MISP is an open-source software solution for collecting, storing, distributing, and sharing cybersecurity indicators and threats about cybersecurity incidents analysis and malware analysis.
D3 SOAR is providing REST operations to function with MISP.
To connect to MISP from D3 SOAR, please follow this part to collect the required information below:
Parameter
Description
Example
Server URL
The URL of the MISP server.
https://1.1.1.1
API Key
The API key to authenticate the connection.
QW*****1D
Permission Requirements
Each endpoint in the MISP API requires a certain permission scope. The following are required scopes for the commands in this integration:
Command
Permissions (least)
Additional Permissions
Add Event
Manage Organization Events
Auth
Add Object to Events
Manage Organization Events
Auth
Add Tags to Attributes
Manage Organization Events
Tagger + Auth + Sync
Add Tags to Events
Manage Organization Events
Tagger + Auth + Sync
Check File Reputation
ReadOnly
Auth
Check IP Reputation
ReadOnly
Auth
Check URL Reputation
ReadOnly
Auth
Edit Event
Manage Organization Events
Site Admin (*all other permissions will be auto-selected when you choose site admin)
Fetch Event
ReadOnly
Auth
List Attribute Types and Categories
ReadOnly
Auth
List Organizations
ReadOnly
Auth
List Tags
ReadOnly
Auth
Publish Event
Manage Organization Events
Auth
Remove Tags From Attributes
Manage Organization Events
Site Admin (*all other permissions will be auto-selected when you choose site admin)
Remove Tags From Events
Manage Organization Events
Site Admin (*all other permissions will be auto-selected when you choose site admin)
Search Attributes
ReadOnly
Auth
Search Events
ReadOnly
Auth
Search Object Templates
ReadOnly
Auth
Search Tags
ReadOnly
Auth
Test Connection
No Permission required
No Permission required
As MISP is using role-based access control (RBAC), the API key is generated based on a specific user account and the application. Therefore, the command permissions are inherited from the user account’s role. Users need to configure their user profile from the MISP console for each command in this integration.
Reader Note
For each selected permission (i.e., Read Only, Manage My Own Events, Manage Organization Events and Manage & Publish Organization Events), different additional permissions will appear as tick boxes to be enabled.
Configuring MISP to Work with D3 SOAR
Creating Roles
Log in to MISP. Navigate to Administration > Add Roles.
Enter a name for the new role. Select the required permissions for this role, then select the appropriate additional permissions by checking off the tick boxes. If the memory limit field is not entered, the default values of 2048 and 300 for maximum execution time will be displayed. If you need to adjust these values, enter the desired values. Once you have made your selections, click Add to create the new role.
You will see your newly created role under the List Roles section.
Creating Users and Assigning Roles
Log in to MISP. Navigate to Administration > Add User.
Complete the required fields to create the user. Choose your created role for the user from the Role dropdown menu. Once you have made your selections, click Submit to add the new user.
To view the created user, navigate to List Users. The AuthKey for the new user will be used as the API key to establish the integration connection in D3 SOAR.
Login to the new user's account with the configured credentials. Please note that first-time users will be required to reset their password.
Once you are logged in, you can locate the user account's API key by navigating to the Automation tab on the left side navigation menu.
Configuring D3 SOAR to Work with MISP
Log in to D3 SOAR.
Find the MISP integration.
Navigate to Configuration on the top header menu.
Click on the Integration icon on the left sidebar.
Type MISP in the search box to find the integration, then click it to select it.
Click + New Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to MISP.
Connection Name: The desired name for the connection.
Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.
Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
Description (Optional): Add your desired description for the connection.
Configure User Permissions: Defines which users have access to the connection.
Active: Check the tick box to ensure the connection is available for use.
System Reputation Check: Checking one or more reputation check tick boxes will run the corresponding check reputation command(s) under this integration connection to enrich the corresponding artifacts with reputation details. For example, we are configuring an integration connection named “ConnectionA” with the site “Sandbox”. All IP artifacts from the “Sandbox” site will go through a reputation check using the Check IP Reputation command from that integration. The return data output from running the command will then be used to update the risk level of the artifacts which may affect the risk level of incoming events.
System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.
Test the connection.
Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmarkappear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.
Click OK to close the alert window.
Click +Add to create and add the configured connection.
Commands
MISP includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.
