OpenCTI
LAST UPDATED: 05/30/2024
Overview
OpenCTI is an open-source platform allowing organizations to structure, store, and organize information about Cyber Threats. OpenCTI enables you to go beyond only technical (TTPs and observables) and non-technical information (suggested attribution, victimology).
D3 SOAR is providing REST operations to function with OpenCTI.
OpenCTI is available for use in:
D3 SOAR | V14.5.56.0+ |
Category | SIEM |
Deployment Options |
ALERT
As of April 2023, the current OpenCTI versions supported by D3 SOAR are limited to 5.5.0 and 5.6.2. The availability of support for future release of the OpenCTI platform will be contingent on the API support offered by OpenCTI. Please contact the D3 support team if you have compatibility issues.
Connection
To connect OpenCTI from D3 SOAR, please follow this part to collect the required information below:
Parameter | Description | Example |
Server URL | The server URL of the OpenCTI instance. | http://192.168.87.91:8080 |
API Key | The API key to authenticate the connection. | 024948c1-****-****-****-6a89d86bed5a |
Permission Requirements
Each endpoint in the OpenCTI API requires a certain permission scope. The following are required scopes for the commands in this integration:
Command | Required Permission |
Add Observable | Access knowledge > Create / Update knowledge |
Create Indicator | Access knowledge > Create / Update knowledge |
Create Observable | Access knowledge > Create / Update knowledge If you need to input Labels, Author, Markings, and External References parameters, Bypass all capabilities is needed. |
Get Indicators | Access knowledge |
List Authors | Bypass all capabilities |
List External References | Access knowledge |
List indicators | Access knowledge |
List Labels | Access knowledge |
List Marking | Access knowledge |
List Observables | Access knowledge |
Test Connection | Bypass all capabilities or Access knowledge |
OpenCTI is using role-based access control (RBAC), and the API Key is generated based on a specific user account and the use case. Therefore, the command permissions are inherited from the user account’s role. The administrator needs to create a connector role with the required capabilities and link that role with a user before obtaining the API key to build the integration connection in D3 SOAR (see Creating a user and assigning roles and Generating an API Key). Users can then configure their user profile from the OpenCTI console for each command in this integration.
Configuring OpenCTI to Work with D3 SOAR
Log in to the server of the OpenCTI platform (http://<Server URL>:8080) with an administrator account.
Creating Roles and adding to group
Navigate to Dashboard > Settings > Security > Roles, and click + located at the bottom right corner to add a new role. The Create a role window will appear.
Input a name and description (optional) for the role, then click Create.
Find the newly created role and click on the corresponding three-dot button. Click Update.
Click CAPABILITIES. Then select and enable the required capabilities for the role (see Permission Requirements).
Reader Note
To run all available commands for this integration in D3 SOAR, only the Bypass all capabilities, Access knowledge and Create/Update knowledge capabilities are required. Please refer to Permission Requirements for the required permissions for specific commands for this integration. Please note that the OpenCTI Connectors Guide recommends enabling all capabilities for all connectors to work properly.
Since roles cannot be directly assigned to a user, we need to create a group and assign the role to the group, then add the user to the group to inherit the role. Navigate to Groups from the right sidebar, click + to add group.
Fill in the information, then click CREATE.
Find the newly created group and click on the corresponding three-dot button. Click Update.
Choose ROLES at the top, then choose the role you just created.
If you want to update the user role, the access permissions will change for the group as well.
Creating a user and assigning roles
Navigate to Settings > Security > Users, and click + located at the bottom right corner to add a new user. The Create a role window will appear.
Input a name, email and password for the new user and click Create. Please note that the user will be created with default roles, please follow the steps below if you wish to update the user's role.
Select the created user. You will be directed to the user configuration page.
Alert
The user cannot be directly assigned a role, the role can only be in a group to assign. The user you created will be default in the Default Groups. The permission will be the default permission. Please update the user with the following steps.
Click on the three-dot menu and select Update. An Update a user window will appear.
Click GROUPS at the top, then select the group you just created.
Generating an API Key
Log in to the server of the OpenCTI platform (http://<Server URL>:8080) with the created account credentials.
Click on the user icon located near the top right corner, then select Profile. You will be directed to the Profile page.
Under API access, you will see the API KEY.
Configuring D3 SOAR to Work with OpenCTI
Log in to D3 SOAR.
Find the OpenCTI integration.
Navigate to Configuration on the top header menu.
Click on the Integration icon on the left sidebar.
