supported. | [ "0*****4" ]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "av_ratio": 16,
        "blacklist": [
            {
                "description": "gozi,isfb,nemucod,papras,ransomware,ursnif",
                "first_seen": "2018-01-16 15:50:12",
                "last_seen": "2018-01-16 15:50:12",
                "source": "Maltiverse"
            }
        ],
        "classification": "malicious",
        "contacted_host": [
            "1.1.1.1",
            "2.2.2.2"
        ],
        "creation_time": "2018-01-16 15:50:12",
        "dns_request": [
            "ifsd.it",
            "srfd.as",
            "www.atdd.zx",
            "www.apapernotion.com",
            "ocsp.int-x3.letsencrypt.org",
            "fxvers.ch",
            "resolver1.opendns.com",
            "isrg.trustid.ocsp.identrust.com",
            "myip.opendns.com"
        ],
        "filename": [
            "*****.jse"
        ],
        "filetype": "ASCII text, with very long lines, with no line terminators",
        "md5": "*****",
        "modification_time": "2018-01-16 15:50:12",
        "score": 10,
        "sha1": "*****",
        "sha256": "****",
        "sha512": "****",
        "size": 39412,
        "tag": [
            "gozi",
            "isfb",
            "nemucod",
            "papras",
            "ransomware",
            "ursnif"
        ],
        "type": "sample",
        "visits": 11
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "av_ratio": *****,
        "blacklist": [
            {
                "description": "gozi,isfb,nemucod,papras,ransomware,ursnif",
                "first_seen": "2018-01-16 15:50:12",
                "last_seen": "2018-01-16 15:50:12",
                "source": "Maltiverse"
            }
        ],
        "classification": "malicious",
        "contacted_host": [
            "1.1.1.1",
            "2.2.2.2"
        ],
        "creation_time": "2018-01-16 15:50:12",
        "dns_request": [
            "ifsd.it",
            "srfd.as",
            "www.atdd.zx",
            "www.apapernotion.com",
            "ocsp.int-x3.letsencrypt.org",
            "fxvers.ch",
            "resolver1.opendns.com",
            "isrg.trustid.ocsp.identrust.com",
            "myip.opendns.com"
        ],
        "filename": [
            "*****.jse"
        ],
        "filetype": "ASCII text, with very long lines, with no line terminators",
        "md5": "*****",
        "modification_time": "2018-01-16 15:50:12",
        "score": 10,
        "sha1": "*****",
        "sha256": "****",
        "sha512": "*****",
        "size": 39412,
        "tag": [
            "gozi",
            "isfb",
            "nemucod",
            "papras",
            "ransomware",
            "ursnif"
        ],
        "type": "sample",
        "visits": 11,
        "fileHash": "*****",
        "riskLevel": "High"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "FileHashes": [
        "*****"
    ],
    "RiskLevels": [
        "High"
    ],
    "Unsafe": [
        {
            "Hash": "*****",
            "Classification": "malicious",
            "tag": null
        }
    ],
    "Safe": []
}
Return Data

In check reputation commands, Return Data converts the risk score from the raw data into D3-defined risk levels as a numerical value (1-5). This will be used to enrich artifacts with reputation information.

SAMPLE DATA

CODE
[
    {
        "fileHash": "*****",
        "riskLevel": 1
    }
]
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

AV_RATIO: 16
BLACKLIST:
[
  {
    "description": "gozi,isfb,nemucod,papras,ransomware,ursnif",
    "first_seen": "2018-01-16 15:50:12",
    "last_seen": "2018-01-16 15:50:12",
    "source": "Maltiverse"
  }
]
CLASSIFICATION: malicious
CONTACTED_HOST:
[
  "****",
  "****",
  "*****",
  "****",
  "*****",
  "*****"
]
CREATION_TIME: 2018-01-16 15:50:12
DNS_REQUEST:
[
  "ifsd.it",
  "srfd.as",
  "www.atdd.zx",
  "www.apapernotion.com",
  "ocsp.int-x3.letsencrypt.org",
  "fxvers.ch",
  "resolver1.opendns.com",
  "isrg.trustid.ocsp.identrust.com",
  "myip.opendns.com"
]
FILENAME:
[
  "*****.jse"
]
FILETYPE: ASCII text, with very long lines, with no line terminators
MD5: ***
MODIFICATION_TIME: 2018-01-16 15:50:12
SCORE: 10
SHA1: ***
SHA256: ***
SHA512: ***
SIZE: 39412
TAG:
[
  "gozi",
  "isfb",
  "nemucod",
  "papras",
  "ransomware",
  "ursnif"
]
TYPE: sample
VISITS: 11
FILEHASH: ***
RISKLEVEL: High