Integration API Note
For more information about the MISP API, please refer to the following API references:
The input format of time-related parameters may vary based on your account settings. As a result, the sample data provided in our commands is different from what you see. To set your preferred time format, follow these steps:
Navigate to Configuration > Application Settings. Select Date/Time Format.
Choose your desired date and time format.
After that, you will be able to view your preferred time format when configuring the DateTime input parameters for commands.
Add Event
Adds a new event into the system.
Reader Note
The parameter Attributes is optional to run this command.
The "type" and "category" fields can be obtained using the List Attribute Types and Categories command. You can locate the matching pairs in the returned raw data at the path $.category_type_mappings. If you input incompatible pairs, the event will be created without any attributes.
Input
Input Parameter
Required/Optional
Description
Example
Event Info
Required
The event information.
Test Event0201a
Event Date
Required
The date of the event.
2020-11-14 00:00
Threat Level
Optional
The threat level for the event. The available threat levels are High, Medium, Low, and Undefined. If this parameter is not defined, the default threat level is Undefined.
High
Published
Optional
The option to publish the event when set to True. If this parameter is not defined, the default value is False.
True
Analysis
Optional
The analysis stage of the event. The available analysis stages are Initial, Ongoing and Completed. If this parameter is not defined, the default analysis stage is Initial.
Ongoing
Distribution
Optional
The distribution scope of the event. The available distribution scopes are Your organization only, This community only, Connected communities, and All communities. If this parameter is not defined, the default distribution scope is Your organization only.
All communities
Attributes
Optional
The JSON-formatted array containing the attributes of the event. The "type" and "category" fields can be obtained using the List Attribute Types and Categories command. Note: The inputted values must match. Mismatched pairs will result in an event created with no attributes.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"EventID": "\"*****\""
}
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Add Event failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.
Status Code: 403.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Received a published event that was empty. Event add process blocked.
Error Sample Data
Add Event failed.
Status Code: 403.
Message: Received a published event that was empty. Event add process blocked.
Add Object To Events
Adds an object to the specified event(s).
Reader Note
Event IDs, Object Template ID and Object are required parametersto run this command.
Run the Search Events command to obtain Event IDs. Event IDs can be found in the returned raw data at the path $.response[*].event.id.
Run the Search Object Templates command to obtain Object Template ID. Object Template IDs can be found in the returned raw data at the path $.results[*].ObjectTemplate.id.
The attributes you need to input for the Object parameter are determined by the value you set for the Object Template ID parameter. Each object template has its own set of required and optional attributes.
To find out what these are for a specific template ID, run the Search Object Template command. You will find the attribute requirements under the JSON path $.results[*].ObjectTemplate.requirements. Ensure that the attributes you include match the requirements specified by the Template ID you are using.
Input
Input Parameter
Required/Optional
Description
Example
Event IDs
Required
The ID(s) of event(s) to which the object will be added. Event ID can be obtained using the Search Events command.
[ "***" ]
Object Template ID
Required
The ID of the object template on which the object is based. Object Template ID can be obtained using the Search Object Templates command.
***
Object
Required
Different object templates come with specific sets of required and optional fields. The format for each field is "Name::Type": "Value", identical to its presentation in the user interface.
To find out which fields are necessary for the Template ID you're using, run the Search Object Template command. The field requirements can be located under the JSON path $.results[*].ObjectTemplate.requirements. Ensure you follow these requirements when defining the Object Template ID parameter.
{
"ip::ip-dst": "200.200.200.200",
"domain::domain": "phishing.example.ra",
"last-seen::datetime": "2022-12-31 14:00:00"
}
Output
Raw Data
The primary response data from the API request.