Type OpenCTI in the search box to find the integration, then click it to select it.
Click + New Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to OpenCTI.
Connection Name: The desired name for the connection.
Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.
Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
Description (Optional): Add your desired description for the connection.
Configure User Permissions: Defines which users have access to the connection.
Active: Check the tick box to ensure the connection is available for use.
System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
1. Input your domain level Server URL. Please replace your domain with the <HOST_IP>.2. Input your saved API Key from step 3 of Generating API Key.
Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.
To set up a connection health check, check the Connection Health Check tickbox. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.
Test the connection.
Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.
Click OK to close the alert window.
Click + Add to create and add the configured connection.
Commands
OpenCTI includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.
Integration API Note
For more information about the OpenCTI API, please refer to the OpenCTI API reference.
Reader Note
Certain permissions are required for each command. Please refer to the Permission Requirements and Configuring OpenCTI to Work with D3 SOAR for details.
Add Observable
Adds a Stix-Observable object to the specified indicator object.
Reader Note
Indicator ID and Stix Cyber Observable ID are required parameters to run this command.
Run the List Indicators command to obtain Indicator IDs. Indicator IDs can be found from the returned raw data at the path $[*].id.
Run the List Observables command to obtain Stix Cyber Observable IDs. Stix Cyber Observable IDs can be found from the returned raw data at the path $[*].standard_id.
Currently, this command only supports version 5.5.0 and above, please check your platform version if you encounter an error.
Input
Input Parameter | Required/Optional | Description | Example |
Indicator ID | Required | The ID of the indicator to add an observable. Indicator ID can be obtained using the List Indicators command. | 5e*****-*****-******-*****-****** |
Stix Cyber Observable ID | Required | The ID of the Stix-Observable to add to the specified indicator. Stix Cyber Observable ID can be obtained using the List Observables command. | domain-name--*****-*****-******-*****-****** |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Add Observable failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the OpenCTI portal. Refer to the HTTP Status Code Registry for details. | Status Code: 402. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Fail to add a Stix-Cyber-Observable object to Indicator. |
Error Sample Data Add Observable failed. Status Code: 402. Message: Fail to add a Stix-Cyber-Observable object to Indicator. |
Create Indicator
Creates an indicator object. Note: When creating a new indicator, ensure that its pattern value is distinct from that of existing indicators. You cannot create a new indicator with the same pattern value as an existing one.
Reader Note
Pattern Type is a required parameter to run this command. Below are the supported pattern types along with their descriptions:
STIX - Structured Threat Information eXpressions.
PCRE - Perl Compatible Regular Expressions.
SIGMA - A common language used by SIEM platforms and malware researchers for communication.
SNORT - A rule format used by the open-source intrusion prevention system offered by Cisco.
Suricata - A rule format used by the high-performance Network IDS, IPS, and Network Security Monitoring engine.
YARA - Created by VirusTotal, YARA helps malware researchers identify and classify malware samples.
Tanium Signal - Implements a specific language that the Detect service uses for both language syntax and currently supported terms and conditions.
Please note that the input pattern value cannot be used, otherwise an error will be returned.
Input
Input Parameter | Required/Optional | Description | Example |
Indicator Name | Required | The name for the indicator. | A new indicator |
Pattern Type | Required | The type of the observable. The available pattern types are STIX, PCRE, SIGMA, SNORT, Suricata, YARA and Tanium Signal. | STIX |
Pattern | Required | The pattern of the stix indicator. | [ domain-name:value = 'www.*****.info' ] |
Observable Type | Required | The type of the observable. | Artifact |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create Indicator failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the OpenCTI portal. Refer to the HTTP Status Code Registry for details. | Status Code: 406. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Indicator of type stix is not correctly formatted. |
Error Sample Data Create Indicator failed. Status Code: 406. Message: Indicator of type stix is not correctly formatted. |
Create Observable
Creates a Stix-Observable object.
Reader Note
Labels, Author, Markings and External References are optional parameters to run this command.
Run the List Labels command to obtain Labels. Labels can be obtained from the returned raw data at the path $.entities[*].id.
Run the List Authors command to obtain Author. Authors can be obtained from the returned raw data at the path $.entities[*].id.
Run the List Markings command to obtain Markings. Markings can be obtained from the returned raw data at the path $.entities[*].id.
Run the List External References command to obtain External References. External References can be obtained from the returned raw data at the path $.entities[*].id.
Please note that the Type and Values must match. Otherwise, errors will be returned. Please see Create Observable - Types and Corresponding Fields and Values for more info on Type and Values.
