
MISP

Overview

MISP is an open-source threat intelligence platform for collecting, storing, distributing and sharing indicators of compromise and other threat information produced during incident analysis and malware analysis.

D3 SOAR communicates with MISP through its REST API.

MISP is available for use in:

D3 SOAR

V12.7.83.0+

Category

Threat Intelligence

Deployment Options

Option I, Option III

Connection

To connect to MISP from D3 SOAR, collect the following information:

Parameter

Description

Example

Server URL

The URL of the MISP server.

https://1.1.1.1

API Key

The API key to authenticate the connection.

QW*****1D

Permission Requirements

Each endpoint in the MISP API requires a certain permission scope. The following are required scopes for the commands in this integration:

Command

Permissions (least)

Additional Permissions

Add Event

Manage Organization Events

Auth

Add Object to Events

Manage Organization Events

Auth

Add Tags to Attributes

Manage Organization Events

Tagger + Auth + Sync

Add Tags to Events

Manage Organization Events

Tagger + Auth + Sync

Check File Reputation

ReadOnly

Auth

Check IP Reputation

ReadOnly

Auth

Check URL Reputation

ReadOnly

Auth

Edit Event

Manage Organization Events

Site Admin (*all other permissions will be auto-selected when you choose site admin)

Fetch Event

ReadOnly

Auth

List Attribute Types and Categories

ReadOnly

Auth

List Organizations

ReadOnly

Auth

List Tags

ReadOnly

Auth

Publish Event

Manage Organization Events

Auth

Remove Tags From Attributes

Manage Organization Events

Site Admin (*all other permissions will be auto-selected when you choose site admin)

Remove Tags From Events

Manage Organization Events

Site Admin (*all other permissions will be auto-selected when you choose site admin)

Search Attributes

ReadOnly

Auth

Search Events

ReadOnly

Auth

Search Object Templates

ReadOnly

Auth

Search Tags

ReadOnly

Auth

Test Connection

No Permission required

No Permission required

MISP uses role-based access control (RBAC): an API key belongs to a specific user account, so every command run over the connection carries the permissions of that user's role. Configure the integration user's role in the MISP console so that it covers each command in this integration you intend to use. Because the key grants the full permissions of its role, create a dedicated integration user with the least permissions listed above rather than reusing an administrator's key.

Reader Note

  • For each selected permission (i.e., Read Only, Manage My Own Events, Manage Organization Events and Manage & Publish Organization Events), different additional permissions will appear as tick boxes to be enabled.

Configuring MISP to Work with D3 SOAR

Creating Roles

  1. Log in to MISP. Navigate to Administration > Add Roles.

  2. Enter a name for the new role. Select the required permission level for the role, then tick the additional permissions it needs. The Memory limit and Maximum execution time fields default to 2048 and 300 respectively if left blank; adjust them only if needed. Click Add to create the new role.

  3. You will see your newly created role under the List Roles section.

Creating Users and Assigning Roles

  1. Log in to MISP. Navigate to Administration > Add User.

  2. Complete the required fields to create the user. Choose your created role for the user from the Role dropdown menu. Once you have made your selections, click Submit to add the new user.

  3. To view the created user, navigate to List Users. The AuthKey for the new user will be used as the API key to establish the integration connection in D3 SOAR.

  4. Log in to the new user's account with the configured credentials. Note that first-time users are required to reset their password.

  5. Once you are logged in, you can locate the user account's API key by navigating to the Automation tab on the left side navigation menu.

Configuring D3 SOAR to Work with MISP

  1. Log in to D3 SOAR.

  2. Find the MISP integration.

    1. Navigate to Configuration on the top header menu.

    2. Click on the Integration icon on the left sidebar.

    3. Type MISP in the search box to find the integration, then click it to select it.

    4. Click + New Connection, on the right side of the Connections section. A new connection window will appear.

  3. Configure the following fields to create a connection to MISP.

    1. Connection Name: The desired name for the connection.

    2. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.

    3. Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.

    4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

    5. Description (Optional): Add your desired description for the connection.

    6. Configure User Permissions: Defines which users have access to the connection.

    7. Active: Check the tick box to ensure the connection is available for use.

    8. System Reputation Check: Checking one or more reputation check tick boxes will run the corresponding check reputation command(s) under this integration connection to enrich the corresponding artifacts with reputation details. 
      For example, we are configuring an integration connection named “ConnectionA” with the site “Sandbox”. All IP artifacts from the “Sandbox” site will go through a reputation check using the Check IP Reputation command from that integration. The return data output from running the command will then be used to update the risk level of the artifacts which may affect the risk level of incoming events.

    9. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.

      1. Input your domain level Server URL.
      2. Input your API Key. Refer to step 5 of Creating Users and Assigning Roles.

    10. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.

  4. Test the connection.

    1. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.

    2. Click OK to close the alert window.

    3. Click + Add to create and add the configured connection.
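The Server URL and API Key above map directly onto how MISP's REST API is addressed: the key is sent verbatim in the Authorization header (no Bearer prefix), every request carries Accept and Content-Type of application/json, and the base URL is the bare scheme and host. The following Python is an added example of preparing such a request, not code from D3 SOAR or MISP. The host and key are constructed placeholders and nothing is sent; the function returns a prepared request so headers and URL can be checked offline. Plain http is refused by default because the key travels in clear in every request header.

```python
"""Build authenticated requests for the MISP REST API (added example)."""
import json
from typing import Optional
import urllib.parse
import urllib.request


def normalise_server_url(server_url: str, allow_insecure: bool = False) -> str:
    """Return the bare 'scheme://host[:port]' MISP base URL.

    The connection expects a domain-level URL, so any path, query or
    trailing slash is dropped. Plain http is refused unless explicitly
    allowed, because the API key is sent in clear in every request.
    """
    parsed = urllib.parse.urlsplit(server_url.strip())
    if parsed.scheme not in ("https", "http") or not parsed.netloc:
        raise ValueError(f"not an absolute URL: {server_url!r}")
    if parsed.scheme == "http" and not allow_insecure:
        raise ValueError("refusing to send the MISP API key over plain http")
    return f"{parsed.scheme}://{parsed.netloc}"


def build_misp_request(server_url: str, api_key: str, path: str,
                       body: Optional[dict] = None) -> urllib.request.Request:
    """Prepare a JSON request the way MISP expects it.

    MISP authenticates with the raw key in the Authorization header and
    requires Accept/Content-Type of application/json on REST endpoints.
    A body makes the request a POST; without one it is a GET.
    """
    if not api_key or not api_key.strip():
        raise ValueError("API key is empty")
    base = normalise_server_url(server_url)
    url = base + "/" + path.lstrip("/")
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if data else "GET")
    req.add_header("Authorization", api_key.strip())
    req.add_header("Accept", "application/json")
    req.add_header("Content-Type", "application/json")
    return req


def redact_key(api_key: str) -> str:
    """Render a key for logs in the style of the example above (QW*****1D)."""
    if len(api_key) <= 4:
        return "*" * len(api_key)
    return api_key[:2] + "*****" + api_key[-2:]


# Constructed values. /servers/getVersion is a cheap authenticated MISP
# endpoint, suitable as a connection test. The key is a placeholder.
SERVER_URL = "https://misp.example.test/"
API_KEY = "QW" + "x" * 36 + "1D"

if __name__ == "__main__":
    req = build_misp_request(SERVER_URL, API_KEY, "/servers/getVersion")
    print(req.get_method(), req.full_url, "key", redact_key(API_KEY))
```

The redacted form is what should reach logs and tickets; the raw key carries the whole role of the integration user, so treat it like a password.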

Commands

MISP includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the MISP API, please refer to the following API references:

Reader Note

Certain permissions are required for each command. Please refer to the Permission Requirements and Configuring MISP to Work with D3 SOAR for details.

Note for Time-related parameters

The input format of time-related parameters depends on your account settings, so the sample data shown for our commands may differ from what you see. To set your preferred time format, follow these steps:

  1. Navigate to Configuration > Application Settings. Select Date/Time Format.

  2. Choose your desired date and time format.

After that, you will be able to view your preferred time format when configuring the DateTime input parameters for commands.

Add Event

Adds a new event into the system.

Reader Note

The parameter Attributes is optional to run this command.

  • The "type" and "category" fields can be obtained using the List Attribute Types and Categories command. You can locate the matching pairs in the returned raw data at the path $.category_type_mappings. If you input incompatible pairs, the event will be created without any attributes.

Input

Input Parameter

Required/Optional

Description

Example

Event Info

Required

The event information.

Test Event0201a

Event Date

Required

The date of the event.

2020-11-14 00:00

Threat Level

Optional

The threat level for the event. The available threat levels are High, Medium, Low, and Undefined. If this parameter is not defined, the default threat level is Undefined.

High

Published

Optional

The option to publish the event when set to True. If this parameter is not defined, the default value is False.

True

Analysis

Optional

The analysis stage of the event. The available analysis stages are Initial, Ongoing and Completed. If this parameter is not defined, the default analysis stage is Initial.

Ongoing

Distribution

Optional

The distribution scope of the event. The available distribution scopes are Your organization only, This community only, Connected communities, and All communities. If this parameter is not defined, the default distribution scope is Your organization only.

All communities

Attributes

Optional

A JSON-formatted array containing the attributes of the event. Valid "type" and "category" values can be obtained using the List Attribute Types and Categories command. Note: the type must be one that MISP permits for the chosen category; a mismatched pair results in the event being created with no attributes.

[
    {
        "type": "domain",
        "category": "Network activity",
        "to_ids": false,
        "distribution": "1",
        "comment": "test domain",
        "value": "phishing.sample.com"
    }
]
```
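Because MISP creates the event and silently drops attributes whose type is not permitted for their category, the pair should be checked before the request is sent. The following Python is an added example of that check together with building the /events/add body; it is not D3 SOAR or MISP code. CATEGORY_TYPE_MAPPINGS is a small constructed excerpt of the mapping MISP returns under $.category_type_mappings (List Attribute Types and Categories); fetch the real mapping from your instance rather than relying on this subset. The numeric IDs for threat level, analysis and distribution are those visible in the Raw Data samples on this page (threat_level_id "1" for High, analysis "1" for Ongoing, distribution "3" for All communities).

```python
"""Validate attribute pairs and build a MISP /events/add payload (added example)."""
import json

# Constructed excerpt of MISP's category -> permitted attribute types mapping.
CATEGORY_TYPE_MAPPINGS = {
    "Network activity": ["ip-src", "ip-dst", "hostname", "domain", "url", "domain|ip"],
    "Payload delivery": ["md5", "sha1", "sha256", "filename", "filename|md5", "url"],
    "Artifacts dropped": ["md5", "sha1", "sha256", "filename", "filename|md5",
                          "filename|sha1", "filename|sha256"],
}

# Names offered by the command and the numeric IDs the MISP API stores.
THREAT_LEVELS = {"High": 1, "Medium": 2, "Low": 3, "Undefined": 4}
ANALYSIS_STAGES = {"Initial": 0, "Ongoing": 1, "Completed": 2}
DISTRIBUTIONS = {
    "Your organization only": 0,
    "This community only": 1,
    "Connected communities": 2,
    "All communities": 3,
}


def invalid_attribute_pairs(attributes, mappings=CATEGORY_TYPE_MAPPINGS):
    """Return (index, category, type) for every attribute whose pair is not permitted."""
    bad = []
    for i, attr in enumerate(attributes):
        allowed = mappings.get(attr.get("category"), [])
        if attr.get("type") not in allowed:
            bad.append((i, attr.get("category"), attr.get("type")))
    return bad


def build_add_event_payload(info, date, attributes=(), threat_level="Undefined",
                            analysis="Initial", distribution="Your organization only",
                            published=False, mappings=CATEGORY_TYPE_MAPPINGS):
    """Build the JSON body for POST /events/add, refusing invalid input up front."""
    if not info.strip():
        raise ValueError("Event Info must not be empty")
    bad = invalid_attribute_pairs(attributes, mappings)
    if bad:
        raise ValueError(f"type/category pairs not permitted by MISP: {bad}")
    if published and not attributes:
        # MISP can reject this with the 403 shown in Error Handling above:
        # "Received a published event that was empty."
        raise ValueError("refusing to publish an event with no attributes")
    event = {
        "info": info,
        "date": date,  # MISP expects YYYY-MM-DD here
        "threat_level_id": THREAT_LEVELS[threat_level],
        "analysis": ANALYSIS_STAGES[analysis],
        "distribution": DISTRIBUTIONS[distribution],
        "published": published,
        "Attribute": [dict(a) for a in attributes],
    }
    return {"Event": event}


if __name__ == "__main__":
    # Constructed input mirroring the Attributes example above.
    attrs = [{"type": "domain", "category": "Network activity", "to_ids": False,
              "distribution": "1", "comment": "test domain",
              "value": "phishing.sample.com"}]
    payload = build_add_event_payload("Test Event0201a", "2020-11-14", attrs,
                                      threat_level="High", analysis="Ongoing",
                                      distribution="All communities", published=True)
    print(json.dumps(payload, indent=2))
```

The payload is what the prepared request from the connection example would carry as its body.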

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "Event": {
        "id": "*****",
        "orgc_id": "1",
        "org_id": "1",
        "date": "2020-11-14",
        "threat_level_id": "1",
        "info": "*****",
        "published": true,
        "uuid": "***-***-***-***-***",
        "attribute_count": "1",
        "analysis": "1",
        "timestamp": "1686094888",
        "distribution": "3",
        "proposal_email_lock": false,
        "locked": false,
        "publish_timestamp": "1686094888",
        "sharing_group_id": "0",
        "disable_correlation": false,
        "extends_uuid": "",
        "event_creator_email": "test@example.test",
        "Org": {
            "id": "1",
            "name": "ORGNAME",
            "uuid": "***-***-***-***-***",
            "local": true
        },
        "Orgc": {
            "id": "1",
            "name": "ORGNAME",
            "uuid": "***-***-***-***-***",
            "local": true
        },
        "Attribute": [
            {
                "id": "*****",
                "type": "domain",
                "category": "Network activity",
                "to_ids": false,
                "uuid": "***-***-***-***-***",
                "event_id": "*****",
                "distribution": "1",
                "timestamp": "1686094888",
                "comment": "test domain",
                "sharing_group_id": "0",
                "deleted": false,
                "disable_correlation": false,
                "object_id": "0",
                "object_relation": null,
                "value": "phishing.sample.com",
                "Galaxy": [],
                "ShadowAttribute": []
            }
        ],
        "ShadowAttribute": [],
        "RelatedEvent": [
            {
                "Event": {
                    "id": "*****",
                    "date": "2023-03-01",
                    "threat_level_id": "3",
                    "info": "test",
                    "published": false,
                    "uuid": "***-***-***-***-***",
                    "analysis": "2",
                    "timestamp": "1679515579",
                    "distribution": "0",
                    "org_id": "1",
                    "orgc_id": "1",
                    "Org": {
                        "id": "1",
                        "name": "ORGNAME",
                        "uuid": "***-***-***-***-***"
                    },
                    "Orgc": {
                        "id": "1",
                        "name": "ORGNAME",
                        "uuid": "***-***-***-***-***"
                    }
                }
            }
        ],
        "Galaxy": [],
        "Object": []
    },
    "D3Errors": []
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "EventID": "\"*****\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Event

{'id': '*****', 'orgc_id': '1', 'org_id': '1', 'date': '2023-02-01', 'threat_level_id': '1', 'info': 'Test Event0201a', 'published': True, 'uuid': '***-***-***-***-***', 'attribute_count': '1', 'analysis': '1', 'timestamp': '1668102496', 'distribution': '3', 'proposal_email_lock': False, 'locked': False, 'publish_timestamp': '1668102496', 'sharing_group_id': '0', 'disable_correlation': False, 'extends_uuid': '', 'event_creator_email': 'test@example.test', 'Org': {'id': '1', 'name': 'ORGNAME', 'uuid': '***-***-***-***-***', 'local': True}, 'Orgc': {'id': '1', 'name': 'ORGNAME', 'uuid': '***-***-***-***-***', 'local': True}, 'Attribute': [{'id': '*****', 'type': 'domain', 'category': 'Network activity', 'to_ids': False, 'uuid': '***-***-***-***-***', 'event_id': '*****', 'distribution': '1', 'timestamp': '1668102496', 'comment': 'test domain', 'sharing_group_id': '0', 'deleted': False, 'disable_correlation': False, 'object_id': '0', 'object_relation': None, 'value': 'phishing.sample.com', 'Galaxy': [], 'ShadowAttribute': []}], 'ShadowAttribute': [], 'RelatedEvent': [], 'Galaxy': [], 'Object': []}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Add Event failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Received a published event that was empty. Event add process blocked.

Error Sample Data

Add Event failed.

Status Code: 403.

Message: Received a published event that was empty. Event add process blocked.

Add Object To Events

Adds an object to the specified event(s).

Reader Note

Event IDs, Object Template ID and Object are required parameters to run this command.

  • Run the Search Events command to obtain Event IDs. Event IDs can be found in the returned raw data at the path $.response[*].event.id.

  • Run the Search Object Templates command to obtain Object Template ID. Object Template IDs can be found in the returned raw data at the path $.results[*].ObjectTemplate.id.

  • The attributes you need to input for the Object parameter are determined by the Object Template ID you set. Each object template has its own set of required and optional attributes.

    • To find out which attributes a specific template ID requires, run the Search Object Templates command. The requirements are listed in the returned raw data at the JSON path $.results[*].ObjectTemplate.requirements. Ensure that the attributes you include satisfy the requirements of the template you are using.

Input

Input Parameter

Required/Optional

Description

Example

Event IDs

Required

The ID(s) of event(s) to which the object will be added. Event ID can be obtained using the Search Events command.

[ "***" ]

Object Template ID

Required

The ID of the object template on which the object is based. Object Template ID can be obtained using the Search Object Templates command.

***

Object

Required

Each object template comes with its own set of required and optional fields. Each field is given as "<object relation>::<attribute type>": "<value>", for example "ip::ip-dst", matching how the field is shown in the MISP user interface.

To find out which fields are necessary for the template you are using, run the Search Object Templates command. The field requirements are located under the JSON path $.results[*].ObjectTemplate.requirements. Ensure the fields you provide in this parameter satisfy the requirements of the template selected with the Object Template ID parameter.

{
    "ip::ip-dst": "200.200.200.200",
    "domain::domain": "phishing.example.ra",
    "last-seen::datetime": "2022-12-31 14:00:00"
}
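Checking the Object fields against the template's requirements before the call avoids the 403 "required attribute is not set" failure shown below and catches a wrong attribute type for a relation. The following Python is an added example of that check and of building the request for MISP's /objects/add/<event_id>/<template_id> endpoint; it is not D3 SOAR or MISP code. DOMAIN_IP_TEMPLATE is a constructed excerpt shaped like one entry of $.results[*].ObjectTemplate from Search Object Templates; fetch the real template from your instance. Field keys follow the "<object relation>::<attribute type>" convention described above.

```python
"""Validate object fields against a MISP object template (added example)."""

# Constructed excerpt of the 'domain-ip' template: its requirements block
# and the attribute type each object relation uses.
DOMAIN_IP_TEMPLATE = {
    "name": "domain-ip",
    "meta-category": "network",
    "requirements": {"requiredOneOf": ["ip", "domain"]},
    "relations": {
        "ip": "ip-dst",
        "domain": "domain",
        "hostname": "hostname",
        "first-seen": "datetime",
        "last-seen": "datetime",
    },
}


def parse_object_fields(fields):
    """Turn {"relation::type": value} into MISP Attribute entries."""
    attributes = []
    for key, value in fields.items():
        relation, sep, attr_type = key.partition("::")
        if not sep or not relation or not attr_type:
            raise ValueError(f"field key must be 'relation::type', got {key!r}")
        attributes.append({"object_relation": relation, "type": attr_type, "value": value})
    return attributes


def template_violations(attributes, template):
    """Return human-readable problems; an empty list means the object is acceptable.

    MISP refuses an object missing a 'required' relation and an object with
    none of the 'requiredOneOf' relations. Unknown relations and a wrong
    attribute type for a known relation are reported as well.
    """
    present = {a["object_relation"] for a in attributes}
    problems = []
    reqs = template.get("requirements", {})
    for rel in reqs.get("required", []):
        if rel not in present:
            problems.append(f"required relation missing: {rel}")
    one_of = reqs.get("requiredOneOf", [])
    if one_of and not present.intersection(one_of):
        problems.append(f"need at least one of: {', '.join(one_of)}")
    for a in attributes:
        expected = template["relations"].get(a["object_relation"])
        if expected is None:
            problems.append(f"relation not in template: {a['object_relation']}")
        elif expected != a["type"]:
            problems.append(f"{a['object_relation']} must be type {expected}, got {a['type']}")
    return problems


def build_add_object_request(event_id, template_id, fields, template):
    """Return (path, body) for POST /objects/add/<event_id>/<template_id>.

    Raises ValueError listing every violation instead of letting MISP reject
    the object one missing attribute at a time.
    """
    attributes = parse_object_fields(fields)
    problems = template_violations(attributes, template)
    if problems:
        raise ValueError("; ".join(problems))
    body = {"name": template["name"], "meta-category": template["meta-category"],
            "Attribute": attributes}
    return f"/objects/add/{event_id}/{template_id}", body


if __name__ == "__main__":
    # Constructed input mirroring the Object example above; IDs are placeholders.
    fields = {"ip::ip-dst": "200.200.200.200", "domain::domain": "phishing.example.ra",
              "last-seen::datetime": "2022-12-31 14:00:00"}
    print(build_add_object_request("<event id>", "<template id>", fields, DOMAIN_IP_TEMPLATE))
```

When this command is run against several Event IDs, the same body is posted once per event, so one validation pass covers all of them.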

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "results": [
        {
            "Object": {
                "id": "*****",
                "name": "domain-ip",
                "meta-category": "network",
                "description": "A domain and IP address seen as a tuple in a specific time frame.",
                "template_uuid": "***-***-***-***-***",
                "template_version": "6",
                "event_id": "*****",
                "uuid": "***-***-***-***-***",
                "timestamp": "1686098832",
                "distribution": "0",
                "sharing_group_id": "0",
                "comment": "",
                "deleted": false,
                "Attribute": [
                    {
                        "id": "*****",
                        "event_id": "*****",
                        "object_id": "*****",
                        "object_relation": "ip",
                        "category": "Network activity",
                        "type": "ip-dst",
                        "value1": "200.200.200.200",
                        "value2": "",
                        "to_ids": true,
                        "uuid": "***-***-***-***-***",
                        "timestamp": "1686098832",
                        "distribution": "5",
                        "sharing_group_id": "0",
                        "comment": "",
                        "deleted": false,
                        "disable_correlation": false,
                        "value": "200.200.200.200"
                    }
                ]
            }
        }
    ],
    "D3Errors": []
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "ObjectIDs": "\"[ \\\"*****\\\" ]\"",
    "ObjectNames": "\"[ \\\"domain-ip\\\" ]\"",
    "EventIDs": "\"[ \\\"*****\\\" ]\"",
    "Categories": "\"[ \\\"network\\\" ]\"",
    "ObjectUUIDs": "\"[ \\\"***-***-***-***-***\\\" ]\"",
    "ObjectDescriptions": "\"[ \\\"A domain and IP address seen as a tuple in a specific time frame.\\\" ]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

OBJECT

{'id': '*****', 'name': 'domain-ip', 'meta-category': 'network', 'description': 'A domain and IP address seen as a tuple in a specific time frame.', 'template_uuid': '***-***-***-***-***', 'template_version': '6', 'event_id': '*****', 'uuid': '***-***-***-***-***', 'timestamp': '1675470158', 'distribution': '0', 'sharing_group_id': '0', 'comment': '', 'deleted': False, 'Attribute': [{'id': '*****', 'event_id': '****', 'object_id': '*****', 'object_relation': 'ip', 'category': 'Network activity', 'type': 'ip-dst', 'value1': '200.200.200.200', 'value2': '', 'to_ids': True, 'uuid': '***-***-***-***-***', 'timestamp': '1675470158', 'distribution': '5', 'sharing_group_id': '0', 'comment': '', 'deleted': False, 'disable_correlation': False, 'value': '200.200.200.200'}, {'id': '*****', 'event_id': '*****', 'object_id': '*****', 'object_relation': 'domain', 'category': 'Network activity', 'type': 'domain', 'value1': 'phishing.example.ra', 'value2': '', 'to_ids': True, 'uuid': '***-***-***-***-***', 'timestamp': '1675470158', 'distribution': '5', 'sharing_group_id': '0', 'comment': '', 'deleted': False, 'disable_correlation': False, 'value': 'phishing.example.ra'}, {'id': '*****', 'event_id': '*****', 'object_id': '*****', 'object_relation': 'last-seen', 'category': 'Other', 'type': 'datetime', 'value1': '2022-12-31 14:00:00', 'value2': '', 'to_ids': True, 'uuid': '***-***-***-***-***', 'timestamp': '1675470158', 'distribution': '5', 'sharing_group_id': '0', 'comment': '', 'deleted': False, 'disable_correlation': False, 'value': '2022-12-31 14:00:00'}]}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Add Object To Events failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.

Status Code: 403.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Could not save the object as a required attribute is not set (message-type).

Error Sample Data

Add Object To Events failed.

Status Code: 403.

Message: Could not save the object as a required attribute is not set (message-type).

Add Tags To Attributes

Adds Tags to the specified attributes. All tags in the tag list will be added to all attributes in the attribute list.

Reader Note

Attribute IDs and Tag IDs are required parameters to run this command.

  • Run the Search Attributes command to obtain Attribute IDs. Attribute IDs can be found in the returned raw data at the path $.response.Attribute[*].id.

  • Run the List Tags or Search Tags commands to obtain tags. Tags can be found in the returned raw data at the path $.tag[*].id for both commands.

Input

Input Parameter

Required/Optional

Description

Example

Attribute IDs

Required

The ID(s) of the attribute(s) to which the tag(s) will be added. Attribute ID can be obtained using the Search Attributes command.

[ "*****" ]

Tag IDs

Required

The ID(s) of the tag(s) to be added upon the attribute(s). Tag ID can be obtained using the Search Tags or List Tags command.

[ "*****" ]

Output

Raw Data

The primary response data from the API request.

D3 customizes the returned raw data by adding "attributeID" and "tagID" fields.

SAMPLE DATA

JSON
{
    "results": [
        {
            "attributeID": "*****",
            "Tag": [
                {
                    "tagID": "*****",
                    "saved": true,
                    "success": "Tag added.",
                    "check_publish": true
                }
            ]
        }
    ],
    "D3Errors": []
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ATTRIBUTEID

TAG

88

[{'tagID': '*****', 'saved': True, 'success': 'Tag(s) added.', 'check_publish': True}]

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Add Tags To Attributes failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.

Status Code: 405.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Method Not Allowed. You do not have permission to use this functionality.

Error Sample Data

Add Tags To Attributes failed.

Status Code: 405.

Message: Method Not Allowed. You do not have permission to use this functionality.

Add Tags To Events

Adds Tags to the specified events. All tags in the tag list will be added to all events in the event list.

Reader Note

Event IDs and Tag IDs are required parameters to run this command.

  • Run the Search Events command to obtain Event ID. Event IDs can be found in the returned raw data at the path $.response[*].event.id.

  • Run the List Tags or Search Tags commands to obtain tags. Tags can be found in the returned raw data at the path $.tag[*].id for both commands.

Input

Input Parameter

Required/Optional

Description

Example

Event IDs

Required

The ID(s) of the event(s) to which the tag(s) will be added. Event ID can be obtained using the Search Events command.

[ "*****" ]

Tag IDs

Required

The ID(s) of the tag(s) to be added upon the event(s). Tag ID can be obtained using the Search Tags or List Tags command.

[ "*****" ]

Output

Raw Data

The primary response data from the API request.

D3 customizes the returned raw data by adding "eventID" and "tagID" fields.

SAMPLE DATA

JSON
{
    "results": [
        {
            "eventID": "*****",
            "Tag": [
                {
                    "tagID": "*****",
                    "saved": true,
                    "success": "All tags are already present, nothing to add.",
                    "check_publish": true
                }
            ]
        }
    ],
    "D3Errors": []
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

EVENTID

TAG

74

[{'tagID': '*****', 'saved': True, 'success': 'Tag(s) added.', 'check_publish': True}]

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Add Tags To Events failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.

Status Code: 405.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Method Not Allowed. You do not have permission to use this functionality.

Error Sample Data

Add Tags To Events failed.

Status Code: 405.

Message: Method Not Allowed. You do not have permission to use this functionality.

Check File Reputation

Retrieves reputation information on the specified file hashes.

Input

Input Parameter

Required/Optional

Description

Example

File Hashes

Required

The file hashes to perform the reputation check. MD5, SHA1 and SHA256 hashes are supported.

[ "*****" ]
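A hash that is not a well-formed MD5, SHA1 or SHA256 will never match anything in MISP, so it is worth rejecting before the lookup, and a bare hash must also be searched against the compound filename|<hash> attribute types, which is how the filename|md5 hit in the Raw Data sample below is returned. The following Python is an added example of classifying the input hashes, building the /attributes/restSearch body and flattening the response; it is not D3 SOAR or MISP code, and it does not implement D3's own risk-level derivation. SAMPLE_RESPONSE is a constructed, trimmed response shaped like the Raw Data below so the summary can be exercised offline; the MD5 in it is the well-known digest of the empty string.

```python
"""Classify file hashes and build a MISP attribute search for them (added example)."""
import re

HEX = re.compile(r"^[0-9a-fA-F]+$")
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_hash(value):
    """Return 'md5', 'sha1' or 'sha256', or None when the string is none of these."""
    v = value.strip()
    if not HEX.match(v):
        return None
    return HASH_TYPES.get(len(v))


def build_hash_search(hashes):
    """Body for POST /attributes/restSearch covering the supported hash types.

    Plain hash attributes and the compound 'filename|<hash>' attributes are
    both searched: MISP matches the value filter against either half of a
    compound value, so a bare MD5 also finds filename|md5 attributes.
    Rejects anything that is not an MD5, SHA1 or SHA256 hex digest.
    """
    kinds = set()
    rejected = []
    for h in hashes:
        kind = classify_hash(h)
        if kind is None:
            rejected.append(h)
        else:
            kinds.add(kind)
    if rejected:
        raise ValueError(f"not MD5/SHA1/SHA256 hashes: {rejected}")
    types = sorted(kinds) + sorted(f"filename|{k}" for k in kinds)
    return {"returnFormat": "json", "type": types,
            "value": [h.strip().lower() for h in hashes]}


def summarize_hits(response):
    """One row per matched attribute: value, type, IDS flag, owning event and its tags."""
    rows = []
    for attr in response.get("response", {}).get("Attribute", []):
        event = attr.get("Event", {})
        rows.append({
            "value": attr.get("value"),
            "type": attr.get("type"),
            "to_ids": bool(attr.get("to_ids")),
            "event_id": event.get("id"),
            "event_info": event.get("info"),
            "tags": [t["name"] for t in event.get("Tag", [])],
        })
    return rows


# Constructed response modelled on the Raw Data sample below.
SAMPLE_RESPONSE = {
    "response": {
        "Attribute": [
            {
                "id": "1", "event_id": "149", "category": "Artifacts dropped",
                "type": "filename|md5", "to_ids": True,
                "value": "dropper.cgi|d41d8cd98f00b204e9800998ecf8427e",
                "Event": {
                    "id": "149", "info": "constructed OSINT event",
                    "Tag": [{"name": "type:OSINT"}, {"name": "tlp:green"}],
                },
            }
        ]
    }
}

if __name__ == "__main__":
    print(build_hash_search(["d41d8cd98f00b204e9800998ecf8427e"]))
    for row in summarize_hits(SAMPLE_RESPONSE):
        print(row)
```

The to_ids flag and the event tags (for example tlp:green versus a type:OSINT marker) are what a playbook would normally weigh when deciding how far to trust a hit.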

Output

Raw Data

The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.

SAMPLE DATA

JSON
{
    "results": [
        {
            "response": {
                "Attribute": [
                    {
                        "id": "*****",
                        "event_id": "149",
                        "object_id": "0",
                        "object_relation": null,
                        "category": "Artifacts dropped",
                        "type": "filename|md5",
                        "to_ids": true,
                        "uuid": "***-***-***-***-***",
                        "timestamp": "1455835080",
                        "distribution": "5",
                        "sharing_group_id": "0",
                        "comment": "Automatically added (via ***|***)",
                        "deleted": false,
                        "disable_correlation": false,
                        "value": "***|***",
                        "Event": {
                            "org_id": "*****",
                            "distribution": "3",
                            "id": "*****",
                            "orgc_id": "*****",
                            "date": "2014-11-24",
                            "threat_level_id": "*****",
                            "info": "Secret Malware in European Union Attack Linked to U.S. and British Intelligence article by the Intercept",
                            "published": false,
                            "uuid": "***-***-***-***-***",
                            "analysis": "2",
                            "timestamp": "1681171773",
                            "publish_timestamp": "1675292897",
                            "sharing_group_id": "0",
                            "extends_uuid": "",
                            "Orgc": {
                                "id": "3",
                                "uuid": "***-***-***-***-***",
                                "name": "*****.be"
                            },
                            "Tag": [
                                {
                                    "id": "3",
                                    "name": "type:OSINT",
                                    "colour": "#004646",
                                    "numerical_value": null
                                },
                                {
                                    "id": "93",
                                    "name": "tlp:green",
                                    "colour": "#33FF00",
                                    "numerical_value": null
                                }
                            ]
                        }
                    }
                ],
                "fileName": "*****.cgi",
                "fileHash": "*****",
                "riskLevel": 3,
                "riskLevelName": "Low"
            }
        }
    ],
    "D3Errors": [
        {
            "Invalid Hashes List": [
                "Asdasdasdas"
            ],
            "Error": "Some hashes are not valid hashes."
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "File Hashes": "\"[ \\\"*****\\\" ]\"",
    "RiskLevels": "\"[\\\"Medium\\\"]\"",
    "RiskNames": "\"[ \\\"Low\\\" ]\""
}
Return Data

In check reputation commands, Return Data displays the risk score from the raw data as D3-defined risk levels and risk level names. This will be used to enrich artifacts with reputation information.

SAMPLE DATA

CODE
[
    {
        "fileHash": "*****",
        "riskLevel": 3,
        "RawData": {
            "results": [
                {
                    "response": {
                        "Attribute": [
                            {
                                "id": "*****",
                                "event_id": "*****",
                                "object_id": "0",
                                "object_relation": null,
                                "category": "Artifacts dropped",
                                "type": "filename|md5",
                                "to_ids": true,
                                "uuid": "***-***-***-***-***",
                                "timestamp": "1455835080",
                                "distribution": "5",
                                "sharing_group_id": "0",
                                "comment": "Automatically added (via *****|*****)",
                                "deleted": false,
                                "disable_correlation": false,
                                "value": "*****|*****",
                                "Event": {
                                    "org_id": "*****",
                                    "distribution": "*****",
                                    "id": "*****",
                                    "orgc_id": "*****",
                                    "date": "2014-11-24",
                                    "threat_level_id": "1",
                                    "info": "Secret Malware in European Union Attack Linked to U.S. and British Intelligence article by the Intercept",
                                    "published": false,
                                    "uuid": "***-***-***-***-***",
                                    "analysis": "2",
                                    "timestamp": "1681171773",
                                    "publish_timestamp": "1675292897",
                                    "sharing_group_id": "0",
                                    "extends_uuid": "",
                                    "Orgc": {
                                        "id": "3",
                                        "uuid": "***-***-***-***-***",
                                        "name": "*****.be"
                                    },
                                    "Tag": [
                                        {
                                            "id": "3",
                                            "name": "type:OSINT",
                                            "colour": "#004646",
                                            "numerical_value": null
                                        },
                                        {
                                            "id": "93",
                                            "name": "tlp:green",
                                            "colour": "#33FF00",
                                            "numerical_value": null
                                        }
                                    ]
                                }
                            }
                        ],
                        "fileName": "*****.cgi",
                        "fileHash": "*****",
                        "riskLevel": 3,
                        "riskLevelName": "Low"
                    }
                }
            ]
        },
        "BeautifiedHtml": "TypeIndicatorReputationMalware GroupD3 Risk *****-1Pua.Lyrics.Gen3"
    }
]
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

D3-defined Risk Levels and Risk Level Names

The table below lists the possible output risk levels and their corresponding risk level names:

Risk Levels

Risk Level Names

1

High

2

Medium

3

Low

4

Default

5

ZeroRisk

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Check File Reputation failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: One or more errors occurred.

Error Sample Data

Check File Reputation failed.

Status Code: 400.

Message: One or more errors occurred.

Check IP Reputation

Retrieves reputation information on the specified IP address(es).

Input

Input Parameter

Required/Optional

Description

Example

IP Addresses

Required

The IP addresses to perform the reputation check. Both IPv4 and IPv6 addresses are supported.

[ "1.1.1.1" ]

Output

Raw Data

The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.

SAMPLE DATA

JSON
{
    "results": [
        {
            "response": {
                "Attribute": [
                    {
                        "id": "*****",
                        "event_id": "*****",
                        "object_id": "0",
                        "object_relation": null,
                        "category": "Network activity",
                        "type": "ip-src",
                        "to_ids": false,
                        "uuid": "***-***-***-***-***",
                        "timestamp": "1628007020",
                        "distribution": "0",
                        "sharing_group_id": "0",
                        "comment": "",
                        "deleted": false,
                        "disable_correlation": false,
                        "value": "1.1.1.1",
                        "Event": {
                            "org_id": "1",
                            "distribution": "0",
                            "id": "74",
                            "orgc_id": "1",
                            "date": "2021-07-29",
                            "threat_level_id": "3",
                            "info": "Test",
                            "published": false,
                            "uuid": "***-***-***-***-***",
                            "analysis": "0",
                            "timestamp": "1685752150",
                            "publish_timestamp": "0",
                            "sharing_group_id": "0",
                            "extends_uuid": "",
                            "Orgc": {
                                "id": "1",
                                "uuid": "***-***-***-***-***",
                                "name": "ORGNAME"
                            },
                            "Tag": [
                                {
                                    "id": "*****",
                                    "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Account Discovery - T1087\"",
                                    "colour": "#0088cc",
                                    "numerical_value": null
                                },
                                {
                                    "id": "*****",
                                    "name": "opencti:import",
                                    "colour": "#69dcf5",
                                    "numerical_value": null
                                },
                                {
                                    "id": "505",
                                    "name": " Cobalt Strike Beacon",
                                    "colour": "#3b9989",
                                    "numerical_value": null
                                },
                                {
                                    "id": "*****",
                                    "name": "Cobalt Strike",
                                    "colour": "#0ab4a7",
                                    "numerical_value": null
                                }
                            ]
                        }
                    },
                    {
                        "id": "*****",
                        "event_id": "*****",
                        "object_id": "0",
                        "object_relation": null,
                        "category": "Network activity",
                        "type": "ip-dst",
                        "to_ids": false,
                        "uuid": "***-***-***-***-***",
                        "timestamp": "1478775861",
                        "distribution": "5",
                        "sharing_group_id": "0",
                        "comment": "False Positive?",
                        "deleted": false,
                        "disable_correlation": false,
                        "value": "1.1.1.1",
                        "Event": {
                            "org_id": "*****",
                            "distribution": "*****",
                            "id": "*****",
                            "orgc_id": "*****",
                            "date": "2016-11-10",
                            "threat_level_id": "2",
                            "info": "Blueliv Vawtrak v2",
                            "published": true,
                            "uuid": "***-***-***-***-***",
                            "analysis": "0",
                            "timestamp": "1478776192",
                            "publish_timestamp": "1675296007",
                            "sharing_group_id": "0",
                            "extends_uuid": "",
                            "Orgc": {
                                "id": "4",
                                "uuid": "***-***-***-***-***",
                                "name": "CIRCL"
                            },
                            "Tag": [
                                {
                                    "id": "131",
                                    "name": "osint:source-type=\"technical-report\"",
                                    "colour": "#002b4a",
                                    "numerical_value": null
                                },
                                {
                                    "id": "94",
                                    "name": "tlp:white",
                                    "colour": "#ffffff",
                                    "numerical_value": null
                                }
                            ]
                        }
                    }
                ],
                "ip": "1.1.1.1",
                "riskLevel": 3,
                "riskLevelName": "Low"
            }
        }
    ],
    "D3Errors": [
        {
            "Invalid IPs List": [
                "asda"
            ],
            "Error": "Some IPs are not valid IP"
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "IPs": "\"[ \\\"1.1.1.1\\\" ]\"",
    "RiskLevels": "\"[ 3 ]\"",
    "RiskNames": "\"[ \\\"Low\\\" ]\""
}
Return Data

In check reputation commands, Return Data displays the risk score from the raw data as D3-defined risk levels and risk level names. This will be used to enrich artifacts with reputation information.

SAMPLE DATA

CODE
[
    {
        "ip": "1.1.1.1",
        "riskLevel": 3,
        "RawData": {
            "results": [
                {
                    "response": {
                        "Attribute": [
                            {
                                "id": "*****",
                                "event_id": "*****",
                                "object_id": "0",
                                "object_relation": null,
                                "category": "Network activity",
                                "type": "ip-src",
                                "to_ids": false,
                                "uuid": "***-***-***-***-***",
                                "timestamp": "1628007020",
                                "distribution": "0",
                                "sharing_group_id": "0",
                                "comment": "",
                                "deleted": false,
                                "disable_correlation": false,
                                "value": "1.1.1.1",
                                "Event": {
                                    "org_id": "1",
                                    "distribution": "0",
                                    "id": "*****",
                                    "orgc_id": "*****",
                                    "date": "2021-07-29",
                                    "threat_level_id": "******",
                                    "info": "Hong",
                                    "published": false,
                                    "uuid": "***-***-***-***-***",
                                    "analysis": "0",
                                    "timestamp": "1685752150",
                                    "publish_timestamp": "0",
                                    "sharing_group_id": "0",
                                    "extends_uuid": "",
                                    "Orgc": {
                                        "id": "*****",
                                        "uuid": "***-***-***-***-***",
                                        "name": "ORGNAME"
                                    },
                                    "Tag": [
                                        {
                                            "id": "*****",
                                            "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Account Discovery - *****\"",
                                            "colour": "#0088cc",
                                            "numerical_value": null
                                        },
                                        {
                                            "id": "*****",
                                            "name": "opencti:import",
                                            "colour": "#69dcf5",
                                            "numerical_value": null
                                        },
                                        {
                                            "id": "*****",
                                            "name": " Cobalt Strike Beacon",
                                            "colour": "#3b9989",
                                            "numerical_value": null
                                        },
                                        {
                                            "id": "*****",
                                            "name": "Cobalt Strike",
                                            "colour": "#0ab4a7",
                                            "numerical_value": null
                                        }
                                    ]
                                }
                            },
                            {
                                "id": "******",
                                "event_id": "*****",
                                "object_id": "0",
                                "object_relation": null,
                                "category": "Network activity",
                                "type": "ip-dst",
                                "to_ids": false,
                                "uuid": "***-***-***-***-***",
                                "timestamp": "1478775861",
                                "distribution": "5",
                                "sharing_group_id": "0",
                                "comment": "False Positive?",
                                "deleted": false,
                                "disable_correlation": false,
                                "value": "1.1.1.1",
                                "Event": {
                                    "org_id": "*****8",
                                    "distribution": "*****",
                                    "id": "*****",
                                    "orgc_id": "*****",
                                    "date": "2016-11-10",
                                    "threat_level_id": "2",
                                    "info": "Blueliv Vawtrak v2",
                                    "published": true,
                                    "uuid": "***-***-***-***-***",
                                    "analysis": "0",
                                    "timestamp": "1478776192",
                                    "publish_timestamp": "1675296007",
                                    "sharing_group_id": "0",
                                    "extends_uuid": "",
                                    "Orgc": {
                                        "id": "*****",
                                        "uuid": "***-***-***-***-***",
                                        "name": "CIRCL"
                                    },
                                    "Tag": [
                                        {
                                            "id": "*****",
                                            "name": "osint:source-type=\"technical-report\"",
                                            "colour": "#002b4a",
                                            "numerical_value": null
                                        },
                                        {
                                            "id": "*****",
                                            "name": "tlp:white",
                                            "colour": "#ffffff",
                                            "numerical_value": null
                                        }
                                    ]
                                }
                            }
                        ],
                        "ip": "1.1.1.1",
                        "riskLevel": 3,
                        "riskLevelName": "Low"
                    }
                }
            ]
        },
        "BeautifiedHtml": "TypeIndicatorReputationCategory GroupD3 Risk *****-1Pua.Lyrics.Gen3"
    }
]
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

D3-defined Risk Levels and Risk Level Names

The table below lists the possible output risk levels and their corresponding risk level names:

Risk Levels

Risk Level Names

1

High

2

Medium

3

Low

4

Default

5

ZeroRisk

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Check IP Reputation failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: One or more errors occurred.

Error Sample Data

Check IP Reputation failed.

Status Code: 400.

Message: One or more errors occurred.

Check URL Reputation

Retrieves reputation information on the specified URLs.

Input

Input Parameter

Required/Optional

Description

Example

URLs

Required

The URLs to perform the reputation check.

[ "https://tdcanadatrust-scr.com/index.html" ]

Output

Raw Data

The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.

SAMPLE DATA

JSON
{
    "results": [
        {
            "response": {
                "Attribute": [
                    {
                        "id": "*****",
                        "event_id": "*****",
                        "object_id": "0",
                        "object_relation": null,
                        "category": "Network activity",
                        "type": "url",
                        "to_ids": true,
                        "uuid": "***-***-***-***-***",
                        "timestamp": "1675109221",
                        "distribution": "5",
                        "sharing_group_id": "0",
                        "comment": "",
                        "deleted": false,
                        "disable_correlation": false,
                        "value": "https://tdcanadatrust-scr.com/index.html",
                        "Sighting": [],
                        "RelatedAttribute": [],
                        "Event": {
                            "org_id": "*****",
                            "distribution": "0",
                            "id": "*****",
                            "orgc_id": "*****",
                            "date": "2021-07-29",
                            "threat_level_id": "*****",
                            "info": "test",
                            "published": false,
                            "uuid": "***-***-***-***-***",
                            "analysis": "0",
                            "timestamp": "1675109221",
                            "publish_timestamp": "0",
                            "sharing_group_id": "0",
                            "extends_uuid": "",
                            "Orgc": {
                                "id": "*****",
                                "uuid": "***-***-***-***-***",
                                "name": "ORGNAME"
                            },
                            "Tag": []
                        }
                    }
                ]
            }
        }
    ],
    "D3Errors": [
        {
            "Invalid URLs List": [
                "asdsdasas",
                "1231231"
            ],
            "Error": "Some URLs are not valid URL."
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "URLs": "\"[ \\\"https://tdcanadatrust-scr.com/index.html\\\"]\"",
    "RiskLevels": "\"[ 3 ]\"",
    "RiskNames": "\"[ \\\"Low\\\" ]\""
}
Return Data

In check reputation commands, Return Data displays the risk score from the raw data as D3-defined risk levels and risk level names. This will be used to enrich artifacts with reputation information.

SAMPLE DATA

CODE
[
    {
        "url": "https://tdcanadatrust-scr.com/index.html",
        "riskLevel": 1,
        "RawData": {
            "response": {
                "Attribute": [
                    {
                        "id": "*****",
                        "event_id": "*****",
                        "object_id": "0",
                        "object_relation": null,
                        "category": "Network activity",
                        "type": "url",
                        "to_ids": false,
                        "uuid": "***-***-***-***-***",
                        "timestamp": "1668105084",
                        "distribution": "1",
                        "sharing_group_id": "0",
                        "comment": "test url",
                        "deleted": false,
                        "disable_correlation": false,
                        "value": "https://tdcanadatrust-scr.com/index.html",
                        "Event": {
                            "org_id": "*****",
                            "distribution": "*****",
                            "id": "*****",
                            "orgc_id": "1",
                            "date": "2020-11-16",
                            "threat_level_id": "*****",
                            "info": "Test Event0201c",
                            "published": true,
                            "uuid": "***-***-***-***-***",
                            "analysis": "0",
                            "timestamp": "1686012005",
                            "publish_timestamp": "1686012005",
                            "sharing_group_id": "0",
                            "extends_uuid": "",
                            "Orgc": {
                                "id": "*****",
                                "uuid": "***-***-***-***-***",
                                "name": "ORGNAME"
                            },
                            "Tag": []
                        }
                    }
                ]
            }
        },
        "BeautifiedHtml": "  Type  IndicatorReputationCategory GroupD3 Risk *****activity1",
        "reputation": "High"
    }
]
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

D3-defined Risk Levels and Risk Level Names

The table below lists the possible output risk levels and their corresponding risk level names:

Risk Levels

Risk Level Names

1

High

2

Medium

3

Low

4

Default

5

ZeroRisk
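The three check reputation commands above share one response shape (a results array of MISP Attribute hits with a riskLevel, plus a D3Errors list for inputs that failed validation) and one Key Fields encoding. The following Python is an added example, not part of the D3 SOAR documentation or the integration's own code: it validates indicators the way the D3Errors samples report them, decodes the double-encoded Key Fields values, and summarizes a Raw Data document using the D3 risk table. SAMPLE_RAW and SAMPLE_KEY_FIELDS are constructed from the samples above.

```python
import ipaddress
import json
import re
from urllib.parse import urlparse

# D3-defined risk levels and risk level names from the table above.
RISK_LEVEL_NAMES = {1: "High", 2: "Medium", 3: "Low", 4: "Default", 5: "ZeroRisk"}

# Check File Reputation accepts MD5, SHA1 and SHA256: 32, 40 or 64 hex digits.
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")


def is_valid_hash(value):
    return bool(HASH_RE.match(value))


def is_valid_ip(value):
    # IPv4 and IPv6 are both accepted, as for the IP Addresses parameter.
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_valid_url(value):
    parts = urlparse(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def split_indicators(values, validator, label):
    """Separate valid indicators from invalid ones.

    Invalid inputs are reported in the shape of the D3Errors entries in the Raw
    Data samples (e.g. "Invalid IPs List"), so a playbook can surface them
    instead of treating a typo as a clean indicator.
    """
    valid = [v for v in values if validator(v)]
    invalid = [v for v in values if not validator(v)]
    errors = []
    if invalid:
        errors.append({f"Invalid {label} List": invalid,
                       "Error": f"Some {label} are not valid."})
    return valid, errors


def decode_key_field(value):
    """Decode one Key Fields value: in the samples each value is a JSON string
    whose content is JSON text again, so two more json.loads calls are needed."""
    return json.loads(json.loads(value))


def load_key_fields(doc):
    """Parse a Key Fields document (JSON text) and decode every value."""
    return {key: decode_key_field(val) for key, val in json.loads(doc).items()}


def summarize_results(raw):
    """One row per indicator; riskLevelName is taken from the response or, as the
    Return Data samples (riskLevel only) need, derived via the D3 table."""
    rows = []
    for item in raw.get("results", []):
        resp = item["response"]
        attributes = resp.get("Attribute", [])
        tags = sorted({tag["name"].strip() for attr in attributes
                       for tag in attr.get("Event", {}).get("Tag", [])})
        level = resp.get("riskLevel")
        rows.append({
            "indicator": resp.get("fileHash") or resp.get("ip") or resp.get("url"),
            "riskLevel": level,
            "riskLevelName": resp.get("riskLevelName") or RISK_LEVEL_NAMES.get(level),
            "hits": len(attributes),
            # to_ids marks attributes the sharing organization flags for detection.
            "to_ids": any(attr.get("to_ids") for attr in attributes),
            "tags": tags,
        })
    return rows


# Constructed sample in the shape of the Check IP Reputation Raw Data above
# (values made up; the page's masked fields are omitted).
SAMPLE_RAW = {"results": [{"response": {
    "Attribute": [
        {"type": "ip-src", "to_ids": False, "value": "1.1.1.1",
         "Event": {"info": "Test", "Tag": [{"name": " Cobalt Strike Beacon"},
                                           {"name": "opencti:import"}]}},
        {"type": "ip-dst", "to_ids": False, "value": "1.1.1.1",
         "Event": {"info": "Blueliv Vawtrak v2", "Tag": [{"name": "tlp:white"}]}},
    ],
    "ip": "1.1.1.1", "riskLevel": 3}}]}

# Key Fields document exactly as in the sample above (raw string keeps the escapes).
SAMPLE_KEY_FIELDS = r'''{"IPs": "\"[ \\\"1.1.1.1\\\" ]\"", "RiskLevels": "\"[ 3 ]\"", "RiskNames": "\"[ \\\"Low\\\" ]\""}'''
```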

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Check URL Reputation failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: One or more errors occurred.

Error Sample Data

Check URL Reputation failed.

Status Code: 400.

Message: One or more errors occurred.

Edit Event

Updates an existing event based on event ID.

Reader Note

  • Event ID is a required parameter to run this command.

    • Run the Search Events command to obtain Event ID. Event IDs can be found in the returned raw data at the path $.response[*].event.id.

  • If you input values for both the 'type' and 'category' fields within the Attributes parameter, they must match. To find compatible pairs, run the List Attribute Types and Categories command. Refer to the $.category_type_mappings JSON path in the returned raw data to verify the correct pairs. Submitting incompatible pairs will update the event without adding any new attributes.

Input

Input Parameter

Required/Optional

Description

Example

Event ID

Required

The ID of the event to edit. Event ID can be obtained using the Search Events command.

1***

Event Info

Optional

The updated event information.

Test Event0201c

Event Date

Optional

The updated date of the event.

2020-11-16 00:00

Threat Level

Optional

The updated threat level for the event. The available threat levels are High, Medium, Low, and Undefined.

High

Published

Optional

The option to publish the event when set to True. If this parameter is not defined, the default value is False.

True

Analysis

Optional

The analysis stage of the event. The available analysis stages are Initial, Ongoing and Completed.

Ongoing

Distribution

Optional

The distribution scope of the event. The available distribution scopes are Your organization only, This community only, Connected communities, and All communities.

All communities

Attributes

Optional

The JSON-formatted array containing the attributes of the event. Note: The newly entered attributes will be appended to the existing attributes, rather than overwriting them. The "type" and "category" fields can be obtained using the List Attribute Types and Categories command.

Note: The "type" and "category" values of each attribute must be a compatible pair. Mismatched pairs will result in the event being updated with no new attributes attached.

[
    {
        "type": "domain",
        "category": "Network activity",
        "to_ids": false,
        "distribution": "1",
        "comment": "test domain",
        "value": "phishing.sample.com"
    }
]
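Because MISP accepts an incompatible type/category pair by updating the event with no new attributes, it is worth enforcing the Reader Note's pairing rule locally before calling Edit Event. The following Python is an added example, not D3 SOAR or MISP code: CATEGORY_TYPE_MAPPINGS is a constructed excerpt in the shape of the $.category_type_mappings field returned by List Attribute Types and Categories, and the md5 value in the bad-input sample is a constructed placeholder.

```python
import json

# Constructed excerpt in the shape of $.category_type_mappings
# (category -> list of compatible attribute types). A real instance lists many more.
CATEGORY_TYPE_MAPPINGS = {
    "Network activity": ["domain", "hostname", "ip-src", "ip-dst", "url"],
    "Artifacts dropped": ["filename", "md5", "sha1", "sha256", "filename|md5"],
    "Payload delivery": ["url", "md5", "sha1", "sha256", "email-src"],
}


def check_attribute_pairs(attributes, mappings):
    """Validate the Attributes array before it is sent to Edit Event.

    Returns (ok, problems). ok is False when any attribute names both a
    'category' and a 'type' that are not a compatible pair; each problem lists
    the attribute index and the categories that do accept its type, so the
    caller can fix the input instead of silently losing the whole batch.
    """
    problems = []
    for index, attr in enumerate(attributes):
        category = attr.get("category")
        attr_type = attr.get("type")
        # The match rule only applies when both fields are supplied.
        if category is None or attr_type is None:
            continue
        if attr_type in mappings.get(category, []):
            continue
        compatible = sorted(c for c, types in mappings.items() if attr_type in types)
        problems.append({"index": index, "type": attr_type, "category": category,
                         "compatible_categories": compatible})
    return (not problems), problems


def build_edit_event_attributes(attributes, mappings=CATEGORY_TYPE_MAPPINGS):
    """Return the JSON text for the Attributes parameter, or raise on a bad pair."""
    ok, problems = check_attribute_pairs(attributes, mappings)
    if not ok:
        detail = "; ".join(
            f"attribute {p['index']}: type '{p['type']}' is not valid for category "
            f"'{p['category']}' (compatible: {', '.join(p['compatible_categories']) or 'none'})"
            for p in problems)
        raise ValueError("Incompatible type/category pairs: " + detail)
    return json.dumps(attributes)


# The Attributes example from the Input table above, and a constructed bad pair
# (md5 is not a "Network activity" type in the excerpt; the hash is a placeholder).
GOOD_ATTRIBUTES = [
    {"type": "domain", "category": "Network activity", "to_ids": False,
     "distribution": "1", "comment": "test domain", "value": "phishing.sample.com"},
]
BAD_ATTRIBUTES = GOOD_ATTRIBUTES + [
    {"type": "md5", "category": "Network activity",
     "value": "d41d8cd98f00b204e9800998ecf8427e"},
]

if __name__ == "__main__":
    print(build_edit_event_attributes(GOOD_ATTRIBUTES))
    try:
        build_edit_event_attributes(BAD_ATTRIBUTES)
    except ValueError as exc:
        print(exc)
```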

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "Event": {
        "id": "*****",
        "orgc_id": "*****",
        "org_id": "*****",
        "date": "2023-02-01",
        "threat_level_id": "*****",
        "info": "Test Event0201c",
        "published": true,
        "uuid": "***-***-***-***-***",
        "attribute_count": "4",
        "analysis": "1",
        "timestamp": "1675293572",
        "distribution": "3",
        "proposal_email_lock": false,
        "locked": false,
        "publish_timestamp": "1675293573",
        "sharing_group_id": "0",
        "disable_correlation": false,
        "extends_uuid": "",
        "event_creator_email": "test@example.test",
        "Org": {
            "id": "*****",
            "name": "ORGNAME",
            "uuid": "***-***-***-***-***",
            "local": true
        },
        "Orgc": {
            "id": "*****",
            "name": "ORGNAME",
            "uuid": "***-***-***-***-***",
            "local": true
        },
        "Attribute": [
            {
                "id": "*****",
                "type": "url",
                "category": "Network activity",
                "to_ids": false,
                "uuid": "***-***-***-***-***",
                "event_id": "*****",
                "distribution": "1",
                "timestamp": "1668105084",
                "comment": "test url",
                "sharing_group_id": "0",
                "deleted": false,
                "disable_correlation": false,
                "object_id": "0",
                "object_relation": null,
                "value": "https://tdcanadatrust-scr.com/index.html",
                "Galaxy": [],
                "ShadowAttribute": []
            }
        ],
        "ShadowAttribute": [],
        "RelatedEvent": [
            {
                "Event": {
                    "id": "*****",
                    "date": "2023-02-01",
                    "threat_level_id": "2",
                    "info": "Test Event0201c",
                    "published": true,
                    "uuid": "***-***-***-***-***",
                    "analysis": "1",
                    "timestamp": "1675293107",
                    "distribution": "3",
                    "org_id": "1",
                    "orgc_id": "1",
                    "Org": {
                        "id": "*****",
                        "name": "ORGNAME",
                        "uuid": "***-***-***-***-***"
                    },
                    "Orgc": {
                        "id": "*****",
                        "name": "ORGNAME",
                        "uuid": "***-***-***-***-***"
                    }
                }
            },
            {
                "Event": {
                    "id": "*****",
                    "date": "2023-02-01",
                    "threat_level_id": "*****",
                    "info": "Test Event0201a",
                    "published": true,
                    "uuid": "***-***-***-***-***",
                    "analysis": "1",
                    "timestamp": "1668102496",
                    "distribution": "3",
                    "org_id": "*****",
                    "orgc_id": "*****",
                    "Org": {
                        "id": "*****",
                        "name": "ORGNAME",
                        "uuid": "***-***-***-***-***"
                    },
                    "Orgc": {
                        "id": "*****",
                        "name": "ORGNAME",
                        "uuid": "***-***-***-***-***"
                    }
                }
            }
        ],
        "Galaxy": [],
        "Object": []
    },
    "D3Errors": []
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "EventID": "\"******\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Event

{'id': '****', 'orgc_id': '*****', 'org_id': '*****', 'date': '2023-02-01', 'threat_level_id': '*****', 'info': 'Test Event0201c', 'published': True, 'uuid': '***-***-***-***-***', 'attribute_count': '4', 'analysis': '1', 'timestamp': '1675293572', 'distribution': '3', 'proposal_email_lock': False, 'locked': False, 'publish_timestamp': '1675293573', 'sharing_group_id': '0', 'disable_correlation': False, 'extends_uuid': '', 'event_creator_email': 'admin@admin.test', 'Org': {'id': '1', 'name': 'ORGNAME', 'uuid': '***-***-***-***-***', 'local': True}, 'Orgc': {'id': '*****', 'name': 'ORGNAME', 'uuid': '***-***-***-***-***', 'local': True}, 'Attribute': [{'id': '*****', 'type': 'url', 'category': 'Network activity', 'to_ids': False, 'uuid': '***-***-***-***-***', 'event_id': '***', 'distribution': '1', 'timestamp': '1668105084', 'comment': 'test url', 'sharing_group_id': '0', 'deleted': False, 'disable_correlation': False, 'object_id': '0', 'object_relation': None, 'value': 'https://tdcanadatrust-scr.com/index.html', 'Galaxy': [], 'ShadowAttribute': []}, {'id': '*****', 'type': 'domain', 'category': 'Network activity', 'to_ids': False, 'uuid': '***-***-***-***-***', 'event_id': '*****', 'distribution': '1', 'timestamp': '1675293201', 'comment': 'test domain', 'sharing_group_id': '0', 'deleted': False, 'disable_correlation': False, 'object_id': '0', 'object_relation': None, 'value': 'tdcanadatrust-scr1.com', 'Galaxy': [], 'ShadowAttribute': []}, {'id': '*****', 'type': 'domain', 'category': 'Network activity', 'to_ids': False, 'uuid': '***-***-***-***-***', 'event_id': '*****', 'distribution': '1', 'timestamp': '1675293228', 'comment': 'test domain', 'sharing_group_id': '0', 'deleted': False, 'disable_correlation': False, 'object_id': '0', 'object_relation': None, 'value': 'tdcanadatrust-scr2.com', 'Galaxy': [], 'ShadowAttribute': []}, {'id': '68506', 'type': 'domain', 'category': 'Network activity', 'to_ids': False, 'uuid': '***-***-***-***-***', 'event_id': '*****', 'distribution': '1', 'timestamp': '1675293572', 'comment': 'test domain', 'sharing_group_id': '0', 'deleted': False, 'disable_correlation': False, 'object_id': '0', 'object_relation': None, 'value': 'phishing.sample.com', 'Galaxy': [], 'ShadowAttribute': []}], 'ShadowAttribute': [], 'RelatedEvent': [{'Event': {'id': '*****', 'date': '2023-02-01', 'threat_level_id': '*****', 'info': 'Test Event0201c', 'published': True, 'uuid': '***-***-***-***-***', 'analysis': '*****', 'timestamp': '1675293107', 'distribution': '*****', 'org_id': '*****', 'orgc_id': '*****', 'Org': {'id': '*****', 'name': 'ORGNAME', 'uuid': '***-***-***-***-***'}, 'Orgc': {'id': '*****', 'name': 'ORGNAME', 'uuid': '***-***-***-***-***'}}}, {'Event': {'id': '*****', 'date': '2023-02-01', 'threat_level_id': '1', 'info': 'Test Event0201a', 'published': True, 'uuid': '***-***-***-***-***', 'analysis': '1', 'timestamp': '1668102496', 'distribution': '3', 'org_id': '*****', 'orgc_id': '*****', 'Org': {'id': '*****', 'name': 'ORGNAME', 'uuid': '***-***-***-***-***'}, 'Orgc': {'id': '*****', 'name': 'ORGNAME', 'uuid': '***-***-***-***-***'}}}], 'Galaxy': [], 'Object': []}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Edit Event failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Event ID Not Found.

Error Sample Data

Edit Event failed.

Status Code: 404.

Message: Event ID Not Found.

Fetch Event

Retrieves events from MISP based on the specified criteria.

Reader Note

  • Organization Names and Tags are optional parameters to run this command.

    • Run the List Organizations command to obtain Organization Names. Organization Names can be found in the returned raw data at the path $.results[*].Organisation.name.

    • Run the Search Tags or List Tags commands to obtain Tags. Tags can be found in the returned raw data at the path $.tag[*].id for both commands.

Input

Input Parameter

Required/Optional

Description

Example

Start Time

Optional

The start time of the time range to fetch events in UTC time. The time field used to retrieve events is based on their updated time.

2023-01-10 00:00

End Time

Optional

The end time of the time range to fetch events in UTC time.

2023-01-11 00:00

Number of Event(s) Fetched

Optional

The maximum number of events to fetch. If the value is 0, a negative number, or is not defined, the command will return all events matching the search conditions within the defined time range.

3

Attribute Value

Optional

The attribute value to search. The attribute value can be IP address, URL, domain, file hash, etc.

e*****3a

Type

Optional

The attribute type to search.

domain

Category

Optional

The attribute category to search.

Network activity

Tags

Optional

The ID(s) of the tag(s) on the events or on the event attributes. Please note, when the Search All parameter is defined, this parameter will be omitted. Tags can be obtained using the List Tags or Search Tags commands.

[
    "504"
]

Search All

Optional

Retrieves events by matching any tag names, event descriptions, attribute values or attribute comments. Please note, this parameter overrides the Tags and Organization Names parameters.

Cobalt Strike

Organization Names

Optional

The name(s) of the organization(s) from which to fetch events. Please note, when the Search All parameter is defined, this parameter will be omitted. Organization Names can be obtained using the List Organizations command.

[
    "ORGNAME",
    "CIRCL"
]

Search Conditions

Optional

The option to define other search conditions if the above parameters cannot cover your request. Please refer to MISP OpenAPI spec for more information.

{
    "published": false
}

Tolerance Scope

Optional

The tolerance scope (in minutes) for the query to fetch events between the specified start and end time to avoid event loss or fetch failure. The events will be fetched between {Start Time - Tolerance Scope, End Time}. The default value is 0.

0

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "response": [
        {
            "Event": {
                "id": "*****",
                "orgc_id": "4",
                "org_id": "1",
                "date": "2023-01-13",
                "threat_level_id": "*****",
                "info": "Analysis of FG-IR-22-398 ? FortiOS - heap-based buffer overflow in SSLVPNd",
                "published": false,
                "uuid": "***-***-***-***-***",
                "attribute_count": "168",
                "analysis": "1",
                "timestamp": "1675379874",
                "distribution": "3",
                "proposal_email_lock": false,
                "locked": false,
                "publish_timestamp": "1675379229",
                "sharing_group_id": "0",
                "disable_correlation": false,
                "extends_uuid": "",
                "Org": {
                    "id": "1",
                    "name": "ORGNAME",
                    "uuid": "***-***-***-***-***",
                    "local": true
                },
                "Orgc": {
                    "id": "4",
                    "name": "CIRCL",
                    "uuid": "***-***-***-***-***",
                    "local": false
                },
                "Attribute": [
                    {
                        "id": "*****",
                        "type": "md5",
                        "category": "Payload delivery",
                        "to_ids": true,
                        "uuid": "***-***-***-***-***",
                        "event_id": "*****",
                        "distribution": "5",
                        "timestamp": "1673600368",
                        "comment": "Hashes of post-exploitation implants",
                        "sharing_group_id": "0",
                        "deleted": false,
                        "disable_correlation": false,
                        "object_id": "0",
                        "object_relation": null,
                        "value": "*****",
                        "Galaxy": [],
                        "ShadowAttribute": []
                    }
                ],
                "ShadowAttribute": [],
                "RelatedEvent": [
                    {
                        "Event": {
                            "id": "*****",
                            "date": "2022-12-13",
                            "threat_level_id": "1",
                            "info": "OSINT - Fortinet says SSL-VPN pre-auth RCE bug is exploited in attacks",
                            "published": true,
                            "uuid": "***-***-***-***-***",
                            "analysis": "1",
                            "timestamp": "1675300342",
                            "distribution": "3",
                            "org_id": "1",
                            "orgc_id": "4",
                            "Org": {
                                "id": "1",
                                "name": "ORGNAME",
                                "uuid": "***-***-***-***-***"
                            },
                            "Orgc": {
                                "id": "4",
                                "name": "CIRCL",
                                "uuid": "***-***-***-***-***"
                            }
                        }
                    }
                ],
                "Galaxy": [],
                "Object": [],
                "Tag": [
                    {
                        "id": "*****",
                        "name": "misp-galaxy:sector=\"Government, Administration\"",
                        "colour": "#0088cc",
                        "exportable": true,
                        "user_id": "0",
                        "hide_tag": false,
                        "numerical_value": null
                    },
                    {
                        "id": "*****",
                        "name": "type:OSINT",
                        "colour": "#004646",
                        "exportable": true,
                        "user_id": "0",
                        "hide_tag": false,
                        "numerical_value": null
                    },
                    {
                        "id": "*****",
                        "name": "osint:lifetime=\"perpetual\"",
                        "colour": "#0071c3",
                        "exportable": true,
                        "user_id": "0",
                        "hide_tag": false,
                        "numerical_value": null
                    },
                    {
                        "id": "*****",
                        "name": "osint:certainty=\"50\"",
                        "colour": "#0087e8",
                        "exportable": true,
                        "user_id": "0",
                        "hide_tag": false,
                        "numerical_value": null
                    },
                    {
                        "id": "*****",
                        "name": "tlp:white",
                        "colour": "#ffffff",
                        "exportable": true,
                        "user_id": "0",
                        "hide_tag": false,
                        "numerical_value": null
                    },
                    {
                        "id": "*****",
                        "name": "tlp:clear",
                        "colour": "#ffffff",
                        "exportable": true,
                        "user_id": "0",
                        "hide_tag": false,
                        "numerical_value": null
                    },
                    {
                        "id": "*****",
                        "name": "misp-galaxy:country=\"russia\"",
                        "colour": "#0088cc",
                        "exportable": true,
                        "user_id": "0",
                        "hide_tag": false,
                        "numerical_value": null
                    }
                ]
            }
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "EventIDs": "\"[ \\\"*****\\\" ]\"",
    "ThreatLevelIDs": "\"[ \\\"*****\\\" ]\"",
    "AttributesCounts": "\"[ \\\"*****\\\" ]\"",
    "PublishTime": "\"[ \\\"2022-11-10T17:48:16Z\\\" ]\"",
    "EventUUIDs": "\"[ \\\"***-***-***-***-***\\\" ]\"",
    "UpdatedTime": "\"[ \\\"2023-02-02T23:17:54Z\\\" ]\"",
    "EventInfo": "\"[ \\\"Analysis of FG-IR-22-398 \\ufffd FortiOS - heap-based buffer overflow in *****\\\" ]\"",
    "Published": "\"[ false ]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

response

  • {'Event': {'id': '*****', 'orgc_id': '*****', 'org_id': '*****', 'date': '2023-01-13', 'threat_level_id': '*****', 'info': 'Analysis of FG-IR-22-398 ? FortiOS - heap-based buffer overflow in SSLVPNd', 'published': False, 'uuid': '***-***-***-***-***', 'attribute_count': '168', 'analysis': '1', 'timestamp': '1675379874', 'distribution': '3', 'proposal_email_lock': False, 'locked': False, 'publish_timestamp': '1675379229', 'sharing_group_id': '0', 'disable_correlation': False, 'extends_uuid': '', 'Org': {'id': '*****', 'name': 'ORGNAME', 'uuid': '***-***-***-***-***6', 'local': True}, 'Orgc': {'id': '*****', 'name': 'CIRCL', 'uuid': '***-***-***-***-***', 'local': False}, 'Attribute': [{'id': '****', 'type': 'md5', 'category': 'Payload delivery', 'to_ids': True, 'uuid': '***-***-***-***-***', 'event_id': '*****', 'distribution': '5', 'timestamp': '1673600368', 'comment': 'Hashes of post-exploitation implants', 'sharing_group_id': '0', 'deleted': False, 'disable_correlation': False, 'object_id': '0', 'object_relation': None, 'value': '*****', 'Galaxy': [], 'ShadowAttribute': []}], 'ShadowAttribute': [], 'RelatedEvent': [{'Event': {'id': '*****', 'date': '2022-12-13', 'threat_level_id': '*****', 'info': 'OSINT - Fortinet says SSL-VPN pre-auth RCE bug is exploited in attacks', 'published': True, 'uuid': '***-***-***-***-***', 'analysis': '1', 'timestamp': '1675300342', 'distribution': '*****', 'org_id': '*****', 'orgc_id': '*****', 'Org': {'id': '******', 'name': 'ORGNAME', 'uuid': '***-***-***-***-***'}, 'Orgc': {'id': '*****', 'name': 'CIRCL', 'uuid': '***-***-***-***-***'}}}], 'Galaxy': [], 'Object': [], 'Tag': [{'id': '******', 'name': 'misp-galaxy:sector="Government, Administration"', 'colour': '#0088cc', 'exportable': True, 'user_id': '0', 'hide_tag': False, 'numerical_value': None}, {'id': '*****', 'name': 'type:OSINT', 'colour': '#004646', 'exportable': True, 'user_id': '0', 'hide_tag': False, 'numerical_value': None}, {'id': '*****', 'name': 'osint:lifetime="perpetual"', 'colour': '#0071c3', 'exportable': True, 'user_id': '0', 'hide_tag': False, 'numerical_value': None}, {'id': '*****', 'name': 'osint:certainty="50"', 'colour': '#0087e8', 'exportable': True, 'user_id': '0', 'hide_tag': False, 'numerical_value': None}, {'id': '*****', 'name': 'tlp:white', 'colour': '#ffffff', 'exportable': True, 'user_id': '0', 'hide_tag': False, 'numerical_value': None}, {'id': '*****', 'name': 'tlp:clear', 'colour': '#ffffff', 'exportable': True, 'user_id': '0', 'hide_tag': False, 'numerical_value': None}, {'id': '****', 'name': 'misp-galaxy:country="russia"', 'colour': '#0088cc', 'exportable': True, 'user_id': '0', 'hide_tag': False, 'numerical_value': None}]}}

Fetch Event Field Mapping

Please note that Fetch Event commands require event field mapping. Field mapping plays a key role in the data normalization process part of the event pipeline. Field mapping converts the original data fields from the different providers to the D3 fields which are standardized by the D3 Model. Please refer to Event and Incident Intake Field Mapping for details.

If you require a custom field mapping, click + Add Field to add a custom field mapping. You can also remove built-in field mappings by clicking x. Please note that two underscore characters will automatically prefix the defined Field Name as the System Name for a custom field mapping. Additionally, if an input Field Name contains any spaces, they will automatically be replaced with underscores for the corresponding System Name.

As a system integration, the MISP integration has some pre-configured field mappings for default field mapping.

  • Default Event Source
    The Default Event Source is the default set of field mappings that are applied when this fetch event command is executed. For out-of-the-box integrations, you will find a set of field mappings provided by the system. The default event source provides field mappings for common fields from fetched events. The default event source has a “Main Event JSON Path” (i.e., $.response) that is used to extract a batch of events from the response raw data. Click Edit Event Source to view the “Main Event JSON Path”.

    • Main Event JSON Path: $.response
      The Main Event JSON Path determines the root path where the system starts parsing raw response data into D3 event data. The JSON path begins with $, representing the root element. The path is formed by appending a sequence of child elements to $, each separated by a dot (.). Square brackets with nested quotation marks ([‘...’]) should be used to separate child elements in JSON arrays.
      For example, the root node of a JSON Path is response. The child node denoting the Event UUID field would be Event.uuid. Putting it together, the JSON Path expression to extract the Event UUID is $.response.Event.uuid.

Reader Note

The Unique Event Key field mapping is used to prevent duplicate event ingestions. D3 SOAR will check if the value of a selected JSON path matches any Unique Event Key of previously ingested events. If a match is found, the event will be dismissed. If no match is found, an event will be created. However, if no Unique Event Key is mapped, then the hash value from the event pending ingestion will be used to check for any matches with existing events. If no match is found, the event will be created.

Unlike most other D3 SOAR integrations, the Default Event Source mapping of the MISP integration’s Fetch Event command does not include a Unique Event Key, so that the same target events can be fetched again as they receive updates.

The pre-configured field mappings are detailed below:

Field Name

Source Field

Document ID

.Event.id

Event Type

.Event.distribution

Severity

.Event.threat_level_id

Status

.Event.analysis

Description

.Event.info

Start Time

.Event.date

Updated Time

.Event.timestamp

Published Time

.lastUpdated

Event UUID

.Event.uuid

Event name

.Event.info

Organization Name

.Event.Orgc.name

Owner Organization Name

.Event.Org.name

Published

.Event.published

AttributeCount

.Event.attribute_count

Attribute IDs

.Event.Attribute[*].id

Attribute Types

.Event.Attribute[*].type

Attribute Categories

.Event.Attribute[*].category

Attribute Values

.Event.Attribute[*].value

Attribute UUIDs

.Event.Attribute[*].uuid

Attribute Comments

.Event.Attribute[*].comment

Attribute Timestamp

.Event.Attribute[*].timestamp

Attribute Tags

.Event.Attribute[*].Tag[*].name

Tag

.Event.Tag[*].name

Tag ID

.Event.Tag[*].id

object ID

.Event.Object[*].id

object

.Event.Object[*].name

object category

.Event.Object[*].meta-category

Object Description

.Event.Object[*].description

Object Comment

.Event.Object[*].comment

Cluster ID

.Event.Galaxy[*].id

Cluster UUID

.Event.Galaxy[*].uuid

Cluster Name

.Event.Galaxy[*].name

Cluster Type

.Event.Galaxy[*].type

Cluster Description

.Event.Galaxy[*].description

Related Event ID

.Event.RelatedEvent[*].id

Related Event Name

.Event.RelatedEvent[*].info

Related Event Severity

.Event.RelatedEvent[*].threat_level_id

Related Event Date

.Event.RelatedEvent[*].date

Related Event UUID

.Event.RelatedEvent[*].uuid

Related Event Organization Name

.Event.RelatedEvent[*].Orgc.name
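To make the mapping concrete, the following is an added example (not D3 SOAR's own parser) that applies the Main Event JSON Path and a subset of the table above to a constructed response shaped like the Fetch Event raw data, and models the Reader Note's hash-based duplicate check for an event source with no Unique Event Key. The placeholder IDs, the SAMPLE_RESPONSE data and the with_timestamp helper are constructed for this example.

```python
"""Apply the Fetch Event field mapping to raw MISP response data.

Added example, not D3 SOAR code. It implements only the JSONPath subset the
mapping table uses ($, dotted child names and [*] wildcards) plus a duplicate
check modelled on the Reader Note: with no Unique Event Key mapped, a hash of
the whole event decides whether it is ingested again.
"""
import hashlib
import json

MAIN_EVENT_JSON_PATH = "$.response"

# Subset of the pre-configured field mappings listed above.
FIELD_MAPPING = {
    "Document ID": ".Event.id",
    "Severity": ".Event.threat_level_id",
    "Description": ".Event.info",
    "Updated Time": ".Event.timestamp",
    "Organization Name": ".Event.Orgc.name",
    "Attribute IDs": ".Event.Attribute[*].id",
    "Attribute Values": ".Event.Attribute[*].value",
    "Tag": ".Event.Tag[*].name",
}

# Constructed sample in the shape of the Fetch Event raw data; IDs are placeholders.
SAMPLE_RESPONSE = {
    "response": [
        {
            "Event": {
                "id": "1001",
                "threat_level_id": "2",
                "info": "Analysis of a constructed sample event",
                "timestamp": "1675379874",
                "Orgc": {"name": "CIRCL"},
                "Attribute": [
                    {"id": "5001", "type": "md5", "value": "0" * 32},
                    {"id": "5002", "type": "domain", "value": "phishing.sample.com"},
                ],
                "Tag": [{"id": "1", "name": "tlp:clear"}, {"id": "2", "name": "type:OSINT"}],
            }
        }
    ]
}


def _tokens(path):
    """Split '$.Event.Attribute[*].id' into ['Event', 'Attribute', '*', 'id']."""
    out = []
    for part in path.lstrip("$").strip(".").split("."):
        if not part:
            continue
        name, _, rest = part.partition("[")
        if name:
            out.append(name)
        if rest:
            out.append(rest.rstrip("]"))  # '*' for a wildcard over an array
    return out


def resolve(node, tokens):
    """Return every value reached by tokens; a '*' token fans out over a list."""
    if not tokens:
        return [node]
    head, rest = tokens[0], tokens[1:]
    if head == "*":
        if not isinstance(node, list):
            return []
        return [v for item in node for v in resolve(item, rest)]
    if isinstance(node, dict) and head in node:
        return resolve(node[head], rest)
    return []


def map_event(raw_event, mapping=FIELD_MAPPING):
    """Turn one element of $.response into a dict keyed by D3 field name.

    Wildcard paths yield lists; scalar paths yield the value or None if absent.
    """
    mapped = {}
    for field, source in mapping.items():
        toks = _tokens(source)
        values = resolve(raw_event, toks)
        mapped[field] = values if "*" in toks else (values[0] if values else None)
    return mapped


def event_hash(raw_event):
    """Stand-in for the Unique Event Key: hash of the canonicalised event."""
    canonical = json.dumps(raw_event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def ingest(raw_response, seen_hashes):
    """Return the newly created (mapped) events; identical events are dismissed."""
    batch = resolve(raw_response, _tokens(MAIN_EVENT_JSON_PATH))
    created = []
    for raw_event in (batch[0] if batch else []):
        digest = event_hash(raw_event)
        if digest in seen_hashes:
            continue  # same content already ingested: dismissed
        seen_hashes.add(digest)
        created.append(map_event(raw_event))
    return created


def with_timestamp(raw_response, new_timestamp):
    """Constructed helper: a deep copy of the response with an updated event timestamp."""
    copied = json.loads(json.dumps(raw_response))
    copied["response"][0]["Event"]["timestamp"] = new_timestamp
    return copied
```

Because no Unique Event Key is mapped, the updated copy produced by with_timestamp hashes differently and is ingested as a new event, which is the behaviour the Reader Note describes.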

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Fetch Event failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Event type and category mismatched.

Error Sample Data

Fetch Event failed.

Status Code: 400.

Message: Event type and category mismatched.

List Attribute Types and Categories

Retrieves all attribute types and attribute categories. This command currently supports category and type mappings. The returned data contains three sections: types, categories and category_type_mappings. This command can be used to create attributes when adding or editing events.
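The check below is an added example, not D3 SOAR or MISP code: it validates an Add Event or Edit Event Attributes array against the category_type_mappings this command returns, so that a mismatched type/category pair is reported before the event update silently drops it. The mapping excerpt and the attribute values are constructed sample data.

```python
"""Pre-flight check for the Attributes input of Add Event / Edit Event.

Added example, not D3 SOAR or MISP code. It assumes the Attributes input is
a JSON array (or already-parsed list) of objects with "type", "category" and
"value" keys, and that the allowed pairs come from the category_type_mappings
section returned by List Attribute Types and Categories.
"""
import json

# Constructed excerpt of the category_type_mappings sample data.
CATEGORY_TYPE_MAPPINGS = {
    "Network activity": ["ip-src", "ip-dst", "hostname", "domain", "url", "uri"],
    "Payload delivery": ["md5", "sha1", "sha256", "filename", "url"],
    "Other": ["comment", "text", "other"],
}


def split_attributes(attributes, mappings=CATEGORY_TYPE_MAPPINGS):
    """Return (valid, rejected); rejected holds (attribute, reason) pairs.

    MISP drops attributes whose type is not allowed in the stated category, so
    the event is updated with nothing new attached. Checking the pairs before
    the Edit Event call turns that silent outcome into an explicit error list.
    """
    if isinstance(attributes, str):
        attributes = json.loads(attributes)
    if not isinstance(attributes, list):
        raise ValueError("Attributes must be a JSON array of attribute objects")

    valid, rejected = [], []
    for attr in attributes:
        category = attr.get("category")
        a_type = attr.get("type")
        allowed = mappings.get(category)
        if allowed is None:
            rejected.append((attr, f"unknown category {category!r}"))
        elif a_type not in allowed:
            rejected.append((attr, f"type {a_type!r} is not valid in category {category!r}"))
        elif not attr.get("value"):
            rejected.append((attr, "missing value"))
        else:
            valid.append(attr)
    return valid, rejected


def categories_for_type(a_type, mappings=CATEGORY_TYPE_MAPPINGS):
    """Categories that accept a_type, useful for repairing a rejected pair."""
    return sorted(cat for cat, types in mappings.items() if a_type in types)


if __name__ == "__main__":
    # Constructed Attributes input: one valid pair and one mismatched pair.
    sample = [
        {"type": "domain", "category": "Network activity", "to_ids": False,
         "distribution": "1", "comment": "test domain", "value": "phishing.sample.com"},
        {"type": "md5", "category": "Network activity", "value": "0" * 32},
    ]
    ok, bad = split_attributes(sample)
    print(f"{len(ok)} attribute(s) ready to send")
    for attr, reason in bad:
        print(f"rejected {attr['type']}: {reason}; try {categories_for_type(attr['type'])}")
```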

Input

N/A

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "result": {
        "sane_defaults": {
            "md5": {
                "default_category": "Payload delivery",
                "to_ids": 1
            },
            "sha1": {
                "default_category": "Payload delivery",
                "to_ids": 1
            },
            "sha256": {
                "default_category": "Payload delivery",
                "to_ids": 1
            },
            "filename": {
                "default_category": "Payload delivery",
                "to_ids": 1
            }
        },
        "types": [
            "md5",
            "sha1",
            "sha256",
            "filename"
        ],
        "categories": [
            "Internal reference",
            "Targeting data",
            "Antivirus detection",
            "Payload delivery",
            "Artifacts dropped",
            "Payload installation",
            "Persistence mechanism",
            "Network activity",
            "Payload type",
            "Attribution",
            "External analysis",
            "Financial fraud",
            "Support Tool",
            "Social network",
            "Person",
            "Other"
        ],
        "category_type_mappings": {
            "Network activity": [
                "ip-src",
                "ip-dst",
                "ip-dst|port",
                "ip-src|port",
                "port",
                "hostname",
                "domain",
                "domain|ip",
                "mac-address",
                "mac-eui-64",
                "email-dst",
                "url",
                "uri",
                "user-agent",
                "http-method",
                "AS",
                "snort",
                "pattern-in-file",
                "stix2-pattern",
                "pattern-in-traffic",
                "attachment",
                "comment",
                "text",
                "x509-fingerprint-md5",
                "x509-fingerprint-sha1",
                "x509-fingerprint-sha256",
                "ja3-fingerprint-md5",
                "hassh-md5",
                "hasshserver-md5",
                "other",
                "hex",
                "cookie",
                "hostname|port",
                "bro",
                "zeek",
                "anonymised",
                "community-id",
                "email-subject"
            ]
        }
    }
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "Categories": "\"[\\r\\n\\\"Internal reference\\\",\\r\\n\\\"Targeting data\\\",\\r\\n\\\"Antivirus detection\\\",\\r\\n\\\"Payload delivery\\\",\\r\\n\\\"Artifacts dropped\\\",\\r\\n\\\"Payload installation\\\",\\r\\n\\\"Persistence mechanism\\\",\\r\\n\\\"Network activity\\\",\\r\\n\\\"Payload type\\\",\\r\\n\\\"Attribution\\\",\\r\\n\\\"External analysis\\\",\\r\\n\\\"Financial fraud\\\",\\r\\n\\\"Support Tool\\\",\\r\\n\\\"Social network\\\",\\r\\n\\\"Person\\\",\\r\\n\\\"Other\\\"\\r\\n]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

result

{'sane_defaults': {'md5': {'default_category': 'Payload delivery', 'to_ids': 1}, 'sha1': {'default_category': 'Payload delivery', 'to_ids': 1}, 'sha256': {'default_category': 'Payload delivery', 'to_ids': 1}, 'filename': {'default_category': 'Payload delivery', 'to_ids': 1}}, 'types': ['md5', 'sha1', 'sha256', 'filename'], 'categories': ['Internal reference', 'Targeting data', 'Antivirus detection', 'Payload delivery', 'Artifacts dropped', 'Payload installation', 'Persistence mechanism', 'Network activity', 'Payload type', 'Attribution', 'External analysis', 'Financial fraud', 'Support Tool', 'Social network', 'Person', 'Other'], 'category_type_mappings': {'Network activity': ['ip-src', 'ip-dst', 'ip-dst|port', 'ip-src|port', 'port', 'hostname', 'domain', 'domain|ip', 'mac-address', 'mac-eui-64', 'email-dst', 'url', 'uri', 'user-agent', 'http-method', 'AS', 'snort', 'pattern-in-file', 'stix2-pattern', 'pattern-in-traffic', 'attachment', 'comment', 'text', 'x509-fingerprint-md5', 'x509-fingerprint-sha1', 'x509-fingerprint-sha256', 'ja3-fingerprint-md5', 'hassh-md5', 'hasshserver-md5', 'other', 'hex', 'cookie', 'hostname|port', 'bro', 'zeek', 'anonymised', 'community-id', 'email-subject']}}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Attribute Types and Categories failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.

Status Code: 443.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Name or service not known.

Error Sample Data

List Attribute Types and Categories failed.

Status Code: 443.

Message: Name or service not known.

List Organizations

Retrieves all organizations.

Input

N/A

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "results": [
        {
            "Organisation": {
                "id": "1",
                "name": "ORGNAME",
                "date_created": "2019-10-24 10:52:05",
                "date_modified": "2019-10-24 10:52:05",
                "description": "Automatically generated admin organisation",
                "type": "ADMIN",
                "nationality": "Not specified",
                "sector": null,
                "created_by": "0",
                "uuid": "***-***-***-***-***",
                "contacts": null,
                "local": true,
                "restricted_to_domain": [],
                "landingpage": null,
                "user_count": "5",
                "created_by_email": "Unknown"
            }
        }
    ],
    "D3Errors": []
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "OrganizationNames": "\"[ \\\"ORGNAME\\\" ]\"",
    "OrganizationIDs": "\"[ \\\"1\\\" ]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ORGANISATION

{'id': '1', 'name': 'ORGNAME', 'date_created': '2019-10-24 10:52:05', 'date_modified': '2019-10-24 10:52:05', 'description': 'Automatically generated admin organisation', 'type': 'ADMIN', 'nationality': 'Not specified', 'sector': None, 'created_by': '0', 'uuid': '***-***-***-***-***', 'contacts': None, 'local': True, 'restricted_to_domain': [], 'landingpage': None, 'user_count': '3', 'created_by_email': 'Unknown'}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Organizations failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.

Status Code: 443.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Name or service not known.

Error Sample Data

List Organizations failed.

Status Code: 443.

Message: Name or service not known.

List Tags

Retrieves all tags.

Input

N/A

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "Tag": [
        {
            "id": "*****",
            "name": "\tmalware_classification:malware-category=\"Botnet\"",
            "colour": "#22681c",
            "exportable": true,
            "org_id": "0",
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "count": 4,
            "attribute_count": 0,
            "favourite": false
        },
        {
            "id": "*****",
            "name": " C2",
            "colour": "#c1e21c",
            "exportable": true,
            "org_id": "0",
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "count": 1,
            "attribute_count": 25,
            "favourite": false
        },
        {
            "id": "*****",
            "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Account Discovery - T1087\"",
            "colour": "#0088cc",
            "exportable": true,
            "org_id": "0",
            "user_id": "0",
            "hide_tag": false,
            "numerical_value": null,
            "count": 1,
            "attribute_count": 0,
            "favourite": false
        }
    ],
    "D3Errors": []
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "TagIDs": "\"[ \\\"*****\\\",\\\"*****\\\", \\\"*****\\\" ]\"",
    "TagNames": "\"[ \\\"\\\\tmalware_classification:malware-category=\\\\\\\"Botnet\\\\\\\"\\\", \\\" C2\\\", \\\"misp-galaxy:mitre-enterprise-attack-attack-pattern=\\\\\\\"Account Discovery - T1087\\\\\\\"\\\" ]\"",
    "TaggedEvents": "\"[ 4, 1, 1 ]\"",
    "TaggedAttributes": "\"[ 0, 25, 0 ]\""
}
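Key Fields values are stored as doubly JSON-encoded strings: each value is a JSON string whose content is itself a JSON array, so a playbook that reads $.[playbookTask].outputData has to unwrap two layers before it can iterate. The Python below is an added example, not code from D3 SOAR or MISP. It parses the List Tags Key Fields exactly as the CODE panel displays them (placeholder ids kept), unwraps both layers, pairs ids with names and counts, and normalizes the whitespace that two of the sample tag names carry (a leading tab and a leading space), since a lookup that compares tag names verbatim would miss them.

```python
import json
from typing import Optional

# Constructed sample: the List Tags Key Fields object as the CODE panel shows it.
# Every value is a JSON string that itself contains a JSON-encoded array.
KEY_FIELDS_JSON = r'''{
    "TagIDs": "\"[ \\\"*****\\\",\\\"*****\\\", \\\"*****\\\" ]\"",
    "TagNames": "\"[ \\\"\\\\tmalware_classification:malware-category=\\\\\\\"Botnet\\\\\\\"\\\", \\\" C2\\\", \\\"misp-galaxy:mitre-enterprise-attack-attack-pattern=\\\\\\\"Account Discovery - T1087\\\\\\\"\\\" ]\"",
    "TaggedEvents": "\"[ 4, 1, 1 ]\"",
    "TaggedAttributes": "\"[ 0, 25, 0 ]\""
}'''


def decode_key_fields(raw: str) -> dict:
    """Parse a Key Fields object and unwrap the double JSON encoding of each value.

    Values that are not JSON-encoded (e.g. a plain "Successful") are kept as-is.
    """
    outer = json.loads(raw)
    decoded = {}
    for key, value in outer.items():
        if isinstance(value, str):
            try:
                inner = json.loads(value)          # first layer: string -> JSON text
                if isinstance(inner, str):
                    inner = json.loads(inner)      # second layer: JSON text -> array
                decoded[key] = inner
            except json.JSONDecodeError:
                decoded[key] = value               # plain string, not double-encoded
        else:
            decoded[key] = value
    return decoded


def tag_rows(fields: dict) -> list:
    """Zip the parallel TagIDs/TagNames/TaggedEvents/TaggedAttributes arrays into rows.

    MISP compares tag names verbatim, so a stray tab or space (both occur in the
    sample) breaks an exact-name lookup. Each row keeps the raw name, a
    whitespace-stripped copy and a flag for the discrepancy.
    """
    rows = []
    for tag_id, name, events, attributes in zip(
        fields["TagIDs"], fields["TagNames"],
        fields["TaggedEvents"], fields["TaggedAttributes"],
    ):
        rows.append({
            "id": tag_id,
            "name": name,
            "normalized_name": name.strip(),
            "has_stray_whitespace": name != name.strip(),
            "tagged_events": events,
            "tagged_attributes": attributes,
        })
    return rows


def find_tag(rows: list, wanted: str) -> Optional[dict]:
    """Look a tag up by name, tolerating leading/trailing whitespace on either side."""
    wanted = wanted.strip()
    for row in rows:
        if row["normalized_name"] == wanted:
            return row
    return None


if __name__ == "__main__":
    for row in tag_rows(decode_key_fields(KEY_FIELDS_JSON)):
        flag = " (name has stray whitespace)" if row["has_stray_whitespace"] else ""
        print(f"{row['id']}: {row['normalized_name']!r}{flag}")
```

The same decode_key_fields helper applies to every Key Fields block on this page (OrganizationIDs, EventIDs, AttributeIds and so on), because they all use the same encoding.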
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ID | NAME | COLOUR | EXPORTABLE | ORG_ID | USER_ID | HIDE_TAG | NUMERICAL_VALUE | COUNT | ATTRIBUTE_COUNT | FAVOURITE
*** | malware_classification:malware-category="Botnet" | #22681c | True | 0 | 0 | False | None | 4 | 0 | False
*** | C2 | #c1e21c | True | 0 | 0 | False | None | 1 | 25 | False
*** | misp-galaxy:mitre-enterprise-attack-attack-pattern="Account Discovery - T1087" | #0088cc | True | 0 | 0 | False | None | 1 | 0 | False

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Tags failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.

Status Code: 443.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Name or service not known.

Error Sample Data

List Tags failed.

Status Code: 443.

Message: Name or service not known.

Publish Events

Publishes or unpublishes the specified event(s).

Reader Note

  • The parameter Event IDs is required to run this command.

    • Run the Search Event command to obtain Event IDs. Event IDs can be found in the returned raw data at the path $.response[*].event.id.

  • If the Published parameter is not set, it defaults to False. In this case, the events will be unpublished.

Input

Input Parameter

Required/Optional

Description

Example

Event IDs

Required

The IDs of the events to publish or unpublish. Event ID can be obtained using the Search Event command.

[ "1***" ]

Published

Optional

The option to publish the specified event(s) when set to True. Setting this parameter to False will unpublish the specified event(s). The default option is False.

True

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "results": [
        {
            "Event": {
                "id": "*****",
                "orgc_id": "*****",
                "org_id": "****",
                "date": "2023-02-01",
                "threat_level_id": "*****",
                "info": "Test Event0201c",
                "published": true,
                "uuid": "***-***-***-***-***",
                "attribute_count": "4",
                "analysis": "1",
                "timestamp": "1675294801",
                "distribution": "3",
                "proposal_email_lock": false,
                "locked": false,
                "publish_timestamp": "1675294801",
                "sharing_group_id": "0",
                "disable_correlation": false,
                "extends_uuid": "",
                "event_creator_email": "test@example.test",
                "Org": {
                    "id": "*****",
                    "name": "ORGNAME",
                    "uuid": "***-***-***-***-***",
                    "local": true
                },
                "Orgc": {
                    "id": "*****",
                    "name": "ORGNAME",
                    "uuid": "***-***-***-***-***",
                    "local": true
                },
                "Attribute": [
                    {
                        "id": "*****",
                        "type": "url",
                        "category": "Network activity",
                        "to_ids": false,
                        "uuid": "***-***-***-***-***",
                        "event_id": "120",
                        "distribution": "1",
                        "timestamp": "1668105084",
                        "comment": "test url",
                        "sharing_group_id": "0",
                        "deleted": false,
                        "disable_correlation": false,
                        "object_id": "0",
                        "object_relation": null,
                        "value": "https://tdcanadatrust-scr.com/index.html",
                        "Galaxy": [],
                        "ShadowAttribute": []
                    }
                ],
                "ShadowAttribute": [],
                "RelatedEvent": [
                    {
                        "Event": {
                            "id": "*****",
                            "date": "2023-02-01",
                            "threat_level_id": "*****",
                            "info": "Test Event0201c",
                            "published": true,
                            "uuid": "***-***-***-***-***",
                            "analysis": "1",
                            "timestamp": "1675293107",
                            "distribution": "3",
                            "org_id": "1",
                            "orgc_id": "1",
                            "Org": {
                                "id": "1",
                                "name": "ORGNAME",
                                "uuid": "***-***-***-***-***"
                            },
                            "Orgc": {
                                "id": "1",
                                "name": "ORGNAME",
                                "uuid": "***-***-***-***-***"
                            }
                        }
                    },
                    {
                        "Event": {
                            "id": "*****",
                            "date": "2023-02-01",
                            "threat_level_id": "1",
                            "info": "Test Event0201a",
                            "published": true,
                            "uuid": "***-***-***-***-***",
                            "analysis": "1",
                            "timestamp": "1668102496",
                            "distribution": "3",
                            "org_id": "1",
                            "orgc_id": "1",
                            "Org": {
                                "id": "1",
                                "name": "ORGNAME",
                                "uuid": "***-***-***-***-***"
                            },
                            "Orgc": {
                                "id": "1",
                                "name": "ORGNAME",
                                "uuid": "***-***-***-***-***"
                            }
                        }
                    }
                ],
                "Galaxy": [],
                "Object": []
            }
        }
    ],
    "D3Errors": []
}
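Two properties of this command deserve an explicit check in a playbook: an unset Published parameter unpublishes rather than publishes, and publishing releases the event according to its distribution level. The Python below is an added example, not D3 SOAR or MISP code. publish_request resolves the default so the choice is visible in the playbook, and verify_publish_result compares each returned event's published flag with the requested state and labels its distribution using MISP's standard level values (0 to 4, which come from MISP's documentation, not from this page). The sample response is a trimmed, constructed version of the raw data above with a placeholder id.

```python
from typing import Optional

# MISP distribution levels (standard MISP values; the page does not list them).
DISTRIBUTION = {
    "0": "Your organisation only",
    "1": "This community only",
    "2": "Connected communities",
    "3": "All communities",
    "4": "Sharing group",
}

# Constructed sample trimmed from the Publish Events raw data above
# (the id is a placeholder; the page masks real ids).
PUBLISH_RAW = {
    "results": [
        {"Event": {"id": "120", "info": "Test Event0201c", "published": True,
                   "distribution": "3", "publish_timestamp": "1675294801",
                   "attribute_count": "4"}},
    ],
    "D3Errors": [],
}


def publish_request(event_ids, published: Optional[bool] = None) -> dict:
    """Normalize the command input.

    An unset Published parameter defaults to False, which UNPUBLISHES the
    events; resolving the default here keeps that decision in the playbook
    instead of implicit in the integration.
    """
    if published is None:
        published = False
    return {"EventIDs": [str(e) for e in event_ids], "Published": published}


def verify_publish_result(raw: dict, expected_published: bool) -> dict:
    """Compare each returned event with the requested state and describe how
    widely a published event is shared."""
    mismatched, events = [], []
    for item in raw.get("results", []):
        ev = item.get("Event", {})
        eid = str(ev.get("id"))
        state = bool(ev.get("published"))
        dist = str(ev.get("distribution"))
        if state != expected_published:
            mismatched.append(eid)
        events.append({
            "id": eid,
            "published": state,
            "distribution": DISTRIBUTION.get(dist, "unknown"),
            "wide_share": dist in ("2", "3"),   # leaves the local community
            "attribute_count": int(ev.get("attribute_count", 0)),
        })
    return {
        "ok": not mismatched and not raw.get("D3Errors"),
        "mismatched": mismatched,
        "events": events,
    }


if __name__ == "__main__":
    print(publish_request(["120"]))   # Published omitted -> False (unpublish)
    print(verify_publish_result(PUBLISH_RAW, expected_published=True))
```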
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "EventIDs": "\"[ *****]\"",
    "Published": "\"[ true ]\""
}
Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

EVENT

{'id': '*****', 'orgc_id': '1', 'org_id': '1', 'date': '2023-02-01', 'threat_level_id': '*****', 'info': 'Test Event0201c', 'published': True, 'uuid': '***-***-***-***-***', 'attribute_count': '4', 'analysis': '1', 'timestamp': '1675294801', 'distribution': '3', 'proposal_email_lock': False, 'locked': False, 'publish_timestamp': '1675294801', 'sharing_group_id': '0', 'disable_correlation': False, 'extends_uuid': '', 'event_creator_email': 'ttest@example.test', 'Org': {'id': '1', 'name': 'ORGNAME', 'uuid': '***-***-***-***-***', 'local': True}, 'Orgc': {'id': '1', 'name': 'ORGNAME', 'uuid': '***-***-***-***-***', 'local': True}, 'Attribute': [{'id': '*****', 'type': 'url', 'category': 'Network activity', 'to_ids': False, 'uuid': '***-***-***-***-***', 'event_id': '*****', 'distribution': '1', 'timestamp': '1668105084', 'comment': 'test url', 'sharing_group_id': '0', 'deleted': False, 'disable_correlation': False, 'object_id': '0', 'object_relation': None, 'value': 'https://tdcanadatrust-scr.com/index.html', 'Galaxy': [], 'ShadowAttribute': []}, {'id': '*****', 'type': 'domain', 'category': 'Network activity', 'to_ids': False, 'uuid': '***-***-***-***-***', 'event_id': '*****', 'distribution': '1', 'timestamp': '1675293201', 'comment': 'test domain', 'sharing_group_id': '0', 'deleted': False, 'disable_correlation': False, 'object_id': '0', 'object_relation': None, 'value': 'tdcanadatrust-scr1.com', 'Galaxy': [], 'ShadowAttribute': []}, {'id': '*****', 'type': 'domain', 'category': 'Network activity', 'to_ids': False, 'uuid': '***-***-***-***-***', 'event_id': '*****', 'distribution': '1', 'timestamp': '1675293228', 'comment': 'test domain', 'sharing_group_id': '0', 'deleted': False, 'disable_correlation': False, 'object_id': '0', 'object_relation': None, 'value': 'tdcanadatrust-scr2.com', 'Galaxy': [], 'ShadowAttribute': []}, {'id': '*****', 'type': 'domain', 'category': 'Network activity', 'to_ids': False, 'uuid': '***-***-***-***-***', 'event_id': '120', 'distribution': '1', 'timestamp': '1675293572', 'comment': 'test domain', 'sharing_group_id': '0', 'deleted': False, 'disable_correlation': False, 'object_id': '0', 'object_relation': None, 'value': 'phishing.sample.com', 'Galaxy': [], 'ShadowAttribute': []}], 'ShadowAttribute': [], 'RelatedEvent': [{'Event': {'id': '*****', 'date': '2023-02-01', 'threat_level_id': '2', 'info': 'Test Event0201c', 'published': True, 'uuid': '***-***-***-***-***', 'analysis': '1', 'timestamp': '1675293107', 'distribution': '3', 'org_id': '1', 'orgc_id': '1', 'Org': {'id': '1', 'name': 'ORGNAME', 'uuid': '***-***-***-***-***'}, 'Orgc': {'id': '1', 'name': 'ORGNAME', 'uuid': '***-***-***-***-***'}}}, {'Event': {'id': '*****', 'date': '2023-02-01', 'threat_level_id': '1', 'info': 'Test Event0201a', 'published': True, 'uuid': '***-***-***-***-***', 'analysis': '1', 'timestamp': '1668102496', 'distribution': '3', 'org_id': '1', 'orgc_id': '1', 'Org': {'id': '1', 'name': 'ORGNAME', 'uuid': '***-***-***-***-***'}, 'Orgc': {'id': '1', 'name': 'ORGNAME', 'uuid': '***-***-***-***-***'}}}], 'Galaxy': [], 'Object': []}

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Publish Events failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Event ID Not Found.

Error Sample Data

Publish Events failed.

Status Code: 404.

Message: Event ID Not Found.

Remove Tags From Attributes

Removes tags from the specified attributes. All tags in the tag list will be removed from all attributes in the attribute list.

Reader Note

  • Attribute IDs and Tag IDs are required parameters to run this command.

    • Run the Search Attributes command to obtain Attribute IDs. Attribute IDs can be found in the returned raw data at the path $.response.Attribute[*].id.

    • Run the Search Attributes command to obtain Tag IDs. Tag IDs can be found in the returned raw data at the path $.response.Attribute[*].Event.Tag[*].

    • The tags should already be associated with the attributes in question. When using the Search Attributes command, the tag is listed under the attribute object in the returned raw data. If the attribute does not contain the tag, an error will be returned.

Input

Input Parameter

Required/Optional

Description

Example

Attribute IDs

Required

The ID(s) of the attribute(s) from which the tag(s) will be removed. Attribute ID can be obtained using the Search Attributes command.

[ "88" ]

Tag IDs

Required

The ID(s) of the tag(s) to be removed from the attribute(s). Tag IDs that are already tagged on the attribute can be obtained using the Search Attributes command.

[ "598" ]

Output

Raw Data

The primary response data from the API request.

D3 customizes the returned raw data by adding "attributeID" and "tagID" fields.

SAMPLE DATA

JSON
{
    "results": [
        {
            "attributeID": "*****",
            "Tag": [
                {
                    "tagID": "*****",
                    "saved": true,
                    "success": "Tag removed.",
                    "check_publish": true
                }
            ]
        }
    ],
    "D3Errors": []
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ATTRIBUTEID | TAG
*** | [{'tagID': '*****', 'saved': True, 'success': 'Tag removed.', 'check_publish': True}]

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Remove Tags From Attributes failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Invalid attribute - tag combination.

Error Sample Data

Remove Tags From Attributes failed.

Status Code: 400.

Message: Invalid attribute - tag combination.

Remove Tags From Events

Removes Tags from the specified events. All tags in the tag list will be removed from all events in the event list.

Reader Note

  • Event IDs and Tag IDs are required parameters to run this command.

    • Run the Search Events command to obtain Event IDs. Event IDs can be found in the returned raw data at the path $.response[*].event.id.

    • Run the Search Events command to obtain Tag IDs. Tag IDs can be found in the returned raw data at the path $.response[*].event.Tag[*].

    • The tags should already be associated with the events in question. When using the Search Attributes command, the tag is listed under the event object in the returned raw data. If the event does not contain the tag, an error will be returned.

Input

Input Parameter

Required/Optional

Description

Example

Event IDs

Required

The ID(s) of the event(s) from which the tag(s) will be removed. Event IDs can be obtained using the Search Events command.

[ "*****" ]

Tag IDs

Required

The ID(s) of the tag(s) to be removed from the event(s). Tag IDs that are already tagged on the events can be obtained using the Search Events command.

[ "*****" ]

Output

Raw Data

The primary response data from the API request.

D3 customizes the returned raw data by adding "eventID" and "tagID" fields.

SAMPLE DATA

JSON
{
    "results": [
        {
            "eventID": "*****",
            "Tag": [
                {
                    "tagID": "*****",
                    "saved": true,
                    "success": "Tag removed.",
                    "check_publish": true
                }
            ]
        }
    ],
    "D3Errors": []
}
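Both Remove Tags commands fail when a requested tag is not attached to the object (the 'Invalid attribute - tag combination' and 'Invalid Tag' errors documented for them), and both return the same D3-customized shape, differing only in whether each result carries an attributeID or an eventID. The Python below is an added example, not D3 SOAR or MISP code, and serves the Remove Tags From Attributes and Remove Tags From Events sections together: plan_tag_removal uses Search Events or Search Attributes raw data to separate attached from unattached (object, tag) pairs before the call, and summarize_removals parses the response. All samples are constructed with placeholder ids. Reading attribute-level tags at $.response.Attribute[*].Tag[*] and reading check_publish as "the parent event is published and needs re-publishing" are assumptions about MISP's response, not statements from this page.

```python
# Constructed samples with placeholder ids. SEARCH_EVENTS_RAW follows the Search
# Events shape referenced in the Reader Note ($.response[*].Event.Tag[*]);
# SEARCH_ATTRIBUTES_RAW follows the Search Attributes shape; REMOVE_TAGS_RAW
# mirrors the Remove Tags From Events raw data above (Remove Tags From
# Attributes is identical except that the per-item key is "attributeID").
SEARCH_EVENTS_RAW = {
    "response": [
        {"Event": {"id": "101", "Tag": [{"id": "598", "name": "tlp:amber"},
                                        {"id": "7", "name": " C2"}]}},
        {"Event": {"id": "102", "Tag": [{"id": "7", "name": " C2"}]}},
    ]
}
SEARCH_ATTRIBUTES_RAW = {
    "response": {"Attribute": [
        {"id": "88", "event_id": "5",
         "Tag": [{"id": "598", "name": "tlp:amber"}],   # attribute-level tag (assumed path)
         "Event": {"id": "5", "Tag": [{"id": "9", "name": "opencti:import"}]}},
    ]}
}
REMOVE_TAGS_RAW = {
    "results": [
        {"eventID": "101", "Tag": [
            {"tagID": "598", "saved": True, "success": "Tag removed.", "check_publish": True},
            {"tagID": "7", "saved": True, "success": "Tag removed.", "check_publish": True},
        ]},
    ],
    "D3Errors": [],
}


def attached_tag_ids(search_raw, scope, object_id):
    """Return the set of tag ids currently attached to one event or attribute."""
    found = set()
    if scope == "events":
        for item in search_raw.get("response", []):
            event = item.get("Event") or item.get("event") or {}
            if str(event.get("id")) == str(object_id):
                found.update(str(t["id"]) for t in event.get("Tag", []))
    elif scope == "attributes":
        for attr in search_raw.get("response", {}).get("Attribute", []):
            if str(attr.get("id")) != str(object_id):
                continue
            found.update(str(t["id"]) for t in attr.get("Tag", []))                  # assumed path
            found.update(str(t["id"]) for t in attr.get("Event", {}).get("Tag", []))  # path given on the page
    else:
        raise ValueError("scope must be 'events' or 'attributes'")
    return found


def plan_tag_removal(search_raw, scope, object_ids, tag_ids):
    """Split the requested (object, tag) pairs into attached and not attached.

    Pairs in 'not_attached' are the ones the command would reject
    ('Invalid attribute - tag combination' / 'Invalid Tag').
    """
    removable, not_attached = [], []
    for oid in object_ids:
        attached = attached_tag_ids(search_raw, scope, oid)
        for tid in tag_ids:
            pair = (str(oid), str(tid))
            (removable if pair[1] in attached else not_attached).append(pair)
    return {"removable": removable, "not_attached": not_attached}


def summarize_removals(raw, id_key):
    """Parse Remove Tags raw data; id_key is 'eventID' or 'attributeID'.

    'needs_republish' lists objects whose items carry check_publish=True, read
    here as 'parent event is published, so the change only reaches sharing
    partners after a re-publish' (an assumption about the flag's meaning).
    """
    removed, not_saved, republish = [], [], set()
    for item in raw.get("results", []):
        oid = str(item.get(id_key))
        for tag in item.get("Tag", []):
            pair = (oid, str(tag.get("tagID")))
            if tag.get("saved"):
                removed.append(pair)
                if tag.get("check_publish"):
                    republish.add(oid)
            else:
                not_saved.append(pair)
    return {"removed": removed, "not_saved": not_saved,
            "needs_republish": sorted(republish),
            "d3_errors": list(raw.get("D3Errors", []))}


if __name__ == "__main__":
    print(plan_tag_removal(SEARCH_EVENTS_RAW, "events", ["101", "102"], ["598", "7"]))
    print(summarize_removals(REMOVE_TAGS_RAW, "eventID"))
```

Running the plan first and passing only the 'removable' pairs to the command avoids a whole-command failure caused by a single stale tag reference.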
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

EVENTID | TAG
*** | [{'tagID': '*****', 'saved': True, 'success': 'Tag removed.', 'check_publish': True}]

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Remove Tags From Events failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.

Status Code: 431.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Invalid Tag.

Error Sample Data

Remove Tags From Events failed.

Status Code: 431.

Message: Invalid Tag.

Search Attributes

Searches attributes based on the given conditions.

Reader Note

  • Please note that if no search criteria have been filled in, all attributes will be searched. This could return too large a dataset, resulting in a command timeout.

  • If the input search criteria do not match any attribute, this command will run successfully with no result.

  • If you input both the Type and Category parameters, the values must match. Please see the List Attribute Types and Categories command to obtain the matching pair. Check the path $.category_type_mappings in the returned raw data.

  • Event ID and Tags are optional parameters to run this command.

    • Run the List Tags or Search Tags commands to obtain tags. Tags can be found in the returned raw data at the path $.tag[*].id for both commands.

    • Run the Search Events command to obtain Event ID. Event IDs can be found in the returned raw data at the path $.response[*].event.id.

Input

Input Parameter

Required/Optional

Description

Example

Value

Optional

The attribute value to search.

xmr.pool.minergate.com

Type

Optional

The attribute type to search. Note: If both Type and Category are defined, the input values must match. You can run the List Attribute Types and Categories command to obtain the matching pair.

domain

Category

Optional

The attribute category to search. Note: If both Type and Category are defined, the input values must match. You can run the List Attribute Types and Categories command to obtain the matching pair.

Network activity

To IDS

Optional

The option to only return attributes with the "to_ids" flag. The default option is False.

False

Event IDs

Optional

Filters the returned attributes with event ID(s). Event ID can be obtained using the Search Events command.

[ "*****", "*****" ]

Tags

Optional

Filters the returned attributes with tag IDs. Tag IDs can be obtained using the List Tags or Search Tags command.

[ "*****" ]

Other Search Conditions

Optional

The option to define other search conditions if the above parameters cannot cover your request. Please refer to MISP OpenAPI spec for more information.

{
  "from": "2021-07-29",
  "to": "2021-07-30"
}
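The Reader Note gives three constraints that are cheap to enforce before the command runs: an empty search scans every attribute and may time out, Type and Category must be a pair listed under $.category_type_mappings, and Other Search Conditions can duplicate a named parameter. The Python below is an added example, not D3 SOAR or MISP code. The mapping and sane_defaults tables are a constructed subset of the List Attribute Types and Categories sample; the output keys (value, type, category, to_ids, eventid, tags) follow MISP's restSearch parameter names and are an assumption about how the command is wired, not something this page documents.

```python
# Constructed subset of the category_type_mappings and sane_defaults returned by
# the List Attribute Types and Categories command; the real response is larger.
CATEGORY_TYPE_MAPPINGS = {
    "Network activity": [
        "ip-src", "ip-dst", "hostname", "domain", "domain|ip", "url", "uri",
        "user-agent", "ja3-fingerprint-md5", "community-id", "text", "other",
    ],
    "Payload delivery": ["md5", "sha1", "sha256", "filename", "url"],  # assumed subset
}
SANE_DEFAULTS = {  # type -> default_category, as under $.sane_defaults
    "md5": "Payload delivery",
    "sha1": "Payload delivery",
    "sha256": "Payload delivery",
    "filename": "Payload delivery",
}


class SearchFilterError(ValueError):
    """Raised when a Search Attributes request would be rejected or unbounded."""


def build_attribute_search(value=None, attr_type=None, category=None, to_ids=False,
                           event_ids=None, tags=None, other=None):
    """Assemble and validate the criteria for one Search Attributes call.

    Rules enforced: Type and Category must be a pair from category_type_mappings;
    with only a Type, the sane default category is filled in; at least one real
    criterion must remain, otherwise every attribute on the instance is scanned;
    Other Search Conditions may add keys but not override a named parameter.
    Key names follow MISP restSearch parameters (an assumed wire format).
    """
    if attr_type is not None and category is not None:
        allowed = CATEGORY_TYPE_MAPPINGS.get(category)
        if allowed is None:
            raise SearchFilterError(f"unknown category {category!r}")
        if attr_type not in allowed:
            raise SearchFilterError(
                f"type {attr_type!r} is not valid in category {category!r}; "
                "check $.category_type_mappings from List Attribute Types and Categories")
    elif attr_type is not None:
        category = SANE_DEFAULTS.get(attr_type)  # stays None for types without a default

    criteria = {}
    if value is not None:
        criteria["value"] = value
    if attr_type is not None:
        criteria["type"] = attr_type
    if category is not None:
        criteria["category"] = category
    if event_ids:
        criteria["eventid"] = [str(e) for e in event_ids]
    if tags:
        criteria["tags"] = [str(t) for t in tags]
    for key, val in (other or {}).items():
        if key in criteria:
            raise SearchFilterError(f"Other Search Conditions would override {key!r}")
        criteria[key] = val
    if not criteria:
        raise SearchFilterError("refusing an unbounded search: no criteria supplied")
    if to_ids:
        criteria["to_ids"] = 1  # only attributes flagged for IDS export
    return criteria


if __name__ == "__main__":
    print(build_attribute_search(value="xmr.pool.minergate.com",
                                 attr_type="domain", category="Network activity"))
```

A To IDS flag on its own is deliberately not counted as a criterion: it narrows the result set but still forces a scan of every attribute.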

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "response": {
        "Attribute": [
            {
                "id": "*****",
                "event_id": "*****",
                "object_id": "0",
                "object_relation": null,
                "category": "Network activity",
                "type": "domain",
                "to_ids": false,
                "uuid": "***-***-***-***-***",
                "timestamp": "1600473871",
                "distribution": "5",
                "sharing_group_id": "0",
                "comment": "",
                "deleted": false,
                "disable_correlation": false,
                "value": "xmr.pool.minergate.com",
                "Sighting": [],
                "RelatedAttribute": [
                    {
                        "id": "*****",
                        "event_id": "*****",
                        "object_id": "0",
                        "object_relation": null,
                        "category": "Network activity",
                        "type": "domain",
                        "uuid": "***-***-***-***-***",
                        "timestamp": "1628081725",
                        "distribution": "0",
                        "sharing_group_id": "0",
                        "to_ids": false,
                        "comment": "",
                        "value": "xmr.pool.minergate.com",
                        "Event": {
                            "id": "*****",
                            "uuid": "***-***-***-***-***",
                            "threat_level_id": "1",
                            "analysis": "0",
                            "info": "Hong",
                            "extends_uuid": "",
                            "distribution": "0",
                            "sharing_group_id": "0",
                            "published": false,
                            "date": "2021-08-03",
                            "orgc_id": "1",
                            "org_id": "1"
                        }
                    },
                    {
                        "id": "*****",
                        "event_id": "78",
                        "object_id": "0",
                        "object_relation": null,
                        "category": "Network activity",
                        "type": "domain",
                        "uuid": "***-***-***-***-***",
                        "timestamp": "1628078356",
                        "distribution": "0",
                        "sharing_group_id": "0",
                        "to_ids": false,
                        "comment": "",
                        "value": "xmr.pool.minergate.com",
                        "Event": {
                            "id": "*****",
                            "uuid": "***-***-***-***-***",
                            "threat_level_id": "1",
                            "analysis": "0",
                            "info": "Hong",
                            "extends_uuid": "",
                            "distribution": "0",
                            "sharing_group_id": "0",
                            "published": false,
                            "date": "2021-08-03",
                            "orgc_id": "1",
                            "org_id": "1"
                        }
                    }
                ],
                "Event": {
                    "org_id": "*****",
                    "distribution": "1",
                    "id": "*****",
                    "orgc_id": "*****",
                    "date": "2020-09-19",
                    "threat_level_id": "*****",
                    "info": "test",
                    "published": false,
                    "uuid": "***-***-***-***-***",
                    "analysis": "0",
                    "timestamp": "1678828367",
                    "publish_timestamp": "1605382649",
                    "sharing_group_id": "0",
                    "extends_uuid": "",
                    "Orgc": {
                        "id": "*****",
                        "uuid": "***-***-***-***-***",
                        "name": "ORGNAME"
                    },
                    "Tag": [
                        {
                            "id": "*****",
                            "name": "opencti:import",
                            "colour": "#69dcf5",
                            "numerical_value": null
                        }
                    ]
                }
            }
        ]
    },
    "D3Errors": []
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "AttributeIds": "\"[ \\\"*****\\\" ]\"",
    "EventIds": "\"[ \\\"*****\\\" ]\"",
    "ObjectIds": "\"[ \\\"0\\\" ]\"",
    "Categories": "\"[ \\\"Network activity\\\" ]\"",
    "Types": "\"[ \\\"Network activity\\\" ]\"",
    "ToIDS": "\"[ false ]\"",
    "AttributeUUIDs": "\"[ \\\"***-***-***-***-***\\\" ]\"",
    "AttributeTimestamps": "\"[ \\\"1600473871\\\" ]\"",
    "Comments": "\"[ \\\"test comment\\\" ]\"",
    "Values": "\"[ \\\"xmr.pool.minergate.com\\\" ]\"",
    "EventThreatLevelIds": "\"[ \\\"4\\\" ]\"",
    "EventUUIDs": "\"[ \\\"***-***-***-***-***\\\" ]\"",
    "EventAnalyses": "\"[ \\\"0\\\" ]\"",
    "EventTimestamps": "\"[ \\\"1627571491\\\" ]\"",
    "EventThreatLevels": "\"[ \\\"Undefined\\\" ]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message, which can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Search Attributes failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: One or more errors occurred.

Error Sample Data

Search Attributes failed.

Status Code: 400.

Message: One or more errors occurred.

Search Events

Searches events with specified search conditions in MISP.

Reader Note

  • Please note that if no search criteria have been filled in, all events will be searched. This could return an excessively large dataset, resulting in a command timeout.

  • If nothing matches the input search criteria, this command will run successfully with no result.

  • If you input both the Type and Category parameters, the values must match. See the List Attribute Types and Categories command to obtain the matching pair; check the path $.category_type_mappings in its returned raw data.

    • Inputting mismatched data for these parameters will result in the error message "Event type and category mismatched. Please check D3Error object in RawData for more details.". The command will still return the raw data and key fields of the events containing both the selected type and category in their attributes.

  • Event ID and Tags are optional parameters to run this command.

    • Run the List Tags or Search Tags commands to obtain tags. Tags can be found in the returned raw data at the path $.tag[*].id for both commands.

    • Run the Search Events command to obtain Event ID. Event IDs can be found in the returned raw data at the path $.response[*].event.id.

Input

Input Parameter

Required/Optional

Description

Example

Attribute Value

Optional

The attribute value to search for, such as an IP address, URL, domain, or file hash.

xmr.pool.minergate.com

Type

Optional

The attribute type to search. Note: If both Type and Category are defined, the input values must match. You can run the List Attribute Types and Categories command to obtain the matching pair.

domain

Category

Optional

The attribute category to search. Note: If both Type and Category are defined, the input values must match. You can run the List Attribute Types and Categories command to obtain the matching pair.

Network activity

Event ID

Optional

The ID of the event. Event ID can be obtained using the Search Events command.

74

Tags

Optional

The ID(s) of the tag(s) on the events or on the event attributes. Tags can be obtained using the List Tags or Search Tags command.

[ "598" ]

Search All

Optional

Retrieves events by matching any tag names, event descriptions, attribute values or attribute comments. Please note, this parameter overrides other parameters.

Cobalt Strike

Other Search Conditions

Optional

Other search conditions to apply if the parameters above do not cover your request. Refer to the MISP OpenAPI spec for the available conditions.

{
    "from": "2023-02-01",
    "to": "2023-02-02"
}
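The following is an added example, not D3 SOAR or MISP project code. It assembles the request body for MISP's POST /events/restSearch endpoint from the Search Events inputs listed above and applies the Reader Note rules before anything is sent: Search All overrides every other parameter, a Type/Category pair is validated against $.category_type_mappings, and a limit is always sent so an empty criteria set cannot pull every event and time the command out. The function names (build_event_search, search_events), the SearchCriteriaError class and the CATEGORY_TYPE_MAPPINGS excerpt are this example's own constructions; the body keys (returnFormat, limit, value, type, category, eventid, tags, searchall, from, to) are MISP's restSearch parameters. Unlike the command described above, which still returns partial results on a mismatch, this example refuses the request outright.

```python
import json
import urllib.request
from typing import Any, Dict, List, Optional

# Constructed excerpt of $.category_type_mappings as returned by
# List Attribute Types and Categories; a real deployment loads the
# full mapping from that command rather than hard-coding it.
CATEGORY_TYPE_MAPPINGS: Dict[str, List[str]] = {
    "Network activity": ["ip-src", "ip-dst", "domain", "hostname", "url"],
    "Payload delivery": ["md5", "sha1", "sha256", "filename", "url"],
}


class SearchCriteriaError(ValueError):
    """Type and Category were both given but are not a documented pair."""


def build_event_search(
    attribute_value: Optional[str] = None,
    attr_type: Optional[str] = None,
    category: Optional[str] = None,
    event_id: Optional[str] = None,
    tags: Optional[List[str]] = None,
    search_all: Optional[str] = None,
    other_conditions: Optional[Dict[str, Any]] = None,
    limit: int = 100,
    mappings: Dict[str, List[str]] = CATEGORY_TYPE_MAPPINGS,
) -> Dict[str, Any]:
    """Return the JSON body for /events/restSearch (hypothetical helper)."""
    # A limit is always sent: with no criteria MISP would return every event.
    body: Dict[str, Any] = {"returnFormat": "json", "limit": limit}
    if search_all:
        # Search All overrides all other parameters, so nothing else is added.
        body["searchall"] = search_all
        return body
    if attr_type and category and attr_type not in mappings.get(category, []):
        raise SearchCriteriaError(
            f"Event type and category mismatched: {attr_type!r} is not a "
            f"{category!r} type"
        )
    if attribute_value:
        body["value"] = attribute_value
    if attr_type:
        body["type"] = attr_type
    if category:
        body["category"] = category
    if event_id:
        body["eventid"] = event_id
    if tags:
        body["tags"] = list(tags)
    if other_conditions:
        # e.g. {"from": "2023-02-01", "to": "2023-02-02"}; explicit
        # parameters win over anything repeated in the free-form block.
        for key, value in other_conditions.items():
            body.setdefault(key, value)
    return body


def search_events(server_url: str, api_key: str, body: Dict[str, Any],
                  timeout: int = 60) -> Dict[str, Any]:
    """POST the body to MISP (network call; not exercised offline).
    TLS verification is left at the default: the API key travels in a header."""
    req = urllib.request.Request(
        server_url.rstrip("/") + "/events/restSearch",
        data=json.dumps(body).encode(),
        headers={
            "Authorization": api_key,
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Mirrors the example column of the input table above.
    print(json.dumps(build_event_search(
        attribute_value="xmr.pool.minergate.com", attr_type="domain",
        category="Network activity", event_id="74", tags=["598"],
        other_conditions={"from": "2023-02-01", "to": "2023-02-02"},
    ), indent=2))
```

The same body can be inspected before it leaves the playbook, which is the easiest way to confirm that a free-form Other Search Conditions block did not silently override a typed parameter.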

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "response": [
        {
            "Event": {
                "id": "*****",
                "orgc_id": "*****",
                "org_id": "*****",
                "date": "2023-02-01",
                "threat_level_id": "*****",
                "info": "Test Event0201a",
                "published": true,
                "uuid": "***-***-***-***-***",
                "attribute_count": "1",
                "analysis": "1",
                "timestamp": "1668102496",
                "distribution": "3",
                "proposal_email_lock": false,
                "locked": false,
                "publish_timestamp": "1668102496",
                "sharing_group_id": "0",
                "disable_correlation": false,
                "extends_uuid": "",
                "event_creator_email": "test@example.test",
                "Org": {
                    "id": "1",
                    "name": "ORGNAME",
                    "uuid": "***-***-***-***-***",
                    "local": true
                },
                "Orgc": {
                    "id": "1",
                    "name": "ORGNAME",
                    "uuid": "***-***-***-***-***",
                    "local": true
                },
                "Attribute": [
                    {
                        "id": "*****",
                        "type": "domain",
                        "category": "Network activity",
                        "to_ids": false,
                        "uuid": "***-***-***-***-***",
                        "event_id": "*****",
                        "distribution": "1",
                        "timestamp": "1668102496",
                        "comment": "test domain",
                        "sharing_group_id": "0",
                        "deleted": false,
                        "disable_correlation": false,
                        "object_id": "0",
                        "object_relation": null,
                        "value": "phishing.sample.com",
                        "Galaxy": [],
                        "ShadowAttribute": []
                    }
                ],
                "ShadowAttribute": [],
                "RelatedEvent": [
                    {
                        "Event": {
                            "id": "*****",
                            "date": "2023-02-01",
                            "threat_level_id": "*****",
                            "info": "Test Event0201c",
                            "published": true,
                            "uuid": "***-***-***-***-***",
                            "analysis": "1",
                            "timestamp": "1675294801",
                            "distribution": "3",
                            "org_id": "1",
                            "orgc_id": "1",
                            "Org": {
                                "id": "*****",
                                "name": "ORGNAME",
                                "uuid": "***-***-***-***-***"
                            },
                            "Orgc": {
                                "id": "*****",
                                "name": "ORGNAME",
                                "uuid": "***-***-***-***-***"
                            }
                        }
                    }
                ],
                "Galaxy": [],
                "Object": []
            }
        }
    ],
    "D3Errors": []
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "EventIDs": "\"[ \\\"*****\\\" ]\"",
    "ThreatLevelIDs": "\"[ \\\"1\\\" ]\"",
    "AttributesCounts": "\"[ \\\"1\\\" ]\"",
    "PublishTime": "\"[ \\\"2022-11-10T17:48:16Z\\\" ]\"",
    "EventUUIDs": "\"[ \\\"***-***-***-***-***\\\" ]\"",
    "EventInfo": "\"[ \\\"Test Event0201a\\\" ]\"",
    "Published": "\"[ true ]\""
}
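The following is an added example, not D3 SOAR code, showing how the Search Events Key Fields listed above can be derived from Raw Data of the shape shown, including the publish_timestamp to PublishTime conversion (the epoch value 1668102496 from the sample maps to 2022-11-10T17:48:16Z only when converted in UTC, which is what the trailing "Z" asserts). The function names, the KEY_FIELDS tuple and the SAMPLE_RAW response (placeholder ids and uuids) are this example's own constructions.

```python
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

# Constructed response in the shape of the Raw Data sample above;
# ids and uuids are placeholders, the timestamp is the sample's own.
SAMPLE_RAW: Dict[str, Any] = {
    "response": [
        {
            "Event": {
                "id": "EVENT-ID-PLACEHOLDER",
                "threat_level_id": "1",
                "info": "Test Event0201a",
                "published": True,
                "uuid": "EVENT-UUID-PLACEHOLDER",
                "attribute_count": "1",
                "publish_timestamp": "1668102496",
            }
        }
    ],
    "D3Errors": [],
}

KEY_FIELDS = ("EventIDs", "ThreatLevelIDs", "AttributesCounts", "PublishTime",
              "EventUUIDs", "EventInfo", "Published")


def epoch_to_iso_utc(ts: str) -> Optional[str]:
    """MISP stores times as epoch-second strings; 0 means never published."""
    seconds = int(ts)
    if seconds <= 0:
        return None
    # tz=timezone.utc avoids the classic bug of rendering local time with a "Z".
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def extract_key_fields(raw: Dict[str, Any]) -> Dict[str, List[Any]]:
    """One list per key field, one entry per event, in response order."""
    fields: Dict[str, List[Any]] = {name: [] for name in KEY_FIELDS}
    for item in raw.get("response", []):
        ev = item.get("Event", {})
        fields["EventIDs"].append(ev.get("id"))
        fields["ThreatLevelIDs"].append(ev.get("threat_level_id"))
        fields["AttributesCounts"].append(ev.get("attribute_count"))
        fields["PublishTime"].append(epoch_to_iso_utc(ev.get("publish_timestamp", "0")))
        fields["EventUUIDs"].append(ev.get("uuid"))
        fields["EventInfo"].append(ev.get("info"))
        fields["Published"].append(bool(ev.get("published", False)))
    return fields


def has_d3_errors(raw: Dict[str, Any]) -> bool:
    """D3Errors is non-empty when the command ran but flagged a problem,
    such as the Type/Category mismatch described in the Reader Note."""
    return bool(raw.get("D3Errors"))


if __name__ == "__main__":
    for name, values in extract_key_fields(SAMPLE_RAW).items():
        print(f"{name}: {values}")
```

Checking has_d3_errors before trusting the key fields matters because, as the Reader Note states, a mismatched Type/Category still produces raw data and key fields for a narrower set of events than the playbook asked for.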
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

response

  • {'Event': {'id': '*****', 'orgc_id': '1', 'org_id': '1', 'date': '2023-02-01', 'threat_level_id': '1', 'info': 'Test Event0201a', 'published': True, 'uuid': '***-***-***-***-***', 'attribute_count': '1', 'analysis': '1', 'timestamp': '1668102496', 'distribution': '3', 'proposal_email_lock': False, 'locked': False, 'publish_timestamp': '1668102496', 'sharing_group_id': '0', 'disable_correlation': False, 'extends_uuid': '', 'event_creator_email': 'test@example.test', 'Org': {'id': '1', 'name': 'ORGNAME', 'uuid': '***-***-***-***-***', 'local': True}, 'Orgc': {'id': '1', 'name': 'ORGNAME', 'uuid': '***-***-***-***-***', 'local': True}, 'Attribute': [{'id': '*****', 'type': 'domain', 'category': 'Network activity', 'to_ids': False, 'uuid': '***-***-***-***-***', 'event_id': '*****', 'distribution': '1', 'timestamp': '1668102496', 'comment': 'test domain', 'sharing_group_id': '0', 'deleted': False, 'disable_correlation': False, 'object_id': '0', 'object_relation': None, 'value': 'phishing.sample.com', 'Galaxy': [], 'ShadowAttribute': []}], 'ShadowAttribute': [], 'RelatedEvent': [{'Event': {'id': '*****', 'date': '2023-02-01', 'threat_level_id': '2', 'info': 'Test Event0201c', 'published': True, 'uuid': '***-***-***-***-***', 'analysis': '1', 'timestamp': '1675294801', 'distribution': '3', 'org_id': '1', 'orgc_id': '1', 'Org': {'id': '1', 'name': 'ORGNAME', 'uuid': '***-***-***-***-***'}, 'Orgc': {'id': '1', 'name': 'ORGNAME', 'uuid': '***-***-***-***-***'}}}], 'Galaxy': [], 'Object': []}}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message, which can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Search Events failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.

Status Code: 443.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Name or service not known.

Error Sample Data

Search Events failed.

Status Code: 443.

Message: Name or service not known.

Search Object Templates

Retrieves object templates according to template name or description.

Reader Note

  • If the keyword parameter is not defined, all object templates will be returned.

  • If the input keyword does not match any template name, this command will run successfully with no result.

Input

Input Parameter

Required/Optional

Description

Example

Keyword

Optional

The keyword to search object templates by. It may be a full or partial template name or template description. If this parameter is not defined, all object templates will be returned.

domain-ip

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "results": [
        {
            "ObjectTemplate": {
                "id": "*****",
                "user_id": "0",
                "org_id": "0",
                "uuid": "***-***-***-***-***",
                "name": "domain-ip",
                "meta-category": "network",
                "description": "A domain and IP address seen as a tuple in a specific time frame.",
                "version": "6",
                "requirements": {
                    "required": [
                        "ip",
                        "domain"
                    ]
                },
                "fixed": true,
                "active": true
            },
            "Organisation": {
                "id": null,
                "name": null,
                "uuid": null
            }
        }
    ],
    "D3Errors": []
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "ObjectTemplateIDs": "\"[ \\\"38\\\" ]\"",
    "ObjectTemplateUUIDs": "\"[ \\\"***-***-***-***-***\\\" ]\"",
    "ObjectTemplateNames": "\"[ \\\"domain-ip\\\" ]\"",
    "ObjectTemplateCategories": "\"[ \\\"network\\\" ]\"",
    "ObjectTemplateDescriptions": "\"[ \\\"A domain and IP address seen as a tuple in a specific time frame.\\\" ]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

OBJECTTEMPLATE

{'id': '*****', 'user_id': '0', 'org_id': '0', 'uuid': '***-***-***-***-***', 'name': 'domain-ip', 'meta-category': 'network', 'description': 'A domain and IP address seen as a tuple in a specific time frame.', 'version': '6', 'requirements': {'required': ['ip', 'domain']}, 'fixed': True, 'active': True}

ORGANISATION

{'id': None, 'name': None, 'uuid': None}

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message, which can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Search Object Templates failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.

Status Code: 443.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Name or service not known.

Error Sample Data

Search Object Templates failed.

Status Code: 443.

Message: Name or service not known.

Search Tags

Retrieves tags with the specified search term.

Reader Note

  • Search Term is a required parameter to run the command.

    • Run the List Tags command to obtain the Search Term. The Search Term refers to the tag name, which can be found in the returned raw data at the path $.tag[*].name.

  • The difference between this command and the List Tags command is that this command searches by tag name and returns more detailed information under the field "GalaxyCluster" for the matching tag.
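The following is an added example, not D3 SOAR or MISP project code. Galaxy and taxonomy tags such as the one in the sample below follow MISP's triple-tag form namespace:predicate="value" (or namespace:predicate without a value), so a playbook can tell a misp-galaxy tag apart from a free-form one before deciding whether to expect a GalaxyCluster block. It also shows the case-insensitive, partial-name match that the Search Term parameter performs. The parse_tag_name and search_tags helpers, the ParsedTag type and the SAMPLE_TAGS list (ids are placeholders apart from the 598 shown on this page) are this example's own constructions.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# namespace:predicate, optionally followed by ="value"; the value may itself
# contain colons or spaces (e.g. an ATT&CK technique name and id).
TRIPLE_TAG = re.compile(r'^(?P<ns>[^:"=]+):(?P<pred>[^="]+?)(?:="(?P<val>.*)")?$')


class ParsedTag(NamedTuple):
    namespace: Optional[str]   # None for free-form tags
    predicate: str
    value: Optional[str]


def parse_tag_name(name: str) -> ParsedTag:
    """Split a MISP tag name into its triple-tag parts (hypothetical helper)."""
    m = TRIPLE_TAG.match(name)
    if not m:
        return ParsedTag(None, name, None)
    return ParsedTag(m["ns"], m["pred"], m["val"])


# Constructed tag list in the shape of List Tags raw data ($.tag[*].name).
SAMPLE_TAGS: List[Dict[str, str]] = [
    {"id": "TAG-ID-PLACEHOLDER-1", "name": "tlp:amber"},
    {"id": "TAG-ID-PLACEHOLDER-2", "name": "opencti:import"},
    {"id": "TAG-ID-PLACEHOLDER-3", "name": "Cobalt Strike"},
    {"id": "598", "name": 'misp-galaxy:mitre-enterprise-attack-attack-pattern="Account Discovery - T1087"'},
]


def search_tags(tags: List[Dict[str, str]], term: str) -> List[Dict[str, str]]:
    """Case-insensitive substring match on tag names, like the Search Term parameter."""
    needle = term.lower()
    return [t for t in tags if needle in t["name"].lower()]


def galaxy_tags(tags: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Tags whose namespace is misp-galaxy; only these carry a GalaxyCluster."""
    return [t for t in tags if parse_tag_name(t["name"]).namespace == "misp-galaxy"]


if __name__ == "__main__":
    for tag in search_tags(SAMPLE_TAGS, "account discovery"):
        print(tag["id"], parse_tag_name(tag["name"]))
```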

Input

Input Parameter

Required/Optional

Description

Example

Search Term

Required

The search term used to filter tags. Both full and partial tag names can be defined. Please note that the search term is case-insensitive. You can use the List Tags command to retrieve all tags.

Account Discovery - *****

Output

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "results": [
        {
            "Tag": {
                "id": "*****",
                "name": "misp-galaxy:mitre-enterprise-attack-attack-pattern=\"Account Discovery - *****\"",
                "colour": "#0088cc",
                "exportable": true,
                "org_id": "0",
                "user_id": "0",
                "hide_tag": false,
                "numerical_value": null
            },
            "GalaxyCluster": {
                "id": "*****",
                "uuid": "***-***-***-***-***",
                "collection_uuid": "***-***-***-***-***",
                "type": "mitre-enterprise-attack-attack-pattern",
                "value": "Account Discovery - T1087",
                "tag_name": "",
                "description": "",
                "galaxy_id": "*****",
                "source": "https://github.com/mitre/cti",
                "authors": [
                    "MITRE"
                ],
                "version": "4",
                "Galaxy": {
                    "id": "*****",
                    "uuid": "***-***-***-***-***",
                    "name": "Enterprise Attack - Attack Pattern",
                    "type": "mitre-enterprise-attack-attack-pattern",
                    "description": "ATT&CK Tactic",
                    "version": "5",
                    "icon": "map",
                    "namespace": "deprecated"
                },
                "tag_id": "598",
                "meta": {
                    "external_id": [
                        "*****"
                    ],
                    "kill_chain": [
                        "mitre-attack:enterprise-attack:discovery"
                    ],
                    "mitre_data_sources": [
                        "API monitoring",
                        "Process command-line parameters",
                        "Process monitoring"
                    ],
                    "mitre_platforms": [
                        "Linux",
                        "macOS",
                        "Windows"
                    ],
                    "refs": [
                        "https://attack.mitre.org/wiki/Technique/T1087"
                    ]
                }
            }
        }
    ],
    "D3Errors": []
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.
The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "TagIDs": "\"[ \\\"*****\\\" ]\"",
    "TagNames": "\"[ \\\"*****\\\" ]\""
}
Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message, which can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Search Tags failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.

Status Code: 443.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Name or service not known.

Error Sample Data

Search Tags failed.

Status Code: 443.

Message: Name or service not known.

Test Connection

Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

SAMPLE DATA

CODE
Successful

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message, which can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Test Connection failed. Failed to check the connector.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the MISP portal. Refer to the HTTP Status Code Registry for details.

Status Code: 443.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Name or service not known.

Error Sample Data

Test Connection failed. Failed to check the connector.

Status Code: 443.

Message: Name or service not known.