SAMPLE DATA
JSON
{
"results": [
{
"Object": {
"id": "*****",
"name": "domain-ip",
"meta-category": "network",
"description": "A domain and IP address seen as a tuple in a specific time frame.",
"template_uuid": "***-***-***-***-***",
"template_version": "6",
"event_id": "*****",
"uuid": "***-***-***-***-***",
"timestamp": "1686098832",
"distribution": "0",
"sharing_group_id": "0",
"comment": "",
"deleted": false,
"Attribute": [
{
"id": "*****",
"event_id": "*****",
"object_id": "*****",
"object_relation": "ip",
"category": "Network activity",
"type": "ip-dst",
"value1": "200.200.200.200",
"value2": "",
"to_ids": true,
"uuid": "***-***-***-***-***",
"timestamp": "1686098832",
"distribution": "5",
"sharing_group_id": "0",
"comment": "",
"deleted": false,
"disable_correlation": false,
"value": "200.200.200.200"
}
]
}
}
],
"D3Errors": []
}
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"ObjectIDs": "\"[ \\\"*****\\\" ]\"",
"ObjectNames": "\"[ \\\"domain-ip\\\" ]\"",
"EventIDs": "\"[ \\\"*****\\\" ]\"",
"Categories": "\"[ \\\"network\\\" ]\"",
"ObjectUUIDs": "\"[ \\\"***-***-***-***-***\\\" ]\"",
"ObjectDescriptions": "\"[ \\\"A domain and IP address seen as a tuple in a specific time frame.\\\" ]\""
}
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Add Object To Events failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.
Status Code: 403.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Could not save the object as a required attribute is not set (message-type).
Error Sample Data
Add Object To Events failed.
Status Code: 403.
Message: Could not save the object as a required attribute is not set (message-type).
Add Tags To Attributes
Adds Tags to the specified attributes. All tags in the tag list will be added to all attributes in the attribute list.
Reader Note
Attribute IDs and Tags are required parameters to run this command.
Run the Search Attributes command to obtain Attribute IDs. Attribute IDs can be found in the returned raw data at the path $.response.Attribute[*].id.
Run the List Tags or Search Tags commands to obtain tags. Tags can be found in the returned raw data at the path $.tag[*].id for both commands.
Input
Input Parameter
Required/Optional
Description
Example
Attribute IDs
Required
The ID(s) of the attribute(s) to which the tag(s) will be added. Attribute ID can be obtained using the Search Attributes command.
[ "*****" ]
Tag IDs
Required
The ID(s) of the tag(s) to be added upon the attribute(s). Tag ID can be obtained using the Search Tags or List Tags command.
[ "*****" ]
Output
Raw Data
The primary response data from the API request.
D3 customizes the returned raw data by adding "attributeID" and "tagID" fields.
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Add Tags To Attributes failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.
Status Code: 405.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Method Not Allowed. You do not have permission to use this functionality.
Error Sample Data
Add Tags To Attributes failed.
Status Code: 405.
Message: Method Not Allowed. You do not have permission to use this functionality.
Add Tags To Events
Adds Tags to the specified events. All tags in the tag list will be added to all events in the event list.
Reader Note
Event IDs and Tags are required parameters to run this command.
Run the Search Events command to obtain Event ID. Event IDs can be found in the returned raw data at the path $.response[*].event.id.
Run the List Tags or Search Tags commands to obtain tags. Tags can be found in the returned raw data at the path $.tag[*].id for both commands.
Input
Input Parameter
Required/Optional
Description
Example
Event IDs
Required
The ID(s) of the event(s) to which the tag(s) will be added. Event ID can be obtained using the Search Events command.
[ "*****" ]
Tag IDs
Required
The ID(s) of the tag(s) to be added upon the event(s). Tag ID can be obtained using the Search Tags or List Tags command.
[ "*****" ]
Output
Raw Data
The primary response data from the API request.
D3 customizes the returned raw data by adding "eventID" and "tagID" fields.
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Add Tags To Events failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.
Status Code: 405.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Method Not Allowed. You do not have permission to use this functionality.
Error Sample Data
Add Tags To Events failed.
Status Code: 405.
Message: Method Not Allowed. You do not have permission to use this functionality.
Check File Reputation
Retrieves reputation information on the specified file hashes.
Input
Input Parameter
Required/Optional
Description
Example
File Hashes
Required
The file hashes to perform the reputation check. MD5, SHA1 and SHA256 hashes are supported.
[ "*****" ]
Output
Raw Data
The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
In check reputation commands, Return Data displays the risk score from the raw data as D3-defined risk levels and risk level names. This will be used to enrich artifacts with reputation information.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
D3-defined Risk Levels and Risk Level Names
The table below lists the possible output risk levels and their corresponding risk level names:
Risk Levels
Risk Level Names
1
High
2
Medium
3
Low
4
Default
5
ZeroRisk
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Check File Reputation failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: One or more errors occurred.
Error Sample Data
Check File Reputation failed.
Status Code: 400.
Message: One or more errors occurred.
Check IP Reputation
Retrieves reputation information on the specified IP address(es).