Input
Input Parameter | Required/Optional | Description | Example |
Type | Required | The type of observable. | Email Addr |
Values | Required | Input the required fields and values depending on the observable type. Please refer to https://github.com/OpenCTI-Platform/client-python/blob/fecbfc495eb3a2a82a89a49c78698d3aabbb8936/pycti/entities/opencti_stix_cyber_observable.py#L122. Please see the table in Create Observable - Types and Corresponding Fields and Values for more detailed available fields and types. | { "value": "test@example.com", "display_name":"Test" } |
Description | Optional | The description for the observable. | Test description 0529 |
Score | Optional | The score of the observable. | 90 |
Labels | Optional | The labels for the observable. Labels can be obtained using the List Labels command. Inputting a label that does not already exist in the system will create a new label. | ["hardbit"] |
Author | Optional | The author ID of the observable. Author can be obtained using the List Authors command. | *****-*****-******-*****-****** |
Markings | Optional | The ID(s) of marking definition of the observable. You can obtain the marking definition IDs from List Markings command. | ["*****-*****-******-*****-******"] |
External References | Optional | The ID(s) of external references of the observable. External reference IDs can be obtained using the List External References command. | ["*****-*****-******-*****-******"] |
Create Indicator | Optional | The option to create an indicator. The available values are True or False. The default value is False. | True |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Create Observable failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the OpenCTI portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Please make sure to input the required value for specific observable Type ('path',). For more information, please refer to the parameter description of Values. |
Error Sample Data Add Observable failed. Status Code: 400. Message: Please make sure to input the required value for specific observable Type ('path',). For more information, please refer to the parameter description of Values. |
Get Indicators
Retrieves a list of specified indicators.
Reader Note
The input parameter Indicator IDs is required to run this command.
Run the List Indicators command to obtain Indicator IDs.
The difference between this command and the List Indicators command is that the List Indicators command will return all Indicators, while this command can only search for one indicator.
Input
Input Parameter | Required/Optional | Description | Example |
Indicator IDs | Required | The IDs of the indicators to retrieve. Indicator IDs can be obtained using the List Indicators command. | [ "*****-*****-******-*****-******" ] |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Indicators failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the OpenCTI portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Can not find the indicator XXX. |
Error Sample Data Get Indicators failed. Status Code: 404. Message: Can not find the indicator XXX. |
List Authors
Retrieves all available authors in the OpenCTI instance.
Reader Note
If the name is not specified, then all available authors will be returned. If the input search value for name does not exist, then it will return success with no result.
Input
Input Parameter | Required/Optional | Description | Example |
Names | Optional | The author's name. Author IDs will not be accepted for this parameter. To search by name, ensure your input is the full name. Partial names and keywords are not accepted. | [ "kaspersky" ] |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Authors failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the OpenCTI portal. Refer to the HTTP Status Code Registry for details. | Status Code: 401. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: API Key expired. Please check your API Key. |
Error Sample Data List Authors failed. Status Code: 401. Message: API Key expired. Please check your API Key. |
List Connectors
Retrieves a list of available connectors.
Reader Note
This command can return a maximum of 100 results.
Input
N/A
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Connectors failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the OpenCTI portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Connectors cannot be found. |
Error Sample Data List Connectors failed. Status Code: 404. Message: Connectors cannot be found. |
List External References
Retrieves all external references in the OpenCTI platform. Please note that there is a limit for results, only 5000 will be retrieved. If there are more than 5000 external references, you will need to use Next Page to retrieve the data.
Reader Note
If this command's returned raw data path $.pagination.hasNextPage is true, then the value in $.pagination.endCursor can be used to apply in the Next Page parameter.
This command allows for search keywords that are not limited to exact matches with values. Instead, a string with an approximate match can also be used. When entering multiple keywords, a space between them will indicate an or logic while a dash (-) will indicate an and logic.
For example, if the input keyword is "Stix 2021", the command will return External References that include "Stix" or "2021". Conversely, if the input keyword is "Stix-2021", the command will only return external references with names that match the string "Stix 2021".
If the command returns a success message but no results, it is possible that no related external references are found in the system.
Input
Input Parameter | Required/Optional | Description | Example |
Search | Optional | The keywords to search for the values. | [ "mitre-attack" ] |
Next Page | Optional | When hasNextPage is true in the result (the number of returned external references exceeds the limit of 5000), this parameter sets the cursor to get data from the next page, which can be obtained from the EndCursor of the result. | *****= |
Output
Error Handling
If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List External References failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the OpenCTI portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Can not find the indicator XXX. |
Error Sample Data List External References failed. Status Code: 404. Message: Can not find the indicator XXX. |
List Indicators
Retrieves indicators matching the specified keyword.