D3-defined Risk Levels

The table below lists the possible output risk levels with the corresponding return Key Fields:

Return Data | Key Fields
1 | High
2 | Medium
3 | Low
4 | Default
5 | ZeroRisk

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error | Description | Example
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Check File Reputation failed.
Status Code | The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command, and the user or system support would need to check the permission settings in the Maltiverse portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404.
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: File Hashes Not found.

Error Sample Data

Check File Reputation failed.

Status Code: 404.

Message: File Hashes Not found.

Check IP Reputation

Performs a reputation check on the specified IP addresses.

Input

Input Parameter | Required/Optional | Description | Example
IP Addresses | Required | The IP addresses to perform the reputation check on. | ["4.4.4.4"]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "address": "100 CenturyLink Drive",
        "as_name": "*** Level 3 Communications Inc",
        "asn_cidr": "4.4.4.0/24",
        "asn_country_code": "US",
        "asn_date": "1992-12-01 00:00:00",
        "asn_registry": "arin",
        "blacklist": [
            {
                "count": 1,
                "description": "Anonymizer",
                "first_seen": "2018-06-02 08:31:17",
                "last_seen": "2018-06-02 08:31:17",
                "source": "Maltiverse"
            },
            {
                "count": 1,
                "description": "Gen:Variant.Backdoor.Linux.Gafgyt",
                "first_seen": "2018-09-23 00:30:08",
                "last_seen": "2018-09-23 00:30:21",
                "source": "Hybrid-Analysis"
            },
            {
                "count": 1,
                "description": "Generic.Malware",
                "first_seen": "2019-03-26 15:15:26",
                "last_seen": "2019-03-26 15:15:26",
                "source": "Hybrid-Analysis"
            },
            {
                "count": 1,
                "description": "Covid19 scam",
                "first_seen": "2020-04-26 11:41:42",
                "labels": [
                    "malicious-activity"
                ],
                "last_seen": "2020-04-26 17:41:45",
                "source": "DomainTools"
            }
        ],
        "cidr": [
            "4.0.0.0/8"
        ],
        "city": "Monroe",
        "classification": "malicious",
        "country_code": "US",
        "creation_time": "2018-06-02 08:31:17",
        "email": [
            "test@example.com"
        ],
        "ip_addr": "4.4.4.4",
        "last_updated": "2018-02-20 00:00:00",
        "location": {
            "lat": 40.7111,
            "lon": -73.9469
        },
        "modification_time": "2020-04-26 17:41:45",
        "postal_code": "71203",
        "registrant_name": "Level 3 Parent, LLC",
        "state": "LA",
        "tag": [
            "anonymizer",
            "covid19",
            "coronavirus",
            "scam",
            "phishing"
        ],
        "type": "ip"
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "address": "100 CenturyLink Drive",
        "as_name": "*** Level 3 Communications Inc",
        "asn_cidr": "4.4.4.0/24",
        "asn_country_code": "US",
        "asn_date": "1992-12-01 00:00:00",
        "asn_registry": "arin",
        "blacklist": [
            {
                "count": 1,
                "description": "Anonymizer",
                "first_seen": "2018-06-02 08:31:17",
                "last_seen": "2018-06-02 08:31:17",
                "source": "Maltiverse"
            },
            {
                "count": 1,
                "description": "Gen:Variant.Backdoor.Linux.Gafgyt",
                "first_seen": "2018-09-23 00:30:08",
                "last_seen": "2018-09-23 00:30:21",
                "source": "Hybrid-Analysis"
            },
            {
                "count": 1,
                "description": "Generic.Malware",
                "first_seen": "2019-03-26 15:15:26",
                "last_seen": "2019-03-26 15:15:26",
                "source": "Hybrid-Analysis"
            },
            {
                "count": 1,
                "description": "Covid19 scam",
                "first_seen": "2020-04-26 11:41:42",
                "labels": [
                    "malicious-activity"
                ],
                "last_seen": "2020-04-26 17:41:45",
                "source": "DomainTools"
            },
            {
                "count": 1,
                "description": "Anonymizer",
                "first_seen": "2020-11-21 13:20:10",
                "labels": [
                    "anonymizer"
                ],
                "last_seen": "2020-12-10 20:57:32",
                "source": "Maltiverse Research Team"
            }
        ],
        "cidr": [
            "4.0.0.0/8"
        ],
        "city": "Monroe",
        "classification": "malicious",
        "country_code": "US",
        "creation_time": "2018-06-02 08:31:17",
        "email": [
            "test@example.com"
        ],
        "ip_addr": "4.4.4.4",
        "last_updated": "2018-02-20 00:00:00",
        "location": {
            "lat": 40.7111,
            "lon": -73.9469
        },
        "modification_time": "2020-12-10 20:57:32",
        "postal_code": "*****",
        "registrant_name": "Level 3 Parent, LLC",
        "state": "LA",
        "tag": [
            "anonymizer",
            "covid19",
            "coronavirus",
            "scam",
            "phishing"
        ],
        "type": "ip",
        "ipAddress": "4.4.4.4",
        "riskLevel": "High"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "IPs": [
        "4.4.4.4"
    ],
    "RiskLevels": [
        "High"
    ],
    "Unsafe": [
        {
            "IP": "4.4.4.4",
            "Classification": "malicious",
            "tag": null
        }
    ],
    "Safe": []
}
Return Data