Input
Input Parameter
Required/Optional
Description
Example
IP Addresses
Required
The IP addresses to perform the reputation check. Both IPv4 and IPv6 addresses are supported.
[ "1.1.1.1" ]
Output
Raw Data
The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
In check reputation commands, Return Data displays the risk score from the raw data as D3-defined risk levels and risk level names. This will be used to enrich artifacts with reputation information.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
D3-defined Risk Levels and Risk Level Names
The table below lists the possible output risk levels and their corresponding risk level names:
Risk Levels
Risk Level Names
1
High
2
Medium
3
Low
4
Default
5
ZeroRisk
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Check IP Reputation failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: One or more errors occurred.
Error Sample Data
Check IP Reputation failed.
Status Code: 400.
Message: One or more errors occurred.
Check URL Reputation
Retrieves reputation information on the specified URLs.
Input
Input Parameter
Required/Optional
Description
Example
URLs
Required
The URLs to perform the reputation check.
[ "https://tdcanadatrust-scr.com/index.html" ]
Output
Raw Data
The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
In check reputation commands, Return Data displays the risk score from the raw data as D3-defined risk levels and risk level names. This will be used to enrich artifacts with reputation information.
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
D3-defined Risk Levels and Risk Level Names
The table below lists the possible output risk levels and their corresponding risk level names:
Risk Levels
Risk Level Names
1
High
2
Medium
3
Low
4
Default
5
ZeroRisk
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Check URL Reputation failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: One or more errors occurred.
Error Sample Data
Check URL Reputation failed.
Status Code: 400.
Message: One or more errors occurred.
Edit Event
Updates an existing event based on event ID.
Reader Note
Event ID is a required parameter to run this command.
Run the Search Events command to obtain Event ID. Event IDs can be found in the returned raw data at the path $.response[*].event.id.
If you input values for both the 'type' and 'category' fields within the Attributes parameter, they must match. To find compatible pairs, run the List Attribute Types and Categories command. Refer to the $.category_type_mappings JSON path in the returned raw data to verify the correct pairs. Submitting incompatible pairs will update the event without adding any new attributes.
Input
Input Parameter
Required/Optional
Description
Example
Event ID
Required
The ID of the event to edit. Event ID can be obtained using the Search Events command.
1***
Event Info
Optional
The updated event information.
Test Event0201c
Event Date
Optional
The updated date of the event.
2020-11-16 00:00
Threat Level
Optional
The updated threat level for the event. The available threat levels are High, Medium, Low, and Undefined.
High
Published
Optional
The option to publish the event when set to True. If this parameter is not defined, the default value is False.
True
Analysis
Optional
The analysis stage of the event. The available analysis stages are Initial, Ongoing and Completed.
Ongoing
Distribution
Optional
The distribution scope of the event. The available distribution scopes are Your organization only, This community only, Connected communities, and All communities.
All communities
Attributes
Optional
The JSON-formatted array containing the attributes of the event. Note: The newly entered attributes will be appended to the existing attributes, rather than overwriting them. The "type" and "category" fields can be obtained using the List Attribute Types and Categories command.
Note: The input values must match. Mismatched pairs will result in an event updated with no new attributes attached.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"EventID": "\"******\""
}
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Edit Event failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Event ID Not Found.
Error Sample Data
Edit Event failed.
Status Code: 404.
Message: Event ID Not Found.
Fetch Event
Retrieves events from MISP based on the specified criteria.
Reader Note
Organization Names and Tags are optional parameters to run this command.
Run the List Organizations command to obtain Organization Names. Organization Names can be found in the returned raw data at the path $.results[*].Organisation.name.
Run the Search Tags or List Tags commands to obtain Tags. Tags can be found in the returned raw data at the path $.tag[*].id for both commands.
Input
Input Parameter
Required/Optional
Description
Example
Start Time
Optional
The start time of the time range to fetch events in UTC time. The time field used to retrieve events is based on their updated time.
2023-01-10 00:00
End Time
Optional
The end time of the time range to fetch events in UTC time.
2023-01-11 00:00
Number of Event(s) Fetched
Optional
The maximum number of events to fetch. If the value is 0, a negative number, or is not defined, the command will return all events matching the search conditions within the defined time range.