Reader Note
This command allows for search keywords that are not limited to exact matches with indicator names. Instead, a string with an approximate match can also be used. When entering multiple keywords, a space between them will indicate an or logic while a dash (-) will indicate an and logic.
For example, if the input keyword is "Stix 2021", the command will return indicators that include "Stix" or "2021". Conversely, if the input keyword is "Stix-2021", the command will only return indicators with names that match the string "Stix 2021".
If the command returns a success message but no results, it is possible that no indicators or related keywords are found in the system.
This command can return a maximum of 100 results.
Input
Input Parameter | Required/Optional | Description | Example |
Keyword | Optional | The keyword to filter the returned indicators. | server |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List indicators failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the OpenCTI portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: OpenCTI API is not reachable. Waiting for OpenCTI API to start or check your configuration. |
Error Sample Data List indicators failed. Status Code: 400. Message: OpenCTI API is not reachable. Waiting for OpenCTI API to start or check your configuration. |
List Labels
Retrieves all labels in the OpenCTI instance.
Reader Note
Please note that the label name must be the full name. Partial names and keywords are not accepted.
Input
Input Parameter | Required/Optional | Description | Example |
Label Names | Optional | The name(s) of the label(s) to retrieve. | [ "hyperv" ] |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Labels failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the OpenCTI portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Not all label names existing. |
Error Sample Data List Labels failed. Status Code: 404. Message: Not all label names existing. |
List Markings
Retrieves all marking definitions in the OpenCTI instance.
Reader Note
This command allows for search keywords that are not limited to exact matches. Instead, a string with an approximate match can also be used. When entering multiple keywords, a space between them will indicate an or logic while a dash (-) will indicate an and logic.
If the command returns a success message but no results, it is possible that no indicators or related keywords are found in the system.
Input
Input Parameter | Required/Optional | Description | Example |
Search | Optional | The keywords to search for the values. | [ "TLP:CLEAR" ] |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Marking failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the OpenCTI portal. Refer to the HTTP Status Code Registry for details. | Status Code: 401. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: API Key expired. Please check your API Key. |
Error Sample Data Get Indicators failed. Status Code: 401. Message: API Key expired. Please check your API Key. |
List Observables
Retrieves observables matching the specified keyword.
Reader Note
This command allows for search keywords that are not limited to exact matches with observable names. Instead, a string with an approximate match can also be used. When entering multiple keywords, a space between them will indicate an or logic while a dash (-) will indicate an and logic.
For example, if the input keyword is "url hostname", the command will return indicators that include "url" or "hostname". Conversely, if the input keyword is "url-hostname", the command will only return indicators with names that match the string "url hostname".
If the command returns a success message but no results, it is possible that no indicators or related keywords are found in the system.
This command can return a maximum of 100 results.
Currently, this command only supports version 5.5.0 and above, please check your platform version if you encounter an error.
Input
Input Parameter | Required/Optional | Description | Example |
Keyword | Optional | The keyword to filter the returned indicators. | www.example.xyz |
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Observables failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the OpenCTI portal. Refer to the HTTP Status Code Registry for details. | Status Code: 401. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: API Key expired. Please check your API Key. |
Error Sample Data List Observables failed. Status Code: 401. Message: API Key expired. Please check your API Key. |
Test Connection
Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.
Input
N/A
Output
Error Handling
If the Return Data is Failed, an Error tab will appear in the Test Result window.
The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Test Connection failed. Failed to check the connector. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the OpenCTI portal. Refer to the HTTP Status Code Registry for details. | Status Code: 401. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: API Key expired. Please check your API Key. |
Error Sample Data Test Connection failed. Failed to check the connector. Status Code: 401. Message: API Key expired. Please check your API Key. |
Create Observable - Types and Corresponding Fields and Values
The below table provides details of the available fields corresponding to each type of observable, and the required/optional values for each.
