ThreatQuotient

LAST UPDATED: 10/09/2024

Overview

ThreatQuotient is a threat intelligence platform that collects and interprets intelligence data from open sources and manages indicator scoring, types, and attributes with its Datalinq Engine and Threat Library. The platform helps teams prioritize, automate, and collaborate on security incidents to optimize resources and facilitate strategic decision making in a unified workspace.

D3 SOAR provides REST operations for working with ThreatQuotient.

ThreatQuotient is available for use in:

D3 SOAR

V12.7.0+

Category

Threat Intelligence

Deployment Options

Option I, Option III

Connection

To connect to ThreatQuotient from D3 SOAR, collect the information listed below:

Parameter | Description | Example
Server URL | The server URL used to authenticate the connection. | https://192.***.**.**:****
Client ID | The Client ID used to authenticate the connection. Client ID can be obtained from ThreatQ Console > User Management. | *****
Email | The email used to authenticate the connection. | info@example.com

READER NOTE

Users in the Read Only Access or Primary Contributor Access group will need to obtain their Client ID from a user in the Maintenance Account or Administrative Access group.

Permission Requirements

Each endpoint in the ThreatQuotient API requires a certain permission scope. The following are required scopes for the commands in this integration:

Command

Required Permissions

Group (Any checked group will work)

Read Only Access

Primary Contributor Access

Maintenance Account

Administrative Access

Add Attribute

X

Add Object Tags (From None)

X

Add Source

X

Check File Reputation

Check IP Reputation

Check URL Reputation

Check Email Reputation

Check Vulnerability

Create Adversary

X

Create Event

X

Create Indicator

X

Create Object

X

Delete File

X

Download File

Fetch Event

Get Object ID by Value

Link Object

X

List Adversaries

List File

List Indicators

Parse File

X

Search File Content Type

Test Connection

Unlink Object

X

Update Indicator Score

X

Update Indicator Status

X

Update Object Attribute (From None)

X

Upload File

X

Because ThreatQuotient uses role-based access control (RBAC), the Client ID is generated for a specific user account and application, so the command permissions are inherited from that user account's role. Users need to configure the user profile in the ThreatQuotient console so that it covers each command in this integration they intend to run.

READER NOTE

Only users in the Maintenance Account or Administrative Access group will be able to configure user permissions.

Follow these steps to configure user permissions from the ThreatQuotient console:

  1. Click on the settings icon > User Management.

  2. Click on the Add User button.

  3. Set a display name, username, and password.

  4. Select a suitable access group from the group dropdown for the new user.

  5. Click on the Add User button.


    The new user will be displayed on the User Management page.

Configuring ThreatQuotient to Work with D3 SOAR

  1. Log onto your ThreatQuotient environment at your server URL with your username and password.

  2. Click on your profile icon in the top right corner.

  3. Click on the My Account option.

  4. Locate API Credentials - Client ID on the left side of the screen.

  5. Copy your Client ID and paste it into the Client ID field. Refer to step 3 of Configuring D3 SOAR to Work with ThreatQuotient.


    If you do not see your Client ID, you need to obtain it from someone in your organization in the Maintenance Account or Administrative Access group. Refer to Permission Requirements for more information.

Configuring D3 SOAR to Work with ThreatQuotient

  1. Log in to D3 SOAR.

  2. Find the ThreatQuotient integration.

    1. Navigate to Configuration on the top header menu.

    2. Click on the Integration icon on the left sidebar.

    3. Type ThreatQuotient in the search box to find the integration, then click it to select it.

    4. Click on the + Connection button on the right side of the Connections section. A new connection window will appear.

  3. Configure the following fields to create a connection to ThreatQuotient.

    1. Connection Name: The desired name for the connection.

    2. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.

    3. Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.

    4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

    5. Description (Optional): Add your desired description for the connection.

    6. Tenant (Optional): When configuring the connection from a master tenant site, you have the option to choose the specific tenant sites you want to share the connection with. Once you enable this setting, you can filter and select the desired tenant sites from the dropdowns to share the connection.

    7. Configure User Permissions: Defines which users have access to the connection.

    8. Active: Check the checkbox to ensure the connection is available for use.

    9. System Reputation Check: Checking one or more reputation check tick boxes will run the corresponding check reputation command(s) under this integration connection to enrich the corresponding artifacts with reputation details.

      For example, suppose an integration connection named "ConnectionA" is configured for the site "Sandbox". All IP artifacts from the "Sandbox" site will undergo a reputation check using the Check IP Reputation command from that integration. The Return Data output from this command will then be used to update the risk level of the artifacts, which may in turn affect the risk level of incoming events.

    10. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.

      1. Input the Server URL.

      2. Input your Client ID from the ThreatQuotient platform. Refer to step 5 of Configuring ThreatQuotient to Work with D3 SOAR.

      3. Input your ThreatQuotient email address (or username).

      4. Input your ThreatQuotient password.

    11. Enable Password Vault: An optional feature that allows users to use credentials stored in their own password vault. Please refer to the password vault connection guide if needed.

    12. Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.

      To set up a connection health check, check the Connection Health Check tick box. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.

  4. Test the connection.

    1. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green check mark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.

    2. Click OK to close the alert window.

    3. Click + Add to create and add the configured connection.

Commands

ThreatQuotient includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the ThreatQuotient API, refer to the ThreatQuotient API reference. You must log in to access the ThreatQuotient API reference.

READER NOTE

Certain permissions are required for each command. Refer to the Permission Requirements and Configuring ThreatQuotient to Work with D3 SOAR sections for details.

Note for Time-related parameters

The input format of time-related parameters may vary based on your account settings. As a result, the sample data provided in our commands may differ from what you see. To set your preferred time format, follow these steps:

  1. Navigate to Configuration > Application Settings. Select Date/Time Format.

  2. Choose your desired date and time format, then click on the Save button.

After that, you will be able to view your preferred time format when configuring the DateTime input parameters for commands.

Add Attribute

Adds an attribute to an object.

READER NOTE

Object ID is a required parameter to run this command.

  • Run the Get Object ID by Value command to obtain the Object ID. Object IDs can be found in the raw data at the path $.data[*].id.

Input

Input Parameter | Required/Optional | Description | Example
Object Type | Required | The type of object to which an attribute will be added. | indicators
Object ID | Required | The ID of the object to which an attribute will be added. Object IDs can be obtained using the Get Object ID by Value command. | *****
Attribute Name | Required | The name of the attribute that will be added. | Port
Attribute Value | Required | The value of the attribute that will be added. | 4000
Attribute Source | Optional | The source name of the attribute that will be added. | TQ User

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "total": 1,
    "data": [
        {
            "attribute_id": *****,
            "value": "4000",
            "indicator_id": *****,
            "id": *****,
            "created_at": "2021-10-21 00:42:10",
            "updated_at": "2021-10-21 00:42:10",
            "touched_at": "2021-11-02 22:06:34",
            "name": "Port",
            "attribute": {
                "id": *****,
                "name": "Port",
                "created_at": "2021-10-20 17:33:33",
                "updated_at": "2021-10-20 17:33:33"
            },
            "sources": [
                {
                    "id": *****,
                    "type": "other_sources",
                    "reference_id": *****,
                    "name": "TQ User",
                    "tlp_id": null,
                    "created_at": "2021-10-21 00:42:10",
                    "updated_at": "2021-10-21 00:42:10",
                    "published_at": null,
                    "pivot": {
                        "indicator_attribute_id": *****,
                        "source_id": *****,
                        "id": *****,
                        "creator_source_id": *****
                    }
                }
            ]
        }
    ]
}

Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
[
    {
        "attribute_id": *****,
        "value": "4000",
        "indicator_id": *****,
        "id": *****,
        "created_at": "2021-10-21 00:42:10",
        "updated_at": "2021-10-21 00:42:10",
        "touched_at": "2021-11-02 22:06:34",
        "name": "Port",
        "attribute": {
            "id": *****,
            "name": "Port",
            "created_at": "2021-10-20 17:33:33",
            "updated_at": "2021-10-20 17:33:33"
        },
        "sources": [
            {
                "id": *****,
                "type": "other_sources",
                "reference_id": *****,
                "name": "TQ User",
                "tlp_id": null,
                "created_at": "2021-10-21 00:42:10",
                "updated_at": "2021-10-21 00:42:10",
                "published_at": null,
                "pivot": {
                    "indicator_attribute_id": *****,
                    "source_id": *****,
                    "id": *****,
                    "creator_source_id": *****
                }
            }
        ]
    }
]

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

attribute_id | *****
value | 4000
indicator_id | *****
id | *****
created_at | 2021-11-08 21:04:17
updated_at | 2021-11-08 21:04:17
touched_at | 2024-10-04 1:03:54
name | Port
attribute | {'id': *****, 'name': 'Port', 'created_at': '2021-11-08 21:04:17', 'updated_at': '2021-11-08 21:04:17'}
sources | [{'id': *****, 'type': 'users', 'reference_id': *****, 'name': '*****', 'tlp_id': None, 'created_at': '2021-11-08 21:04:17', 'updated_at': '2021-11-08 22:34:27', 'published_at': None, 'pivot': {'indicator_attribute_id': *****, 'source_id': *****, 'id': *****, 'creator_source_id': *****}}, {'id': *****, 'type': 'other_sources', 'reference_id': *****, 'name': 'TQ User', 'tlp_id': None, 'created_at': '2021-11-10 19:45:01', 'updated_at': '2021-11-10 19:45:01', 'published_at': None, 'pivot': {'indicator_attribute_id': *****, 'source_id': *****, 'id': *****, 'creator_source_id': *****}}, {'id': *****, 'type': 'other_sources', 'reference_id': *****, 'name': '4000', 'tlp_id': None, 'created_at': '2021-11-29 21:15:02', 'updated_at': '2021-11-29 21:15:02', 'published_at': None, 'pivot': {'indicator_attribute_id': *****, 'source_id': *****, 'id': *****, 'creator_source_id': *****}}]

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or by the third-party API call, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error | Description | Example
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Add Attribute failed.
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ThreatQuotient portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404.
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Not found.

Error Sample Data

Add Attribute failed.

Status Code: 404.

Message: Not found.
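The three lines of the Error tab (Failure Indicator, Status Code, Message) are what a playbook has to work with when deciding whether a failed command should be retried, re-parameterised, or escalated. The following is an added example and not part of D3 SOAR or ThreatQuotient: it parses the Error Sample Data format shown above and maps the status code to a next step. The 401 guidance (check the permission setting in the ThreatQuotient portal) is the page's own; the other buckets, and the constructed 503 and no-response samples, are this example's assumptions. The same format is used by every command's Error Handling section on this page.

```python
# Constructed Error tab texts in the shape shown under "Error Sample Data".
# The first three mirror samples on this page; the last two are made up for this example.
SAMPLE_ERRORS = [
    "Add Attribute failed.\nStatus Code: 404.\nMessage: Not found.",
    "Add Object Tags failed.\nStatus Code: 400.\nMessage: The value for parameter (Tag Name) is invalid.",
    "Check Email Reputation failed.\nStatus Code: 401.\nMessage: Access denied.",
    "Add Source failed.\nStatus Code: 503.\nMessage: Service Unavailable.",          # constructed
    "Fetch Event failed.\nMessage: No response from the API.",                      # constructed, no status line
]


def parse_error(text):
    """Split the Error tab text into its three parts.

    Returns {"indicator": str, "status_code": int | None, "message": str | None}.
    A missing "Status Code:" line is kept as None, which is what a connection
    failure or an API that never answered looks like."""
    parsed = {"indicator": None, "status_code": None, "message": None}
    for line in (l.strip() for l in text.strip().splitlines()):
        if line.endswith(" failed."):
            parsed["indicator"] = line[: -len(" failed.")]
        elif line.startswith("Status Code:"):
            parsed["status_code"] = int(line[len("Status Code:"):].strip().rstrip("."))
        elif line.startswith("Message:"):
            parsed["message"] = line[len("Message:"):].strip()
    if parsed["indicator"] is None:
        raise ValueError("text does not look like a D3 Error tab: no '<Command> failed.' line")
    return parsed


def triage(err):
    """Decide the playbook's next step from the parsed error.

    Only the 401 case reflects guidance on this page; the remaining buckets are
    this example's convention for a conditional task."""
    code = err["status_code"]
    if code is None:
        return "retry_later"        # no response / connection issue: transient, retry with backoff
    if code in (401, 403):
        return "fix_permissions"    # unauthorized: check the user's access group in the ThreatQuotient portal; do not retry
    if code == 404:
        return "recheck_object_id"  # the Object ID is stale or wrong: re-run Get Object ID by Value first
    if 400 <= code < 500:
        return "fix_input"          # e.g. Tag Name is not a JSON array of strings; an unchanged retry fails again
    if code >= 500:
        return "retry_later"        # server-side failure: safe to retry
    return "investigate"


def triage_all(texts=SAMPLE_ERRORS):
    """Map each sample to (Failure Indicator, next step)."""
    return [(parse_error(t)["indicator"], triage(parse_error(t))) for t in texts]


if __name__ == "__main__":
    for indicator, step in triage_all():
        print(f"{indicator:<24} -> {step}")
```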

Add Object Tags

Adds new tag(s) to an object.

READER NOTE

Object ID is a required parameter to run this command.

  • Run the Get Object ID by Value command to obtain the Object ID. Object IDs can be found in the raw data at the path $.data[*].id.

Input

Input Parameter | Required/Optional | Description | Example
Object Type | Required | The type of object to which an object tag will be added. | indicator
Object ID | Required | The ID of the object to which an object tag will be added. Object IDs can be obtained using the Get Object ID by Value command. | *****
Tag Name | Required | The name(s) of the tag(s) to be added to an object. | JSON ["testtags01", "testtags02"]

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "total": 2,
    "data": [
        {
            "id": *****,
            "name": "testtags01",
            "pivot": {
                "object_id": *****,
                "tag_id": *****,
                "created_at": "2024-10-02 21:45:49",
                "updated_at": "2024-10-02 21:45:49"
            }
        },
        {
            "id": *****,
            "name": "testtags02",
            "pivot": {
                "object_id": *****,
                "tag_id": *****,
                "created_at": "2024-10-02 21:46:26",
                "updated_at": "2024-10-02 21:46:26"
            }
        }
    ]
}

Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "TagID": [
        *****,
        *****
    ],
    "TagName": [
        "testtags01",
        "testtags02"
    ]
}
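Both the Object ID reader notes (which point at the path $.data[*].id) and the Key Fields above (TagID and TagName pulled out of Raw Data) rely on resolving a JSONPath against the command's raw response. The following is an added example, not D3 SOAR's or ThreatQuotient's own code: a small resolver that handles exactly the path subset seen on this page ($ root, .key, [n] index, [*] wildcard) and uses it to produce the Object ID list and the Key Fields dictionary from a constructed sample shaped like the Add Object Tags raw data, with made-up numeric IDs where the page shows *****.

```python
import json
import re

# Constructed sample in the shape of the Add Object Tags raw data on this page.
# The numeric IDs are invented; the page masks the real ones as *****.
SAMPLE_TAGS_RAW = json.loads("""
{
    "total": 2,
    "data": [
        {"id": 101, "name": "testtags01",
         "pivot": {"object_id": 555, "tag_id": 101,
                   "created_at": "2024-10-02 21:45:49", "updated_at": "2024-10-02 21:45:49"}},
        {"id": 102, "name": "testtags02",
         "pivot": {"object_id": 555, "tag_id": 102,
                   "created_at": "2024-10-02 21:46:26", "updated_at": "2024-10-02 21:46:26"}}
    ]
}
""")

# One path step: ".key" or "[n]" or "[*]".
_STEP = re.compile(r"\.([A-Za-z_][A-Za-z0-9_]*)|\[(\*|\d+)\]")


def tokenize(path):
    """Split a JSONPath such as $.data[*].pivot.tag_id into steps.

    Supported subset: '$' root, '.key', '[n]' list index, '[*]' list wildcard.
    Anything else raises, so a typo in a playbook path fails loudly."""
    if not path.startswith("$"):
        raise ValueError("a JSONPath must start with $")
    pos, steps = 1, []
    while pos < len(path):
        m = _STEP.match(path, pos)
        if m is None:
            raise ValueError(f"unsupported path syntax near {path[pos:]!r}")
        key, index = m.groups()
        if key is not None:
            steps.append(("key", key))
        elif index == "*":
            steps.append(("wild", None))
        else:
            steps.append(("idx", int(index)))
        pos = m.end()
    return steps


def resolve(doc, path):
    """Return every value matched by `path` in `doc`, as a list.

    A missing key or out-of-range index contributes nothing rather than raising:
    ThreatQ responses omit fields such as expired_at on some indicators, and a
    playbook path over them should yield fewer values, not a crashed task."""
    current = [doc]
    for kind, arg in tokenize(path):
        nxt = []
        for node in current:
            if kind == "key" and isinstance(node, dict) and arg in node:
                nxt.append(node[arg])
            elif kind == "idx" and isinstance(node, list) and arg < len(node):
                nxt.append(node[arg])
            elif kind == "wild" and isinstance(node, list):
                nxt.extend(node)
        current = nxt
    return current


def object_ids(raw):
    """The Object IDs a subsequent command needs, from the path the reader notes give."""
    return resolve(raw, "$.data[*].id")


# Key Field name -> path into Raw Data (this example's own table; D3 does the
# extraction internally and does not document the paths it uses).
KEY_FIELD_PATHS = {"TagID": "$.data[*].id", "TagName": "$.data[*].name"}


def key_fields(raw, paths=KEY_FIELD_PATHS):
    """Build the Key Fields dictionary shown in the sample data above."""
    return {name: resolve(raw, p) for name, p in paths.items()}


if __name__ == "__main__":
    print("Object IDs:", object_ids(SAMPLE_TAGS_RAW))
    print("Key Fields:", json.dumps(key_fields(SAMPLE_TAGS_RAW), indent=2))
```

Paths that D3 stores under $.[playbookTask].outputData use a bracketed segment this resolver does not parse; it covers the $.data[*].id form used in the command descriptions on this page.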
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id | name | pivot
***** | testtags01 | {'object_id': *****, 'tag_id': *****, 'created_at': '2024-10-02 21:45:49', 'updated_at': '2024-10-02 21:45:49'}
***** | testtags02 | {'object_id': *****, 'tag_id': *****, 'created_at': '2024-10-02 21:46:26', 'updated_at': '2024-10-02 21:46:26'}

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or by the third-party API call, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error | Description | Example
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Add Object Tags failed.
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ThreatQuotient portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400.
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: The value for parameter (Tag Name) is invalid.

Error Sample Data

Add Object Tags failed.

Status Code: 400.

Message: The value for parameter (Tag Name) is invalid.

Add Source

Adds a new source to an object.

READER NOTE

Object ID is a required parameter to run this command.

  • Run the Get Object ID by Value command to obtain the Object ID. Object IDs can be found in the raw data at the path $.data[*].id.

Input

Input Parameter | Required/Optional | Description | Example
Object Type | Required | The type of object to which a source will be added. | indicators
Object ID | Required | The ID of the object to which a source will be added. Object IDs can be obtained using the Get Object ID by Value command. | *****
Source Name | Required | The name of the source to be added to the object. | Test Source45

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful

Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "total": 1,
    "data": [
        {
            "id": *****,
            "indicator_id": *****,
            "source_id": *****,
            "creator_source_id": *****,
            "tlp_id": null,
            "created_at": "2021-11-02 22:07:05",
            "updated_at": "2021-11-02 22:07:05",
            "published_at": null,
            "deleted_at": null,
            "sync_hash": "*****",
            "existing": 0,
            "name": "Test Source45"
        }
    ]
}

Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
[
    {
        "id": *****,
        "indicator_id": *****,
        "source_id": *****,
        "creator_source_id": *****,
        "tlp_id": null,
        "created_at": "2021-11-02 22:07:05",
        "updated_at": "2021-11-02 22:07:05",
        "published_at": null,
        "deleted_at": null,
        "sync_hash": "*****",
        "existing": 0,
        "name": "Test Source45"
    }
]

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id | *****
indicator_id | *****
source_id | *****
creator_source_id | *****
tlp_id | None
created_at | 2024-10-04 17:20:44
updated_at | 2024-10-04 17:20:44
published_at | None
deleted_at | None
sync_hash | *****
existing | 0
name | Test 34253245

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or by the third-party API call, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error | Description | Example
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Add Source failed.
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ThreatQuotient portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400.
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: The Object ID is not valid.

Error Sample Data

Add Source failed.

Status Code: 400.

Message: The Object ID is not valid.

Check Email Reputation

Checks the risk level of emails.

Input

Input Parameter | Required/Optional | Description | Example
Email Addresses | Required | The list of email addresses to check. | JSON ["*****@*****.*****"]

Output

Return Data

In check reputation commands, Return Data displays the risk score from the raw data as D3-defined risk levels and risk level names. This will be used to enrich artifacts with reputation information.

SAMPLE DATA

JSON
[
    {
        "email": "*****@*****.*****",
        "riskScore": 0,
        "riskLevel": "5"
    }
]

Raw Data

The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.

SAMPLE DATA

JSON
[
    {
        "total": 1,
        "data": [
            {
                "class": "network",
                "score": 0,
                "value": "tom@phishing.com",
                "expires_calculated_at": "2020-06-22 21:20:03",
                "touched_at": "2020-07-07 00:00:04",
                "id": *****,
                "updated_at": "2020-07-07 00:00:04",
                "published_at": "2020-06-22 21:16:22",
                "created_at": "2020-06-22 21:16:22",
                "status_id": *****,
                "hash": "*****",
                "expired_at": "2020-07-07 00:00:04",
                "type_id": *****,
                "adversaries": [],
                "type": {
                    "name": "Email Address",
                    "id": *****,
                    "class": "network"
                },
                "status": {
                    "name": "Expired",
                    "id": *****,
                    "description": "No longer poses a serious threat."
                },
                "sources": [
                    {
                        "indicator_id": *****,
                        "indicator_status_id": *****,
                        "published_at": "2020-06-22 21:16:22",
                        "source_id": *****,
                        "id": *****,
                        "created_at": "2020-06-22 21:16:22",
                        "source_type": "connectors",
                        "creator_source_id": *****,
                        "indicator_type_id": *****,
                        "reference_id": *****,
                        "updated_at": "2020-06-22 21:16:22",
                        "source_expire_days": "14",
                        "name": "CrowdStrike"
                    }
                ]
            }
        ],
        "limit": 100,
        "offset": 0
    }
]

Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
[
    {
        "email": "tom@phishing.com",
        "id": "*****",
        "riskScore": 0,
        "hash": "*****",
        "riskLevel": "ZeroRisk"
    }
]

Key Fields

Common cyber security indicators such as risk levels, risk level names, unique IDs, file hash values, CVE numbers and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "emails": ["tom@phishing.com"],
    "ids": ["*****"],
    "hashes": ["*****"],
    "riskScores": [0],
    "RiskLevels": ["ZeroRisk"]
}

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

email | id | riskScore | hash | riskLevel
tom@phishing.com | ***** | 0 | ***** | ZeroRisk

D3-defined Risk Levels and Risk Level Names

The table below lists (left to right) the third party's possible output risk levels and their corresponding risk level names, followed by their corresponding risk levels and risk level names as defined by D3: 

ThreatQ Risk Levels | ThreatQ Risk Level Names | D3 Risk Levels | D3 Risk Level Names
9-10 | High | 1 | High
7-8 | Medium | 2 | Medium
1-6 | Low | 3 | Low
n/a | n/a | 4 | Default
0 | Zero | 5 | ZeroRisk
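A worked version of the mapping in the table above, as an added example rather than D3's own implementation: it converts a ThreatQ indicator score to the D3 risk level and risk level name, then builds the Return Data (numeric level, e.g. "5"), Context Data (level name, e.g. "ZeroRisk") and Key Fields shapes shown for Check Email Reputation from a constructed response. Treating an address that ThreatQ does not know (an empty data array) as the n/a row, and keeping the highest score when several indicators match one value, are this example's assumptions; the IDs and hashes are made up where the page shows *****.

```python
import json

# ThreatQ score band (inclusive) -> D3 risk level and name, from the table on this page.
SCORE_BANDS = [
    (9, 10, "1", "High"),
    (7, 8, "2", "Medium"),
    (1, 6, "3", "Low"),
    (0, 0, "5", "ZeroRisk"),
]
DEFAULT_LEVEL = ("4", "Default")  # the n/a row: ThreatQ returned no score for the value


def d3_risk(score):
    """Map a ThreatQ indicator score (0-10, or None when absent) to (D3 level, D3 name)."""
    if score is None:
        return DEFAULT_LEVEL
    for low, high, level, name in SCORE_BANDS:
        if low <= score <= high:
            return level, name
    raise ValueError(f"score {score!r} is outside the ThreatQ 0-10 range")


# Constructed responses shaped like the Check Email Reputation raw data on this page,
# one ThreatQ response per queried address. Only the fields this example reads are kept.
SAMPLE_RAW = json.loads("""
[
  {"total": 1, "limit": 100, "offset": 0,
   "data": [{"class": "network", "score": 0, "value": "tom@phishing.com", "id": 4242,
             "hash": "abcd1234", "type": {"name": "Email Address"}, "status": {"name": "Expired"}}]},
  {"total": 1, "limit": 100, "offset": 0,
   "data": [{"class": "network", "score": 9, "value": "mallory@example.net", "id": 4243,
             "hash": "ef567890", "type": {"name": "Email Address"}, "status": {"name": "Active"}}]},
  {"total": 0, "limit": 100, "offset": 0, "data": []}
]
""")
SAMPLE_QUERY = ["tom@phishing.com", "mallory@example.net", "nobody@example.org"]


def build_reputation_output(raw_pages, queried):
    """Produce (Return Data, Context Data) in the shapes the page shows.

    Return Data carries the numeric D3 level as a string ("5"); Context Data carries
    the level name ("ZeroRisk"). An address with no indicator gets the Default row."""
    return_data, context_data = [], []
    for address, page in zip(queried, raw_pages):
        hits = page.get("data") or []
        if not hits:
            level, name = DEFAULT_LEVEL
            return_data.append({"email": address, "riskScore": None, "riskLevel": level})
            context_data.append({"email": address, "id": None, "riskScore": None,
                                 "hash": None, "riskLevel": name})
            continue
        # Assumption: if several indicators match one value, the highest score wins.
        worst = max(hits, key=lambda h: h.get("score") or 0)
        level, name = d3_risk(worst.get("score"))
        return_data.append({"email": address, "riskScore": worst["score"], "riskLevel": level})
        context_data.append({"email": worst["value"], "id": str(worst["id"]),
                             "riskScore": worst["score"], "hash": worst["hash"], "riskLevel": name})
    return return_data, context_data


def key_fields(context_data):
    """Collapse Context Data into the Key Fields arrays ($.[playbookTask].outputData)."""
    return {
        "emails": [c["email"] for c in context_data],
        "ids": [c["id"] for c in context_data],
        "hashes": [c["hash"] for c in context_data],
        "riskScores": [c["riskScore"] for c in context_data],
        "RiskLevels": [c["riskLevel"] for c in context_data],
    }


if __name__ == "__main__":
    rd, cd = build_reputation_output(SAMPLE_RAW, SAMPLE_QUERY)
    print("Return Data:", json.dumps(rd, indent=2))
    print("Key Fields:", json.dumps(key_fields(cd), indent=2))
```

The Return Data list is what the System Reputation Check option feeds back into artifact risk levels, so the numeric level string is the value a playbook condition should compare against, while the name is the human-readable form that appears in Context Data and the Result table.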

Error Handling

If your command fails to execute, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or by the third-party API call, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error | Description | Example
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Check Email Reputation failed.
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ThreatQuotient portal. Refer to the HTTP Status Code Registry for details. | Status Code: 401.
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Access denied.

Error Sample Data

Check Email Reputation failed.

Status Code: 401.

Message: Access denied.

Check File Reputation

Checks the risk level of files using file hashes.

Input

Input Parameter | Required/Optional | Description | Example
File Hashes | Required | The list of file hashes to check. | JSON ["*****"]

Output

Return Data

In check reputation commands, Return Data displays the risk score from the raw data as D3-defined risk levels and risk level names. This will be used to enrich artifacts with reputation information.

SAMPLE DATA

JSON
[
    {
        "filehash": "*****",
        "riskScore": 10,
        "riskLevel": "1"
    }
]

Raw Data

The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.

SAMPLE DATA

JSON
[
    {
        "total": 3,
        "data": [
            {
                "class": "host",
                "score": 0,
                "value": "C.pdf",
                "touched_at": "2021-11-01 22:13:16",
                "id": *****,
                "updated_at": "2021-11-01 22:13:15",
                "published_at": "2021-11-01 22:13:15",
                "created_at": "2021-11-01 22:13:15",
                "status_id": *****,
                "hash": "*****",
                "type_id": *****,
                "adversaries": [],
                "type": {
                    "name": "Filename",
                    "id": *****,
                    "class": "host"
                },
                "status": {
                    "name": "Review",
                    "id": *****,
                    "description": "Requires further analysis."
                },
                "sources": [
                    {
                        "indicator_id": *****,
                        "indicator_status_id": *****,
                        "published_at": "2021-11-01 22:13:15",
                        "source_id": *****,
                        "id": *****,
                        "created_at": "2021-11-01 22:13:15",
                        "source_type": "other_sources",
                        "creator_source_id": *****,
                        "indicator_type_id": *****,
                        "reference_id": *****,
                        "updated_at": "2021-11-01 22:13:15",
                        "name": "2"
                    }
                ]
            },
            {
                "class": "host",
                "score": 0,
                "value": "commander.exe",
                "expires_calculated_at": "2020-06-20 00:15:04",
                "touched_at": "2021-11-01 22:07:35",
                "id": *****,
                "updated_at": "2020-07-05 00:00:03",
                "published_at": "2020-06-20 00:14:13",
                "created_at": "2020-06-20 00:14:13",
                "status_id": *****,
                "hash": "*****",
                "expired_at": "2020-07-05 00:00:03",
                "type_id": *****,
                "adversaries": [],
                "type": {
                    "name": "Filename",
                    "id": *****,
                    "class": "host"
                },
                "status": {
                    "name": "Expired",
                    "id": *****,
                    "description": "No longer poses a serious threat."
                },
                "sources": [
                    {
                        "indicator_id": *****,
                        "indicator_status_id": *****,
                        "published_at": "2020-06-20 00:14:13",
                        "source_id": *****,
                        "id": *****,
                        "created_at": "2020-06-20 00:14:13",
                        "source_type": "connectors",
                        "creator_source_id": *****,
                        "indicator_type_id": *****,
                        "reference_id": *****,
                        "updated_at": "2020-06-20 00:14:13",
                        "source_expire_days": "14",
                        "name": "CrowdStrike"
                    },
                    {
                        "indicator_id": *****,
                        "indicator_status_id": *****,
                        "published_at": "2021-10-30 00:27:49",
                        "source_id": *****,
                        "id": *****,
                        "created_at": "2021-10-30 00:27:49",
                        "source_type": "connectors",
                        "creator_source_id": *****,
                        "indicator_type_id": *****,
                        "reference_id": *****,
                        "updated_at": "2021-10-30 00:27:49",
                        "name": "abuse.ch SSLBL IP Blacklist"
                    },
                    {
                        "indicator_id": *****,
                        "indicator_status_id": *****,
                        "published_at": "2021-10-30 00:41:04",
                        "source_id": *****,
                        "id": *****,
                        "created_at": "2021-10-30 00:41:04",
                        "source_type": "connectors",
                        "creator_source_id": *****,
                        "indicator_type_id": *****,
                        "reference_id": *****,
                        "updated_at": "2021-10-30 00:41:04",
                        "name": "abuse.ch SSLBL Response Policy Zones (RPZ)"
                    }
                ]
            },
            {
                "class": "host",
                "score": 10,
                "value": "*****",
                "expires_calculated_at": "2020-06-20 00:15:04",
                "touched_at": "2021-11-02 18:45:13",
                "id": *****,
                "updated_at": "2021-10-21 01:39:09",
                "published_at": "2020-06-20 00:14:13",
                "created_at": "2020-06-20 00:14:13",
                "status_id": *****,
                "hash": "*****",
                "expired_at": "2020-07-05 00:00:03",
                "type_id": *****,
                "adversaries": [],
                "type": {
                    "name": "File Path",
                    "id": *****,
                    "class": "host"
                },
                "status": {
                    "name": "Expired",
                    "id": *****,
                    "description": "No longer poses a serious threat."
                },
                "attributes": [
                    {
                        "value": "4000",
                        "created_at": "2021-10-21 00:42:10",
                        "indicator_id": *****,
                        "updated_at": "2021-10-21 00:42:10",
                        "attribute_id": *****,
                        "id": *****,
                        "touched_at": "2021-11-02 18:01:17",
                        "name": "Port"
                    }
                ],
                "sources": [
                    {
                        "indicator_id": *****,
                        "indicator_status_id": *****,
                        "published_at": "2021-11-02 00:41:06",
                        "source_id": *****,
                        "id": *****,
                        "created_at": "2021-11-02 00:41:06",
                        "source_type": "plugins",
                        "creator_source_id": *****,
                        "indicator_type_id": *****,
                        "reference_id": *****,
                        "updated_at": "2021-11-02 00:41:06",
                        "name": "VirusTotal"
                    },
                    {
                        "indicator_id": *****,
                        "indicator_status_id": *****,
                        "published_at": "2021-11-02 18:45:13",
                        "source_id": *****,
                        "id": *****,
                        "created_at": "2021-11-02 18:45:13",
                        "source_type": "users",
                        "creator_source_id": *****,
                        "indicator_type_id": *****,
                        "reference_id": *****,
                        "updated_at": "2021-11-02 18:45:13",
                        "name": "*****"
                    },
                    {
                        "indicator_id": *****,
                        "indicator_status_id": *****,
                        "published_at": "2020-06-20 00:14:13",
                        "source_id": *****,
                        "id": *****,
                        "created_at": "2020-06-20 00:14:13",
                        "source_type": "connectors",
                        "creator_source_id": *****,
                        "indicator_type_id": *****,
                        "reference_id": *****,
                        "updated_at": "2020-06-20 00:14:13",
                        "source_expire_days": "14",
                        "name": "CrowdStrike"
                    }
                ]
            }
        ],
        "limit": 100,
        "offset": 0
    }
]
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
[
    {
        "filehash": "*****",
        "id": "*****",
        "riskScore": 10,
        "riskLevel": "High"
    }
]
Key Fields

Common cyber security indicators such as risk levels, risk level names, unique IDs, file hash values, CVE numbers and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "ids": ["*****"],
    "fileHashes": ["*****"],
    "riskScores": [10],
    "RiskLevels": ["High"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

filehash | id    | riskScore | riskLevel
---------|-------|-----------|----------
*****    | ***** | 10        | High

D3-defined Risk Levels and Risk Level Names

The table below lists (left to right) the third party's possible output risk levels and their corresponding risk level names, followed by their corresponding risk levels and risk level names as defined by D3:

ThreatQ Risk Levels | ThreatQ Risk Level Names | D3 Risk Levels | D3 Risk Level Names
--------------------|--------------------------|----------------|--------------------
9-10                | High                     | 1              | High
7-8                 | Medium                   | 2              | Medium
1-6                 | Low                      | 3              | Low
n/a                 | n/a                      | 4              | Default
0                   | Zero                     | 5              | ZeroRisk

Error Handling

If your command fails to execute, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error    | Description | Example
------------------|-------------|--------
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Check File Reputation failed.
Status Code       | The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command; the user or system support would need to check the permission settings in the ThreatQuotient portal. Refer to the HTTP Status Code Registry for details. | Status Code: 401.
Message           | The raw data or captured key error message from the integration API server about the API request failure. | Message: Access denied.

Error Sample Data

Check File Reputation failed.

Status Code: 401.

Message: Access denied.

Check IP Reputation

Checks the risk level of IP addresses.

Input

Input Parameter | Required/Optional | Description                        | Example
----------------|-------------------|------------------------------------|--------------------
IP Addresses    | Required          | The list of IP addresses to check. | ["***.***.***.***"]

Output

Return Data

In check reputation commands, Return Data displays the risk score from the raw data as D3-defined risk levels and risk level names. This will be used to enrich artifacts with reputation information.

SAMPLE DATA

JSON
[
    {
        "ipAddress": "***.***.***.***",
        "riskScore": 4,
        "riskLevel": "3"
    }
]
Raw Data

The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.

SAMPLE DATA

JSON
[
    {
        "total": 1,
        "data": [
            {
                "class": "network",
                "score": 4,
                "value": "***.***.***.***",
                "expires_calculated_at": "2021-11-02 01:00:04",
                "touched_at": "2021-11-02 01:00:04",
                "id": *****,
                "updated_at": "2021-11-02 01:00:04",
                "published_at": "2020-06-20 00:14:13",
                "created_at": "2020-06-20 00:14:13",
                "status_id": *****,
                "hash": "*****",
                "expires_at": "2021-11-17 00:00:00",
                "type_id": *****,
                "adversaries": [],
                "type": {
                    "name": "IP Address",
                    "id": *****,
                    "class": "network"
                },
                "status": {
                    "name": "Review",
                    "id": *****,
                    "description": "Requires further analysis."
                },
                "sources": [
                    {
                        "indicator_id": *****,
                        "indicator_status_id": *****,
                        "published_at": "2021-11-02 00:41:06",
                        "source_id": *****,
                        "id": *****,
                        "created_at": "2021-11-02 00:41:06",
                        "source_type": "plugins",
                        "creator_source_id": *****,
                        "indicator_type_id": *****,
                        "reference_id": *****,
                        "updated_at": "2021-11-02 00:41:06",
                        "name": "VirusTotal"
                    },
                    {
                        "indicator_id": *****,
                        "indicator_status_id": *****,
                        "published_at": "2020-06-20 00:14:13",
                        "source_id": *****,
                        "id": *****,
                        "created_at": "2020-06-20 00:14:13",
                        "source_type": "connectors",
                        "creator_source_id": *****,
                        "indicator_type_id": *****,
                        "reference_id": *****,
                        "updated_at": "2020-06-20 00:14:13",
                        "source_expire_days": "14",
                        "name": "CrowdStrike"
                    },
                    {
                        "indicator_id": *****,
                        "indicator_status_id": *****,
                        "published_at": "2021-10-25 17:45:14",
                        "source_id": *****,
                        "id": *****,
                        "created_at": "2021-10-25 17:45:14",
                        "source_type": "connectors",
                        "creator_source_id": *****,
                        "indicator_type_id": *****,
                        "reference_id": *****,
                        "updated_at": "2021-10-25 17:45:14",
                        "name": "abuse.ch URLhaus Response Policy Zones"
                    }
                ]
            }
        ],
        "limit": 100,
        "offset": 0
    }
]
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
[
    {
        "ipAddress": "***.***.***.***",
        "id": "*****",
        "riskScore": 4,
        "hash": "*****",
        "riskLevel": "Low"
    }
]
Key Fields

Common cyber security indicators such as risk levels, risk level names, unique IDs, file hash values, CVE numbers and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "ipAddresses": [
        "***.***.***.***"
    ],
    "ids": "*****",
    "hash": [
        "*****"
    ],
    "riskScores": [
        4
    ],
    "riskLevels": [
        "Low"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

ipAddress       | id    | riskScore | hash  | riskLevel
----------------|-------|-----------|-------|----------
***.***.***.*** | ***** | 4         | ***** | Low

D3-defined Risk Levels and Risk Level Names

The table below lists (left to right) the third party's possible output risk levels and their corresponding risk level names, followed by their corresponding risk levels and risk level names as defined by D3:

ThreatQ Risk Levels | ThreatQ Risk Level Names | D3 Risk Levels | D3 Risk Level Names
--------------------|--------------------------|----------------|--------------------
9-10                | High                     | 1              | High
7-8                 | Medium                   | 2              | Medium
1-6                 | Low                      | 3              | Low
n/a                 | n/a                      | 4              | Default
0                   | Zero                     | 5              | ZeroRisk

Error Handling

If your command fails to execute, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error    | Description | Example
------------------|-------------|--------
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Check IP Reputation failed.
Status Code       | The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command; the user or system support would need to check the permission settings in the ThreatQuotient portal. Refer to the HTTP Status Code Registry for details. | Status Code: 401.
Message           | The raw data or captured key error message from the integration API server about the API request failure. | Message: Access denied.

Error Sample Data

Check IP Reputation failed.

Status Code: 401.

Message: Access denied.

Check URL Reputation

Checks the risk level of URLs.

Input

Input Parameter | Required/Optional | Description                | Example
----------------|-------------------|----------------------------|--------------------
URLs            | Required          | The list of URLs to check. | ["*****.com/*****"]

Output

Return Data

In check reputation commands, Return Data displays the risk score from the raw data as D3-defined risk levels and risk level names. This will be used to enrich artifacts with reputation information.

SAMPLE DATA

JSON
[
    {
        "url": "*****.com/*****",
        "riskScore": 0,
        "riskLevel": "5"
    }
]
Raw Data

The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.

SAMPLE DATA

JSON
[
    {
        "total": 1,
        "data": [
            {
                "class": "network",
                "score": 0,
                "value": "*****.com/*****",
                "expires_calculated_at": "2021-11-01 17:35:15",
                "touched_at": "2021-11-02 17:04:58",
                "id": *****,
                "updated_at": "2021-10-22 18:50:04",
                "published_at": "2021-10-22 18:50:04",
                "created_at": "2021-10-22 18:50:04",
                "status_id": *****,
                "hash": "*****",
                "type_id": *****,
                "adversaries": [],
                "type": {
                    "name": "URL",
                    "id": *****,
                    "class": "network"
                },
                "status": {
                    "name": "Active",
                    "id": *****,
                    "description": "Active"
                },
                "attributes": [
                    {
                        "value": "US",
                        "created_at": "2021-10-22 18:50:10",
                        "indicator_id": *****,
                        "updated_at": "2021-11-02 17:03:58",
                        "attribute_id": *****,
                        "id": *****,
                        "touched_at": "2021-11-02 17:03:58",
                        "name": "Country"
                    },
                    {
                        "value": "Amazon.com",
                        "created_at": "2021-10-22 18:50:10",
                        "indicator_id": *****,
                        "updated_at": "2021-11-02 17:03:58",
                        "attribute_id": *****,
                        "id": *****,
                        "touched_at": "2021-11-02 17:03:58",
                        "name": "Target"
                    },
                    {
                        "value": "arin",
                        "created_at": "2021-10-22 18:50:10",
                        "indicator_id": *****,
                        "updated_at": "2021-11-02 17:03:58",
                        "attribute_id": *****,
                        "id": *****,
                        "touched_at": "2021-11-02 17:03:58",
                        "name": "RIR"
                    },
                    {
                        "value": "ripencc",
                        "created_at": "2021-10-22 18:50:10",
                        "indicator_id": *****,
                        "updated_at": "2021-11-02 17:03:58",
                        "attribute_id": *****,
                        "id": *****,
                        "touched_at": "2021-11-02 17:03:58",
                        "name": "RIR"
                    },
                    {
                        "value": "*****",
                        "created_at": "2021-10-22 18:50:10",
                        "indicator_id": *****,
                        "updated_at": "2021-11-02 17:03:58",
                        "attribute_id": *****,
                        "id": *****,
                        "touched_at": "2021-11-02 17:03:58",
                        "name": "PhishTank URL"
                    },
                    {
                        "value": "34119",
                        "created_at": "2021-10-22 18:50:10",
                        "indicator_id": *****,
                        "updated_at": "2021-11-02 17:03:58",
                        "attribute_id": *****,
                        "id": *****,
                        "touched_at": "2021-11-02 17:03:58",
                        "name": "Announcing Network"
                    },
                    {
                        "value": "GB",
                        "created_at": "2021-10-22 18:50:10",
                        "indicator_id": *****,
                        "updated_at": "2021-11-02 17:03:58",
                        "attribute_id": *****,
                        "id": *****,
                        "touched_at": "2021-11-02 17:03:58",
                        "name": "Country"
                    },
                    {
                        "value": "7142738",
                        "created_at": "2021-10-22 18:50:10",
                        "indicator_id": *****,
                        "updated_at": "2021-11-02 17:03:58",
                        "attribute_id": *****,
                        "id": *****,
                        "touched_at": "2021-11-02 17:03:58",
                        "name": "PhishTank ID"
                    },
                    {
                        "value": "395082",
                        "created_at": "2021-10-22 18:50:10",
                        "indicator_id": *****,
                        "updated_at": "2021-11-02 17:03:58",
                        "attribute_id": *****,
                        "id": *****,
                        "touched_at": "2021-11-02 17:03:58",
                        "name": "Announcing Network"
                    },
                    {
                        "value": "http",
                        "created_at": "2021-10-22 18:50:10",
                        "indicator_id": *****,
                        "updated_at": "2021-11-02 17:03:58",
                        "attribute_id": *****,
                        "id": *****,
                        "touched_at": "2021-11-02 17:03:58",
                        "name": "Scheme"
                    }
                ],
                "sources": [
                    {
                        "indicator_id": *****,
                        "indicator_status_id": *****,
                        "published_at": "2021-10-22 18:50:10",
                        "source_id": *****,
                        "id": *****,
                        "created_at": "2021-10-22 18:50:10",
                        "source_type": "connectors",
                        "creator_source_id": *****,
                        "indicator_type_id": *****,
                        "reference_id": *****,
                        "updated_at": "2021-11-02 17:04:58",
                        "name": "PhishTank"
                    }
                ]
            }
        ],
        "limit": 100,
        "offset": 0
    }
]
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
[
    {
        "url": "*****.com/*****",
        "id": "*****",
        "riskScore": 0,
        "hash": "*****",
        "riskLevel": "ZeroRisk"
    }
]
Key Fields

Common cyber security indicators such as risk levels, risk level names, unique IDs, file hash values, CVE numbers and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "urls": [
        "*****.com/*****"
    ],
    "ids": [
        "*****"
    ],
    "hashes": [
        "*****"
    ],
    "riskScores": [
        0
    ],
    "riskLevels": [
        "ZeroRisk"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

url             | id    | riskScore | hash  | riskLevel
----------------|-------|-----------|-------|----------
*****.com/***** | ***** | 0         | ***** | ZeroRisk

D3-defined Risk Levels and Risk Level Names

The table below lists (left to right) the third party's possible output risk levels and their corresponding risk level names, followed by their corresponding risk levels and risk level names as defined by D3:

ThreatQ Risk Levels | ThreatQ Risk Level Names | D3 Risk Levels | D3 Risk Level Names
--------------------|--------------------------|----------------|--------------------
9-10                | High                     | 1              | High
7-8                 | Medium                   | 2              | Medium
1-6                 | Low                      | 3              | Low
n/a                 | n/a                      | 4              | Default
0                   | Zero                     | 5              | ZeroRisk
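As an added example (not D3's or ThreatQuotient's own code), the following Python reshapes a ThreatQ indicator response in the shape of the Raw Data samples on this page into the Return Data, Context Data and Key Fields views shown for the check reputation commands, applying the D3 mapping from the table above; it also covers the n/a row, which the samples do not exercise. The addresses, ids and hashes in the sample are constructed, and treating scores outside 0-10 as n/a is an assumption.

```python
"""Added example (not D3's or ThreatQuotient's code): reshape a ThreatQ indicator
search response, shaped like the Raw Data samples on this page, into the Return
Data, Context Data and Key Fields views of the check reputation commands,
applying the D3-defined risk mapping from the table above."""
from __future__ import annotations

from typing import Any

# D3 mapping from the table: (lowest score, highest score, D3 level, D3 name).
# The "n/a" row (no usable score) is handled separately as level 4 / "Default".
SCORE_BANDS = [
    (9, 10, 1, "High"),
    (7, 8, 2, "Medium"),
    (1, 6, 3, "Low"),
    (0, 0, 5, "ZeroRisk"),
]
DEFAULT_LEVEL = (4, "Default")


def d3_risk(score: Any) -> tuple[int, str]:
    """Map a ThreatQ score (0-10) to (D3 risk level, D3 risk level name).

    A missing or non-numeric score is the "n/a" case and maps to Default.
    Assumption (not stated on the page): scores outside 0-10 are treated as n/a too.
    """
    try:
        value = int(score)
    except (TypeError, ValueError):
        return DEFAULT_LEVEL
    for low, high, level, name in SCORE_BANDS:
        if low <= value <= high:
            return level, name
    return DEFAULT_LEVEL


def indicators(raw_response: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """Flatten the page-style response ([{"total": n, "data": [...]}, ...]) into indicators."""
    return [item for page in raw_response for item in page.get("data", [])]


def return_data(raw_response: list[dict[str, Any]], value_key: str) -> list[dict[str, Any]]:
    """Return Data view: the samples above carry the D3 level as a string (e.g. "3")."""
    out = []
    for ind in indicators(raw_response):
        level, _name = d3_risk(ind.get("score"))
        out.append({value_key: ind["value"], "riskScore": ind.get("score"), "riskLevel": str(level)})
    return out


def context_data(raw_response: list[dict[str, Any]], value_key: str) -> list[dict[str, Any]]:
    """Context Data view: value, ThreatQ id and hash, score, and the D3 level name."""
    out = []
    for ind in indicators(raw_response):
        _level, name = d3_risk(ind.get("score"))
        out.append({
            value_key: ind["value"],
            "id": str(ind["id"]),
            "riskScore": ind.get("score"),
            "hash": ind.get("hash"),
            "riskLevel": name,
        })
    return out


def key_fields(context: list[dict[str, Any]], value_key: str, plural_key: str) -> dict[str, list]:
    """Key Fields view: one list per column, in the same order as the indicators."""
    return {
        plural_key: [c[value_key] for c in context],
        "ids": [c["id"] for c in context],
        "hashes": [c["hash"] for c in context],
        "riskScores": [c["riskScore"] for c in context],
        "riskLevels": [c["riskLevel"] for c in context],
    }


# Constructed sample in the shape of the Check IP Reputation Raw Data above
# (RFC 5737 documentation addresses, made-up ids and hashes). The second
# indicator has no score at all to exercise the n/a -> Default row.
SAMPLE_RAW = [{
    "total": 2,
    "data": [
        {"class": "network", "score": 4, "value": "192.0.2.1", "id": 1001,
         "hash": "constructed-hash-1", "type": {"name": "IP Address"},
         "status": {"name": "Review"}},
        {"class": "network", "value": "198.51.100.7", "id": 1002,
         "hash": "constructed-hash-2", "type": {"name": "IP Address"},
         "status": {"name": "Expired"}},
    ],
    "limit": 100, "offset": 0,
}]

if __name__ == "__main__":
    import json
    ctx = context_data(SAMPLE_RAW, "ipAddress")
    print(json.dumps(return_data(SAMPLE_RAW, "ipAddress"), indent=2))
    print(json.dumps(ctx, indent=2))
    print(json.dumps(key_fields(ctx, "ipAddress", "ipAddresses"), indent=2))
```

Note that the Check File Reputation Raw Data sample above returns an indicator with score 10 whose status is Expired, so a playbook that gates on riskLevel alone should also consult status.name in Raw Data.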

Error Handling

If your command fails to execute, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error    | Description | Example
------------------|-------------|--------
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Check URL Reputation failed.
Status Code       | The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command; the user or system support would need to check the permission settings in the ThreatQuotient portal. Refer to the HTTP Status Code Registry for details. | Status Code: 401.
Message           | The raw data or captured key error message from the integration API server about the API request failure. | Message: Access denied.

Error Sample Data

Check URL Reputation failed.

Status Code: 401.

Message: Access denied.

Check Vulnerability

Checks the risk level of CVEs by their IDs.

Input

Input Parameter | Required/Optional | Description                                            | Example
----------------|-------------------|--------------------------------------------------------|------------------
CVE IDs         | Required          | The list of CVE IDs for which to check the risk level(s). | ["CVE-1999-0001"]

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.

SAMPLE DATA

JSON
[
    {
        "total": 1,
        "data": [
            {
                "class": "host",
                "score": 0,
                "value": "CVE-1999-0001",
                "touched_at": "2021-11-08 22:47:08",
                "id": *****,
                "updated_at": "2021-11-08 22:47:08",
                "published_at": "2021-11-08 22:47:08",
                "created_at": "2021-11-08 22:47:08",
                "status_id": *****,
                "hash": "*****",
                "type_id": *****,
                "adversaries": [],
                "type": {
                    "name": "CVE",
                    "id": *****,
                    "class": "host"
                },
                "status": {
                    "name": "Active",
                    "id": *****,
                    "description": "Poses a threat and is being exported to detection tools."
                },
                "sources": [
                    {
                        "indicator_id": *****,
                        "indicator_status_id": *****,
                        "published_at": "2021-11-08 22:47:08",
                        "source_id": *****,
                        "id": *****,
                        "created_at": "2021-11-08 22:47:08",
                        "source_type": "other_sources",
                        "creator_source_id": *****,
                        "indicator_type_id": *****,
                        "reference_id": *****,
                        "updated_at": "2021-11-08 22:47:08",
                        "name": "Source"
                    }
                ]
            }
        ],
        "limit": 100,
        "offset": 0
    }
]
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
[
    {
        "class": "host",
        "score": 0,
        "value": "CVE-1999-0001",
        "touched_at": "2021-11-08 22:47:08",
        "id": *****,
        "updated_at": "2021-11-08 22:47:08",
        "published_at": "2021-11-08 22:47:08",
        "created_at": "2021-11-08 22:47:08",
        "status_id": *****,
        "hash": "*****",
        "type_id": *****,
        "adversaries": [],
        "type": {
            "name": "CVE",
            "id": *****,
            "class": "host"
        },
        "status": {
            "name": "Active",
            "id": *****,
            "description": "Poses a threat and is being exported to detection tools."
        },
        "sources": [
            {
                "indicator_id": *****,
                "indicator_status_id": *****,
                "published_at": "2021-11-08 22:47:08",
                "source_id": *****,
                "id": *****,
                "created_at": "2021-11-08 22:47:08",
                "source_type": "other_sources",
                "creator_source_id": *****,
                "indicator_type_id": *****,
                "reference_id": *****,
                "updated_at": "2021-11-08 22:47:08",
                "name": "Source"
            }
        ]
    }
]
Key Fields

Common cyber security indicators such as risk levels, risk level names, unique IDs, file hash values, CVE numbers and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "CVEIDs": [
        "CVE-1999-0001"
    ],
    "riskScores": [
        0
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

class        | host
score        | 0
value        | CVE-1999-0001
touched_at   | 2021-11-08 22:47:08
id           | *****
updated_at   | 2021-11-08 22:47:08
published_at | 2021-11-08 22:47:08
created_at   | 2021-11-08 22:47:08
status_id    | *****
hash         | *****
type_id      | *****
adversaries  | []
type         | {'name': 'CVE', 'id': *****, 'class': 'host'}
status       | {'name': 'Active', 'id': *****, 'description': 'Poses a threat and is being exported to detection tools.'}
sources      | [{'indicator_id': *****, 'indicator_status_id': *****, 'published_at': '2021-11-08 22:47:08', 'source_id': *****, 'id': *****, 'created_at': '2021-11-08 22:47:08', 'source_type': 'other_sources', 'creator_source_id': *****, 'indicator_type_id': *****, 'reference_id': *****, 'updated_at': '2021-11-08 22:47:08', 'name': 'Source'}]

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error    | Description | Example
------------------|-------------|--------
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Check Vulnerability failed.
Status Code       | The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command; the user or system support would need to check the permission settings in the ThreatQuotient portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404.
Message           | The raw data or captured key error message from the integration API server about the API request failure. | Message: CVEId CVE-1999-4565 could not be found in the Threat Q database.

Error Sample Data

Check Vulnerability failed.

Status Code: 404.

Message: CVEId CVE-1999-4565 could not be found in the Threat Q database.

Create Adversary

Creates a new adversary in ThreatQ.

Input

Adversary Name (Required)
    The name of the adversary to create.
    Example: Adversary Demo

Adversary Source (Optional)
    The source of the adversary to create.
    Example: Adversary source

Adversary Description (Optional)
    The description for the adversary.
    Example: add description

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.

SAMPLE DATA

JSON
{
    "data": {
        "name": "Adversary Demo1",
        "updated_at": "2024-10-04 18:43:40",
        "created_at": "2024-10-04 18:43:40",
        "id": *****,
        "sources": [
            {
                "id": *****,
                "reference_id": *****,
                "type": "other_sources",
                "name": "Adversary source",
                "expire_days": null,
                "expires_needs_calc": "N",
                "score": null,
                "default_tlp_id": null,
                "created_at": "2021-11-08 20:08:35",
                "updated_at": "2021-11-08 20:08:35"
            }
        ]
    }
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
{
    "name": "Adversary Demo1",
    "updated_at": "2024-10-04 18:43:40",
    "created_at": "2024-10-04 18:43:40",
    "id": *****,
    "sources": [
        {
            "id": *****,
            "reference_id": *****,
            "type": "other_sources",
            "name": "Adversary source",
            "expire_days": null,
            "expires_needs_calc": "N",
            "score": null,
            "default_tlp_id": null,
            "created_at": "2021-11-08 20:08:35",
            "updated_at": "2021-11-08 20:08:35"
        }
    ]
}
Key Fields

Common cyber security indicators such as risk levels, risk level names, unique IDs, file hash values, CVE numbers and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "ID": "*****",
    "Name": "Adversary Demo1",
    "Source": [
        "Adversary source"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

name: Adversary Demo1
updated_at: 2024-10-04 18:43:40
created_at: 2024-10-04 18:43:40
id: 34
sources: {'id': *****, 'reference_id': *****, 'type': 'other_sources', 'name': 'Adversary source', 'expire_days': None, 'expires_needs_calc': 'N', 'score': None, 'default_tlp_id': None, 'created_at': '2021-11-08 20:08:35', 'updated_at': '2021-11-08 20:08:35'}

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error

Failure Indicator
    Indicates the command failure that happened at a specific input and/or API call.
    Example: Create Adversary failed.

Status Code
    The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command; the user or system support would need to check the permission settings in the ThreatQuotient portal. Refer to the HTTP Status Code Registry for details.
    Example: Status Code: 400.

Message
    The raw data or captured key error message from the integration API server about the API request failure.
    Example: Message: The name has already been taken.

Error Sample Data

Create Adversary failed.

Status Code: 400.

Message: The name has already been taken.

Create Event

Creates a new event in ThreatQ.

Input

Event Type (Required)
    The type of event to create. Possible values include "Spearphish", "Watering Hole", "SQL Injection Attack", "DoS Attack", "Malware", "Watchlist", "Command and Control", "Anonymization", "Exfiltration", "Host Characteristics", "Compromised PKI Certificate", "Login Compromise", "Incident", "Sighting" and other custom event types.
    Example: Watering Hole

Event Source (Optional)
    The source of the event to be created.
    Example: Source

Event Content (Required)
    The content of the event to be created.
    Example: Event_Demo description

Date of Occurrence (Required)
    The occurrence date of the event to be created.
    Example: 2021-10-21 16:40:00

Title (Required)
    The title of the event to be created.
    Example: Event_Demo

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.

SAMPLE DATA

JSON
{
    "data": {
        "title": "Spearphish Event",
        "type_id": *****,
        "description": "Spearphish content",
        "happened_at": "2021-09-27 00:00:00",
        "hash": "*****",
        "updated_at": "2024-10-04 18:48:37",
        "created_at": "2024-10-04 18:48:37",
        "touched_at": "2024-10-04 18:48:37",
        "id": *****,
        "type": {
            "id": *****,
            "name": "Spearphish",
            "user_editable": "N",
            "created_at": "2020-05-18 17:43:03",
            "updated_at": "2020-05-18 17:43:03"
        },
        "sources": [
            {
                "id": *****,
                "reference_id": *****,
                "type": "other_sources",
                "name": "Spearphish source",
                "expire_days": null,
                "expires_needs_calc": "N",
                "score": null,
                "default_tlp_id": null,
                "created_at": "2024-10-04 18:48:37",
                "updated_at": "2024-10-04 18:48:37"
            }
        ]
    }
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
{
    "title": "Spearphish Event",
    "type_id": *****,
    "description": "Spearphish content",
    "happened_at": "2021-09-27 00:00:00",
    "hash": "*****",
    "updated_at": "2024-10-04 18:48:37",
    "created_at": "2024-10-04 18:48:37",
    "touched_at": "2024-10-04 18:48:37",
    "id": *****,
    "type": {
        "id": *****,
        "name": "Spearphish",
        "user_editable": "N",
        "created_at": "2020-05-18 17:43:03",
        "updated_at": "2020-05-18 17:43:03"
    },
    "sources": [
        {
            "id": *****,
            "reference_id": *****,
            "type": "other_sources",
            "name": "Spearphish source",
            "expire_days": null,
            "expires_needs_calc": "N",
            "score": null,
            "default_tlp_id": null,
            "created_at": "2024-10-04 18:48:37",
            "updated_at": "2024-10-04 18:48:37"
        }
    ]
}
Key Fields

Common cyber security indicators such as risk levels, risk level names, unique IDs, file hash values, CVE numbers and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "ID": "*****",
    "Title": "Spearphish Event",
    "Hash": "*****",
    "Type": "Spearphish",
    "Source": [
        "Spearphish source"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

title: Spearphish Event
type_id: *****
description: Spearphish content
happened_at: 2021-09-27 00:00:00
hash: *****
updated_at: 2024-10-04 18:48:37
created_at: 2024-10-04 18:48:37
touched_at: 2024-10-04 18:48:37
id: *****
type: {'id': *****, 'name': 'Spearphish', 'user_editable': 'N', 'created_at': '2020-05-18 17:43:03', 'updated_at': '2020-05-18 17:43:03'}
sources: {'id': *****, 'reference_id': *****, 'type': 'other_sources', 'name': 'Spearphish source', 'expire_days': None, 'expires_needs_calc': 'N', 'score': None, 'default_tlp_id': None, 'created_at': '2024-10-04 18:48:37', 'updated_at': '2024-10-04 18:48:37'}

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error

Failure Indicator
    Indicates the command failure that happened at a specific input and/or API call.
    Example: Create Event failed.

Status Code
    The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command; the user or system support would need to check the permission settings in the ThreatQuotient portal. Refer to the HTTP Status Code Registry for details.
    Example: Status Code: 401.

Message
    The raw data or captured key error message from the integration API server about the API request failure.
    Example: Message: Access denied.

Error Sample Data

Create Event failed.

Status Code: 401.

Message: Access denied.

Create Indicator

Creates a new indicator in ThreatQ.

Input

Indicator Name (Required)
    The name of the indicator to be created.
    Example: *****

Indicator Type (Required)
    The type of indicator to be created.
    Example: IP Address

Indicator Source (Optional)
    The source of the indicator to be created.
    Example: Source

Indicator Status (Required)
    The status of the indicator to be created. Possible values include: "Active", "Expired", "Indirect", "Review", "Whitelisted", and other custom options.
    Example: Active

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.

SAMPLE DATA

JSON
{
    "total": 1,
    "data": [
        {
            "id": *****,
            "type_id": *****,
            "status_id": *****,
            "class": "network",
            "hash": "*****",
            "value": "*****",
            "description": null,
            "last_detected_at": null,
            "expires_at": null,
            "expired_at": null,
            "expires_needs_calc": "Y",
            "expires_calculated_at": null,
            "created_at": "2021-11-08 22:23:21",
            "updated_at": "2024-10-04 18:53:01",
            "touched_at": "2024-10-04 18:53:01",
            "existing": "Y",
            "type": {
                "id": *****,
                "name": "IP Address",
                "class": "network",
                "score": null,
                "wildcard_matching": "N",
                "created_at": "2020-05-18 17:43:04",
                "updated_at": "2020-05-18 17:43:04"
            },
            "status": {
                "id": *****,
                "name": "Active",
                "description": "Poses a threat and is being exported to detection tools.",
                "user_editable": "N",
                "visible": "Y",
                "include_in_export": "Y",
                "protected": "Y",
                "created_at": "2020-05-18 17:44:11",
                "updated_at": "2020-05-18 17:44:11"
            },
            "sources": [
                {
                    "id": *****,
                    "reference_id": *****,
                    "type": "other_sources",
                    "name": "Source",
                    "expire_days": null,
                    "expires_needs_calc": "N",
                    "score": null,
                    "default_tlp_id": null,
                    "created_at": "2021-11-08 20:09:36",
                    "updated_at": "2021-11-08 20:09:36"
                }
            ]
        }
    ]
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
[
    {
        "id": *****,
        "type_id": *****,
        "status_id": *****,
        "class": "network",
        "hash": "*****",
        "value": "*****",
        "description": null,
        "last_detected_at": null,
        "expires_at": null,
        "expired_at": null,
        "expires_needs_calc": "Y",
        "expires_calculated_at": null,
        "created_at": "2021-11-08 22:23:21",
        "updated_at": "2024-10-04 18:53:01",
        "touched_at": "2024-10-04 18:53:01",
        "existing": "Y",
        "type": {
            "id": *****,
            "name": "IP Address",
            "class": "network",
            "score": null,
            "wildcard_matching": "N",
            "created_at": "2020-05-18 17:43:04",
            "updated_at": "2020-05-18 17:43:04"
        },
        "status": {
            "id": *****,
            "name": "Active",
            "description": "Poses a threat and is being exported to detection tools.",
            "user_editable": "N",
            "visible": "Y",
            "include_in_export": "Y",
            "protected": "Y",
            "created_at": "2020-05-18 17:44:11",
            "updated_at": "2020-05-18 17:44:11"
        },
        "sources": [
            {
                "id": *****,
                "reference_id": *****,
                "type": "other_sources",
                "name": "Source",
                "expire_days": null,
                "expires_needs_calc": "N",
                "score": null,
                "default_tlp_id": null,
                "created_at": "2021-11-08 20:09:36",
                "updated_at": "2021-11-08 20:09:36"
            }
        ]
    }
]
Key Fields

Common cyber security indicators such as risk levels, risk level names, unique IDs, file hash values, CVE numbers and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "ID": [
        "*****"
    ],
    "Class": [
        "network"
    ],
    "Hash": [
        "*****"
    ],
    "Value": [
        "*****"
    ],
    "Status": [
        "Active"
    ],
    "Type": [
        "IP Address"
    ],
    "Source": [
        "Source"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id: *****
type_id: *****
status_id: *****
class: network
hash: *****
value: *****
description: None
last_detected_at: None
expires_at: None
expired_at: None
expires_needs_calc: Y
expires_calculated_at: None
created_at: 2021-11-08 22:23:21
updated_at: 2024-10-04 18:53:01
touched_at: 2024-10-04 18:53:01
existing: Y
type: {'id': *****, 'name': 'IP Address', 'class': 'network', 'score': None, 'wildcard_matching': 'N', 'created_at': '2020-05-18 17:43:04', 'updated_at': '2020-05-18 17:43:04'}
status: {'id': *****, 'name': 'Active', 'description': 'Poses a threat and is being exported to detection tools.', 'user_editable': 'N', 'visible': 'Y', 'include_in_export': 'Y', 'protected': 'Y', 'created_at': '2020-05-18 17:44:11', 'updated_at': '2020-05-18 17:44:11'}
sources: [{'id': *****, 'reference_id': *****, 'type': 'other_sources', 'name': 'Source', 'expire_days': None, 'expires_needs_calc': 'N', 'score': None, 'default_tlp_id': None, 'created_at': '2021-11-08 20:09:36', 'updated_at': '2021-11-08 20:09:36'}]

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error

Failure Indicator
    Indicates the command failure that happened at a specific input and/or API call.
    Example: Create Indicator failed.

Status Code
    The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command; the user or system support would need to check the permission settings in the ThreatQuotient portal. Refer to the HTTP Status Code Registry for details.
    Example: Status Code: 400.

Message
    The raw data or captured key error message from the integration API server about the API request failure.
    Example: Message: The indicator value and type do not match.

Error Sample Data

Create Indicator failed.

Status Code: 400.

Message: The indicator value and type do not match.

Create Object

Creates a new object in ThreatQ.

Input

Object Type (Required)
    The type of object to be created.
    Example: attack_pattern

Object Name (Required)
    The name of the object to be created.
    Example: objectcreationdemo

Object Description (Required)
    Provide a description for the object to be created.
    Example: attack_pattern_objectdemo

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.

SAMPLE DATA

JSON
{
    "data": {
        "value": "123",
        "description": "Attack",
        "updated_at": "2024-10-03 17:43:46",
        "created_at": "2024-10-03 17:43:46",
        "id": *****,
        "object_id": *****,
        "object_code": "attack_pattern",
        "object_name": "Attack Pattern",
        "object_name_plural": "Attack Patterns"
    }
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
{
    "value": "123",
    "description": "Attack",
    "updated_at": "2024-10-03 17:43:46",
    "created_at": "2024-10-03 17:43:46",
    "id": *****,
    "object_id": *****,
    "object_code": "attack_pattern",
    "object_name": "Attack Pattern",
    "object_name_plural": "Attack Patterns"
}
Key Fields

Common cyber security indicators such as risk levels, risk level names, unique IDs, file hash values, CVE numbers and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "ID": "*****"
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

value: 123
description: Attack
updated_at: 2024-10-03 17:43:46
created_at: 2024-10-03 17:43:46
id: *****
object_id: *****
object_code: attack_pattern
object_name: Attack Pattern
object_name_plural: Attack Patterns

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error

Failure Indicator
    Indicates the command failure that happened at a specific input and/or API call.
    Example: Create Object failed.

Status Code
    The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command; the user or system support would need to check the permission settings in the ThreatQuotient portal. Refer to the HTTP Status Code Registry for details.
    Example: Status Code: 401.

Message
    The raw data or captured key error message from the integration API server about the API request failure.
    Example: Message: Access denied

Error Sample Data

Create Object failed.

Status Code: 401.

Message: Access denied

Delete File

Deletes an uploaded file.

READER NOTE

File ID is a required parameter to run this command.

  • Run the Get Object ID by Value command to obtain the File ID. File IDs can be found in the raw data at the path $.data[*].id.

Input

File IDs (Attachment IDs) (Required)
    The IDs of the files to delete. File IDs can be obtained using the Get Object ID by Value command.
    Example (JSON): ["*****","*****"]

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.

SAMPLE DATA

JSON
{
    "fileIDs": [
        "*****"
    ],
    "actionResult": "Deleted file(s) successfully"
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
{
    "fileIDs": [
        "*****"
    ],
    "actionResult": "Deleted file(s) successfully"
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

fileIDs: *****
actionResult: Deleted file(s) successfully

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error

Failure Indicator
    Indicates the command failure that happened at a specific input and/or API call.
    Example: Delete File failed.

Status Code
    The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command; the user or system support would need to check the permission settings in the ThreatQuotient portal. Refer to the HTTP Status Code Registry for details.
    Example: Status Code: 404.

Message
    The raw data or captured key error message from the integration API server about the API request failure.
    Example: Message: File ID 23: Not found.

Error Sample Data

Delete File failed.

Status Code: 404.

Message: File ID 23: Not found.

Download File

Downloads the specified file(s) from ThreatQ.

READER NOTE

File ID is a required parameter to run this command.

  • Run the Check File Reputation command to obtain the File ID.

  • Run the List File command to obtain the File ID. File IDs can be found in the raw data at the path $.data[*].id.

Input

File IDs (Attachment IDs) (Required)
    The IDs of the files (attachments) to be downloaded. File IDs can be obtained using the Check File Reputation or List File command.
    Example (JSON): ["*****"]

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.

SAMPLE DATA

JSON
[
    {
        "fileId": "*****",
        "fileName": "IR-*****.pdf.zip",
        "md5": "*****",
        "sha1": "*****",
        "sha256": "*****"
    }
]
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
[
    {
        "fileId": "*****",
        "fileName": "IR-*****.pdf.zip",
        "md5": "*****",
        "sha1": "*****",
        "sha256": "*****"
    }
]
Key Fields

Common cyber security indicators such as risk levels, risk level names, unique IDs, file hash values, CVE numbers and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
    "FileIDs": [
        "*****"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

File Name: IR-*****.pdf.zip
MD5 Hash: *****
SHA1 Hash: *****
SHA256 Hash: *****

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error

Failure Indicator
    Indicates the command failure that happened at a specific input and/or API call.
    Example: Download File failed.

Status Code
    The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command; the user or system support would need to check the permission settings in the ThreatQuotient portal. Refer to the HTTP Status Code Registry for details.
    Example: Status Code: 401.

Message
    The raw data or captured key error message from the integration API server about the API request failure.
    Example: Message: Access denied.

Error Sample Data

Download File failed.

Status Code: 401.

Message: Access denied.

Fetch Event

Retrieves events from the ThreatQ Library.

Input

Start Time (Required)
    The start of the time range within which events are fetched.
    Example: 2010-10-16 22:35:00

End Time (Optional)
    The end of the time range within which events are fetched.
    Example: 2022-10-16 22:35:00

Number of Event(s) Fetched (Optional)
    The maximum number of recent events to be fetched.
    Example: 2

Search Condition (Optional)
    The criteria and filters for the query. Two query syntaxes are supported. The first is the simple syntax, in the format "type=Malware source=Crowdstrike". Only type and source are supported in the simple syntax; multiple values for a key are allowed, using a comma as the delimiter. The second is the ThreatQ SOLR query structure (JSON). Refer to the ThreatQ API documentation for details. Do not use "created_at" in the SOLR query structure, as it will be disregarded.
    Example: type=Malware,DoS Attack source=Crowdstrike,Source
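As an added example (not D3 SOAR or ThreatQuotient code), the following Python parses the simple Search Condition syntax described above, handling values that contain spaces such as "DoS Attack", flags a disregarded created_at key inside a SOLR-structured (JSON) condition, and applies a parsed condition to event records shaped like the Fetch Event Raw Data sample. The event field paths (type.name, sources[*].name), the case-insensitive matching, and the sample events are assumptions of this example.

```python
from __future__ import annotations

import json
import re

# The simple syntax documented for Search Condition supports only these keys.
SUPPORTED_KEYS = ("type", "source")

# A key token is a word followed by "=" at the start of the string or after
# whitespace. Splitting on key tokens instead of on spaces keeps values that
# contain spaces, such as "DoS Attack", intact.
_KEY_TOKEN = re.compile(r"(?:^|\s+)([A-Za-z_]+)=")


def parse_simple_condition(condition: str) -> dict[str, list[str]]:
    """Parse "type=Malware,DoS Attack source=Crowdstrike,Source" into
    {"type": [...], "source": [...]}. Unsupported or duplicate keys and empty
    values raise ValueError, so a malformed condition is caught in the playbook
    rather than sent as a query that silently matches nothing."""
    condition = condition.strip()
    if not condition:
        return {}
    matches = list(_KEY_TOKEN.finditer(condition))
    if not matches or matches[0].start() != 0:
        raise ValueError(f"condition must start with a key: {condition!r}")
    parsed: dict[str, list[str]] = {}
    for i, m in enumerate(matches):
        key = m.group(1).lower()
        if key not in SUPPORTED_KEYS:
            raise ValueError(f"unsupported key {key!r}; use one of {SUPPORTED_KEYS}")
        if key in parsed:
            raise ValueError(f"duplicate key {key!r}")
        # Values run from the end of this key token to the start of the next one.
        end = matches[i + 1].start() if i + 1 < len(matches) else len(condition)
        values = [v.strip() for v in condition[m.end():end].split(",") if v.strip()]
        if not values:
            raise ValueError(f"no value given for {key!r}")
        parsed[key] = values
    return parsed


def find_ignored_keys(node, ignored=("created_at",), path="$") -> list[str]:
    """Walk a SOLR-structure (JSON) condition and return the JSON paths of keys
    the page says are disregarded (created_at). The exact ThreatQ SOLR layout is
    not assumed; any nesting of objects and arrays is searched."""
    found: list[str] = []
    if isinstance(node, dict):
        for k, v in node.items():
            child = f"{path}.{k}"
            if k in ignored:
                found.append(child)
            found.extend(find_ignored_keys(v, ignored, child))
    elif isinstance(node, list):
        for i, v in enumerate(node):
            found.extend(find_ignored_keys(v, ignored, f"{path}[{i}]"))
    return found


def event_matches(event: dict, parsed: dict[str, list[str]]) -> bool:
    """Apply a parsed simple condition to one event record. Field paths follow
    the Fetch Event Raw Data sample: type name at type.name, source names at
    sources[*].name. Case-insensitive matching is an assumption of this example."""
    wanted_types = {t.lower() for t in parsed.get("type", [])}
    wanted_sources = {s.lower() for s in parsed.get("source", [])}
    if wanted_types and event.get("type", {}).get("name", "").lower() not in wanted_types:
        return False
    if wanted_sources:
        names = {s.get("name", "").lower() for s in event.get("sources", [])}
        if not names & wanted_sources:
            return False
    return True


def filter_events(events: list[dict], condition: str) -> list[dict]:
    """Filter event records locally with a simple-syntax Search Condition."""
    parsed = parse_simple_condition(condition)
    return [e for e in events if event_matches(e, parsed)]


# Constructed sample events, shaped like the Fetch Event Raw Data on this page.
SAMPLE_EVENTS = [
    {"id": 1, "title": "Spearphish Event", "type": {"name": "Spearphish"},
     "sources": [{"name": "Spearphish source"}]},
    {"id": 2, "title": "Malware Event", "type": {"name": "Malware"},
     "sources": [{"name": "Crowdstrike"}]},
    {"id": 3, "title": "DoS Event", "type": {"name": "DoS Attack"},
     "sources": [{"name": "Source"}]},
    {"id": 4, "title": "DoS Event 2", "type": {"name": "DoS Attack"},
     "sources": [{"name": "Other"}]},
]

if __name__ == "__main__":
    cond = "type=Malware,DoS Attack source=Crowdstrike,Source"
    print(parse_simple_condition(cond))
    print([e["id"] for e in filter_events(SAMPLE_EVENTS, cond)])
    # A constructed SOLR-style condition; only the disregarded key is reported.
    solr = json.loads('{"criteria": [{"created_at": {"gt": "2021-01-01"}}]}')
    print(find_ignored_keys(solr))
```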

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.

SAMPLE DATA

JSON
{
    "total": 28,
    "data": [
        {
            "updated_at": "2024-10-04 18:48:37",
            "description": "Spearphish content",
            "title": "Spearphish Event",
            "published_at": "2024-10-04 18:48:37",
            "type_id": *****,
            "happened_at": "2021-09-27 00:00:00",
            "touched_at": "2024-10-04 18:48:37",
            "created_at": "2024-10-04 18:48:37",
            "id": *****,
            "hash": "*****",
            "adversaries": [],
            "type": {
                "name": "Spearphish",
                "id": *****
            },
            "sources": [
                {
                    "updated_at": "2024-10-04 18:48:37",
                    "source_id": *****,
                    "type": "other_sources",
                    "creator_source_id": *****,
                    "event_id": *****,
                    "created_at": "2024-10-04 18:48:37",
                    "id": *****,
                    "reference_id": *****,
                    "published_at": "2024-10-04 18:48:37",
                    "name": "Spearphish source"
                }
            ]
        }
    ],
    "limit": 1,
    "offset": 0
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
[
    {
        "updated_at": "2024-10-04 18:48:37",
        "description": "Spearphish content",
        "title": "Spearphish Event",
        "published_at": "2024-10-04 18:48:37",
        "type_id": *****,
        "happened_at": "2021-09-27 00:00:00",
        "touched_at": "2024-10-04 18:48:37",
        "created_at": "2024-10-04 18:48:37",
        "id": *****,
        "hash": "*****",
        "adversaries": [],
        "type": {
            "name": "Spearphish",
            "id": *****
        },
        "sources": [
            {
                "updated_at": "2024-10-04 18:48:37",
                "source_id": *****,
                "type": "other_sources",
                "creator_source_id": *****,
                "event_id": *****,
                "created_at": "2024-10-04 18:48:37",
                "id": *****,
                "reference_id": *****,
                "published_at": "2024-10-04 18:48:37",
                "name": "Spearphish source"
            }
        ]
    }
]
Key Fields

Common cyber security indicators such as risk levels, risk level names, unique IDs, file hash values, CVE numbers and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "IDs": [
        "*****"
    ],
    "Titles": [
        "Spearphish Event"
    ],
    "Hashes": [
        "*****"
    ],
    "Types": [
        "Spearphish"
    ],
    "Sources": [
        "Spearphish source"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| Field | Value |
|---|---|
| id | ***** |
| type_id | ***** |
| status_id | ***** |
| class | network |
| hash | ***** |
| value | ***** |
| description | None |
| last_detected_at | None |
| expires_at | None |
| expired_at | None |
| expires_needs_calc | Y |
| expires_calculated_at | None |
| created_at | 2021-11-08 22:23:21 |
| updated_at | 2024-10-04 18:53:01 |
| touched_at | 2024-10-04 18:53:01 |
| existing | Y |
| type | {'id': *****, 'name': 'IP Address', 'class': 'network', 'score': None, 'wildcard_matching': 'N', 'created_at': '2020-05-18 17:43:04', 'updated_at': '2020-05-18 17:43:04'} |
| status | {'id': *****, 'name': 'Active', 'description': 'Poses a threat and is being exported to detection tools.', 'user_editable': 'N', 'visible': 'Y', 'include_in_export': 'Y', 'protected': 'Y', 'created_at': '2020-05-18 17:44:11', 'updated_at': '2020-05-18 17:44:11'} |
| sources | [{'id': *****, 'reference_id': *****, 'type': 'other_sources', 'name': 'Source', 'expire_days': None, 'expires_needs_calc': 'N', 'score': None, 'default_tlp_id': None, 'created_at': '2021-11-08 20:09:36', 'updated_at': '2021-11-08 20:09:36'}] |

Fetch Event Field Mapping

Fetch Event commands require event field mapping. Field mapping plays a key role for data normalization within the event pipeline. Field mapping converts the original data fields from the different providers to standardized D3 fields as defined by the D3 Model. Refer to Event and Incident Intake Field Mapping for details.

To customize field mapping, click + Add Field and add the custom field of your choice. You can also remove built-in field mappings by clicking x. Note that two underscore characters will automatically prefix the defined Field Name as the System Name for a custom field mapping. Additionally, if an input Field Name contains any spaces, they will automatically be replaced with underscores for the corresponding System Name.

As a system integration, the ThreatQuotient integration ships with a set of pre-configured default field mappings.

Default Event Source

  • The Default Event Source is the default set of field mappings applied when this Fetch Event command is executed. For out-of-the-box integrations, the system provides a set of field mappings for common fields in fetched events (e.g. created_at and happened_at). The default event source has a "Main Event JSON Path" (i.e. $.data) that is used to extract the batch of events from the raw response data. Click Edit Main JSON Path to view the "Main Event JSON Path".

  • Main Event JSON Path: $.data

The Main Event JSON Path determines the root path where the system starts parsing raw response data into D3 event data. The JSON path begins with $, representing the root element. The path is formed by appending a sequence of child elements to $, each separated by a dot (.). Square brackets with nested quotation marks ([‘...’]) should be used to separate child elements in JSON arrays.

For example, the root node of a JSON Path is data. The child node denoting the Unique Event Key field would be id. Putting it together, the JSON Path expression to extract the Unique Event Key is $.data.id.

The pre-configured field mappings are detailed below:

| Field Name | Source Field |
|---|---|
| Unique Event Key | .id |
| Event name | .title |
| Event Type | .type.name |
| HappenedTime | .happened_at |
| Hash | .hash |
| Start Time | .created_at |
| Description | .description |
| Modified Time | .touched_at |
| Source vendor name | .sources[*].name |
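To show how the Main Event JSON Path and the Source Field mappings above combine, here is an added Python example (not D3's own implementation) that resolves the table's paths against a constructed, trimmed copy of the Fetch Event sample data. It assumes that the Source Field paths are relative to each event selected by $.data, that a [*] wildcard fans out to a list, and that bracket notation uses ASCII quotes; it also implements the System Name rule for custom fields (two leading underscores, spaces replaced by underscores).

```python
import json
import re

# Constructed sample, trimmed from the Fetch Event Raw Data shown on this page,
# with the redacted ***** values replaced by placeholders and a second source
# added so the [*] wildcard has something to fan out over.
RAW_DATA = json.loads("""
{
  "total": 28,
  "data": [
    {
      "id": 101,
      "title": "Spearphish Event",
      "description": "Spearphish content",
      "hash": "PLACEHOLDER_HASH",
      "happened_at": "2021-09-27 00:00:00",
      "created_at": "2024-10-04 18:48:37",
      "touched_at": "2024-10-04 18:48:37",
      "type": {"name": "Spearphish", "id": 1},
      "sources": [
        {"id": 7, "name": "Spearphish source"},
        {"id": 8, "name": "Second source"}
      ]
    }
  ],
  "limit": 1,
  "offset": 0
}
""")

MAIN_EVENT_JSON_PATH = "$.data"

# The pre-configured mappings from the table above. Source Field paths are
# taken to be relative to each event under the Main Event JSON Path (an
# assumption of this example).
FIELD_MAPPING = {
    "Unique Event Key": ".id",
    "Event name": ".title",
    "Event Type": ".type.name",
    "HappenedTime": ".happened_at",
    "Hash": ".hash",
    "Start Time": ".created_at",
    "Description": ".description",
    "Modified Time": ".touched_at",
    "Source vendor name": ".sources[*].name",
}

# Path tokens: .name, ['quoted name'], [n] and the [*] wildcard.
_TOKEN_RE = re.compile(r"\.?([A-Za-z_][A-Za-z0-9_]*)|\['([^']*)'\]|\[(\d+)\]|\[\*\]")


def tokenize(path):
    """Split a JSON path such as $.data[0].type['name'] into a token list."""
    if path.startswith("$"):
        path = path[1:]
    tokens, pos = [], 0
    while pos < len(path):
        match = _TOKEN_RE.match(path, pos)
        if match is None:
            raise ValueError("unsupported path syntax at %r" % path[pos:])
        name, quoted, index = match.group(1), match.group(2), match.group(3)
        if name is not None:
            tokens.append(name)
        elif quoted is not None:
            tokens.append(quoted)
        elif index is not None:
            tokens.append(int(index))
        else:
            tokens.append("*")
        pos = match.end()
    return tokens


def extract(node, path):
    """Resolve `path` against `node`; a path containing [*] yields a list, otherwise a scalar or None."""
    tokens = tokenize(path)
    current = [node]
    for token in tokens:
        following = []
        for item in current:
            if token == "*" and isinstance(item, list):
                following.extend(item)
            elif isinstance(token, int) and isinstance(item, list) and token < len(item):
                following.append(item[token])
            elif isinstance(token, str) and isinstance(item, dict) and token in item:
                following.append(item[token])
        current = following
    if "*" in tokens:
        return current
    return current[0] if current else None


def normalize_events(raw, main_path=MAIN_EVENT_JSON_PATH, mapping=FIELD_MAPPING):
    """Apply the field mapping to every event found under the Main Event JSON Path."""
    events = extract(raw, main_path)
    if not isinstance(events, list):
        raise ValueError("main event path %s did not resolve to a list of events" % main_path)
    return [{field: extract(event, source) for field, source in mapping.items()} for event in events]


def system_name(field_name):
    """System Name of a custom field: two leading underscores, spaces replaced by underscores."""
    return "__" + field_name.replace(" ", "_")
```

A mapping whose path does not exist in an event resolves to None rather than raising, which mirrors the practical need to keep ingesting events whose optional fields are absent.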

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Fetch Event failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command; the user or system support would need to check the permission settings in the ThreatQuotient portal. Refer to the HTTP Status Code Registry for details. | Status Code: 401. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Authentication failed. |

Error Sample Data

Fetch Event failed.

Status Code: 401.

Message: Authentication failed.

Get Object ID by Value

Retrieves Object ID(s) by value in ThreatQ.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Object Type | Required | The type of the object whose ID is to be retrieved. | vulnerability |
| Object Value | Required | The value of the object whose ID is to be retrieved. | CVE |

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.

SAMPLE DATA

JSON
{
    "data": [
        {
            "id": *****,
            "object": "indicator",
            "value": "IR-*****.pdf"
        },
        {
            "id": *****,
            "object": "attachment",
            "value": "IR-*****.pdf"
        }
    ]
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
[
    {
        "id": *****,
        "object": "attachment",
        "value": "IR-*****.pdf"
    }
]
Key Fields

Common cyber security indicators such as risk levels, risk level names, unique IDs, file hash values, CVE numbers and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "IDs": [
        "*****"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| id | object | value |
|---|---|---|
| ***** | attachment | IR-*****.pdf |

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Object ID by Value failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command; the user or system support would need to check the permission settings in the ThreatQuotient portal. Refer to the HTTP Status Code Registry for details. | Status Code: 401. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Access denied. |

Error Sample Data

Get Object ID by Value failed.

Status Code: 401.

Message: Access denied.

Link Object

Links two objects in ThreatQ.

READER NOTE

Object 1 ID and Object 2 ID are required parameters to run this command.

  • Run the Get Object ID by Value command to obtain the Object 1 ID and Object 2 ID. The IDs can be found in that command's raw data at the path $.data[*].id.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Object 1 Type | Required | The type of the first object to link. | indicators |
| Object 1 ID | Required | The ID of the first object to link. Object IDs can be obtained using the Get Object ID by Value command. | ***** |
| Object 2 Type | Required | The type of the second object to link. | adversaries |
| Object 2 ID | Required | The ID of the second object to link. Object IDs can be obtained using the Get Object ID by Value command. | ***** |
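The Get Object ID by Value sample above returns two records for the same value (one indicator and one attachment), so a playbook that blindly takes $.data[0].id can link the wrong object. The following added Python example (not part of the D3 integration) selects the ID by the record's object field and assembles the four Link Object inputs. The sample data and IDs are constructed, and because the page does not state how the singular object names in the raw data map to the plural Object Type values, both are passed explicitly.

```python
# Constructed sample shaped like the Get Object ID by Value Raw Data on this
# page (redacted ***** values replaced with placeholders). The same value is
# present both as an indicator and as an attachment.
GET_OBJECT_ID_RAW = {
    "data": [
        {"id": 501, "object": "indicator", "value": "IR-SAMPLE.pdf"},
        {"id": 502, "object": "attachment", "value": "IR-SAMPLE.pdf"},
    ]
}


def select_object_id(raw, object_name, value=None):
    """Pick the single ID under $.data[*] whose `object` (and optionally `value`) match.

    Raises LookupError when nothing matches or more than one record matches,
    so the caller never links the wrong object by taking $.data[0].id blindly.
    """
    candidates = [
        record for record in raw.get("data", [])
        if record.get("object") == object_name
        and (value is None or record.get("value") == value)
    ]
    if not candidates:
        raise LookupError("no %s object found for value %r" % (object_name, value))
    if len(candidates) > 1:
        raise LookupError("%d %s objects match value %r; refine the lookup"
                          % (len(candidates), object_name, value))
    return candidates[0]["id"]


def build_link_object_inputs(raw_1, object_name_1, object_1_type,
                             raw_2, object_name_2, object_2_type):
    """Assemble the four Link Object inputs from two Get Object ID by Value results.

    object_name_* is the singular `object` field from the raw data (e.g. "indicator");
    object_*_type is the plural type string the Link Object command takes (e.g.
    "indicators"). The page gives no mapping between the two, so both are explicit.
    """
    return {
        "Object 1 Type": object_1_type,
        "Object 1 ID": select_object_id(raw_1, object_name_1),
        "Object 2 Type": object_2_type,
        "Object 2 ID": select_object_id(raw_2, object_name_2),
    }
```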

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.

SAMPLE DATA

JSON
{
    "total": 1,
    "data": [
        {
            "id": *****,
            "name": "Adversary Name88899900000",
            "created_at": "2021-11-08 20:08:35",
            "updated_at": "2021-11-08 20:08:35",
            "touched_at": "2022-02-11 19:21:32",
            "pivot": {
                "id": *****,
                "created_at": "2021-11-29 21:49:38",
                "updated_at": "2021-11-29 21:49:38"
            }
        }
    ]
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
[
    {
        "id": *****,
        "name": "Adversary Name88899900000",
        "created_at": "2021-11-08 20:08:35",
        "updated_at": "2021-11-08 20:08:35",
        "touched_at": "2022-02-11 19:21:32",
        "pivot": {
            "id": *****,
            "created_at": "2021-11-29 21:49:38",
            "updated_at": "2021-11-29 21:49:38"
        }
    }
]
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| Field | Value |
|---|---|
| id | ***** |
| name | Adversary Name88899900000 |
| created_at | 2021-11-08 20:08:35 |
| updated_at | 2021-11-08 20:08:35 |
| touched_at | 2022-02-11 19:21:32 |
| pivot | {'id': *****, 'created_at': '2021-11-29 21:49:38', 'updated_at': '2021-11-29 21:49:38'} |

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Link Object failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command; the user or system support would need to check the permission settings in the ThreatQuotient portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Bad request. |

Error Sample Data

Link Object failed.

Status Code: 400.

Message: Bad request.

List Adversaries

Retrieves a list of all adversaries.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Limit | Optional | The maximum number of records to retrieve. | 2 |
| Offset | Optional | The record that will appear first in the retrieved list of adversaries. | 100 |
| Sort | Optional | The field used to sort the retrieved list. Prepend a minus sign (-) to reverse the sorting order. Multiple sort fields can be given as a comma-separated list. | -id |
| With | Optional | A comma-separated list of related objects to include in the response. Options for this endpoint include: "adversaries", "attachments", "attributes", "comments", "description", "events", "indicators", "plugins", "pluginActions", "signatures", "sources", "tags", "valueWeight", "watchlist". | adversaries,attachments,attributes,comments,description,events,indicators,plugins,pluginActions,signatures,sources,tags,valueWeight,watchlist |
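An added Python example (not D3's or ThreatQ's code) that validates the With list against the options listed above, parses the Sort specification, and pages through a Limit/Offset endpoint using the total count the response carries. The endpoint itself is replaced by a constructed in-memory stand-in; the stop-on-empty-page guard and the multi-key sort semantics are assumptions of this example.

```python
# Related objects the List Adversaries "With" parameter accepts, per this page.
ALLOWED_WITH = {
    "adversaries", "attachments", "attributes", "comments", "description", "events",
    "indicators", "plugins", "pluginActions", "signatures", "sources", "tags",
    "valueWeight", "watchlist",
}


def validate_with(spec):
    """Split a comma-separated With value and reject names this endpoint does not support."""
    items = [item.strip() for item in spec.split(",") if item.strip()]
    unknown = [item for item in items if item not in ALLOWED_WITH]
    if unknown:
        raise ValueError("unsupported related objects for List Adversaries: %s" % ", ".join(unknown))
    return items


def parse_sort(spec):
    """'-id,name' -> [('id', True), ('name', False)]; True means descending."""
    fields = []
    for part in spec.split(","):
        part = part.strip()
        if part:
            fields.append((part.lstrip("-"), part.startswith("-")))
    return fields


# Constructed in-memory stand-in for the List Adversaries endpoint: seven
# records, enough to need several pages when Limit is small.
ADVERSARIES = [
    {"id": i, "name": "Adversary Demo%d" % i, "touched_at": "2024-10-0%d 18:43:41" % (8 - i)}
    for i in range(1, 8)
]


def fake_list_adversaries(limit, offset, sort="id", with_=""):
    """Mimic the endpoint's paging: apply Sort, then return Limit records starting at Offset."""
    if with_:
        validate_with(with_)
    records = list(ADVERSARIES)
    # Apply sort keys from least to most significant; Python's sort is stable,
    # so the first key in the spec ends up as the primary order.
    for field, descending in reversed(parse_sort(sort)):
        records.sort(key=lambda record: record[field], reverse=descending)
    return {"total": len(records), "data": records[offset:offset + limit]}


def list_all_adversaries(list_fn, limit=2, sort="id", with_=""):
    """Page through a Limit/Offset endpoint until `total` records have been collected."""
    collected, offset = [], 0
    while True:
        response = list_fn(limit=limit, offset=offset, sort=sort, with_=with_)
        page = response["data"]
        collected.extend(page)
        offset += len(page)
        # Stop on an empty page as well, in case `total` changes between calls.
        if not page or offset >= response["total"]:
            break
    return collected
```

Validating With before the call is worth the few lines: the option lists differ per endpoint (compare List File below, which accepts "contentType" and "type" but not "plugins"), and an unsupported name surfaces only as an API error at run time.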

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.

SAMPLE DATA

JSON
{
    "total": 34,
    "data": [
        {
            "id": *****,
            "name": "Adversary Demo1",
            "created_at": "2024-10-04 18:43:40",
            "updated_at": "2024-10-04 18:43:40",
            "touched_at": "2024-10-04 18:43:41",
            "adversaries": [],
            "attachments": [],
            "attributes": [],
            "comments": [],
            "description": {
                "id": *****,
                "adversary_id": *****,
                "value_id": *****,
                "created_at": "2024-10-04 18:43:41"
            },
            "events": [],
            "indicators": [],
            "plugins": [],
            "plugin_actions": [],
            "signatures": [],
            "sources": [
                {
                    "id": *****,
                    "type": "other_sources",
                    "reference_id": *****,
                    "name": "Adversary source",
                    "tlp_id": null,
                    "created_at": "2024-10-04 18:43:40",
                    "updated_at": "2024-10-04 18:43:40",
                    "published_at": null,
                    "pivot": {
                        "adversary_id": *****,
                        "source_id": *****,
                        "id": *****,
                        "creator_source_id": *****
                    }
                }
            ],
            "tags": [],
            "value_weight": null,
            "watchlist": []
        },
        {
            "id": *****,
            "name": "Adversary Demo",
            "created_at": "2024-10-02 22:28:33",
            "updated_at": "2024-10-02 22:28:33",
            "touched_at": "2024-10-02 22:28:34",
            "adversaries": [],
            "attachments": [],
            "attributes": [],
            "comments": [],
            "description": null,
            "events": [],
            "indicators": [],
            "plugins": [],
            "plugin_actions": [],
            "signatures": [],
            "sources": [
                {
                    "id": *****,
                    "type": "other_sources",
                    "reference_id": *****,
                    "name": "Adversary source",
                    "tlp_id": null,
                    "created_at": "2024-10-02 22:28:33",
                    "updated_at": "2024-10-02 22:28:33",
                    "published_at": null,
                    "pivot": {
                        "adversary_id": *****,
                        "source_id": *****,
                        "id": *****,
                        "creator_source_id": *****
                    }
                }
            ],
            "tags": [],
            "value_weight": null,
            "watchlist": []
        }
    ]
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
[
    {
        "id": *****,
        "name": "Adversary Demo1",
        "created_at": "2024-10-04 18:43:40",
        "updated_at": "2024-10-04 18:43:40",
        "touched_at": "2024-10-04 18:43:41",
        "adversaries": [],
        "attachments": [],
        "attributes": [],
        "comments": [],
        "description": {
            "id": *****,
            "adversary_id": *****,
            "value_id": *****,
            "created_at": "2024-10-04 18:43:41"
        },
        "events": [],
        "indicators": [],
        "plugins": [],
        "plugin_actions": [],
        "signatures": [],
        "sources": [
            {
                "id": *****,
                "type": "other_sources",
                "reference_id": *****,
                "name": "Adversary source",
                "tlp_id": null,
                "created_at": "2024-10-04 18:43:40",
                "updated_at": "2024-10-04 18:43:40",
                "published_at": null,
                "pivot": {
                    "adversary_id": *****,
                    "source_id": *****,
                    "id": *****,
                    "creator_source_id": *****
                }
            }
        ],
        "tags": [],
        "value_weight": null,
        "watchlist": []
    },
    {
        "id": *****,
        "name": "Adversary Demo",
        "created_at": "2024-10-02 22:28:33",
        "updated_at": "2024-10-02 22:28:33",
        "touched_at": "2024-10-02 22:28:34",
        "adversaries": [],
        "attachments": [],
        "attributes": [],
        "comments": [],
        "description": null,
        "events": [],
        "indicators": [],
        "plugins": [],
        "plugin_actions": [],
        "signatures": [],
        "sources": [
            {
                "id": *****,
                "type": "other_sources",
                "reference_id": *****,
                "name": "Adversary source",
                "tlp_id": null,
                "created_at": "2024-10-02 22:28:33",
                "updated_at": "2024-10-02 22:28:33",
                "published_at": null,
                "pivot": {
                    "adversary_id": *****,
                    "source_id": *****,
                    "id": *****,
                    "creator_source_id": *****
                }
            }
        ],
        "tags": [],
        "value_weight": null,
        "watchlist": []
    }
]
Key Fields

Common cyber security indicators such as risk levels, risk level names, unique IDs, file hash values, CVE numbers and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "Names": [
        "Adversary Demo1",
        "Adversary Demo"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| Field | First record | Second record |
|---|---|---|
| id | ***** | ***** |
| name | Adversary Demo1 | Adversary Demo |
| created_at | 2024-10-04 18:43:40 | 2024-10-02 22:28:33 |
| updated_at | 2024-10-04 18:43:40 | 2024-10-02 22:28:33 |
| touched_at | 2024-10-04 18:43:41 | 2024-10-02 22:28:34 |
| adversaries | [] | [] |
| attachments | [] | [] |
| attributes | [] | [] |
| comments | [] | [] |
| description | {'id': *****, 'adversary_id': *****, 'value_id': *****, 'created_at': '2024-10-04 18:43:41'} | None |
| events | [] | [] |
| indicators | [] | [] |
| plugins | [] | [] |
| plugin_actions | [] | [] |
| signatures | [] | [] |
| sources | [{'id': *****, 'type': 'other_sources', 'reference_id': *****, 'name': 'Adversary source', 'tlp_id': None, 'created_at': '2024-10-04 18:43:40', 'updated_at': '2024-10-04 18:43:40', 'published_at': None, 'pivot': {'adversary_id': *****, 'source_id': *****, 'id': *****, 'creator_source_id': *****}}] | [{'id': *****, 'type': 'other_sources', 'reference_id': *****, 'name': 'Adversary source', 'tlp_id': None, 'created_at': '2024-10-02 22:28:33', 'updated_at': '2024-10-02 22:28:33', 'published_at': None, 'pivot': {'adversary_id': *****, 'source_id': *****, 'id': *****, 'creator_source_id': *****}}] |
| tags | [] | [] |
| value_weight | None | None |
| watchlist | [] | [] |

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Adversaries failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command; the user or system support would need to check the permission settings in the ThreatQuotient portal. Refer to the HTTP Status Code Registry for details. | Status Code: 401. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Access denied. |

Error Sample Data

List Adversaries failed.

Status Code: 401.

Message: Access denied.

List Attachment Types

Retrieves the list of all attachment (file) types.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "total": 2,
    "data": [
        {
            "id": *****,
            "name": "Cuckoo",
            "is_parsable": "Y",
            "parser_class": "Cuckoo",
            "created_at": "2021-12-10 20:52:22",
            "updated_at": "2021-12-10 20:52:22"
        },
        {
            "id": *****,
            "name": "CrowdStrike Intelligence",
            "is_parsable": "N",
            "parser_class": "",
            "created_at": "2021-12-10 20:52:22",
            "updated_at": "2021-12-10 20:52:22"
        }
    ]
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
  "FileCategoryIDs": [ *****, ***** ],
  "FileCategoryNames": [ "Cuckoo", "CrowdStrike Intelligence" ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| File Categories Count |
|---|
| 2 |

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Attachment Type failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command; the user or system support would need to check the permission settings in the ThreatQuotient portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Invalid URL 'demoURL/api/token': No scheme supplied. |

Error Sample Data

List Attachment Type failed.

Status Code: 400.

Message: Invalid URL 'demoURL/api/token': No scheme supplied.

List File

Lists all Files (Attachments).

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Limit | Optional | The maximum number of records to retrieve. | 2 |
| Offset | Optional | The record that will appear first in the retrieved list. | 10 |
| Sort | Optional | The field used to sort the retrieved list. Prepend a minus sign (-) to reverse the sorting order. Multiple sort fields can be given as a comma-separated list. | -id |
| With | Optional | A comma-separated list of related objects to include in the response. Options for this endpoint are: "adversaries", "attachments", "attributes", "comments", "contentType", "events", "indicators", "signatures", "sources", "tags", "type", "watchlist". | adversaries,attachments,attributes,comments,contentType,events,indicators,signatures,sources,tags,type,watchlist |

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.

SAMPLE DATA

JSON
{
    "total": 56,
    "data": [
        {
            "id": *****,
            "type_id": *****,
            "title": "*****.pdf",
            "name": "*****.pdf",
            "hash": "*****",
            "content_type_id": *****,
            "file_size": 7291,
            "malware_locked": 0,
            "placeholder": 0,
            "description": "parse indicator",
            "created_at": "2021-10-29 22:48:58",
            "updated_at": "2021-10-29 22:48:58",
            "touched_at": "2021-10-29 22:48:58",
            "adversaries": [],
            "attachments": [],
            "attributes": [],
            "comments": [],
            "content_type": {
                "id": *****,
                "name": "application/pdf",
                "is_parsable": 0,
                "created_at": "2020-06-23 20:57:04",
                "updated_at": "2020-06-23 20:57:04"
            },
            "events": [],
            "indicators": [
                {
                    "id": *****,
                    "type_id": *****,
                    "status_id": *****,
                    "class": "host",
                    "hash": "*****",
                    "value": "*****.pdf",
                    "description": null,
                    "last_detected_at": null,
                    "expires_at": "2021-11-16 00:00:00",
                    "expired_at": null,
                    "expires_needs_calc": "N",
                    "expires_calculated_at": "2021-11-01 21:45:27",
                    "created_at": "2021-10-29 22:48:58",
                    "updated_at": "2021-11-01 21:45:27",
                    "touched_at": "2021-11-01 21:45:27",
                    "pivot": {
                        "id": *****,
                        "created_at": "2021-10-29 22:48:58",
                        "updated_at": "2021-10-29 22:48:58"
                    }
                },
                {
                    "id": *****,
                    "type_id": *****,
                    "status_id": *****,
                    "class": "host",
                    "hash": "*****",
                    "value": "parse indicator test",
                    "description": null,
                    "last_detected_at": null,
                    "expires_at": "2021-11-13 00:00:00",
                    "expired_at": null,
                    "expires_needs_calc": "N",
                    "expires_calculated_at": "2021-10-29 22:50:23",
                    "created_at": "2021-10-29 22:48:58",
                    "updated_at": "2021-10-29 22:50:23",
                    "touched_at": "2021-10-29 22:50:23",
                    "pivot": {
                        "id": *****,
                        "created_at": "2021-10-29 22:48:58",
                        "updated_at": "2021-10-29 22:48:58"
                    }
                }
            ],
            "signatures": [],
            "sources": [
                {
                    "id": *****,
                    "type": "users",
                    "reference_id": *****,
                    "name": "*****@*****.com",
                    "tlp_id": null,
                    "created_at": "2021-10-29 22:48:58",
                    "updated_at": "2021-10-29 22:48:58",
                    "published_at": null,
                    "pivot": {
                        "attachment_id": *****,
                        "source_id": *****,
                        "id": *****,
                        "creator_source_id": *****
                    }
                }
            ],
            "tags": [],
            "type": {
                "id": *****,
                "name": "Malware Sample",
                "is_parsable": "N",
                "parser_class": "",
                "created_at": "2020-05-18 17:44:11",
                "updated_at": "2020-05-18 17:44:11"
            },
            "watchlist": []
        },
        {
            "id": *****,
            "type_id": *****,
            "title": "*****",
            "name": "*****",
            "hash": "*****",
            "content_type_id": *****,
            "file_size": 975512,
            "malware_locked": 0,
            "placeholder": 0,
            "description": null,
            "created_at": "2021-10-29 22:36:01",
            "updated_at": "2021-10-29 22:36:01",
            "touched_at": "2021-10-29 22:36:01",
            "adversaries": [],
            "attachments": [],
            "attributes": [],
            "comments": [],
            "content_type": {
                "id": *****,
                "name": "application/pdf",
                "is_parsable": 0,
                "created_at": "2020-06-23 20:57:04",
                "updated_at": "2020-06-23 20:57:04"
            },
            "events": [],
            "indicators": [],
            "signatures": [],
            "sources": [
                {
                    "id": *****,
                    "type": "users",
                    "reference_id": *****,
                    "name": "*****@*****.com",
                    "tlp_id": null,
                    "created_at": "2021-10-29 22:36:01",
                    "updated_at": "2021-10-29 22:36:01",
                    "published_at": null,
                    "pivot": {
                        "attachment_id": *****,
                        "source_id": *****,
                        "id": *****,
                        "creator_source_id": *****
                    }
                }
            ],
            "tags": [],
            "type": {
                "id": *****,
                "name": "*****",
                "is_parsable": "N",
                "parser_class": "",
                "created_at": "2021-10-19 22:07:37",
                "updated_at": "2021-10-19 22:07:37"
            },
            "watchlist": []
        }
    ]
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since Raw Data contains the complete API response. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
[
    {
        "id": *****,
        "type_id": *****,
        "title": "134_2021_10_05_104324.pdf",
        "name": "134_2021_10_05_104324.pdf",
        "hash": "*****",
        "content_type_id": *****,
        "file_size": 7291,
        "malware_locked": 0,
        "placeholder": 0,
        "description": "parse indicator",
        "created_at": "2021-10-29 22:48:58",
        "updated_at": "2021-10-29 22:48:58",
        "touched_at": "2021-10-29 22:48:58",
        "adversaries": [],
        "attachments": [],
        "attributes": [],
        "comments": [],
        "content_type": {
            "id": *****,
            "name": "application/pdf",
            "is_parsable": 0,
            "created_at": "2020-06-23 20:57:04",
            "updated_at": "2020-06-23 20:57:04"
        },
        "events": [],
        "indicators": [
            {
                "id": 327297,
                "type_id": *****,
                "status_id": *****,
                "class": "host",
                "hash": "*****",
                "value": "*****.pdf",
                "description": null,
                "last_detected_at": null,
                "expires_at": "2021-11-16 00:00:00",
                "expired_at": null,
                "expires_needs_calc": "N",
                "expires_calculated_at": "2021-11-01 21:45:27",
                "created_at": "2021-10-29 22:48:58",
                "updated_at": "2021-11-01 21:45:27",
                "touched_at": "2021-11-01 21:45:27",
                "pivot": {
                    "id": *****,
                    "created_at": "2021-10-29 22:48:58",
                    "updated_at": "2021-10-29 22:48:58"
                }
            },
            {
                "id": *****,
                "type_id": *****,
                "status_id": *****,
                "class": "host",
                "hash": "*****",
                "value": "parse indicator test",
                "description": null,
                "last_detected_at": null,
                "expires_at": "2021-11-13 00:00:00",
                "expired_at": null,
                "expires_needs_calc": "N",
                "expires_calculated_at": "2021-10-29 22:50:23",
                "created_at": "2021-10-29 22:48:58",
                "updated_at": "2021-10-29 22:50:23",
                "touched_at": "2021-10-29 22:50:23",
                "pivot": {
                    "id": *****,
                    "created_at": "2021-10-29 22:48:58",
                    "updated_at": "2021-10-29 22:48:58"
                }
            }
        ],
        "signatures": [],
        "sources": [
            {
                "id": *****,
                "type": "users",
                "reference_id": *****,
                "name": "*****@*****.com",
                "tlp_id": null,
                "created_at": "2021-10-29 22:48:58",
                "updated_at": "2021-10-29 22:48:58",
                "published_at": null,
                "pivot": {
                    "attachment_id": *****,
                    "source_id": *****,
                    "id": *****,
                    "creator_source_id": *****
                }
            }
        ],
        "tags": [],
        "type": {
            "id": *****,
            "name": "Malware Sample",
            "is_parsable": "N",
            "parser_class": "",
            "created_at": "2020-05-18 17:44:11",
            "updated_at": "2020-05-18 17:44:11"
        },
        "watchlist": []
    },
    {
        "id": *****,
        "type_id": *****,
        "title": "*****",
        "name": "*****",
        "hash": "*****",
        "content_type_id": *****,
        "file_size": 975512,
        "malware_locked": 0,
        "placeholder": 0,
        "description": null,
        "created_at": "2021-10-29 22:36:01",
        "updated_at": "2021-10-29 22:36:01",
        "touched_at": "2021-10-29 22:36:01",
        "adversaries": [],
        "attachments": [],
        "attributes": [],
        "comments": [],
        "content_type": {
            "id": *****,
            "name": "application/pdf",
            "is_parsable": 0,
            "created_at": "2020-06-23 20:57:04",
            "updated_at": "2020-06-23 20:57:04"
        },
        "events": [],
        "indicators": [],
        "signatures": [],
        "sources": [
            {
                "id": *****,
                "type": "users",
                "reference_id": *****,
                "name": "*****@*****.com",
                "tlp_id": null,
                "created_at": "2021-10-29 22:36:01",
                "updated_at": "2021-10-29 22:36:01",
                "published_at": null,
                "pivot": {
                    "attachment_id": *****,
                    "source_id": *****,
                    "id": *****,
                    "creator_source_id": *****
                }
            }
        ],
        "tags": [],
        "type": {
            "id": *****,
            "name": "20210310100708.txt",
            "is_parsable": "N",
            "parser_class": "",
            "created_at": "2021-10-19 22:07:37",
            "updated_at": "2021-10-19 22:07:37"
        },
        "watchlist": []
    }
]
Key Fields

Common cyber security indicators such as risk levels, risk level names, unique IDs, file hash values, CVE numbers and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "IDs": [
        "*****",
        "*****"
    ],
    "Titles": [
        "*****",
        "*****"
    ],
    "Names": [
        "*****",
        "*****"
    ],
    "Hashes": [
        "*****",
        "*****"
    ],
    "FileSizes": [
        7291,
        975512
    ],
    "Types": [
        "Malware Sample",
        "20210310100708.txt"
    ],
    "ContentTypes": [
        "application/pdf",
        "application/pdf"
    ],
    "Sources": [
        "*****",
        "*****"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id

*****

*****

type_id

*****

*****

title

*****

*****

name

*****

*****

hash

*****

*****

content_type_id

*****

*****

file_size

7291

975512

malware_locked

0

0

placeholder

0

0

description

parse indicator

None

created_at

2021-10-29 22:48:58

2021-10-29 22:36:01

updated_at

2021-10-29 22:48:58

2021-10-29 22:36:01

touched_at

2021-10-29 22:48:58

2021-10-29 22:36:01

adversaries

[]

[]

attachments

[]

[]

attributes

[]

[]

comments

[]

[]

content_type

{'id': *****, 'name': 'application/pdf', 'is_parsable': 0, 'created_at': '2020-06-23 20:57:04', 'updated_at': '2020-06-23 20:57:04'}

{'id': *****, 'name': 'application/pdf', 'is_parsable': 0, 'created_at': '2020-06-23 20:57:04', 'updated_at': '2020-06-23 20:57:04'}

events

[]

[]

indicators

[{'id': *****, 'type_id': *****, 'status_id': *****, 'class': 'host', 'hash': '*****', 'value': '*****', 'description': None, 'last_detected_at': None, 'expires_at': '2021-11-16 00:00:00', 'expired_at': None, 'expires_needs_calc': 'N', 'expires_calculated_at': '2021-11-01 21:45:27', 'created_at': '2021-10-29 22:48:58', 'updated_at': '2021-11-01 21:45:27', 'touched_at': '2021-11-01 21:45:27', 'pivot': {'id': *****, 'created_at': '2021-10-29 22:48:58', 'updated_at': '2021-10-29 22:48:58'}}, {'id': *****, 'type_id': *****, 'status_id': *****, 'class': 'host', 'hash': '*****', 'value': 'parse indicator test', 'description': None, 'last_detected_at': None, 'expires_at': '2021-11-13 00:00:00', 'expired_at': None, 'expires_needs_calc': 'N', 'expires_calculated_at': '2021-10-29 22:50:23', 'created_at': '2021-10-29 22:48:58', 'updated_at': '2021-10-29 22:50:23', 'touched_at': '2021-10-29 22:50:23', 'pivot': {'id': *****, 'created_at': '2021-10-29 22:48:58', 'updated_at': '2021-10-29 22:48:58'}}]

[]

signatures

[]

[]

sources

[{'id': *****, 'type': 'users', 'reference_id': *****, 'name': '*****@*****.com', 'tlp_id': None, 'created_at': '2021-10-29 22:48:58', 'updated_at': '2021-10-29 22:48:58', 'published_at': None, 'pivot': {'attachment_id': *****, 'source_id': *****, 'id': *****, 'creator_source_id': *****}}]

[{'id': *****, 'type': 'users', 'reference_id': *****, 'name': '*****@*****.com', 'tlp_id': None, 'created_at': '2021-10-29 22:36:01', 'updated_at': '2021-10-29 22:36:01', 'published_at': None, 'pivot': {'attachment_id': *****, 'source_id': *****, 'id': *****, 'creator_source_id': *****}}]

tags

[]

[]

type

{'id': *****, 'name': 'Malware Sample', 'is_parsable': 'N', 'parser_class': '', 'created_at': '2020-05-18 17:44:11', 'updated_at': '2020-05-18 17:44:11'}

{'id': *****, 'name': '20210310100708.txt', 'is_parsable': 'N', 'parser_class': '', 'created_at': '2021-10-19 22:07:37', 'updated_at': '2021-10-19 22:07:37'}

watchlist

[]

[]

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List File failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ThreatQuotient portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Access denied.

Error Sample Data

List File failed.

Status Code: 401.

Message: Access denied.

List Indicators

Lists all indicators.

Input

Input Parameter

Required/Optional

Description

Example

Limit

Optional

The maximum number of records to retrieve.

2

Offset

Optional

The position of the record that will appear first in the retrieved list; records before that position are skipped.

100

Sort

Optional

The field used to sort the retrieved list. Prepend a minus sign (-) to reverse the sorting order. Multiple sort fields can be given as a comma-separated list.

-id

With

Optional

A comma-separated list of related objects to include in the response. Options for this endpoint are: "adversaries", "attachments", "attributes", "comments", "events", "indicators", "score", "signatures", "sources", "status", "tags", "type", "watchlist".

status,type,adversaries,attachments,attributes,comments,events,indicators,score,signatures,sources,status,tags,type,watchlist
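The Limit, Offset, Sort and With inputs above map onto query parameters of the List Indicators request. The following added example (not D3 SOAR's or ThreatQuotient's own code) builds those parameters, validates and de-duplicates the With list, and pages through responses of the total/data shape shown under Raw Data below. The query parameter names limit, offset, sort and with, and the fake_fetch stand-in for the HTTP call, are assumptions.

```python
import re
from typing import Callable, Dict, Iterator, List

# Related objects the page lists as valid values for the "With" input.
ALLOWED_WITH = {
    "adversaries", "attachments", "attributes", "comments", "events",
    "indicators", "score", "signatures", "sources", "status", "tags",
    "type", "watchlist",
}
# A sort field, optionally prefixed with "-" to reverse the order.
_SORT_FIELD = re.compile(r"^-?[A-Za-z0-9_.]+$")


def build_params(limit: int = 100, offset: int = 0, sort: str = "",
                 with_: str = "") -> Dict[str, str]:
    """Translate the command inputs into a query-parameter dict.

    Parameter names (limit, offset, sort, with) are assumed to mirror the
    command inputs. The "with" list is checked against ALLOWED_WITH and
    de-duplicated, since the page's own example repeats "status" and "type".
    """
    if limit < 1:
        raise ValueError("limit must be a positive integer")
    if offset < 0:
        raise ValueError("offset must not be negative")
    params = {"limit": str(limit), "offset": str(offset)}

    sort_fields = [f.strip() for f in sort.split(",") if f.strip()]
    for field in sort_fields:
        if not _SORT_FIELD.match(field):
            raise ValueError(f"unexpected sort field: {field!r}")
    if sort_fields:
        params["sort"] = ",".join(sort_fields)

    seen: List[str] = []
    for rel in (r.strip() for r in with_.split(",")):
        if not rel:
            continue
        if rel not in ALLOWED_WITH:
            raise ValueError(f"unknown related object for 'with': {rel!r}")
        if rel not in seen:
            seen.append(rel)
    if seen:
        params["with"] = ",".join(seen)
    return params


def iter_indicators(fetch: Callable[[Dict[str, str]], dict],
                    page_size: int = 100, sort: str = "-id",
                    with_: str = "status,type") -> Iterator[dict]:
    """Yield every indicator by walking offset pages until "total" is reached.

    ``fetch`` performs the HTTP GET (injected so the example runs offline).
    An empty or short page also ends the walk, so a server that reports a
    "total" larger than what it serves cannot keep the loop running forever.
    """
    offset = 0
    while True:
        body = fetch(build_params(page_size, offset, sort, with_))
        page = body.get("data") or []
        yield from page
        offset += len(page)
        if not page or len(page) < page_size or offset >= int(body.get("total", 0)):
            return


# Constructed stand-in for the API: five indicators served in pages.
_FAKE_DB = [{"id": n, "class": "network", "value": "*****",
             "status": {"name": "Active"}, "type": {"name": "IP Address"}}
            for n in range(1, 6)]


def fake_fetch(params: Dict[str, str]) -> dict:
    """Serve _FAKE_DB the way the real endpoint would: total plus one page."""
    start, size = int(params["offset"]), int(params["limit"])
    return {"total": len(_FAKE_DB), "data": _FAKE_DB[start:start + size]}


def collect_ids(page_size: int = 2) -> List[int]:
    """IDs of all indicators, gathered across pages of the given size."""
    return [ind["id"] for ind in iter_indicators(fake_fetch, page_size)]
```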

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.

SAMPLE DATA

JSON
{
    "total": 349062,
    "data": [
        {
            "id": *****,
            "type_id": *****,
            "status_id": *****,
            "class": "network",
            "hash": "*****",
            "value": "*****",
            "description": null,
            "last_detected_at": null,
            "expires_at": null,
            "expired_at": null,
            "expires_needs_calc": "N",
            "expires_calculated_at": "2021-11-02 21:10:56",
            "created_at": "2021-11-02 21:05:38",
            "updated_at": "2021-11-02 21:05:38",
            "touched_at": "2021-11-02 21:09:32",
            "status": {
                "id": *****,
                "name": "Active",
                "description": "Active",
                "user_editable": "Y",
                "visible": "Y",
                "include_in_export": "N",
                "protected": "Y",
                "created_at": "2020-05-18 17:44:11",
                "updated_at": "2021-10-21 23:30:37"
            },
            "type": {
                "id": *****,
                "name": "IP Address",
                "class": "network",
                "score": null,
                "wildcard_matching": "N",
                "created_at": "2020-05-18 17:43:04",
                "updated_at": "2020-05-18 17:43:04"
            },
            "adversaries": [],
            "attachments": [],
            "attributes": [],
            "comments": [],
            "events": [],
            "indicators": [],
            "score": {
                "indicator_id": *****,
                "generated_score": "0.00",
                "manual_score": null,
                "score_config_hash": "*****",
                "created_at": "2021-11-02 21:05:38",
                "updated_at": "2021-11-02 21:05:38"
            },
            "signatures": [],
            "sources": [
                {
                    "id": *****,
                    "type": "connectors",
                    "reference_id": *****,
                    "name": "blocklist.de (All)",
                    "tlp_id": null,
                    "created_at": "2021-11-02 21:05:40",
                    "updated_at": "2021-11-02 21:05:40",
                    "published_at": null,
                    "pivot": {
                        "indicator_id": *****,
                        "source_id": *****,
                        "id": *****,
                        "creator_source_id": *****
                    }
                },
                {
                    "id": *****,
                    "type": "connectors",
                    "reference_id": *****,
                    "name": "blocklist.de (Ssh)",
                    "tlp_id": null,
                    "created_at": "2021-11-02 21:09:32",
                    "updated_at": "2021-11-02 21:09:32",
                    "published_at": null,
                    "pivot": {
                        "indicator_id": *****,
                        "source_id": *****,
                        "id": *****,
                        "creator_source_id": *****
                    }
                }
            ],
            "tags": [],
            "watchlist": []
        },
        {
            "id": *****,
            "type_id": *****,
            "status_id": *****,
            "class": "network",
            "hash": "*****",
            "value": "*****",
            "description": null,
            "last_detected_at": null,
            "expires_at": null,
            "expired_at": null,
            "expires_needs_calc": "N",
            "expires_calculated_at": "2021-11-02 21:10:56",
            "created_at": "2021-11-02 21:05:38",
            "updated_at": "2021-11-02 21:05:38",
            "touched_at": "2021-11-02 21:09:32",
            "status": {
                "id": *****,
                "name": "Active",
                "description": "Active",
                "user_editable": "Y",
                "visible": "Y",
                "include_in_export": "N",
                "protected": "Y",
                "created_at": "2020-05-18 17:44:11",
                "updated_at": "2021-10-21 23:30:37"
            },
            "type": {
                "id": *****,
                "name": "IP Address",
                "class": "network",
                "score": null,
                "wildcard_matching": "N",
                "created_at": "2020-05-18 17:43:04",
                "updated_at": "2020-05-18 17:43:04"
            },
            "adversaries": [],
            "attachments": [],
            "attributes": [],
            "comments": [],
            "events": [],
            "indicators": [],
            "score": {
                "indicator_id": *****,
                "generated_score": "0.00",
                "manual_score": null,
                "score_config_hash": "*****",
                "created_at": "2021-11-02 21:05:38",
                "updated_at": "2021-11-02 21:05:38"
            },
            "signatures": [],
            "sources": [
                {
                    "id": *****,
                    "type": "connectors",
                    "reference_id": *****,
                    "name": "blocklist.de (All)",
                    "tlp_id": null,
                    "created_at": "2021-11-02 21:05:39",
                    "updated_at": "2021-11-02 21:05:39",
                    "published_at": null,
                    "pivot": {
                        "indicator_id": *****,
                        "source_id": *****,
                        "id": *****,
                        "creator_source_id": *****
                    }
                },
                {
                    "id": *****,
                    "type": "connectors",
                    "reference_id": *****,
                    "name": "blocklist.de (Ssh)",
                    "tlp_id": null,
                    "created_at": "2021-11-02 21:09:32",
                    "updated_at": "2021-11-02 21:09:32",
                    "published_at": null,
                    "pivot": {
                        "indicator_id": *****,
                        "source_id": *****,
                        "id": *****,
                        "creator_source_id": *****
                    }
                }
            ],
            "tags": [],
            "watchlist": []
        }
    ]
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since Raw Data contains the complete API response. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
[
    {
        "id": *****,
        "type_id": *****,
        "status_id": *****,
        "class": "network",
        "hash": "*****",
        "value": "*****",
        "description": null,
        "last_detected_at": null,
        "expires_at": null,
        "expired_at": null,
        "expires_needs_calc": "N",
        "expires_calculated_at": "2021-11-02 21:10:56",
        "created_at": "2021-11-02 21:05:38",
        "updated_at": "2021-11-02 21:05:38",
        "touched_at": "2021-11-02 21:09:32",
        "status": {
            "id": *****,
            "name": "Active",
            "description": "Active",
            "user_editable": "Y",
            "visible": "Y",
            "include_in_export": "N",
            "protected": "Y",
            "created_at": "2020-05-18 17:44:11",
            "updated_at": "2021-10-21 23:30:37"
        },
        "type": {
            "id": *****,
            "name": "IP Address",
            "class": "network",
            "score": null,
            "wildcard_matching": "N",
            "created_at": "2020-05-18 17:43:04",
            "updated_at": "2020-05-18 17:43:04"
        },
        "adversaries": [],
        "attachments": [],
        "attributes": [],
        "comments": [],
        "events": [],
        "indicators": [],
        "score": {
            "indicator_id": *****,
            "generated_score": "0.00",
            "manual_score": null,
            "score_config_hash": "*****",
            "created_at": "2021-11-02 21:05:38",
            "updated_at": "2021-11-02 21:05:38"
        },
        "signatures": [],
        "sources": [
            {
                "id": *****,
                "type": "connectors",
                "reference_id": *****,
                "name": "blocklist.de (All)",
                "tlp_id": null,
                "created_at": "2021-11-02 21:05:40",
                "updated_at": "2021-11-02 21:05:40",
                "published_at": null,
                "pivot": {
                    "indicator_id": *****,
                    "source_id": *****,
                    "id": *****,
                    "creator_source_id": *****
                }
            },
            {
                "id": *****,
                "type": "connectors",
                "reference_id": *****,
                "name": "blocklist.de (Ssh)",
                "tlp_id": null,
                "created_at": "2021-11-02 21:09:32",
                "updated_at": "2021-11-02 21:09:32",
                "published_at": null,
                "pivot": {
                    "indicator_id": *****,
                    "source_id": *****,
                    "id": 7061891,
                    "creator_source_id": *****
                }
            }
        ],
        "tags": [],
        "watchlist": []
    },
    {
        "id": *****,
        "type_id": *****,
        "status_id": *****,
        "class": "network",
        "hash": "*****",
        "value": "*****",
        "description": null,
        "last_detected_at": null,
        "expires_at": null,
        "expired_at": null,
        "expires_needs_calc": "N",
        "expires_calculated_at": "2021-11-02 21:10:56",
        "created_at": "2021-11-02 21:05:38",
        "updated_at": "2021-11-02 21:05:38",
        "touched_at": "2021-11-02 21:09:32",
        "status": {
            "id": *****,
            "name": "Active",
            "description": "Active",
            "user_editable": "Y",
            "visible": "Y",
            "include_in_export": "N",
            "protected": "Y",
            "created_at": "2020-05-18 17:44:11",
            "updated_at": "2021-10-21 23:30:37"
        },
        "type": {
            "id": *****,
            "name": "IP Address",
            "class": "network",
            "score": null,
            "wildcard_matching": "N",
            "created_at": "2020-05-18 17:43:04",
            "updated_at": "2020-05-18 17:43:04"
        },
        "adversaries": [],
        "attachments": [],
        "attributes": [],
        "comments": [],
        "events": [],
        "indicators": [],
        "score": {
            "indicator_id": *****,
            "generated_score": "0.00",
            "manual_score": null,
            "score_config_hash": "*****",
            "created_at": "2021-11-02 21:05:38",
            "updated_at": "2021-11-02 21:05:38"
        },
        "signatures": [],
        "sources": [
            {
                "id": *****,
                "type": "connectors",
                "reference_id": *****,
                "name": "blocklist.de (All)",
                "tlp_id": null,
                "created_at": "2021-11-02 21:05:39",
                "updated_at": "2021-11-02 21:05:39",
                "published_at": null,
                "pivot": {
                    "indicator_id": *****,
                    "source_id": *****,
                    "id": *****,
                    "creator_source_id": *****
                }
            },
            {
                "id": *****,
                "type": "connectors",
                "reference_id": *****,
                "name": "blocklist.de (Ssh)",
                "tlp_id": null,
                "created_at": "2021-11-02 21:09:32",
                "updated_at": "2021-11-02 21:09:32",
                "published_at": null,
                "pivot": {
                    "indicator_id": *****,
                    "source_id": *****,
                    "id": *****,
                    "creator_source_id": *****
                }
            }
        ],
        "tags": [],
        "watchlist": []
    }
]
Key Fields

Common cyber security indicators such as risk levels, risk level names, unique IDs, file hash values, CVE numbers and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "IDs": [
        "*****",
        "*****"
    ],
    "Classes": [
        "network",
        "network"
    ],
    "Hashes": [
        "*****",
        "*****"
    ],
    "Values": [
        "*****",
        "*****"
    ],
    "Statuses": [
        "Active",
        "Active"
    ],
    "Types": [
        "IP Address",
        "IP Address"
    ]
}
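The Key Fields for List File (earlier) and List Indicators (above) are projections of the Raw Data; the following added example (not D3 SOAR's own extraction code) reproduces both sets from responses of the shape shown under Raw Data and flags Key Fields that came back empty because the related object was not requested. The sample records are constructed, and joining sources[*].name with ", " for the Sources value is an assumption, since the page masks those values.

```python
from typing import Any, Callable, Dict, List, Optional


def _get(obj: Any, path: str) -> Optional[Any]:
    """Dotted-path lookup that returns None when a related object is absent."""
    for part in path.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return None
        obj = obj[part]
    return obj


def _source_names(record: dict) -> Optional[str]:
    """Assumption: Sources is the comma-joined names under sources[*].name."""
    names = [s.get("name") for s in record.get("sources", []) if s.get("name")]
    return ", ".join(names) if names else None


# Key Field name -> how to derive it from one record in $.data[*] (List File).
FILE_KEY_FIELDS: Dict[str, Callable[[dict], Any]] = {
    "IDs": lambda r: _get(r, "id"),
    "Titles": lambda r: _get(r, "title"),
    "Names": lambda r: _get(r, "name"),
    "Hashes": lambda r: _get(r, "hash"),
    "FileSizes": lambda r: _get(r, "file_size"),
    "Types": lambda r: _get(r, "type.name"),
    "ContentTypes": lambda r: _get(r, "content_type.name"),
    "Sources": _source_names,
}

# Same for List Indicators; status and type only exist when requested via With.
INDICATOR_KEY_FIELDS: Dict[str, Callable[[dict], Any]] = {
    "IDs": lambda r: _get(r, "id"),
    "Classes": lambda r: _get(r, "class"),
    "Hashes": lambda r: _get(r, "hash"),
    "Values": lambda r: _get(r, "value"),
    "Statuses": lambda r: _get(r, "status.name"),
    "Types": lambda r: _get(r, "type.name"),
}


def extract_key_fields(raw: dict,
                       spec: Dict[str, Callable[[dict], Any]]) -> Dict[str, list]:
    """One list per Key Field, aligned with $.data[*]; None where a value is absent."""
    records = raw.get("data", [])
    return {name: [getter(r) for r in records] for name, getter in spec.items()}


def unpopulated(key_fields: Dict[str, list]) -> List[str]:
    """Key Fields with no value in any record, typically a related object
    (status, type, sources, ...) that was left out of the With input."""
    return [name for name, values in key_fields.items()
            if values and all(v is None for v in values)]


# Constructed samples modelled on the Raw Data above (values are made up).
SAMPLE_FILES = {
    "total": 2,
    "data": [
        {"id": 10, "title": "sample.pdf", "name": "sample.pdf", "hash": "h10",
         "file_size": 7291, "content_type": {"name": "application/pdf"},
         "type": {"name": "Malware Sample"},
         "sources": [{"name": "analyst@example.com"}]},
        {"id": 11, "title": "notes.txt", "name": "notes.txt", "hash": "h11",
         "file_size": 975512, "content_type": {"name": "application/pdf"},
         "type": {"name": "20210310100708.txt"}, "sources": []},
    ],
}
SAMPLE_INDICATORS = {
    "total": 2,
    "data": [
        {"id": 1, "class": "network", "hash": "h1", "value": "203.0.113.5",
         "status": {"name": "Active"}, "type": {"name": "IP Address"}},
        # Fetched without "status" in With, so its Statuses entry is None.
        {"id": 2, "class": "host", "hash": "h2", "value": "example.test",
         "type": {"name": "FQDN"}},
    ],
}
```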
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id

*****

*****

type_id

*****

*****

status_id

*****

*****

class

network

network

hash

*****

*****

value

*****

*****

description

None

None

last_detected_at

None

None

expires_at

None

None

expired_at

None

None

expires_needs_calc

N

N

expires_calculated_at

2021-11-02 21:10:56

2021-11-02 21:10:56

created_at

2021-11-02 21:05:38

2021-11-02 21:05:38

updated_at

2021-11-02 21:05:38

2021-11-02 21:05:38

touched_at

2021-11-02 21:09:32

2021-11-02 21:09:32

status

{'id': *****, 'name': 'Active', 'description': 'Active', 'user_editable': 'Y', 'visible': 'Y', 'include_in_export': 'N', 'protected': 'Y', 'created_at': '2020-05-18 17:44:11', 'updated_at': '2021-10-21 23:30:37'}

{'id': *****, 'name': 'Active', 'description': 'Active', 'user_editable': 'Y', 'visible': 'Y', 'include_in_export': 'N', 'protected': 'Y', 'created_at': '2020-05-18 17:44:11', 'updated_at': '2021-10-21 23:30:37'}

type

{'id': *****, 'name': 'IP Address', 'class': 'network', 'score': None, 'wildcard_matching': 'N', 'created_at': '2020-05-18 17:43:04', 'updated_at': '2020-05-18 17:43:04'}

{'id': *****, 'name': 'IP Address', 'class': 'network', 'score': None, 'wildcard_matching': 'N', 'created_at': '2020-05-18 17:43:04', 'updated_at': '2020-05-18 17:43:04'}

adversaries

[]

[]

attachments

[]

[]

attributes

[]

[]

comments

[]

[]

events

[]

[]

indicators

[]

[]

score

{'indicator_id': *****, 'generated_score': '0.00', 'manual_score': None, 'score_config_hash': '*****', 'created_at': '2021-11-02 21:05:38', 'updated_at': '2021-11-02 21:05:38'}

{'indicator_id': *****, 'generated_score': '0.00', 'manual_score': None, 'score_config_hash': '*****', 'created_at': '2021-11-02 21:05:38', 'updated_at': '2021-11-02 21:05:38'}

signatures

[]

[]

sources

[{'id': *****, 'type': 'connectors', 'reference_id': *****, 'name': 'blocklist.de (All)', 'tlp_id': None, 'created_at': '2021-11-02 21:05:40', 'updated_at': '2021-11-02 21:05:40', 'published_at': None, 'pivot': {'indicator_id': *****, 'source_id': *****, 'id': *****, 'creator_source_id': *****}}, {'id': *****, 'type': 'connectors', 'reference_id': *****, 'name': 'blocklist.de (Ssh)', 'tlp_id': None, 'created_at': '2021-11-02 21:09:32', 'updated_at': '2021-11-02 21:09:32', 'published_at': None, 'pivot': {'indicator_id': *****, 'source_id': 33, 'id': *****, 'creator_source_id': *****}}]

[{'id': *****, 'type': 'connectors', 'reference_id': *****, 'name': 'blocklist.de (All)', 'tlp_id': None, 'created_at': '2021-11-02 21:05:39', 'updated_at': '2021-11-02 21:05:39', 'published_at': None, 'pivot': {'indicator_id': *****, 'source_id': *****, 'id': *****, 'creator_source_id': *****}}, {'id': *****, 'type': 'connectors', 'reference_id': *****, 'name': 'blocklist.de (Ssh)', 'tlp_id': None, 'created_at': '2021-11-02 21:09:32', 'updated_at': '2021-11-02 21:09:32', 'published_at': None, 'pivot': {'indicator_id': *****, 'source_id': *****, 'id': *****, 'creator_source_id': *****}}]

tags

[]

[]

watchlist

[]

[]

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

List Indicators failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the ThreatQuotient portal. Refer to the HTTP Status Code Registry for details.

Status Code: 401.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Access denied.

Error Sample Data

List Indicators failed.

Status Code: 401.

Message: Access denied.

Parse File

Parses the file for indicators.

READER NOTE

File ID (Attachment ID) and ParserID are required parameters to run this command.

  • Run the Get Object ID by Value command to obtain the File ID. File IDs can be found in the raw data at the path $.data[*].id.

  • Run the Search File Content Type command to obtain the Parser ID. Parser IDs can be found in the raw data at the path $.data[*].id.

Input

Input Parameter | Required/Optional | Description | Example
File ID (Attachment ID) | Required | The ID of the attached file. File IDs can be obtained using the Get Object ID by Value command with the file name. | *****
Parser ID | Required | The type of parser used to parse the file. Parser IDs can be obtained using the Search File Content Type command. | *****
Indicator Source | Required | The source of the indicator to be created. | VirusTotal

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

JSON
Successful
Raw Data

The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.

SAMPLE DATA

JSON
{
    "total": 3,
    "data": [
        {
            "class": "network",
            "score": 0,
            "value": "*****",
            "touched_at": "2021-11-08 21:26:52",
            "id": *****,
            "updated_at": "2021-11-08 21:26:50",
            "published_at": "2021-11-08 21:26:50",
            "created_at": "2021-11-08 21:26:50",
            "status_id": *****,
            "hash": "*****",
            "type_id": *****,
            "adversaries": [],
            "type": {
                "name": "FQDN",
                "id": *****,
                "class": "network"
            },
            "status": {
                "name": "Review",
                "id": *****,
                "description": "Requires further analysis."
            },
            "sources": [
                {
                    "indicator_id": *****,
                    "indicator_status_id": *****,
                    "published_at": "2021-11-08 21:26:50",
                    "source_id": *****,
                    "id": *****,
                    "created_at": "2021-11-08 21:26:50",
                    "source_type": "plugins",
                    "creator_source_id": *****,
                    "indicator_type_id": *****,
                    "reference_id": *****,
                    "updated_at": "2021-11-08 21:26:50",
                    "name": "VirusTotal"
                }
            ]
        },
        {
            "class": "network",
            "score": 0,
            "value": "*****",
            "touched_at": "2021-11-08 21:26:52",
            "id": *****,
            "updated_at": "2021-11-08 21:26:50",
            "published_at": "2021-11-08 21:26:50",
            "created_at": "2021-11-08 21:26:50",
            "status_id": *****,
            "hash": "*****",
            "type_id": *****,
            "adversaries": [],
            "type": {
                "name": "FQDN",
                "id": *****,
                "class": "network"
            },
            "status": {
                "name": "Review",
                "id": *****,
                "description": "Requires further analysis."
            },
            "sources": [
                {
                    "indicator_id": *****,
                    "indicator_status_id": *****,
                    "published_at": "2021-11-08 21:26:50",
                    "source_id": *****,
                    "id": *****,
                    "created_at": "2021-11-08 21:26:50",
                    "source_type": "plugins",
                    "creator_source_id": *****,
                    "indicator_type_id": *****,
                    "reference_id": *****,
                    "updated_at": "2021-11-08 21:26:50",
                    "name": "VirusTotal"
                }
            ]
        },
        {
            "class": "network",
            "score": 0,
            "value": "*****",
            "touched_at": "2021-11-08 21:26:52",
            "id": *****,
            "updated_at": "2021-11-08 21:26:50",
            "published_at": "2021-11-08 21:26:50",
            "created_at": "2021-11-08 21:26:50",
            "status_id": *****,
            "hash": "*****",
            "type_id": *****,
            "adversaries": [],
            "type": {
                "name": "URL",
                "id": *****,
                "class": "network"
            },
            "status": {
                "name": "Review",
                "id": *****,
                "description": "Requires further analysis."
            },
            "attributes": [
                {
                    "value": "*****",
                    "created_at": "2021-11-08 21:26:50",
                    "indicator_id": *****,
                    "updated_at": "2021-11-08 21:26:50",
                    "attribute_id": *****,
                    "id": *****,
                    "touched_at": "2021-11-08 21:26:50",
                    "name": "Scheme"
                }
            ],
            "sources": [
                {
                    "indicator_id": *****,
                    "indicator_status_id": *****,
                    "published_at": "2021-11-08 21:26:50",
                    "source_id": *****,
                    "id": *****,
                    "created_at": "2021-11-08 21:26:50",
                    "source_type": "plugins",
                    "creator_source_id": *****,
                    "indicator_type_id": *****,
                    "reference_id": *****,
                    "updated_at": "2021-11-08 21:26:50",
                    "name": "VirusTotal"
                }
            ]
        }
    ],
    "limit": 100,
    "offset": 0
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
[
    {
        "class": "network",
        "score": 0,
        "value": "*****",
        "touched_at": "2021-11-08 21:26:52",
        "id": *****,
        "updated_at": "2021-11-08 21:26:50",
        "published_at": "2021-11-08 21:26:50",
        "created_at": "2021-11-08 21:26:50",
        "status_id": *****,
        "hash": "*****",
        "type_id": *****,
        "adversaries": [],
        "type": {
            "name": "FQDN",
            "id": *****,
            "class": "network"
        },
        "status": {
            "name": "Review",
            "id": *****,
            "description": "Requires further analysis."
        },
        "sources": [
            {
                "indicator_id": *****,
                "indicator_status_id": *****,
                "published_at": "2021-11-08 21:26:50",
                "source_id": *****,
                "id": *****,
                "created_at": "2021-11-08 21:26:50",
                "source_type": "plugins",
                "creator_source_id": *****,
                "indicator_type_id": *****,
                "reference_id": *****,
                "updated_at": "2021-11-08 21:26:50",
                "name": "VirusTotal"
            }
        ]
    },
    {
        "class": "network",
        "score": 0,
        "value": "*****",
        "touched_at": "2021-11-08 21:26:52",
        "id": *****,
        "updated_at": "2021-11-08 21:26:50",
        "published_at": "2021-11-08 21:26:50",
        "created_at": "2021-11-08 21:26:50",
        "status_id": *****,
        "hash": "*****",
        "type_id": *****,
        "adversaries": [],
        "type": {
            "name": "FQDN",
            "id": *****,
            "class": "network"
        },
        "status": {
            "name": "Review",
            "id": *****,
            "description": "Requires further analysis."
        },
        "sources": [
            {
                "indicator_id": *****,
                "indicator_status_id": *****,
                "published_at": "2021-11-08 21:26:50",
                "source_id": *****,
                "id": *****,
                "created_at": "2021-11-08 21:26:50",
                "source_type": "plugins",
                "creator_source_id": *****,
                "indicator_type_id": *****,
                "reference_id": *****,
                "updated_at": "2021-11-08 21:26:50",
                "name": "VirusTotal"
            }
        ]
    },
    {
        "class": "network",
        "score": 0,
        "value": "*****",
        "touched_at": "2021-11-08 21:26:52",
        "id": *****,
        "updated_at": "2021-11-08 21:26:50",
        "published_at": "2021-11-08 21:26:50",
        "created_at": "2021-11-08 21:26:50",
        "status_id": *****,
        "hash": "*****",
        "type_id": *****,
        "adversaries": [],
        "type": {
            "name": "URL",
            "id": *****,
            "class": "network"
        },
        "status": {
            "name": "Review",
            "id": *****,
            "description": "Requires further analysis."
        },
        "attributes": [
            {
                "value": "*****",
                "created_at": "2021-11-08 21:26:50",
                "indicator_id": *****,
                "updated_at": "2021-11-08 21:26:50",
                "attribute_id": *****,
                "id": *****,
                "touched_at": "2021-11-08 21:26:50",
                "name": "Scheme"
            }
        ],
        "sources": [
            {
                "indicator_id": *****,
                "indicator_status_id": *****,
                "published_at": "2021-11-08 21:26:50",
                "source_id": *****,
                "id": *****,
                "created_at": "2021-11-08 21:26:50",
                "source_type": "plugins",
                "creator_source_id": *****,
                "indicator_type_id": *****,
                "reference_id": *****,
                "updated_at": "2021-11-08 21:26:50",
                "name": "VirusTotal"
            }
        ]
    }
]
Key Fields

Common cyber security indicators such as risk levels, risk level names, unique IDs, file hash values, CVE numbers and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "IDs": [
        "*****",
        "*****",
        "*****"
    ],
    "Values": [
        "*****",
        "*****",
        "*****"
    ],
    "Scores": [
        0,
        0,
        0
    ],
    "Types": [
        "FQDN",
        "FQDN",
        "URL"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Field | Indicator 1 | Indicator 2 | Indicator 3
class | network | network | network
score | 0 | 0 | 0
value | ***** | ***** | *****
touched_at | 2021-11-08 21:26:52 | 2021-11-08 21:26:52 | 2021-11-08 21:26:52
id | ***** | ***** | *****
updated_at | 2021-11-08 21:26:50 | 2021-11-08 21:26:50 | 2021-11-08 21:26:50
published_at | 2021-11-08 21:26:50 | 2021-11-08 21:26:50 | 2021-11-08 21:26:50
created_at | 2021-11-08 21:26:50 | 2021-11-08 21:26:50 | 2021-11-08 21:26:50
status_id | ***** | ***** | *****
hash | ***** | ***** | *****
type_id | ***** | ***** | *****
adversaries | [] | [] | []
type | {'name': 'FQDN', 'id': *****, 'class': 'network'} | {'name': 'FQDN', 'id': *****, 'class': 'network'} | {'name': 'URL', 'id': *****, 'class': 'network'}
status | {'name': 'Review', 'id': *****, 'description': 'Requires further analysis.'} | {'name': 'Review', 'id': *****, 'description': 'Requires further analysis.'} | {'name': 'Review', 'id': *****, 'description': 'Requires further analysis.'}
sources | [{'indicator_id': *****, 'indicator_status_id': *****, 'published_at': '2021-11-08 21:26:50', 'source_id': *****, 'id': *****, 'created_at': '2021-11-08 21:26:50', 'source_type': 'plugins', 'creator_source_id': *****, 'indicator_type_id': *****, 'reference_id': *****, 'updated_at': '2021-11-08 21:26:50', 'name': 'VirusTotal'}] | [{'indicator_id': *****, 'indicator_status_id': *****, 'published_at': '2021-11-08 21:26:50', 'source_id': *****, 'id': *****, 'created_at': '2021-11-08 21:26:50', 'source_type': 'plugins', 'creator_source_id': *****, 'indicator_type_id': *****, 'reference_id': *****, 'updated_at': '2021-11-08 21:26:50', 'name': 'VirusTotal'}] | [{'indicator_id': *****, 'indicator_status_id': *****, 'published_at': '2021-11-08 21:26:50', 'source_id': *****, 'id': *****, 'created_at': '2021-11-08 21:26:50', 'source_type': 'plugins', 'creator_source_id': *****, 'indicator_type_id': *****, 'reference_id': *****, 'updated_at': '2021-11-08 21:26:50', 'name': 'VirusTotal'}]
attributes | | | [{'value': '*****', 'created_at': '2021-11-08 21:26:50', 'indicator_id': *****, 'updated_at': '2021-11-08 21:26:50', 'attribute_id': *****, 'id': *****, 'touched_at': '2021-11-08 21:26:50', 'name': 'Scheme'}]
expires_calculated_at | | |

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error | Description | Example
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Parse File failed.
Status Code | The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command; the user or system support would need to check the permission settings in the ThreatQuotient portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404.
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: File does not exist.

Error Sample Data

Parse File failed.

Status Code: 404.

Message: File does not exist.
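The Return Data section above lists three conditions that produce a Failed state (a connection issue, an API error message, no response) and the Error Handling table describes the three parts that then appear in the Error tab. The following is an added example, not code from D3 SOAR or ThreatQuotient, that models exactly that mapping around a single API call so the distinction between the cases can be tested offline. It assumes that a "transport" is any zero-argument callable that either returns (status_code, body) or raises, and that an error body carries its text under a "message" key; the sample transports and their status codes and messages are constructed fakes standing in for real HTTP calls.

```python
"""Added example (not D3 SOAR or ThreatQuotient code): derive a command's
Return Data and Error tab from the outcome of one API call.

Assumptions, constructed for this example: a transport is a zero-argument
callable returning (status_code, body) or raising; error bodies carry their
text under a "message" key. The sample transports are fakes, so this runs
offline without a ThreatQ instance."""

import socket
from typing import Any, Callable, Dict, Optional, Tuple

Transport = Callable[[], Tuple[int, Any]]


def _failed(command_name: str, status: Optional[int], message: str) -> Dict[str, Any]:
    """Shape of a failed result: Return Data plus the three Error tab parts."""
    return {
        "Return Data": "Failed",
        "Error": {
            "Failure Indicator": f"{command_name} failed.",
            "Status Code": status,
            "Message": message,
        },
    }


def run_command(command_name: str, transport: Transport) -> Dict[str, Any]:
    """Run one API call and return a D3-style command result."""
    try:
        status, body = transport()
    except socket.timeout:
        # Trigger 3: no response from the API (timeout); there is no status code.
        return _failed(command_name, None, "No response from the API.")
    except OSError as exc:
        # Trigger 1: connection issue (refused, DNS failure, TLS error, ...).
        return _failed(command_name, None, f"Connection issue with the integration: {exc}")

    if 200 <= status < 300:
        return {"Return Data": "Successful", "Raw Data": body}

    # Trigger 2: the API returned an error message. Assumed body layout:
    # prefer a "message" key, otherwise keep the raw body text.
    message = body.get("message") if isinstance(body, dict) else None
    return _failed(command_name, status, message or str(body))


def triage_hint(result: Dict[str, Any]) -> str:
    """First check to make for an Error tab, following the page's guidance for
    401 (permissions) and its 404 examples (a missing object)."""
    if result["Return Data"] == "Successful":
        return "continue playbook"
    code = result["Error"]["Status Code"]
    if code is None:
        return "check network reachability of the ThreatQ server"
    if code == 401:
        return "check the connection's permissions in the ThreatQuotient portal"
    if code == 404:
        return "verify the input ID with Get Object ID by Value"
    return "inspect the Message field and the HTTP Status Code Registry"


# Constructed fake transports standing in for real HTTP calls.
def sample_ok() -> Tuple[int, Any]:
    return 200, {"total": 0, "data": []}


def sample_denied() -> Tuple[int, Any]:
    return 401, {"message": "Access denied."}


def sample_missing_file() -> Tuple[int, Any]:
    return 404, {"message": "File does not exist."}


def sample_timeout() -> Tuple[int, Any]:
    raise socket.timeout("read timed out")


def sample_refused() -> Tuple[int, Any]:
    raise ConnectionRefusedError("connection refused")


if __name__ == "__main__":
    for name, t in [("List Indicators", sample_denied), ("Parse File", sample_missing_file)]:
        r = run_command(name, t)
        print(r["Return Data"], r.get("Error"), "->", triage_hint(r))
```

The timeout case is caught before the generic OSError case on purpose: socket.timeout is itself an OSError subclass, and the page distinguishes "no response" from a connection failure, so a Status Code of None plus the message tells a playbook which of the two it hit.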

Search File Content Type

Lists all file content types.

Input

Input Parameter | Required/Optional | Description | Example
File Content Type | Optional | The file content type to retrieve. By default, all file content types are returned. | txt
Parsers Only | Optional | Whether to return only file content types that can be parsed. If the value is True, only parsable file content types are returned. By default, the value is False. | false

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.

SAMPLE DATA

JSON
{
    "total": 6,
    "data": [
        {
            "id": *****,
            "name": "Cuckoo",
            "is_parsable": "Y",
            "parser_class": "Cuckoo",
            "created_at": "2020-05-18 17:44:11",
            "updated_at": "2020-05-18 17:44:11"
        },
        {
            "id": *****,
            "name": "FireEye Analysis",
            "is_parsable": "Y",
            "parser_class": "FireEye",
            "created_at": "2020-05-18 17:44:11",
            "updated_at": "2020-05-18 17:44:11"
        },
        {
            "id": *****,
            "name": "Generic Text",
            "is_parsable": "Y",
            "parser_class": "Generic",
            "created_at": "2020-05-18 17:44:11",
            "updated_at": "2020-05-18 17:44:11"
        },
        {
            "id": *****,
            "name": "Palo Alto Networks WildFire XML",
            "is_parsable": "Y",
            "parser_class": "WildFire",
            "created_at": "2020-05-18 17:44:11",
            "updated_at": "2020-05-18 17:44:11"
        },
        {
            "id": *****,
            "name": "ThreatAnalyzer Analysis",
            "is_parsable": "Y",
            "parser_class": "ThreatAnalyzer",
            "created_at": "2020-05-18 17:44:11",
            "updated_at": "2020-05-18 17:44:11"
        },
        {
            "id": *****,
            "name": "ThreatQ CSV File",
            "is_parsable": "Y",
            "parser_class": "ThreatQCSV",
            "created_at": "2020-05-18 17:44:11",
            "updated_at": "2020-05-18 17:44:11"
        }
    ]
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
[
    {
        "id": *****,
        "name": "Cuckoo",
        "is_parsable": "Y",
        "parser_class": "Cuckoo",
        "created_at": "2020-05-18 17:44:11",
        "updated_at": "2020-05-18 17:44:11"
    },
    {
        "id": *****,
        "name": "FireEye Analysis",
        "is_parsable": "Y",
        "parser_class": "FireEye",
        "created_at": "2020-05-18 17:44:11",
        "updated_at": "2020-05-18 17:44:11"
    },
    {
        "id": *****,
        "name": "Generic Text",
        "is_parsable": "Y",
        "parser_class": "Generic",
        "created_at": "2020-05-18 17:44:11",
        "updated_at": "2020-05-18 17:44:11"
    },
    {
        "id": *****,
        "name": "Palo Alto Networks WildFire XML",
        "is_parsable": "Y",
        "parser_class": "WildFire",
        "created_at": "2020-05-18 17:44:11",
        "updated_at": "2020-05-18 17:44:11"
    },
    {
        "id": *****,
        "name": "ThreatAnalyzer Analysis",
        "is_parsable": "Y",
        "parser_class": "ThreatAnalyzer",
        "created_at": "2020-05-18 17:44:11",
        "updated_at": "2020-05-18 17:44:11"
    },
    {
        "id": *****,
        "name": "ThreatQ CSV File",
        "is_parsable": "Y",
        "parser_class": "ThreatQCSV",
        "created_at": "2020-05-18 17:44:11",
        "updated_at": "2020-05-18 17:44:11"
    }
]
Key Fields

Common cyber security indicators such as risk levels, risk level names, unique IDs, file hash values, CVE numbers and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "IDs": [
        "*****",
        "*****",
        "*****",
        "*****",
        "*****",
        "*****"
    ],
    "FileContentTypes": [
        "Cuckoo",
        "FireEye Analysis",
        "Generic Text",
        "Palo Alto Networks WildFire XML",
        "ThreatAnalyzer Analysis",
        "ThreatQ CSV File"
    ]
}
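The reader notes for Parse File, Unlink Object and the Update Indicator commands all send the user to the path $.data[*].id of an earlier command's raw data, and the Key Fields sections for Parse File and Search File Content Type show what D3 extracts from that raw data. The following is an added example, not code from D3 SOAR or ThreatQuotient, that performs those two extractions in plain Python over ThreatQ-style list responses and resolves a single Parser ID for Parse File. Both sample responses are constructed to mirror the shape of the page's samples; their IDs, values and the non-parsable entry are invented placeholders, and the name filter is assumed to be a case-insensitive substring match because the page does not state how the File Content Type input is matched.

```python
"""Added example (not D3 SOAR or ThreatQuotient code): extract $.data[*].id
and the Key Fields objects from ThreatQ-style list responses.

The samples are constructed to match the page's shapes; IDs, values and the
non-parsable entry are placeholders. The name filter (case-insensitive
substring) is an assumption."""

from typing import Any, Dict, List, Optional

# Constructed sample in the shape of the Search File Content Type Raw Data.
SAMPLE_CONTENT_TYPES: Dict[str, Any] = {
    "total": 3,
    "data": [
        {"id": 101, "name": "Generic Text", "is_parsable": "Y", "parser_class": "Generic"},
        {"id": 102, "name": "ThreatQ CSV File", "is_parsable": "Y", "parser_class": "ThreatQCSV"},
        {"id": 103, "name": "Opaque Binary", "is_parsable": "N", "parser_class": None},
    ],
}

# Constructed sample in the shape of the Parse File Raw Data (three indicators).
SAMPLE_INDICATORS: Dict[str, Any] = {
    "total": 3,
    "data": [
        {"id": 201, "value": "host-a.example.invalid", "score": 0, "type": {"name": "FQDN"}},
        {"id": 202, "value": "host-b.example.invalid", "score": 0, "type": {"name": "FQDN"}},
        {"id": 203, "value": "http://host-c.example.invalid/x", "score": 0,
         "type": {"name": "URL"}, "attributes": [{"name": "Scheme", "value": "http"}]},
    ],
}


def data_ids(raw: Dict[str, Any]) -> List[Any]:
    """The JSONPath $.data[*].id from the reader notes, without a JSONPath library."""
    return [item["id"] for item in raw.get("data", []) if "id" in item]


def content_type_ids(raw: Dict[str, Any], name: Optional[str] = None,
                     parsers_only: bool = False) -> List[Any]:
    """Mirror the Search File Content Type inputs and return the matching IDs."""
    matches = []
    for item in raw.get("data", []):
        if parsers_only and item.get("is_parsable") != "Y":
            continue
        # Assumed matching rule: case-insensitive substring on the display name.
        if name is not None and name.lower() not in str(item.get("name", "")).lower():
            continue
        matches.append(item["id"])
    return matches


def pick_parser_id(raw: Dict[str, Any], name: str) -> Any:
    """Resolve exactly one Parser ID for Parse File; an ambiguous match is an
    error so a playbook never silently parses with the wrong parser."""
    ids = content_type_ids(raw, name=name, parsers_only=True)
    if len(ids) != 1:
        raise LookupError(f"expected one parsable content type matching {name!r}, got {ids}")
    return ids[0]


def indicator_key_fields(raw: Dict[str, Any]) -> Dict[str, List[Any]]:
    """Key Fields as shown for Parse File: IDs (as strings), Values, Scores, Types."""
    data = raw.get("data", [])
    return {
        "IDs": [str(i["id"]) for i in data],
        "Values": [i.get("value") for i in data],
        "Scores": [i.get("score") for i in data],
        "Types": [(i.get("type") or {}).get("name") for i in data],
    }


def content_type_key_fields(raw: Dict[str, Any]) -> Dict[str, List[Any]]:
    """Key Fields as shown for Search File Content Type: IDs and FileContentTypes."""
    data = raw.get("data", [])
    return {
        "IDs": [str(i["id"]) for i in data],
        "FileContentTypes": [i.get("name") for i in data],
    }


if __name__ == "__main__":
    print(data_ids(SAMPLE_CONTENT_TYPES))
    print(pick_parser_id(SAMPLE_CONTENT_TYPES, "csv"))
    print(indicator_key_fields(SAMPLE_INDICATORS))
```

Note that the Key Fields sample on the page lists IDs as strings even though the raw data carries them as numbers; the example reproduces that conversion so that values pulled from $.[playbookTask].outputData compare the way the page shows them.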
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id | name | is_parsable | parser_class | created_at | updated_at
***** | Cuckoo | Y | Cuckoo | 2020-05-18 17:44:11 | 2020-05-18 17:44:11
***** | FireEye Analysis | Y | FireEye | 2020-05-18 17:44:11 | 2020-05-18 17:44:11
***** | Generic Text | Y | Generic | 2020-05-18 17:44:11 | 2020-05-18 17:44:11
***** | Palo Alto Networks WildFire XML | Y | WildFire | 2020-05-18 17:44:11 | 2020-05-18 17:44:11
***** | ThreatAnalyzer Analysis | Y | ThreatAnalyzer | 2020-05-18 17:44:11 | 2020-05-18 17:44:11
***** | ThreatQ CSV File | Y | ThreatQCSV | 2020-05-18 17:44:11 | 2020-05-18 17:44:11

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error | Description | Example
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Search File Content Type failed.
Status Code | The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command; the user or system support would need to check the permission settings in the ThreatQuotient portal. Refer to the HTTP Status Code Registry for details. | Status Code: 401.
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Access denied.

Error Sample Data

Search File Content Type failed.

Status Code: 401.

Message: Access denied.

Unlink Object

Unlinks two objects in ThreatQ.

READER NOTE

Object 1 ID and Object 2 ID are required parameters to run this command.

  • Run the Get Object ID by Value command to obtain the Object 1 ID and Object 2 ID. Both IDs can be found in the raw data at the path $.data[*].id.

Input

Input Parameter | Required/Optional | Description | Example
Object 1 Type | Required | The type of the first object to unlink. | indicators
Object 1 ID | Required | The ID of the first object to unlink. Object IDs can be obtained using the Get Object ID by Value command. | *****
Object 2 Type | Required | The type of the second object to unlink. | adversaries
Object 2 ID | Required | The ID of the second object to unlink. Object IDs can be obtained using the Get Object ID by Value command. | *****

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error | Description | Example
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Unlink Object failed.
Status Code | The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command; the user or system support would need to check the permission settings in the ThreatQuotient portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404.
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Not found.

Error Sample Data

Unlink Object failed.

Status Code: 404.

Message: Not found.

Update Indicator Score

Updates the indicator score in ThreatQ.

READER NOTE

Indicator ID is a required parameter to run this command.

  • Run the Get Object ID by Value command to obtain the Indicator ID. Indicator IDs can be found in the raw data at the path $.data[*].id.

Input

Input Parameter | Required/Optional | Description | Example
Indicator ID | Required | The Indicator ID for which to update the score. Indicator IDs can be obtained using the Get Object ID by Value command. | *****
Indicator Score | Required | The updated indicator score. | 10

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.

SAMPLE DATA

JSON
{
    "data": {
        "indicator_id": *****,
        "generated_score": "0.00",
        "manual_score": 1,
        "score_config_hash": "*****",
        "created_at": "2021-11-08 20:09:36",
        "updated_at": "2024-10-04 20:10:57"
    }
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
{
    "indicator_id": *****,
    "generated_score": "0.00",
    "manual_score": 1,
    "score_config_hash": "*****",
    "created_at": "2021-11-08 20:09:36",
    "updated_at": "2024-10-04 20:10:57"
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

indicator_id | *****
generated_score | 0.00
manual_score | 1
score_config_hash | *****
created_at | 2021-11-08 20:09:36
updated_at | 2024-10-04 20:10:57

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including the Failure Indicator, Status Code, and Message. These can help you locate the root cause of a command failure.

Parts in Error | Description | Example
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Update Indicator Score failed.
Status Code | The response code issued by the third-party API server or the D3 SOAR system, which can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command; the user or system support would need to check the permission settings in the ThreatQuotient portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404.
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Not found.

Error Sample Data

Update Indicator Score failed.

Status Code: 404.

Message: Not found.

Update Indicator Status

Updates the indicator status in ThreatQ.

READER NOTE

Indicator ID is a required parameter to run this command.

  • Run the Get Object ID by Value command to obtain the Indicator ID. Indicator IDs can be found in the raw data at the path $.data[*].id.

Input

Input Parameter | Required/Optional | Description | Example
Indicator ID | Required | The Indicator ID for which to update the status. Indicator IDs can be obtained using the Get Object ID by Value command. | *****
Indicator Status | Required | The updated indicator status. Possible values include: "Active", "Expired", "Indirect", "Review", "Whitelisted", and other custom options. | Expired

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

JSON
Successful
Raw Data

The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.

SAMPLE DATA

JSON
{
    "data": {
        "id": *****,
        "type_id": *****,
        "status_id": *****,
        "class": "host",
        "hash": "*****",
        "value": "*****",
        "description": null,
        "last_detected_at": null,
        "expires_at": null,
        "expired_at": "2024-10-03 18:27:26",
        "expires_needs_calc": "N",
        "expires_calculated_at": "2024-10-03 18:25:02",
        "created_at": "2021-11-08 20:09:36",
        "updated_at": "2024-10-03 18:27:26",
        "touched_at": "2024-10-04 20:10:57",
        "status": {
            "id": *****,
            "name": "Expired",
            "description": "No longer poses a serious threat.",
            "user_editable": "N",
            "visible": "Y",
            "include_in_export": "Y",
            "protected": "N",
            "created_at": "2020-05-18 17:44:11",
            "updated_at": "2020-05-18 17:44:11"
        },
        "type": {
            "id": *****,
            "name": "MD5",
            "class": "host",
            "score": null,
            "wildcard_matching": "N",
            "created_at": "2020-05-18 17:43:04",
            "updated_at": "2020-05-18 17:43:04"
        }
    }
}
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
{
    "id": *****,
    "type_id": *****,
    "status_id": *****,
    "class": "host",
    "hash": "*****",
    "value": "*****",
    "description": null,
    "last_detected_at": null,
    "expires_at": null,
    "expired_at": "2024-10-03 18:27:26",
    "expires_needs_calc": "N",
    "expires_calculated_at": "2024-10-03 18:25:02",
    "created_at": "2021-11-08 20:09:36",
    "updated_at": "2024-10-03 18:27:26",
    "touched_at": "2024-10-04 20:10:57",
    "status": {
        "id": *****,
        "name": "Expired",
        "description": "No longer poses a serious threat.",
        "user_editable": "N",
        "visible": "Y",
        "include_in_export": "Y",
        "protected": "N",
        "created_at": "2020-05-18 17:44:11",
        "updated_at": "2020-05-18 17:44:11"
    },
    "type": {
        "id": *****,
        "name": "MD5",
        "class": "host",
        "score": null,
        "wildcard_matching": "N",
        "created_at": "2020-05-18 17:43:04",
        "updated_at": "2020-05-18 17:43:04"
    }
}
Key Fields

Common cyber security indicators such as risk levels, risk level names, unique IDs, file hash values, CVE numbers and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "ID": "*****",
    "Class": "host",
    "Hash": "*****",
    "Value": "*****",
    "Status": "Expired",
    "Type": "MD5"
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id: *****
type_id: *****
status_id: *****
class: host
hash: *****
value: *****
description: None
last_detected_at: None
expires_at: None
expired_at: 2024-10-03 18:27:26
expires_needs_calc: N
expires_calculated_at: 2024-10-03 18:25:02
created_at: 2021-11-08 20:09:36
updated_at: 2024-10-03 18:27:26
touched_at: 2024-10-04 20:10:57
status: {'id': *****, 'name': 'Expired', 'description': 'No longer poses a serious threat.', 'user_editable': 'N', 'visible': 'Y', 'include_in_export': 'Y', 'protected': 'N', 'created_at': '2020-05-18 17:44:11', 'updated_at': '2020-05-18 17:44:11'}
type: {'id': *****, 'name': 'MD5', 'class': 'host', 'score': None, 'wildcard_matching': 'N', 'created_at': '2020-05-18 17:43:04', 'updated_at': '2020-05-18 17:43:04'}

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. These help you locate the root cause of a command failure.

Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Example: Update Indicator Status failed.

Status Code
The response code issued by the third-party API server or the D3 SOAR system, used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command, and the user or system support would need to check the permission settings in the ThreatQuotient portal. Refer to the HTTP Status Code Registry for details.
Example: Status Code: 404.

Message
The raw data or captured key error message from the integration API server about the API request failure.
Example: Message: Not found.

Error Sample Data

Update Indicator Status failed.

Status Code: 404.

Message: Not found.

Update Object Attribute

Updates the attribute of an object.

READER NOTE

Object ID and Object Attribute ID are required parameters to run this command.

  • Run the Get Object ID by Value command to obtain the Object ID. Object IDs can be found in the raw data at the path $.data[*].id.

  • Run the Add Attribute command to obtain the Object Attribute ID. Object Attribute IDs can be found in the raw data at the path $.data[*].id.
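The Key Fields section earlier on this page and the reader note above both describe picking values out of Raw Data by path ($.status.name, $.data[*].id). Below is an added example, not D3 SOAR's own implementation, of a small resolver for exactly the path subset this document uses, applied to two constructed samples shaped like this page's Raw Data (SAMPLE_INDICATOR and SAMPLE_ADD_ATTRIBUTE_RESPONSE; all values are placeholders). It reproduces the Key Fields sample from an indicator response and pulls the Object Attribute ID from $.data[*].id, which is a different field from the nested attribute.id in the same record. Treating a single object under "data" as a one-item list for [*] is an assumption made here, not documented ThreatQ behaviour.

```python
import re
from typing import Any

# Constructed sample shaped like the indicator Raw Data shown on this page
# (placeholder values, not a real ThreatQ record).
SAMPLE_INDICATOR = {
    "id": 101,
    "type_id": 1,
    "status_id": 4,
    "class": "host",
    "hash": "d41d8cd98f00b204e9800998ecf8427e",
    "value": "d41d8cd98f00b204e9800998ecf8427e",
    "description": None,
    "status": {"id": 4, "name": "Expired", "description": "No longer poses a serious threat."},
    "type": {"id": 1, "name": "MD5", "class": "host", "score": None},
}

# Constructed sample shaped like an Add Attribute response. The reader note
# points at $.data[*].id, the "id" that sits beside "indicator_id"; the nested
# attribute.id is a different field and must not be confused with it.
SAMPLE_ADD_ATTRIBUTE_RESPONSE = {
    "data": [
        {
            "id": 555,
            "indicator_id": 101,
            "attribute_id": 7,
            "value": "4000",
            "name": "Port",
            "attribute": {"id": 7, "name": "Port"},
        }
    ]
}


def resolve_path(doc: Any, path: str) -> list:
    """Return every value found at a `$.key.key[*].key` path.

    Only the subset of JSONPath this document uses is supported: the `$` root,
    dotted object keys and the `[*]` list wildcard. A missing key yields no
    values rather than raising, so callers can test for an empty result.
    """
    if not path.startswith("$"):
        raise ValueError("path must start with '$'")
    tokens = re.findall(r"\[\*\]|[^.\[\]]+", path[1:])  # e.g. ["data", "[*]", "id"]
    current = [doc]
    for tok in tokens:
        nxt = []
        for node in current:
            if tok == "[*]":
                # Assumption: some endpoints return one object under "data"
                # instead of a list; treat it as a one-item list.
                nxt.extend(node if isinstance(node, list) else [node])
            elif isinstance(node, dict) and tok in node:
                nxt.append(node[tok])
        current = nxt
    return current


# Paths that reproduce the Key Fields sample on this page from its Raw Data.
KEY_FIELD_PATHS = {
    "ID": "$.id",
    "Class": "$.class",
    "Hash": "$.hash",
    "Value": "$.value",
    "Status": "$.status.name",
    "Type": "$.type.name",
}


def key_fields(raw: dict) -> dict:
    """Flatten an indicator Raw Data object into the page's Key Fields shape."""
    out = {}
    for name, path in KEY_FIELD_PATHS.items():
        values = resolve_path(raw, path)
        if values:
            # The sample shows ID as a string even though the API returns an integer.
            out[name] = str(values[0]) if name == "ID" else values[0]
    return out


def ids_from_response(response: dict) -> list:
    """Pull $.data[*].id, the path the reader note gives for Object and Attribute IDs."""
    return resolve_path(response, "$.data[*].id")


if __name__ == "__main__":
    print(key_fields(SAMPLE_INDICATOR))
    print(ids_from_response(SAMPLE_ADD_ATTRIBUTE_RESPONSE))  # [555], not the nested [7]
```

The resolver returns a list even for scalar paths so that playbook logic can distinguish "field absent" (empty list) from "field present with a null value" ([None]), which matters for fields such as description and expires_at that this page shows as null.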

Input

Object Type (Required)
The type of object for which to update the attribute. Options: Indicator | Adversary | Event | File | Signature.
Example: indicator

Object ID (Required)
The ID of the object for which to update the attribute. Object IDs can be obtained using the Get Object ID by Value command.
Example: *****

Object Attribute ID (Required)
The ID of the attribute to be updated. Attribute IDs can be obtained using the Add Attribute or the matching List commands. Use the value of the "id" key that appears alongside "indicator_id" in that command's raw data, at the path $.data[*].id.
Example: *****

Attribute Value (Required)
The new value to set on the attribute.
Example: 4000

Attribute Source Name (Optional)
The source name to record for the updated attribute.
Example: TQ User

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.

SAMPLE DATA

JSON
{
    "data": {
        "id": *****,
        "indicator_id": *****,
        "attribute_id": *****,
        "value": "New Value",
        "created_at": "2022-02-07 19:19:30",
        "updated_at": "2022-02-07 19:23:48",
        "touched_at": "2022-02-07 19:23:48.684",
        "name": "Port",
        "attribute": {
            "id": *****,
            "name": "Port",
            "created_at": "2022-02-07 19:19:30",
            "updated_at": "2022-02-07 19:19:30"
        },
        "sources": [
            {
                "id": *****,
                "type": "other_sources",
                "reference_id": *****,
                "name": "TQ User",
                "tlp_id": null,
                "created_at": "2022-02-07 19:19:30",
                "updated_at": "2022-02-07 19:19:30",
                "published_at": null,
                "pivot": {
                    "indicator_attribute_id": *****,
                    "source_id": *****,
                    "id": *****,
                    "creator_source_id": *****
                }
            }
        ]
    }
}
Key Fields

Common cyber security indicators such as risk levels, risk level names, unique IDs, file hash values, CVE numbers and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "AttributeID": [*****],
    "AttributeName": ["Port"],
    "AttributeValue": ["New Value"],
    "SourceName": ["TQ User"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No sample data

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. These help you locate the root cause of a command failure.

Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Example: Update Object Attribute failed.

Status Code
The response code issued by the third-party API server or the D3 SOAR system, used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command, and the user or system support would need to check the permission settings in the ThreatQuotient portal. Refer to the HTTP Status Code Registry for details.
Example: Status Code: 404.

Message
The raw data or captured key error message from the integration API server about the API request failure.
Example: Message: The provided Object ID or Attribute ID doesn't exist.

Error Sample Data

Update Object Attribute failed.

Status Code: 404.

Message: The provided Object ID or Attribute ID doesn't exist.

Upload File

Uploads files to ThreatQ.

File Category is a required parameter to run this command.

  • Run the List Attachment Types command to obtain the File Category. File Categories can be found in the raw data at the path $.data[*].id.

File ID and File Source

Using the Test Command feature with the Upload File command is not recommended, as the command is designed for dynamic input files from Playbooks, Incident Attachments, and Artifact Attachments. There is a simple workaround to test the command:

  1. Navigate to Configuration on the top bar menu.

  2. Click on Utility Commands on the left sidebar menu.

  3. Use the search box to find and select the Create a File from input Text Array command.

  4. Select the Test tab.

  5. Input the required information for the parameters.

  6. Click on the Test Command button. A D3 File ID will appear in the output data after the file has been successfully created. The D3 File Source of the created file will be Playbook File.

Input

File IDs (Required)
The ID(s) of the file(s) to upload, as recorded by the selected File Source.
Example (JSON): ["*****"]

File Source (Required)
The file source of the file to send. The options for file sources are:

  • Incident Attachment File: Manually uploaded file from Incident

  • Playbook File: Output from another Task

  • Artifact File: Ingested Artifact in an Event

Example: PB_FILE

File Category (Required)
The category of the file that will be uploaded (e.g., CrowdStrike Intelligence, FireEye Analysis, Cuckoo, PDF, ThreatQ CSV File). File Category can be obtained using the List Attachment Types command.
Example: application/pdf

Malware safety lock Value (Required)
Whether to zip up files for safer download. To unzip, use the password "infected".
Example: true

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request. For check reputation commands, D3-defined risk levels and risk level names are also included.

SAMPLE DATA

JSON
[
    {
        "data": {
            "malware_locked": 1,
            "placeholder": 0,
            "name": "IR-*****.pdf.zip",
            "title": "IR-*****pdfzip",
            "file_size": 592303,
            "hash": "*****",
            "type_id": *****,
            "content_type_id": *****,
            "updated_at": "2024-10-07 17:13:57",
            "created_at": "2024-10-07 17:13:57",
            "id": *****
        }
    }
]
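The Malware safety lock input above and the malware_locked flag in this Raw Data describe the same thing: the uploaded file is stored as a zip archive that opens with the password "infected". Below is an added example, not D3 SOAR or ThreatQ code, showing how a consumer of this response can recognise a locked record and extract such an archive with that password while refusing any entry that would write outside the destination directory. SAMPLE_UPLOAD_RECORD is constructed after the Raw Data shape on this page with placeholder values. The archive bytes are also constructed in memory and, because the standard-library zipfile module cannot write encrypted archives, they are unencrypted; zipfile ignores the password for unencrypted entries, so the same extraction code runs against them. zipfile's decryption covers only the traditional PKWARE scheme, so an AES-encrypted archive would need a third-party library.

```python
import io
import os
import tempfile
import zipfile

# Password this page documents for files stored with the Malware safety lock.
SAFETY_LOCK_PASSWORD = b"infected"

# Constructed record shaped like one element of the Upload File Raw Data
# (placeholder values, not a real ThreatQ record).
SAMPLE_UPLOAD_RECORD = {
    "malware_locked": 1,
    "placeholder": 0,
    "name": "IR-0001.pdf.zip",
    "title": "IR-0001pdfzip",
    "file_size": 592303,
    "hash": "0000000000000000000000000000000000000000",
    "type_id": 1,
    "content_type_id": 1,
    "id": 42,
}


def is_safety_locked(record: dict) -> bool:
    """True when the stored file is the zipped, password-protected form."""
    name = str(record.get("name", "")).lower()
    return record.get("malware_locked") == 1 and name.endswith(".zip")


def extract_locked_archive(archive: bytes, dest: str) -> list:
    """Extract a safety-locked archive into dest using the documented password.

    Every entry name is resolved against the real destination path, and any
    entry that would land outside it (zip-slip, e.g. "../x" or an absolute
    path) is refused before a single byte is written. Returns the relative
    paths that were written.
    """
    root = os.path.realpath(dest)
    written = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.realpath(os.path.join(root, info.filename))
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"refusing to extract {info.filename!r}: escapes {root}")
            os.makedirs(os.path.dirname(target), exist_ok=True)
            # pwd is only consulted for encrypted entries; unencrypted ones ignore it.
            with zf.open(info, pwd=SAFETY_LOCK_PASSWORD) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, root))
    return written


def build_sample_archive(member: str = "IR-0001.pdf") -> bytes:
    """Constructed stand-in for a downloaded locked file.

    The standard library cannot write encrypted zips, so this archive is
    unencrypted. It exists only so the extraction path can be exercised.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, b"%PDF-1.4\n% constructed sample content\n")
    return buf.getvalue()


def demo_extract() -> list:
    """Extract the constructed sample into a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return extract_locked_archive(build_sample_archive(), tmp)


def demo_traversal_refused() -> bool:
    """Show that an entry named '../escape.txt' is rejected rather than written."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            extract_locked_archive(build_sample_archive("../escape.txt"), tmp)
        except ValueError:
            return True
    return False


if __name__ == "__main__":
    print(is_safety_locked(SAMPLE_UPLOAD_RECORD))
    print(demo_extract())
    print(demo_traversal_refused())
```

Checking malware_locked together with the .zip suffix, rather than either alone, guards against a record whose name happens to end in .zip but was stored unlocked (and would then not need the password), and against the reverse.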
Context Data

The data that has been extracted from Raw Data and converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be updated to use Raw Data.

SAMPLE DATA

JSON
[
    {
        "malware_locked": 1,
        "placeholder": 0,
        "name": "IR-*****.pdf.zip",
        "title": "IR-*****pdfzip",
        "file_size": 592303,
        "hash": "*****",
        "type_id": *****,
        "content_type_id": *****,
        "updated_at": "2024-10-07 17:13:57",
        "created_at": "2024-10-07 17:13:57",
        "id": *****
    }
]
Key Fields

Common cyber security indicators such as risk levels, risk level names, unique IDs, file hash values, CVE numbers and IP addresses will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

JSON
{
    "id": [
        "*****"
    ],
    "hash": [
        "*****"
    ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

malware_locked: 1
placeholder: 0
name: IR-*****.pdf.zip
title: IR-*****pdfzip
file_size: 592303
hash: *****
type_id: *****
content_type_id: *****
updated_at: 2024-10-07 17:13:57
created_at: 2024-10-07 17:13:57
id: *****

Error Handling

If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. These help you locate the root cause of a command failure.

Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Example: Upload File failed.

Status Code
The response code issued by the third-party API server or the D3 SOAR system, used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command, and the user or system support would need to check the permission settings in the ThreatQuotient portal. Refer to the HTTP Status Code Registry for details.
Example: Status Code: 404.

Message
The raw data or captured key error message from the integration API server about the API request failure.
Example: Message: The specified File does not have file data.

Error Sample Data

Upload File failed.

Status Code: 404.

Message: The specified File does not have file data.

Test Connection

Performs a health check on an integration connection. A periodic health check can be scheduled by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

SAMPLE DATA

CODE
Successful

Error Handling

If the Return Data displays Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. These help you locate the root cause of a command failure.

Failure Indicator
Indicates the command failure that happened at a specific input and/or API call.
Example: Test Connection failed. Failed to check the connector.

Status Code
The response code issued by the third-party API server or the D3 SOAR system, used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is not authorized to run the command, and the user or system support would need to check the permission settings in the ThreatQuotient portal. Refer to the HTTP Status Code Registry for details.
Example: Status Code: 401.

Message
The raw data or captured key error message from the integration API server about the API request failure.
Example: Message: Get Access Token Fail.

Error Sample Data

Test Connection failed. Failed to check the connector.

Status Code: 401.

Message: Get Access Token Fail.