3
Attribute Value
Optional
The attribute value to search. The attribute value can be IP address, URL, domain, file hash, etc.
e*****3a
Type
Optional
The attribute type to search.
domain
Category
Optional
The attribute category to search.
Network activity
Tags
Optional
The ID(s) of the tag(s) on the events or on the event attributes. Please note, when the Search All parameter is defined, this parameter will be omitted. Tags can be obtained using the List Tags or Search Tags commands.
[
"504"
]
Search All
Optional
Retrieves events by matching any tag names, event descriptions, attribute values or attribute comments. Please note, this parameter overrides the Tags and Organization Names parameters.
Cobalt Strike
Organization Names
Optional
The name(s) of the organization(s) from which to fetch events. Please note, when the Search All parameter is defined, this parameter will be omitted. Organization Names can be obtained using the List Organizations command.
[
"ORGNAME",
"CIRCL"
]
Search Conditions
Optional
The option to define other search conditions if the above parameters cannot cover your request. Please refer to MISP OpenAPI spec for more information.
{
"published": false
}
Tolerance Scope
Optional
The tolerance scope (in minutes) for the query to fetch events between the specified start and end time to avoid event loss or fetch failure. The events will be fetched between {Start Time - Tolerance Scope, End Time}. The default value is 0.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Please note that Fetch Event commands require event field mapping. Field mapping plays a key role in the data normalization process part of the event pipeline. Field mapping converts the original data fields from the different providers to the D3 fields which are standardized by the D3 Model. Please refer to Event and Incident Intake Field Mapping for details.
If you require a custom field mapping, click + Add Field to add a custom field mapping. You can also remove built-in field mappings by clicking x. Please note that two underscore characters will automatically prefix the defined Field Name as the System Name for a custom field mapping. Additionally, if an input Field Name contains any spaces, they will automatically be replaced with underscores for the corresponding System Name.
As a system integration, the MISP integration has some pre-configured field mappings for default field mapping.
Default Event Source The Default Event Source is the default set of field mappings that are applied when this fetch event command is executed. For out-of-the-box integrations, you will find a set of field mapping provided by the system. Default event source provides field mappings for common fields from fetched events. The default event source has a “Main Event JSON Path” (i.e., $.response) that is used to extract a batch of events from the response raw data. Click Edit Event Source to view the “Main Event JSON Path”.
Main Event JSON Path: $.response The Main Event JSON Path determines the root path where the system starts parsing raw response data into D3 event data. The JSON path begins with $, representing the root element. The path is formed by appending a sequence of child elements to $, each separated by a dot (.). Square brackets with nested quotation marks ([‘...’]) should be used to separate child elements in JSON arrays. For example, the root node of a JSON Path is response. The child node denoting the Event UUID field would be Event.uuid. Putting it together, the JSON Path expression to extract the Event UUID is $.response.Event.uuid.
Reader Note
The Unique Event Key field mapping is used to prevent duplicate event ingestions. D3 SOAR will check if the value of a selected JSON path matches any Unique Event Key of previously ingested events. If a match is found, the event will be dismissed. If no match is found, an event will be created. However, if no Unique Event Key is mapped, then the hash value from the event pending ingestion will be used to check for any matches with existing events. If no match is found, the event will be created.
Unlike most other D3 SOAR integrations, the MISP integration’s Fetch Event command’s Default Event Source mapping does not include Unique Event Key in order to fetch the same fetched target events with multiple updates.
The pre-configured field mappings are detailed below:
Field Name
Source Field
Document ID
.Event.id
Event Type
.Event.distribution
Severity
.Event.threat_level_id
Status
.Event.analysis
Description
.Event.info
Start Time
.Event.date
Updated Time
.Event.timestamp
Published Time
.lastUpdated
Event UUID
.Event.uuid
Event name
.Event.info
Organization Name
.Event.Orgc.name
Owner Organization Name
.Event.Org.name
Published
.Event.published
AttributeCount
.Event.attribute_count
Attribute IDs
.Event.Attribute[*].id
Attribute Types
.Event.Attribute[*].type
Attribute Categories
.Event.Attribute[*].category
Attribute Values
.Event.Attribute[*].value
Attribute UUIDs
.Event.Attribute[*].uuid
Attribute Comments
.Event.Attribute[*].comment
Attribute Timestamp
.Event.Attribute[*].timestamp
Attribute Tags
.Event.Attribute[*].Tag[*].name
Tag
.Event.Tag[*].name
Tag ID
.Event.Tag[*].id
object ID
.Event.Object[*].id
object
.Event.Object[*].name
object category
.Event.Object[*].meta-category
Object Description
.Event.Object[*].description
Object Comment
.Event.Object[*].comment
Cluster ID
.Event.Galaxy[*].id
Cluster UUID
.Event.Galaxy[*].uuid
Cluster Name
.Event.Galaxy[*].name
Cluster Type
.Event.Galaxy[*].type
Cluster Description
.Event.Galaxy[*].description
Related Event ID
.Event.RelatedEvent[*].id
Related Event Name
.Event.RelatedEvent[*].info
Related Event Severity
.Event.RelatedEvent[*].threat_level_id
Related Event Date
.Event.RelatedEvent[*].date
Related Event UUID
.Event.RelatedEvent[*].uuid
Related Event Organization Name
.Event.RelatedEvent[*].Orgc.name
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Fetch Event failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Event type and category mismatched.