Type | Fields (type) (req/opt) format | Sample |
AutonomousSystem | { "number": int, # number is required "rir": "string", "name": "string" } | { "number": 2, "rir": "test rir", "name": "Test Autonomous-System" } |
Directory | { "path": "string", # path is required "path_enc": "string", "ctime": "datetime", #datetime format: yyyy-MM-ddThh:mm:ss.fffz "mtime": "datetime", "atime": "datetime" } | { "path": "www.test.xyz/index.php", "path_enc": "test", "ctime": "2023-06-25T19:51:02.908Z", "mtime": "2023-06-24T19:51:02.908Z", "atime": "2023-06-29T19:51:02.908Z" } |
Domain Name | { "value": "string" # value is required } | { "value": "example.com" } |
Email Addr | { "value": "string", # value is required "display_name": "string" } | { "value": "info@example.com", "display_name": "Sample Name" } |
Email Message | { "body": "string", # body or subject is required "subject": "string", # body or subject is required "is_multipart": boolean, "date": "datetime", #datetime format: yyyy-MM-ddThh:mm:ss.fffz "message_id": "string", "received_lines": "string", "content_type": "string" } | { "body": "test body", "subject": "test subject", "is_multipart": True, "date": "2023-06-25T19:55:20.620Z", "message_id": "samplemessageid", "received_lines": "sample", "content_type": "html" } |
Email Mime Part Type | { "body": "string", "content_type": "string", "content_disposition": "string" } | { "body": "sample body", "content_type": "html", "content_disposition": "test" } |
Artifact | { "url": "string", # url is required "encryption_algorithm": "string", "payload_bin": "string", "decryption_key": "string", "mime_type": "string", "hashes": { "MD5": "string", # MD5 is required "SHA1": "string", "SHA256": "string" } } | { "url": "https://mail.qq.com/", "encryption_algorithm": "test encryption_algorithm", "payload_bin": "qq payload_bin", "decryption_key": "qq decryption_key", "mime_type": "text", "hashes": { "MD5": "87F45408915389547BD0C413A258AE33", "SHA1": "2252B7800C28933CF2CD5FB31C73ECF45936D92C", "SHA256": "0EE350C7874F1BD8A8455464F68D84D95C9F496F0178BB9958B710FFBAEC6B25" } } |
File | { "mime_type": "string", "name": "string", # name is required "ctime": "datetime", "mtime": "datetime", "atime": "datetime", "size": int, "name_enc": "string", "magic_number_hex": "string", "x_opencti_additional_names": "string", "hashes": { "MD5": "string", "SHA1": "string", "SHA256": "string" } } | { "mime_type": "text", "name": "main.txt", "ctime": "2023-06-25T19:51:02.892Z", "mtime": "2023-06-24T19:51:02.892Z", "atime": "2023-06-29T19:51:02.892Z", "size": 1200, "name_enc": "sample", "magic_number_hex": "h3ecef", "x_opencti_additional_names": "main", "content": "testcontent", "hashes": { "MD5": "87F45408915389547BD0C413A258AE33", "SHA1": "2252B7800C28933CF2CD5FB31C73ECF45936D92C", "SHA256": "0EE350C7874F1BD8A8455464F68D84D95C9F496F0178BB9958B710FFBAEC6B25" } } |
X509-Certificate | { "is_self_signed": boolean, "hashes": { "MD5": "string", # MD5, serial_number or subject is required "SHA-1": "string", "SHA-256": "string" }, "version": "string", "serial_number": "string", # MD5, serial_number or subject is required "signature_algorithm": "string", "issuer": "string", "validity_not_before": "datetime", "validity_not_after": "datetime", "subject": "string", # MD5, serial_number or subject is required "subject_public_key_algorithm": "string", "subject_public_key_modulus": "string", "subject_public_key_exponent": int } | { "is_self_signed": True, "hashes": { "MD5": "87f45408915389547bd0c413a258ae33", "SHA-1": "2252b7800c28933cf2cd5fb31c73ecf45936d92c", "SHA-256": "0ee350c7874f1bd8a8455464f68d84d95c9f496f0178bb9958b710ffbaec6b25" }, "version": "1", "serial_number": "test", "signature_algorithm": "sha1", "issuer": "test", "validity_not_before": "2023-07-12T07:00:00.000Z", "validity_not_after": "2023-07-14T07:00:00.000Z", "subject": "test", "subject_public_key_algorithm": "md5", "subject_public_key_modulus": "test", "subject_public_key_exponent": 2 } |
IPv4 Addr | { "value": "string" # value is required } | { "value": "1.1.1.10" } |
IPv6 Addr | { "value": "string" # value is required } | { "value": "2001:db8:3333:4444:5555:6666:7777:8888" } |
Mac Addr | { "value": "string" # value is required } | { "value": "00:00:5e:00:53:af" } |
Mutex | { "name": "string", # name is required } | { "name": "SampleMutex" } |