In check reputation commands, Return Data converts the risk score from the raw data into D3-defined risk levels as a numerical value (1-5). This will be used to enrich artifacts with reputation information.

SAMPLE DATA

CODE
[
    {
        "ipAddress": "4.4.4.4",
        "riskLevel": 1
    }
]
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ADDRESS: 100 CenturyLink Drive
AS_NAME: ***Level 3 Communications Inc
ASN_CIDR: 4.4.4.0/24
ASN_COUNTRY_CODE: US
ASN_DATE: 1992-12-01 00:00:00
ASN_REGISTRY: arin
BLACKLIST:
[
  {
    "count": 1,
    "description": "Anonymizer",
    "first_seen": "2018-06-02 08:31:17",
    "last_seen": "2018-06-02 08:31:17",
    "source": "Maltiverse"
  },
  {
    "count": 1,
    "description": "Gen:Variant.Backdoor.Linux.Gafgyt",
    "first_seen": "2018-09-23 00:30:08",
    "last_seen": "2018-09-23 00:30:21",
    "source": "Hybrid-Analysis"
  },
  {
    "count": 1,
    "description": "Generic.Malware",
    "first_seen": "2019-03-26 15:15:26",
    "last_seen": "2019-03-26 15:15:26",
    "source": "Hybrid-Analysis"
  },
  {
    "count": 1,
    "description": "Covid19 scam",
    "first_seen": "2020-04-26 11:41:42",
    "labels": [
      "malicious-activity"
    ],
    "last_seen": "2020-04-26 17:41:45",
    "source": "DomainTools"
  },
  {
    "count": 1,
    "description": "Anonymizer",
    "first_seen": "2020-11-21 13:20:10",
    "labels": [
      "anonymizer"
    ],
    "last_seen": "2020-12-10 20:57:32",
    "source": "Maltiverse Research Team"
  }
]
CIDR:
[
  "4.0.0.0/8"
]
CITY: Monroe
CLASSIFICATION: malicious
COUNTRY_CODE: US
CREATION_TIME: 2018-06-02 08:31:17
EMAIL:
[
  "test@example.com"
]
IP_ADDR: 4.4.4.4
LAST_UPDATED: 2018-02-20 00:00:00
LOCATION:
{
  "lat": 40.7111,
  "lon": -73.9469
}
MODIFICATION_TIME: 2020-12-10 20:57:32
POSTAL_CODE: 71203
REGISTRANT_NAME: Level 3 Parent, LLC
STATE: LA
TAG:
[
  "anonymizer",
  "covid19",
  "coronavirus",
  "scam",
  "phishing"
]
TYPE: ip
IPADDRESS: 4.4.4.4
RISKLEVEL: High