Error Sample Data
Fetch Event failed.
Status Code: 400.
Message: Event type and category mismatched.
List Attribute Types and Categories
Retrieves all attribute types and attribute categories. This command currently supports category and type mappings. The returned data contains three sections: types, categories and category_type_mappings. This command can be used to create attributes when adding or editing events.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
List Attribute Types and Categories failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.
Status Code: 443.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
List Organizations failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.
Status Code: 443.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
List Tags failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.
Status Code: 443.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Name or service not known.
Error Sample Data
List Tags failed.
Status Code: 443.
Message: Name or service not known.
Publish Events
Publishes or unpublishes the specified event(s).
Reader Note
The parameter Event IDs is required to run this command.
Run the Search Event command to obtain Event IDs. Event IDs can be found in the returned raw data at the path $.response[*].event.id.
If the Published parameter is not set, it defaults to False. In this case, the events will be unpublished.
Input
Input Parameter
Required/Optional
Description
Example
Event IDs
Required
The IDs of the events to publish or unpublish. Event ID can be obtained using the Search Event command.
[ "1***" ]
Published
Optional
The option to publish the specified event(s) when set to True. Setting this parameter to False will unpublish the specified event(s). The default option is False.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.
The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Publish Events failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.
Status Code: 404.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Event ID Not Found.
Error Sample Data
Publish Events failed.
Status Code: 404.
Message: Event ID Not Found.
Remove Tags From Attributes
Removes Tags from the specified attributes. All tags in the tag list will be removed from all attributes in the event list.
Reader Note
Attribute IDs and Tag IDs are required parameters to run this command.
Run the Search Attributes command to obtain Attribute IDs. Attribute IDs can be found in the returned raw data at the path $.response.Attribute[*].id.
Run the Search Attributes command to obtain Tag IDs. Tag IDs can be found in the returned raw data at the path $.response.Attribute[*].Event.Tag[*].
The tags should already be associated with the attributes in question. When using the Search Attribute command, the tag should be specified under the input attribute object. If the attribute does not contain the tag, an error will return.
Input
Input Parameter
Required/Optional
Description
Example
Attribute IDs
Required
The ID(s) of the attribute(s) from which the tag(s) will be removed. Attribute ID can be obtained using the Search Attributes command.
[ "88" ]
Tag IDs
Required
The ID(s) of the tag(s) to be removed from the attribute(s). Tag IDs that are already tagged on the attribute can be obtained using the Search Attributes command.
[ "598" ]
Output
Raw Data
The primary response data from the API request.
D3 customizes the returned raw data by adding "attributeID" and "tagID" fields.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Remove Tags From Attributes failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Invalid attribute - tag combination.
Error Sample Data
Remove Tags From Attributes failed.
Status Code: 400.
Message: Invalid attribute - tag combination.
Remove Tags From Events
Removes Tags from the specified events. All tags in the tag list will be removed from all events in the event list.
Reader Note
Event IDs and Tag IDs are required parameters to run this command.
Run the Search Events command to obtain Event IDs. Event IDs can be found in the returned raw data at the path $.response[*].event.id.
Run the Search Events command to obtain Tag IDs. Tag IDs can be found in the returned raw data at the path $.response[*].event.Tag[*].
The tags should already be associated with the events in question. When using the Search Attribute command, the tag should be specified under the input event object. If the event does not contain the tag, an error will return.