Network Traffic | { "start": "datetime", # start, end, protocols, dst_port or src_port is required. "end": "datetime", # start, end, protocols, dst_port or src_port is required. "protocols": "string", # start, end, protocols, dst_port or src_port is required. "is_active": boolean, "dst_byte_count": int, "dst_packets": int, "dst_port": int, # start, end, protocols, dst_port or src_port is required. "src_byte_count": int, "src_packets": int, "src_port": int # start, end, protocols, dst_port or src_port is required. } | { "start": "2023-06-22T21:48:15.831Z", "end": "2023-06-23T21:48:15.831Z", "protocols": "test", "is_active": True, "dst_byte_count": 100, "dst_packets": 1, "dst_port": 8000, "src_byte_count": 100, "src_packets": 1, "src_port": 1000 } |
Process | { "command_line": "number-only-string", # command_line is required "is_hidden": boolean, "pid": int, "created_time": "datetime", "cwd": "string", "environment_variables": "string" } | { "command_line": "number-only-string", # command_line is required "is_hidden": boolean, "pid": int, "created_time": "datetime", "cwd": "string", "environment_variables": "string" } |
Software | { "cpe": "string", # cpe is required. "name": "string", # name, swid, vendor or version is required. "swid": "string", # name, swid, vendor or version is required. "vendor": "string", # name, swid, vendor or version is required. "version": "string", # name, swid, vendor or version is required. "languages": "string" } | { "cpe": "sampleCPE", "name": "test", "swid": "test", "vendor": "test", "version": "test", "languages": "test" } |
Url | { "value": "string" # value is required } | { "value": "www.example.com/about/" } |
User-Account | { "account_type": "string", # account_type, user_id or account_login is required; available options for this field: facebook, ldap, nis, openid, radius, skype, tacacs, twitter, unix, windows-domain, windows-local. "user_id": "string", # account_type, user_id or account_login is required "account_login": "string", # account_type, user_id or account_login is required "account_created": "datetime", "account_expires": "datetime", "account_first_login": "datetime", "account_last_login": "datetime", "can_escalate_privs": boolean, "credential": "string", "credential_last_changed": "datetime", "display_name": "string", "is_disabled": boolean, "is_privileged": boolean, "is_service_account": boolean } | { "account_type": "facebook", "user_id": "4356535", "account_login": "nhgvf", "account_created": "2023-06-22T17:46:18.730Z", "account_expires": "2024-06-22T17:46:18.730Z", "account_first_login": "2022-06-22T17:46:18.730Z", "account_last_login": "2023-06-21T17:46:18.730Z", "can_escalate_privs": True, "credential": "test", "credential_last_changed": "2023-03-22T17:46:18.730Z", "display_name": "test", "is_disabled": False, "is_privileged": True, "is_service_account": True } |
Windows-Registry-Key | { "key": "string", # key is required "modified_time": "datetime", "number_of_subkeys": int, } | { "key": "test", "modified_time": "2023-06-22T17:30:55.530Z", "number_of_subkeys": 3, } |
User-Agent | { "value": "string" # value is required } | { "value": "Firefox/42.0" } |
Cryptographic-Key | { "value": "string" # value is required } | { "value": "e75e68046ff9d90dd4777ed24e807490e916ce7c9f66fb5d299559ee73ad5670" } |
Cryptocurrency-Wallet | { "value": "string" # value is required } | { "value": "e75e68046ff9d90dd4777ed24e807490e916ce7c9f66fb5d299559ee73ad5670" } |
Hostname | { "value": "string", # value is required } | { "value": "sample host name" } |
Text | { "value": "string", # value is required } | { "value": "sample text" } |
Bank-Account | { "iban": "string", # iban is required "account_number": "string", "bic": "string" } | { "iban": "test", "account_number": "34567890-9876", "bic": "1234" } |
Phone-Number | { "value": "string", # value is required } | { "value": "123456789" } |
Payment-Card | { "card_number": "string", # card_number is required "cvv": int, "expiration_date": "datetime", "holder_name": "string" } | { "card_number": "test", "cvv": 123, "expiration_date": "2023-06-22T17:22:13.199Z", "holder_name": "test" } |
Media-Content | { "url": "string", # url is required "content": "string", "media_category": "string", "publication_date": "datetime", "title": "string" } | { "url": "test", "content": "test", "media_category": "test", "publication_date": "2023-06-22T17:25:01.234Z", "title": "test" } |