D3-defined Risk Levels

The table below lists the possible output risk levels with the corresponding return Key Fields:

Return Data | Key Fields
1 | High
2 | Medium
3 | Low
4 | Default
5 | ZeroRisk

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error | Description | Example
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Check IP Reputation failed.
Status Code | The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command, and the user or system support would need to check the permission settings in the Maltiverse portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404.
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: IP Not Found.

Error Sample Data

Check IP Reputation failed.

Status Code: 404.

Message: IP Not Found.

Check URL Reputation

Performs a reputation check on the specified URLs.

Input

Input Parameter | Required/Optional | Description | Example
URLs | Required | The URLs to perform the reputation check on. | [ "http://1.1.1.1:42785/bin.sh" ]

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "blacklist": [
            {
                "description": "Phishing Google",
                "first_seen": "2018-04-15 16:45:47",
                "last_seen": "2018-04-15 16:45:47",
                "source": "Phishtank"
            }
        ],
        "classification": "malicious",
        "creation_time": "2018-04-15 16:45:47",
        "domain": "google.com",
        "hostname": "docs.google.com",
        "modification_time": "2018-04-15 16:45:47",
        "tag": [
            "phishing"
        ],
        "tld": "com",
        "type": "url",
        "url": "https://docs.google.com/forms/d/e/*****-*****/viewform",
        "urlchecksum": "*****"
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "blacklist": [
            {
                "description": "Phishing Google",
                "first_seen": "2018-04-15 16:45:47",
                "last_seen": "2018-04-15 16:45:47",
                "source": "Phishtank"
            }
        ],
        "classification": "malicious",
        "creation_time": "2018-04-15 16:45:47",
        "domain": "google.com",
        "hostname": "docs.google.com",
        "modification_time": "2018-04-15 16:45:47",
        "tag": [
            "phishing"
        ],
        "tld": "com",
        "type": "url",
        "url": "https://docs.google.com/forms/d/e/*****-*****/viewform",
        "urlchecksum": "*****"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "URLs": [
        "https://docs.google.com/forms/d/e/*****-*****/viewform"
    ],
    "RiskLevels": [
        "High"
    ],
    "Unsafe": [
        {
            "URL": "https://docs.google.com/forms/d/e/*****-*****/viewform",
            "Classification": "malicious",
            "tag": null
        }
    ],
    "Safe": []
}
Return Data

In check reputation commands, Return Data converts the risk score from the raw data into D3-defined risk levels as a numerical value (1-5). This will be used to enrich artifacts with reputation information.

SAMPLE DATA

CODE
[
    {
        "url": "https://docs.google.com/forms/d/e/*****-*****/viewform",
        "riskLevel": 1
    }
]
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

BLACKLIST:
[
  {
    "description": "Phishing Google",
    "first_seen": "2018-04-15 16:45:47",
    "last_seen": "2018-04-15 16:45:47",
    "source": "Phishtank"
  }
]
CLASSIFICATION: malicious
CREATION_TIME: 2018-04-15 16:45:47
DOMAIN: google.com
HOSTNAME: docs.google.com
MODIFICATION_TIME: 2018-04-15 16:45:47
TAG:
[
  "phishing"
]
TLD: com
TYPE: url
URL: https://docs.google.com/forms/d/e/*****-*****/viewform
URLCHECKSUM: ***
RISKLEVEL: High

D3-defined Risk Levels

The table below lists the possible output risk levels with the corresponding return Key Fields:

Return Data | Key Fields
1 | High
2 | Medium
3 | Low
4 | Default
5 | ZeroRisk

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error | Description | Example
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Check URL Reputation failed.
Status Code | The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command, and the user or system support would need to check the permission settings in the Maltiverse portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404.
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: URL Not Found.

Error Sample Data

Check URL Reputation failed.

Status Code: 404.

Message: URL Not Found.