Input
Input Parameter
Required/Optional
Description
Example
Event IDs
Required
The ID(s) of the event(s) to which the tag(s) will be removed. Event IDs can be obtained using the Search Events command.
[ "*****" ]
Tag IDs
Required
The ID(s) of the tag(s) to be removed from the event(s). Tag IDs that are already tagged on the events can be obtained using the Search Events command.
[ "*****" ]
Output
Raw Data
The primary response data from the API request.
D3 customizes the returned raw data by adding "eventID" and "tagID" fields.t.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Remove Tags From Events failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.
Status Code: 431.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Invalid Tag.
Error Sample Data
Remove Tags From Events failed.
Status Code: 431.
Message: Invalid Tag.
Search Attributes
Searches attributes based on the given conditions.
Reader Note
Please note that if no search criteria has been filled, all attributes will be searched. This could return too large of a dataset, resulting in a command timeout.
If the input search criteria does not exist, this command will run successfully with no result.
If you input both the Type and Category parameters, the values must match. Please see the List Attribute Types and Categories command to obtain the matching pair. Check the path $.category_type_mappings in the returned raw data.
Event ID and Tags are optional parameters to run this command.
Run the List Tags or Search Tags commands to obtain tags. Tags can be found in the returned raw data at the path $.tag[*].id for both commands.
Run the Search Events command to obtain Event ID. Event IDs can be found in the returned raw data at the path $.response[*].event.id.
Input
Input Parameter
Required/Optional
Description
Example
Value
Optional
The attribute value to search.
xmr.pool.minergate.com
Type
Optional
The attribute type to search. Note: If both Type and Category are defined, the input values must match. You can run the List Attribute Types and Categories command to obtain the matching pair.
domain
Category
Optional
The attribute category to search. Note: If both Type and Category are defined, the input values must match. You can run the List Attribute Types and Categories command to obtain the matching pair.
Network activity
To IDS
Optional
The option to only return attributes with the "to_ids" flag. The default option is False.
False
Event IDs
Optional
Filters the returned attributes with event ID(s). Event ID can be obtained using the Search Events command.
[ "*****", "*****" ]
Tags
Optional
Filters the returned attributes with tag IDs. Tag IDs can be obtained using the List Tags or Search Tags command.
[ "*****" ]
Other Search Conditions
Optional
The option to define other search conditions if the above parameters cannot cover your request. Please refer to MISP OpenAPI spec for more information.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Search Attributes failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.
Status Code: 400.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: One or more errors occurred.
Error Sample Data
Search Attributes failed.
Status Code: 400.
Message: One or more errors occurred.
Search Events
Searches events with specified search conditions in MISP.
Reader Note
Please note that if no search criteria has been filled, all events will be searched. This could return too large of a dataset, resulting in a command timeout.
If the input search criteria does not exist, this command will run successfully with no result.
If you input both Type and Category parameters, the values must match. Please see the List Attribute Types and Categories command to obtain the matching pair. Check the path $.category_type_mappings in the returned raw data.
Inputting mismatched data for these parameters will result in the error message "Event type and category mismatched. Please check D3Error object in RawData for more details.". The command will still return the raw data and key fields of the events containing both the selected type and category in their attributes.
Event ID and Tags are optional parameters to run this command.
Run the List Tags or Search Tags commands to obtain tags. Tags can be found in the returned raw data at the path $.tag[*].id for both commands.
Run the Search Events command to obtain Event ID. Event IDs can be found in the returned raw data at the path $.response[*].event.id.
Input
Input Parameter
Required/Optional
Description
Example
Attribute Value
Optional
The attribute value to search. The attribute value can be IP address, URL, domain, file hash, etc.
xmr.pool.minergate.com
Type
Optional
The attribute type to search. Note: If both Type and Category are defined, the input values must match. You can run the List Attribute Types and Categories command to obtain the matching pair.
domain
Category
Optional
The attribute category to search. Note: If both Type and Category are defined, the input values must match. You can run the List Attribute Types and Categories command to obtain the matching pair.
Network activity
Event ID
Optional
The ID of the event. Event ID can be obtained using the Search Events command.
74
Tags
Optional
The ID(s) of the tag(s) on the events or on the event attributes. Tags can be obtained using the List Tags or Search Tags command.
[
"598"
]
Search All
Optional
Retrieves events by matching any tag names, event descriptions, attribute values or attribute comments. Please note, this parameter overrides other parameters.
Cobalt Strike
Other Search Conditions
Optional
The option to define other search conditions if the above parameters cannot cover your request. Please refer to MISP OpenAPI spec for more information.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Search Events failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.
Status Code: 443.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Name or service not known.
Error Sample Data
Search Events failed.
Status Code: 443.
Message: Name or service not known.
Search Object Templates
Retrieves object templates according to template name or description.
Reader Note
If the keyword parameter is not defined, all object templates will be returned.
If the input keyword does not match any template name, this command will run successfully with no result.
Input
Input Parameter
Required/Optional
Description
Example
Keyword
Optional
The Keyword to search for object templates. The Keyword could be a full or partial template name or template description. If this parameter is not defined, all object templates will be returned.
domain-ip
Output
Raw Data
The primary response data from the API request.
SAMPLE DATA
JSON
{
"results": [
{
"ObjectTemplate": {
"id": "*****",
"user_id": "0",
"org_id": "0",
"uuid": "***-***-***-***-***",
"name": "domain-ip",
"meta-category": "network",
"description": "A domain and IP address seen as a tuple in a specific time frame.",
"version": "6",
"requirements": {
"required": [
"ip",
"domain"
]
},
"fixed": true,
"active": true
},
"Organisation": {
"id": null,
"name": null,
"uuid": null
}
}
],
"D3Errors": []
}
Key Fields
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
SAMPLE DATA
CODE
{
"ObjectTemplateIDs": "\"[ \\\"38\\\" ]\"",
"ObjectTemplateUUIDs": "\"[ \\\"***-***-***-***-***\\\" ]\"",
"ObjectTemplateNames": "\"[ \\\"domain-ip\\\" ]\"",
"ObjectTemplateCategories": "\"[ \\\"network\\\" ]\"",
"ObjectTemplateDescriptions": "\"[ \\\"A domain and IP address seen as a tuple in a specific time frame.\\\" ]\""
}
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
OBJECTTEMPLATE
ORGANISATION
{'id': '*****', 'user_id': '0', 'org_id': '0', 'uuid': '***-***-***-***-***', 'name': 'domain-ip', 'meta-category': 'network', 'description': 'A domain and IP address seen as a tuple in a specific time frame.', 'version': '6', 'requirements': {'required': ['ip', 'domain']}, 'fixed': True, 'active': True}
{'id': None, 'name': None, 'uuid': None}
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Search Object Templates failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.
Status Code: 443.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Name or service not known.
Error Sample Data
Search Object Templates failed.
Status Code: 443.
Message: Name or service not known.
Search Tags
Retrieves tags with the specified search term.
Reader Note
Search Term is a required parameter to run the command.
Run the List Tags command to obtain the Search Team. Search Term is referring to the tag names. It can be found in the returned raw data at the path $.tag[*].name.
The difference between this command and the List Tags command is that this command is searched by tag name and will return more detailed information under the field "GalaxyCluster" based on the provided tag.
Input
Input Parameter
Required/Optional
Description
Example
Search Term
Required
The search term used to filter tags. Both full tag names and partial tag names can be defined. Please note, the search term is case insensitive. You can use the List Tags command to retrieve all tags.
Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields. The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.
SAMPLE DATA
CODE
Successful
Result
Provides a brief summary of outputs in an HTML formatted table.
SAMPLE DATA
CODE
No Sample Data
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The errortab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Search Tags failed.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.
Status Code: 443.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Name or service not known.
Error Sample Data
Search Tags failed.
Status Code: 443.
Message: Name or service not known.
Test Connection
Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.
Input
N/A
Output
Return Data
Indicates one of the possible command execution states: Successful or Failed.
The Failed state can be triggered by any of the following errors:
A connection issue with the integration
The API returned an error message
No response from the API
You can view more details about an error in the Error tab.
SAMPLE DATA
CODE
Successful
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error
Description
Example
Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Test Connection failed. Failed to check the connector.
Status Code
The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.
Status Code: 443.
Message
The raw data or captured key error message from the integration API server about the API request failure.
Message: Name or service not known.
Error Sample Data
Test Connection failed. Failed to check the connector.
Status Code: 443.
Message: Name or service not known.
JavaScript errors detected
Please note, these errors can depend on your browser setup.
If this problem persists, please contact our support.
