
Trellix McAfee ESM

LAST UPDATED: OCT 22, 2024

Overview

Trellix McAfee ESM (ESM) is a SIEM solution that can collect logs from various sources and correlate events for investigation and incident response.

D3 SOAR provides REST operations to work with Trellix McAfee ESM.

Trellix McAfee ESM is available for use in:

D3 SOAR

V12.7.83.0+

Category

SIEM

Deployment Options

Option I, Option III

Connection

To connect to Trellix McAfee ESM from D3 SOAR, collect the information listed below:

Parameter

Description

Example

Server URL

The server URL of the McAfee ESM instance.

https://*****

Username

The username to access McAfee ESM.

NGCP

Password

The password credential to access McAfee ESM.

D**ec**it**

Version

The API version to use for the connection.

v2

Configuring Trellix McAfee ESM to Work with D3 SOAR

  1. Log in to McAfee ESM with your credentials.

  2. Click on the hamburger icon to reveal the sidebar menu. Select System Properties.

  3. To configure System Properties, you must have the ESM Administrator App installed on your computer. If you have not already done so, click Download .exe (Windows). If the ESM Administrator App is already installed, click Launch.

    1. After you have downloaded the .exe file, run and install it. Click Finish to complete the installation.

  4. Go back to McAfee ESM, and click Launch. A pop-up window will appear asking for permission to open ESM_Administrator_App. Select Open ESM_Administrator_App. You will be directed to the ESM Administrator App.

  5. In the ESM Administrator App, click on the hamburger icon to reveal the sidebar menu. Select System Properties > Users and Groups.

  6. You will be prompted to enter a password. Input your account login password and click OK.

  7. Click Add to create a new user. Input a Username, and set your Password. Grant Administrator Rights, then click OK.

  8. Input your account login password in the popup to save this user.

The created user account will appear in the user list and is ready to be used for an integration connection in D3 SOAR. Because this account has administrator rights, reserve it for the D3 SOAR connection only and consider storing its password with the Enable Password Vault option described below rather than entering it directly.

Configuring D3 SOAR to Work with Trellix McAfee ESM

  1. Log in to D3 SOAR.

  2. Find the Trellix McAfee ESM integration.

    1. Navigate to Configuration on the top header menu.

    2. Click on the Integration icon on the left sidebar.

    3. Type Trellix McAfee ESM in the search box to find the integration, then click it to select it.

    4. Click New Connection, on the right side of the Connections section. A new connection window will appear.

  3. Configure the following fields to create a connection to Trellix McAfee ESM.

    1. Connection Name: The desired name for the connection.

    2. Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.

    3. Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.

    4. Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.

    5. Description (Optional): Add your desired description for the connection.

    6. Configure User Permissions: Defines which users have access to the connection.

    7. Active: Check the tick box to ensure the connection is available for use.

    8. System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
      1. Input your McAfee ESM Server URL.
      2. Input your McAfee ESM Username.
      3. Input your McAfee ESM Password.
      4. Input your Version. The default value is v2.

    9. Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active. To set up a connection health check, check the Connection Health Check tickbox. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.

    10. Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.

  4. Test the connection.

    1. Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green checkmark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.

    2. Click OK to close the alert window.

    3. Click Add to create and add the configured connection.

Commands

Trellix McAfee ESM includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.

Integration API Note

For more information about the Trellix McAfee ESM API, please refer to the Trellix McAfee ESM API reference at https://<Server Address>/rs/esm/v2/help.

Note for Time-related parameters

The input format of time-related parameters may vary based on your account settings. As a result, the sample data provided in our commands may differ from what you see. To set your preferred time format, follow these steps:

  1. Navigate to Configuration > Application Settings. Select Date/Time Format.

  2. Choose your desired date and time format.


After that, you will be able to view your preferred time format when configuring the DateTime input parameters for commands.

Acknowledge Triggered Alarm

Marks a triggered alarm as acknowledged.

READER NOTE

The parameter Alarm IDs is required to run this command.

  • Run the Get Triggered Alarms command to obtain Alarm IDs. Alarm IDs can be found in the returned raw data at the path $.[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Alarm IDs

Required

The ID(s) of triggered alarm(s) to mark as acknowledged. Alarm IDs can be obtained using the Get Triggered Alarms command.

[*****]

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "AlarmID": *****,
        "Status": "Acknowledged"
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "AlarmID": *****,
        "Status": "Acknowledged"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "AlarmID": ["*****"],
  "Status": ["Acknowledged"]
}
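The following Python is an added example, not D3 SOAR code: it applies the Return Data rule described above (Successful, Partially Successful, Failed) to the per-alarm Raw Data of an array-input command such as Acknowledge Triggered Alarm or Delete Triggered Alarm, lists the IDs that got no result so a playbook can retry them, and flattens the results into the Key Fields shape shown in the sample. The alarm IDs are constructed; the rule is a reimplementation for playbook logic, not D3's internal implementation.

```python
# Added example, not D3 SOAR code: derive the Return Data state and the
# Key Fields shape from the Raw Data of an array-input command such as
# Acknowledge Triggered Alarm or Delete Triggered Alarm.

def completed_ids(raw_data, id_key="AlarmID"):
    """IDs the API reported back, as strings so they compare with input IDs
    that may arrive as numbers or text."""
    return {str(item[id_key]) for item in raw_data if id_key in item}

def return_state(requested_ids, raw_data, id_key="AlarmID"):
    """Successful when every requested ID came back, Failed when none did,
    Partially Successful when only some did (the array-input case described
    above). This mirrors the documented rule; it is not D3's implementation."""
    requested = {str(i) for i in requested_ids}
    if not requested:
        raise ValueError("at least one ID is required")
    done = completed_ids(raw_data, id_key)
    if requested <= done:
        return "Successful"
    if requested.isdisjoint(done):
        return "Failed"
    return "Partially Successful"

def missing_ids(requested_ids, raw_data, id_key="AlarmID"):
    """Requested IDs with no result object, in input order, so a playbook
    can retry or escalate exactly those."""
    done = completed_ids(raw_data, id_key)
    return [str(i) for i in requested_ids if str(i) not in done]

def key_fields(raw_data):
    """Flatten a list of result objects into {field: [values...]}, values as
    strings and in result order, matching the Key Fields sample above."""
    fields = {}
    for item in raw_data:
        for name, value in item.items():
            fields.setdefault(name, []).append(str(value))
    return fields

# Constructed sample: two alarms requested, one acknowledged (IDs are made up).
SAMPLE_REQUESTED = [1001, 1002]
SAMPLE_RAW = [{"AlarmID": 1001, "Status": "Acknowledged"}]
```

In a playbook, feed missing_ids() back into a second Acknowledge Triggered Alarm task or into a notification step instead of treating Partially Successful as a terminal failure.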
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

AlarmID

Status

*****

Acknowledged

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Acknowledge Triggered Alarm failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trellix McAfee ESM portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Alarm IDs Not Found.

Error Sample Data

Acknowledge Triggered Alarm failed.

Status Code: 404.

Message: Alarm IDs Not Found.

Add Values To Watchlist

Adds values to watchlists. Note: Hidden watchlists (e.g. GTI) are not supported.

READER NOTE

The parameter Watchlist IDs is required to run this command.

  • Run the List Watchlists command to obtain Watchlist IDs. Watchlist IDs can be found in the raw data at the path $.[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Watchlist IDs

Required

The ID(s) of the watchlist(s) to add values to. Watchlist IDs can be obtained using the List Watchlists command.

[*****]

Values

Required

The string value(s) to add to the specified watchlist(s).

["***.***.***.***","***.***.***.***","***.***.***.***"]
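The following Python is an added example, not code from D3 SOAR or Trellix: it prepares the Watchlist IDs and Values inputs for Add Values To Watchlist before the command runs. It skips hidden watchlists (which this command does not support) using the hidden flag, validates each value against the watchlist type (the IP types and the Port type named on this page; any other type is passed through as text), removes duplicates while keeping order, and splits the result into chunks. The watchlist dict shape follows the Edit Watchlist Raw Data on this page; that List Watchlists returns the same hidden and type fields is an assumption, and the chunk size and sample watchlists and values are constructed for the example.

```python
# Added example, not D3 SOAR or Trellix code: validate and de-duplicate
# values before passing them to the Add Values To Watchlist command.
import ipaddress

# Watchlist types named on this page. Anything else is treated as free-form text.
IP_TYPES = {"SrcIP", "DstIP"}
PORT_TYPE = "Port"

def watchlist_is_supported(watchlist):
    """Hidden watchlists (e.g. GTI) are not supported by the command, so
    check the 'hidden' flag (assumed to come back from List Watchlists in the
    same shape as the Edit Watchlist raw data) before targeting a list."""
    return not watchlist.get("hidden", False)

def normalize_value(value, watchlist_type):
    """Canonical form of one value, or None when it is invalid for the type:
    IP types must parse as an IPv4/IPv6 address, Port must be 0..65535."""
    value = value.strip()
    if not value:
        return None
    if watchlist_type in IP_TYPES:
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            return None
    if watchlist_type == PORT_TYPE:
        if value.isdigit() and 0 <= int(value) <= 65535:
            return str(int(value))
        return None
    return value

def prepare_watchlist_values(values, watchlist_type):
    """Split raw input into (accepted, rejected). Accepted values are
    de-duplicated with order preserved so a retry sends the same payload."""
    accepted, rejected, seen = [], [], set()
    for raw in values:
        norm = normalize_value(raw, watchlist_type)
        if norm is None:
            rejected.append(raw)
        elif norm not in seen:
            seen.add(norm)
            accepted.append(norm)
    return accepted, rejected

def plan_adds(watchlists, values, chunk_size=500):
    """Pair each supported watchlist ID with validated, chunked values.
    Returns (plan, skipped_watchlist_ids, rejected_values). The chunk size
    is an arbitrary choice for this example, not a documented ESM limit."""
    plan, skipped, rejected_all = [], [], set()
    for wl in watchlists:
        if not watchlist_is_supported(wl):
            skipped.append(wl["id"])
            continue
        accepted, rejected = prepare_watchlist_values(values, wl["type"]["name"])
        rejected_all.update(rejected)
        for i in range(0, len(accepted), chunk_size):
            plan.append((wl["id"], accepted[i:i + chunk_size]))
    return plan, skipped, sorted(rejected_all)

# Constructed sample data (IDs, names and addresses are made up for this example).
CONSTRUCTED_WATCHLISTS = [
    {"id": 101, "name": "blocked_dst", "hidden": False, "type": {"name": "DstIP"}},
    {"id": 102, "name": "GTI", "hidden": True, "type": {"name": "DstIP"}},
]
CONSTRUCTED_VALUES = ["10.0.0.5", " 10.0.0.5 ", "10.0.0.300", "2001:db8::1", ""]
```

Each (watchlist id, values) pair in the plan maps directly onto one Add Values To Watchlist task; the rejected list is what an analyst should see instead of a silent 400 from the API.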

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "id": *****,
        "add value status": "successful",
        "values": [
            "***.***.***.***",
            "***.***.***.***",
            "***.***.***.***"
        ]
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "id": *****,
        "add value status": "successful",
        "values": [
            "***.***.***.***",
            "***.***.***.***",
            "***.***.***.***"
        ]
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "IDs": [*****]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id

add value status

values

*****

successful

[
"***.***.***.***",
"***.***.***.***",
"***.***.***.***"
]

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Add Values To Watchlist failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trellix McAfee ESM portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Watchlist IDs Not Found.

Error Sample Data

Add Values To Watchlist failed.

Status Code: 404.

Message: Watchlist IDs Not Found.

Add Watchlist

Adds watchlists to the system.

READER NOTE

If you input a Watchlist Name that already exists in the system, an error (ERROR_DuplicateName) is returned. Use the List Watchlists command to return the existing watchlists and check for duplicates first.

Input

Input Parameter

Required/Optional

Description

Example

Watchlist Names

Required

The names of the new watchlists.

NewWatchlist

Watchlist Type

Required

The watchlist type to assign the new watchlists to.

Port

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "value": *****
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "value": *****
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "IDs": [*****],
  "Names": ["wl681"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

value

*****

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Add Watchlist failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trellix McAfee ESM portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: ERROR_DuplicateName.

Error Sample Data

Add Watchlist failed.

Status Code: 400.

Message: ERROR_DuplicateName.

Delete Triggered Alarm

Deletes specified triggered alarms in the system.

READER NOTE

The parameter Alarm IDs is required to run this command.

  • Run the Get Triggered Alarms command to obtain Alarm IDs. Alarm IDs can be found in the raw data at the path $.[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Alarm IDs

Required

The ID(s) of triggered alarm(s) to delete. Alarm IDs can be obtained using the Get Triggered Alarms command.

[*****]

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "AlarmID": *****,
        "Status": "Deleted"
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "AlarmID": *****,
        "Status": "Deleted"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "AlarmID": ["*****"],
  "Status": ["Deleted"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

AlarmID

Status

*****

Deleted

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Delete Triggered Alarm failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trellix McAfee ESM portal. Refer to the HTTP Status Code Registry for details.

Status Code: 404.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Alarm IDs Not Found.

Error Sample Data

Delete Triggered Alarm failed.

Status Code: 404.

Message: Alarm IDs Not Found.

Edit Watchlist

Edits the properties of a watchlist (except watchlist type). Note: Hidden watchlists (e.g. GTI) are not supported.

READER NOTE

Watchlist ID is a required parameter to run this command.

  • Run the List Watchlists command to obtain the Watchlist ID. Watchlist IDs can be found in the raw data at the path $.[*].id.

Input

Input Parameter

Required/Optional

Description

Example

Watchlist ID

Required

The ID of the watchlist to edit. Watchlist ID can be obtained using the List Watchlists command.

*****

Active Status

Optional

The active status of the watchlist.

1

Watchlist Type

Optional

The updated type of the watchlist.

DstIP

Scored Category

Optional

Puts the watchlist in the scored category.

False

Dynamic Category

Optional

Puts the watchlist in the dynamic category.

False

Hidden Status

Optional

Sets the watchlist to hidden.

False

Watchlist Name

Required

The updated name of the watchlist.

wl100t1

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "id": *****,
    "active": true,
    "customType": {
        "name": "DstIP"
    },
    "scored": false,
    "dynamic": false,
    "hidden": false,
    "type": {
        "name": "DstIP"
    },
    "name": "wl100t1",
    "edited status": "updated"
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
{
    "id": *****,
    "active": true,
    "customType": {
        "name": "DstIP"
    },
    "scored": false,
    "dynamic": false,
    "hidden": false,
    "type": {
        "name": "DstIP"
    },
    "name": "wl100t1",
    "edited status": "updated"
}
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "ID": *****
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

id

active

customType

scored

dynamic

hidden

type

name

edited status

*****

True

{
"name": "DstIP"
}

False

False

False

{
"name": "DstIP"
}

wl100t1

updated

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Edit Watchlist failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trellix McAfee ESM portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: ERROR_InsufficientRights.

Error Sample Data

Edit Watchlist failed.

Status Code: 400.

Message: ERROR_InsufficientRights.

Fetch Event

Returns events from McAfee ESM based on the specified criteria.

READER NOTE

The input parameter Fields is optional for this command.

  • Run the List Available Select Fields command to obtain Fields. Fields can be found in the raw data at the path $.[*].name.

Input

Input Parameter

Required/Optional

Description

Example

Start Time

Required

The start time of the time range to fetch events, in UTC.

2022-09-22 00:00

End Time

Optional

The end time of the time range to fetch events, in UTC.

2022-11-23 00:00

Fields

Optional

The comma-separated list of the additional fields to return in the response data. The available fields can be obtained using the List Available Select Fields command. The following fields are returned by default:

  • ASNGeoDst

  • ASNGeoSrc

  • AvgSeverity

  • DSIDSigID

  • DstIP

  • DstMac

  • DstPort

  • EventCount

  • FirstTime

  • IPSID

  • IPSIDAlertID

  • LastTime

  • GUIDDst

  • GUIDSrc

  • SessionID

  • SigID

  • SrcIP

  • SrcMac

  • SrcPort

  • ZoneDst

  • ZoneSrc

  • Rule_NDSNormSigID.msg

Rule.NormID, VLan

Search Condition

Required

The JSON-formatted query to filter results. Refer to the McAfee ESM API documentation at https://<Server Address>/rs/esm/v2/help/types/EsmFieldFilter for more information about the query syntax.

[
    {
        "type": "EsmFieldFilter",
        "field": {
            "name": "DstIP"
        },
        "operator": "CONTAINS",
        "values": [
            {
                "type": "EsmBasicValue",
                "value": "*****"
            }
        ]
    }
]

Tolerance Scope

Optional

The tolerance scope, in minutes (default 10), widens the query window so that events written slightly late are not missed: events are fetched between {Start Time - Tolerance Scope, End Time}. Because consecutive windows then overlap, an event can be returned by more than one query.

10
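The following Python is an added example, not part of the D3 SOAR integration or the Trellix API: it builds the Search Condition from indicator values in the EsmFieldFilter layout shown above, applies the Tolerance Scope to the Start Time/End Time window, parses the FirstTime/LastTime format seen in the Raw Data below, de-duplicates events returned by overlapping polls using IPSIDAlertID, and derives the Start Time for the next poll. The two time formats are taken from this page's examples; the event records are constructed sample data, and the assumption that operators other than CONTAINS use the same filter layout is not confirmed by the page.

```python
# Added example, not D3 SOAR or Trellix code: helpers for the Fetch Event
# inputs (Search Condition, Start/End Time, Tolerance Scope) and for the
# events it returns.
import json
from datetime import datetime, timedelta, timezone

D3_TIME_FMT = "%Y-%m-%d %H:%M"       # Start Time / End Time as in the examples above
ESM_TIME_FMT = "%m/%d/%Y %H:%M:%S"   # FirstTime / LastTime as in the Raw Data below

def build_field_filter(field_name, values, operator="CONTAINS"):
    """One EsmFieldFilter in the layout shown for Search Condition. Operators
    other than CONTAINS are assumed to use the same layout (assumption)."""
    if not values:
        raise ValueError("a filter needs at least one value")
    return {
        "type": "EsmFieldFilter",
        "field": {"name": field_name},
        "operator": operator,
        "values": [{"type": "EsmBasicValue", "value": str(v)} for v in values],
    }

def build_search_condition(filters):
    """Serialise the filter list to the JSON string the parameter takes."""
    return json.dumps(list(filters), separators=(",", ":"))

def fetch_window(start_time, end_time, tolerance_minutes=10):
    """Return (start, end) as UTC datetimes with the start pulled back by the
    tolerance scope, i.e. the {Start Time - Tolerance Scope, End Time} range."""
    start = datetime.strptime(start_time, D3_TIME_FMT).replace(tzinfo=timezone.utc)
    end = datetime.strptime(end_time, D3_TIME_FMT).replace(tzinfo=timezone.utc)
    if end <= start:
        raise ValueError("End Time must be later than Start Time")
    if tolerance_minutes < 0:
        raise ValueError("Tolerance Scope cannot be negative")
    return start - timedelta(minutes=tolerance_minutes), end

def parse_esm_time(value):
    """FirstTime/LastTime are MM/DD/YYYY HH:MM:SS; FirstTimeLocal carries
    +00:00 in the sample, so they are read as UTC here."""
    return datetime.strptime(value, ESM_TIME_FMT).replace(tzinfo=timezone.utc)

def dedupe_events(events, seen_ids):
    """The tolerance overlap makes consecutive polls return some events
    twice. IPSIDAlertID (device id | alert id) identifies an event: skip
    those already in seen_ids, record the rest and return only new ones."""
    fresh = []
    for event in events:
        key = event.get("IPSIDAlertID")
        if not key or key in seen_ids:
            continue
        seen_ids.add(key)
        fresh.append(event)
    return fresh

def next_start_time(events, previous_end):
    """Start Time for the next poll: the latest LastTime seen, or the previous
    End Time when the poll returned nothing, formatted as D3 expects."""
    fallback = datetime.strptime(previous_end, D3_TIME_FMT).replace(tzinfo=timezone.utc)
    latest = max((parse_esm_time(e["LastTime"]) for e in events if e.get("LastTime")),
                 default=fallback)
    return latest.strftime(D3_TIME_FMT)

# Constructed sample polls (IDs and times are made up for this example).
POLL_1 = [
    {"IPSIDAlertID": "1|1001", "FirstTime": "09/24/2021 19:19:10", "LastTime": "09/24/2021 19:19:10"},
    {"IPSIDAlertID": "1|1002", "FirstTime": "09/24/2021 19:25:00", "LastTime": "09/24/2021 19:25:00"},
]
POLL_2 = [
    {"IPSIDAlertID": "1|1002", "FirstTime": "09/24/2021 19:25:00", "LastTime": "09/24/2021 19:25:00"},
    {"IPSIDAlertID": "1|1003", "FirstTime": "09/24/2021 19:31:45", "LastTime": "09/24/2021 19:31:45"},
]
```

Keep seen_ids across scheduled runs (for example in a playbook variable) for at least the tolerance period; otherwise the overlap that protects against lost events turns into duplicate incidents.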

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "return": [
        {
            "Alert.RemCaseID": "*****",
            "AppID": "microsoft-windows-security-auditing",
            "ASNGeoDst": "*****",
            "ASNGeoSrc": "*****",
            "AvgSeverity": "25",
            "CommandID": "",
            "Destination_Network": "",
            "Destination_UserID": "",
            "DomainID": "workgroup",
            "DSIDSigID": "*****",
            "DstIP": "***.***.***.***",
            "DstMac": "00:00:00:00:00:00",
            "DstPort": "port/code:0",
            "Elapsed_Time": "",
            "EventCount": "1",
            "FirstTime": "09/24/2021 19:19:10",
            "FirstTimeLocal": "2021-09-24 19:19:10+00:00",
            "Flow": "0",
            "GUIDDst": "*****",
            "GUIDSrc": "*****",
            "HostID": "mcafee",
            "Interface": "",
            "Interface_Dest": "",
            "IPSID": "*****",
            "IPSIDAlertID": "*****|*****",
            "LastTime": "09/24/2021 19:19:10",
            "LastTimeLocal": "2021-09-24 19:19:10+00:00",
            "Protocol": "n/a",
            "RemOpenTicketTime": "",
            "Reviewed": "0",
            "Rule_NDSNormSigID.msg": "Host Login",
            "Rule.NormID": "*****",
            "Sequence": "0",
            "SessionID": "*****",
            "SigID": "*****",
            "Source_Network": "",
            "Source_UserID": "",
            "SrcIP": "***.***.***.***",
            "SrcMac": "00:00:00:00:00:00",
            "SrcPort": "*****",
            "Subcategory": "",
            "Trusted": "2",
            "VLan": "0",
            "ZoneDst": "1",
            "ZoneSrc": "1",
            "NormID": "*****",
            "AlertData": {
                "command": "",
                "cases": [],
                "subtype": "failure",
                "ipsId": "*****",
                "eventCount": 1,
                "ruleName": "Failed User Logon",
                "severity": 25,
                "destIp": "*****",
                "destPort": "0",
                "flowId": *****,
                "lastTime": "09/24/2021 19:19:10",
                "destMac": "00:00:00:00:00:00",
                "firstTime": "09/24/2021 19:19:10",
                "flowSessionId": *****,
                "reviewed": "F",
                "srcIp": "***.***.***.***",
                "srcMac": "00:00:00:00:00:00",
                "srcPort": "0",
                "vlan": 0,
                "alertId": *****,
                "sigId": "*****",
                "sigDesc": "Failed User Logon",
                "sigText": "",
                "deviceName": "Local ESM",
                "normId": *****,
                "app": "WIN",
                "srcUser": "NGCP",
                "destUser": "",
                "remedyCaseId": *****,
                "remedyTicketTime": null,
                "deviceTime": "",
                "remedyAnalyst": "",
                "sequence": 0,
                "trusted": 2,
                "sessionId": *****,
                "asnGeoSrcId": "*****",
                "srcAsnGeo": "",
                "asnGeoDestId": "*****",
                "destAsnGeo": "",
                "normMessage": "Login",
                "normDesc": "The Login category indicates events related to logging in to hosts or services.  Belongs to Authentication: The authentication category indicates events relating to system access.",
                "archiveId": "*****",
                "srcZone": "",
                "destZone": "",
                "srcGuid": "",
                "destGuid": "",
                "agg1Name": "",
                "agg1Value": "0.00000000000000E+000",
                "agg2Name": "",
                "agg2Value": "0.00000000000000E+000",
                "agg3Name": "",
                "agg3Value": "0.00000000000000E+000",
                "iocName": "",
                "iocId": *****,
                "customTypes": [
                    {
                        "fieldId": *****,
                        "fieldName": "AppID",
                        "definedFieldNumber": 1,
                        "unformattedValue": "*****",
                        "formatedValue": "WIN"
                    },
                    {
                        "fieldId": *****,
                        "fieldName": "UserIDSrc",
                        "definedFieldNumber": 7,
                        "unformattedValue": "*****",
                        "formatedValue": "NGCP"
                    },
                    {
                        "fieldId": *****,
                        "fieldName": "Message_Text",
                        "definedFieldNumber": 9,
                        "unformattedValue": "*****",
                        "formatedValue": "User Log In failed with: Invalid username"
                    }
                ],
                "object": "",
                "duration": "00:00:00.000",
                "host": "",
                "domain": "",
                "protocol": "n/a",
                "note": ""
            }
        }
    ]
}
Context Data

The data extracted from Raw Data, converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path $.return in API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "Alert.RemCaseID": "*****",
        "AppID": "microsoft-windows-security-auditing",
        "ASNGeoDst": "*****",
        "ASNGeoSrc": "*****",
        "AvgSeverity": "25",
        "CommandID": "",
        "Destination_Network": "",
        "Destination_UserID": "",
        "DomainID": "workgroup",
        "DSIDSigID": "*****",
        "DstIP": "***.***.***.***",
        "DstMac": "00:00:00:00:00:00",
        "DstPort": "port/code:0",
        "Elapsed_Time": "",
        "EventCount": "1",
        "FirstTime": "09/24/2021 19:19:10",
        "FirstTimeLocal": "2021-09-24 19:19:10+00:00",
        "Flow": "0",
        "GUIDDst": "*****",
        "GUIDSrc": "*****",
        "HostID": "mcafee",
        "Interface": "",
        "Interface_Dest": "",
        "IPSID": "*****",
        "IPSIDAlertID": "*****|*****",
        "LastTime": "09/24/2021 19:19:10",
        "LastTimeLocal": "2021-09-24 19:19:10+00:00",
        "Protocol": "n/a",
        "RemOpenTicketTime": "",
        "Reviewed": "0",
        "Rule_NDSNormSigID.msg": "Host Login",
        "Rule.NormID": "*****",
        "Sequence": "0",
        "SessionID": "*****",
        "SigID": "*****",
        "Source_Network": "",
        "Source_UserID": "",
        "SrcIP": "***.***.***.***",
        "SrcMac": "00:00:00:00:00:00",
        "SrcPort": "*****",
        "Subcategory": "",
        "Trusted": "2",
        "VLan": "0",
        "ZoneDst": "1",
        "ZoneSrc": "1",
        "NormID": "*****",
        "AlertData": {
            "command": "",
            "cases": [],
            "subtype": "failure",
            "ipsId": "*****",
            "eventCount": 1,
            "ruleName": "Failed User Logon",
            "severity": 25,
            "destIp": "*****",
            "destPort": "0",
            "flowId": *****,
            "lastTime": "09/24/2021 19:19:10",
            "destMac": "00:00:00:00:00:00",
            "firstTime": "09/24/2021 19:19:10",
            "flowSessionId": *****,
            "reviewed": "F",
            "srcIp": "***.***.***.***",
            "srcMac": "00:00:00:00:00:00",
            "srcPort": "0",
            "vlan": 0,
            "alertId": *****,
            "sigId": "*****",
            "sigDesc": "Failed User Logon",
            "sigText": "",
            "deviceName": "Local ESM",
            "normId": *****,
            "app": "WIN",
            "srcUser": "NGCP",
            "destUser": "",
            "remedyCaseId": *****,
            "remedyTicketTime": null,
            "deviceTime": "",
            "remedyAnalyst": "",
            "sequence": 0,
            "trusted": 2,
            "sessionId": *****,
            "asnGeoSrcId": "*****",
            "srcAsnGeo": "",
            "asnGeoDestId": "*****",
            "destAsnGeo": "",
            "normMessage": "Login",
            "normDesc": "The Login category indicates events related to logging in to hosts or services.  Belongs to Authentication: The authentication category indicates events relating to system access.",
            "archiveId": "*****",
            "srcZone": "",
            "destZone": "",
            "srcGuid": "",
            "destGuid": "",
            "agg1Name": "",
            "agg1Value": "0.00000000000000E+000",
            "agg2Name": "",
            "agg2Value": "0.00000000000000E+000",
            "agg3Name": "",
            "agg3Value": "0.00000000000000E+000",
            "iocName": "",
            "iocId": *****,
            "customTypes": [
                {
                    "fieldId": *****,
                    "fieldName": "AppID",
                    "definedFieldNumber": 1,
                    "unformattedValue": "*****",
                    "formatedValue": "WIN"
                },
                {
                    "fieldId": *****,
                    "fieldName": "UserIDSrc",
                    "definedFieldNumber": 7,
                    "unformattedValue": "*****",
                    "formatedValue": "NGCP"
                },
                {
                    "fieldId": *****,
                    "fieldName": "Message_Text",
                    "definedFieldNumber": 9,
                    "unformattedValue": "*****",
                    "formatedValue": "User Log In failed with: Invalid username"
                }
            ],
            "object": "",
            "duration": "00:00:00.000",
            "host": "",
            "domain": "",
            "protocol": "n/a",
            "note": ""
        }
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "IDs": ["*****" ],
  "AvgSeverities": ["19"],
  "IPSIDAlertIDs": ["*****|*****"],
  "RuleNames": ["*****|*****"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Fetch Event Field Mapping

Please note that Fetch Event commands require event field mapping. Field mapping is a key part of the data normalization stage of the event pipeline: it converts the original data fields from the different providers to the D3 fields standardized by the D3 Model. Please refer to Event and Incident Intake Field Mapping for details.

If you require a custom field mapping, click +Add Field to add a custom field mapping. You may also remove built-in field mappings by clicking x. Please note that two underscore characters will automatically prefix the defined Field Name as the System Name for a custom field mapping. Additionally, if an input Field Name contains any spaces, they will automatically be replaced with underscores for the corresponding System Name.

The Trellix McAfee ESM integration in D3 SOAR has two pre-configured field mappings: Default Event Source and ESM Alarm Events. Only the default field mapping will be used for the Fetch Event command. Both the default field mapping and ESM Alarm Events mapping can be used for the Fetch Incident command.

  • Default Event Source
    The Default Event Source is the default set of field mappings applied when this fetch event command is executed. For out-of-the-box integrations, the system provides a set of field mappings for common fields of fetched events. The default event source has a “Main Event JSON Path” (i.e., $.return) that is used to extract a batch of events from the response raw data. Click Edit Event Source to view the “Main Event JSON Path”.

    • Main Event JSON Path: $.return

The Main Event JSON Path determines the root path where the system starts parsing raw response data into D3 event data. The JSON path begins with $, representing the root element. Child elements are appended to $, each separated by a dot (.). Use square brackets with quotation marks (['...']) for a key that itself contains a dot or another special character, so that the dot is not read as a path separator; the Event Type mapping .['Rule_NDSNormSigID.msg'] in the table below is an example.

For example, the root node of the Fetch Event response is return, which holds the array of events, so $.return is the Main Event JSON Path. Each Source Field in the mapping table is then resolved relative to one event in that array: the FirstTime field is mapped as .FirstTime, and the JSON Path expression to extract FirstTime from the response is $.return.FirstTime.

  • ESM Alarm Events

    Configures the field mappings that are specific to ESM Alarm Events. If a source field in the field mapping is not found in the event, the corresponding field mapping is ignored. ESM alarm events are distinguished by the isAlarmEvent field having the value true, so the ESM Alarm Events mapping is defined by the Search String {$.isAlarmEvent}=true. Click Edit Event Source to view the Search String.

The pre-configured field mappings are detailed below:

Field Name                            Source Field

Default Event Source (Main Event JSON Path: $.return)

Unique Event Key                      *{EventID}-{__FirstTime}-{__LastTime}
ASNGeoDst                             .ASNGeoDst
ASNGeoSrc                             .ASNGeoSrc
Severity                              .AvgSeverity
Event code                            .DSIDSigID
Destination IP address                .DstIP
Destination MAC                       .DstMac
Destination port                      .DstPort
Aggregated / Correlated Event count   .EventCount
GUIDDst                               .GUIDDst
GUIDSrc                               .GUIDSrc
IPSID                                 .IPSID
IPSIDAlertID                          .IPSIDAlertID
Rule name                             .AlertData.ruleName
Session ID                            .SessionID
Signature ID                          .SigID
Source IP address                     .SrcIP
Source MAC address                    .SrcMac
Source port                           .SrcPort
Destination zone                      .ZoneDst
Source zone                           .ZoneSrc
FirstTime                             .FirstTime
LastTime                              .LastTime
Event Type                            .['Rule_NDSNormSigID.msg']
Start Time                            .FirstTimeLocal
End Time                              .LastTimeLocal
Description                           .AlertData.normDesc

ESM Alarm Events (Search String: {$.isAlarmEvent}=true)

The search string format is {jsonpath}=value. If the value of the isAlarmEvent key is true in the event object under raw data, the ESM Alarm Events mapping below is used.

Unique Event Key                      .eventId
Rule name                             .ruleName
Severity                              .severity
Destination IP address                .destIp
Destination MAC                       .destMac
Destination port                      .destPort
Signature ID                          .sigId
Device                                .deviceName
Source username                       .srcUser
Hostname                              .host
Source IP address                     .srcIp
Source MAC address                    .srcMac
Source port                           .srcPort
Event Type                            .ruleName
Start Time                            .firstTimeLocal
End Time                              .lastTimeLocal
Description                           .normMessage

READER NOTE

*{EventID}-{__FirstTime}-{__LastTime}

In D3 SOAR, the events from Trellix McAfee ESM will be predefined with {EventID}-{__FirstTime}-{__LastTime} as the Unique Event Key.

  • Please note that the source type for Unique Event Key is defined as Placeholder. {EventID}-{__FirstTime}-{__LastTime} is a default mapping value provided by D3.

  • {EventID}-{__FirstTime}-{__LastTime} will be auto filled by the Event Code, FirstTime and LastTime field mappings.

  • See Source Field Type from Event and Incident Intake Field Mapping for more details on event field mapping field types.
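
The mapping rules above (Main Event JSON Path, Source Fields resolved relative to one event, bracket notation for a key that contains a dot, the Unique Event Key placeholder, and the {$.isAlarmEvent}=true Search String) applied in code. This is an added example, not D3 SOAR or Trellix code: how D3 parses paths and fills placeholders internally is not documented here, so the parser below is an assumption that reproduces the documented behaviour, and the sample events, their values and the EventID-to-Event-code alias are constructed.

```python
"""Apply the event field mappings described above to ESM response data.

Added example, not D3 SOAR or Trellix code: a minimal re-implementation of
the documented behaviour (an assumption about D3 internals). The Main Event
JSON Path selects the batch of events, each Source Field is resolved against
one event, ['...'] protects a key containing a dot, a missing Source Field is
ignored, the *{...} placeholder is filled from other mapped fields, and the
Search String {$.isAlarmEvent}=true selects the ESM Alarm Events mapping.
"""
from __future__ import annotations

import re

# One token per path element: ['quoted.key'], ["quoted.key"] or a plain key.
_TOKEN = re.compile(r"\[\s*'([^']*)'\s*\]|\[\s*\"([^\"]*)\"\s*\]|([^.\[\]]+)")
_PLACEHOLDER = re.compile(r"\{([^}]+)\}")
_SEARCH_STRING = re.compile(r"^\{(\$[^}]*)\}=(.*)$")

def split_path(path: str) -> list[str]:
    """'$.return' -> ['return'];  .['Rule_NDSNormSigID.msg'] -> ['Rule_NDSNormSigID.msg']"""
    body = path[1:] if path.startswith("$") else path
    return [next(g for g in m.groups() if g is not None) for m in _TOKEN.finditer(body)]

def resolve(obj, path: str):
    """Walk obj along path; None when any key is absent (that mapping is then ignored)."""
    for key in split_path(path):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def matches_search_string(event: dict, search: str) -> bool:
    """Evaluate a D3 search string of the form {jsonpath}=value against one event."""
    m = _SEARCH_STRING.match(search)
    if not m:
        raise ValueError(f"unsupported search string: {search!r}")
    return str(resolve(event, m.group(1))).lower() == m.group(2).strip().lower()

# Subsets of the two pre-configured mappings from the table above.
DEFAULT_EVENT_SOURCE = {
    "name": "Default Event Source", "main_event_json_path": "$.return",
    "fields": {
        "Unique Event Key": "*{EventID}-{__FirstTime}-{__LastTime}",
        "Event code": ".DSIDSigID",
        "Destination IP address": ".DstIP",
        "Rule name": ".AlertData.ruleName",
        "FirstTime": ".FirstTime",
        "LastTime": ".LastTime",
        "Event Type": ".['Rule_NDSNormSigID.msg']",
    },
}
ESM_ALARM_EVENTS = {
    "name": "ESM Alarm Events", "search_string": "{$.isAlarmEvent}=true",
    "fields": {"Unique Event Key": ".eventId", "Rule name": ".ruleName",
               "Source username": ".srcUser", "Description": ".normMessage"},
}
# Placeholder resolution as the reader note describes it (assumed): {EventID} takes the
# value mapped to "Event code"; {__Name} takes mapped field "Name" (D3's custom-field prefix).
_PLACEHOLDER_ALIASES = {"EventID": "Event code"}

def fill_placeholder(template: str, mapped: dict) -> str:
    def lookup(m: re.Match) -> str:
        field = _PLACEHOLDER_ALIASES.get(m.group(1), m.group(1).lstrip("_"))
        return "" if mapped.get(field) is None else str(mapped[field])
    return _PLACEHOLDER.sub(lookup, template.lstrip("*"))

def map_event(event: dict, fields: dict) -> dict:
    """Resolve every Source Field against one event; placeholders (*...) are filled last."""
    mapped, placeholders = {}, {}
    for d3_field, src in fields.items():
        if src.startswith("*"):
            placeholders[d3_field] = src
        elif (value := resolve(event, src)) is not None:
            mapped[d3_field] = value
    for d3_field, template in placeholders.items():
        mapped[d3_field] = fill_placeholder(template, mapped)
    return mapped

def choose_event_source(event: dict) -> dict:
    """The alarm mapping applies only to events whose isAlarmEvent is true."""
    if matches_search_string(event, ESM_ALARM_EVENTS["search_string"]):
        return ESM_ALARM_EVENTS
    return DEFAULT_EVENT_SOURCE

def map_fetch_event_response(raw: dict) -> list[dict]:
    """Fetch Event: take the batch at the Main Event JSON Path and map each event."""
    batch = resolve(raw, DEFAULT_EVENT_SOURCE["main_event_json_path"])
    if not isinstance(batch, list):
        return []
    return [map_event(ev, DEFAULT_EVENT_SOURCE["fields"]) for ev in batch]

# Constructed samples shaped like the raw data on this page (all values invented).
SAMPLE_FETCH_EVENT = {"return": [{
    "DSIDSigID": "SIG-001", "DstIP": "10.0.0.5",
    "FirstTime": "09/24/2021 19:19:10", "LastTime": "09/24/2021 19:19:10",
    "Rule_NDSNormSigID.msg": "Host Login",
    "AlertData": {"ruleName": "Failed User Logon", "normDesc": "Login category"},
}]}
SAMPLE_ALARM_EVENT = {"eventId": "1|1001", "ruleName": "Failed User Logon",
                      "srcUser": "NGCP", "normMessage": "Login", "isAlarmEvent": "true"}
```

Two details are worth noticing when you build a custom mapping: a key such as Rule_NDSNormSigID.msg is only reachable through the bracket form, since .Rule_NDSNormSigID.msg would be read as a nested path and silently map nothing, and an event without isAlarmEvent falls back to the Default Event Source, so a mapping that exists only in ESM Alarm Events produces no value for plain Fetch Event data.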

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Fetch Event failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trellix McAfee ESM portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Invalid Fields.

Error Sample Data

Fetch Event failed.

Status Code: 400.

Message: Invalid Fields.

Fetch Incident

Returns incidents from McAfee ESM based on the specified criteria.

Input

Input Parameter

Required/Optional

Description

Example

Start Time

Required

The start time of the time range to fetch incidents in UTC time.

2022-09-22 00:00

End Time

Optional

The end time of the time range to fetch incidents in UTC time.

2022-11-23 00:00

Tolerance Scope

Optional

The tolerance scope (the default value is 10) in minutes of the query to fetch incidents between start and end time to avoid the loss of incidents. Incidents will be fetched between {Start Time - Tolerance Scope, End Time}.

0

Event Search Condition

Optional

The query to filter results. Refer to the McAfee ESM API documentation at https://<Server Address>/rs/esm/v2/help/types/EsmFieldFilter for more information about the query syntax.

[
    {
        "type": "EsmFieldFilter",
        "field": {
            "name": "DstIP"
        },
        "operator": "CONTAINS",
        "values": [
            {
                "type": "EsmBasicValue",
                "value": "*****"
            }
        ]
    }
]

Create Incidents Only When Events Match Search Conditions

Optional

The option to only create incidents when events in the alarms match the event search conditions. The default value is False.

False

Number of Incident(s) Fetched

Optional

The maximum number of incidents to return. The default value is 10.

10

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "id": *****,
        "assignee": "NGCP",
        "severity": 50,
        "conditionType": *****,
        "summary": "Signature ID 'Multiple Signatures...' match found",
        "triggeredDate": "05/07/2021 18:23:32",
        "acknowledgedDate": "",
        "acknowledgedUsername": "",
        "alarmName": "ATT&CK Alarm - Initial Access - TA0001",
        "events": [
            {
                "command": "",
                "cases": [],
                "subtype": "failure",
                "ipsId": {
                    "id": *****
                },
                "ruleName": "Failed User Logon",
                "eventCount": 1,
                "severity": 25,
                "destIp": "*****",
                "destPort": "0",
                "flowId": *****,
                "lastTime": "05/07/2021 18:22:52",
                "lastTimeLocal": "2021-05-07 18:22:52+00:00",
                "destMac": "00:00:00:00:00:00",
                "firstTime": "05/07/2021 18:22:52",
                "firstTimeLocal": "2021-05-07 18:22:52+00:00",
                "flowSessionId": *****,
                "reviewed": "F",
                "srcIp": "***.***.***.***",
                "srcMac": "00:00:00:00:00:00",
                "srcPort": "0",
                "vlan": 0,
                "sigId": "*****",
                "sigDesc": "Failed User Logon",
                "sigText": "",
                "deviceName": "Local ESM",
                "normId": *****,
                "app": "WIN",
                "srcUser": "*****==",
                "destUser": "",
                "remedyCaseId": *****,
                "remedyTicketTime": null,
                "deviceTime": "",
                "remedyAnalyst": "",
                "sequence": 0,
                "trusted": 2,
                "sessionId": *****,
                "asnGeoSrcId": "*****",
                "srcAsnGeo": "",
                "asnGeoDestId": "*****",
                "destAsnGeo": "",
                "normMessage": "Login",
                "normDesc": "The Login category indicates events related to logging in to hosts or services.  Belongs to Authentication: The authentication category indicates events relating to system access.",
                "archiveId": "*****",
                "srcZone": "",
                "destZone": "",
                "srcGuid": "",
                "destGuid": "",
                "agg1Name": "",
                "agg1Value": "0.00000000000000E+000",
                "agg2Name": "",
                "agg2Value": "0.00000000000000E+000",
                "agg3Name": "",
                "agg3Value": "0.00000000000000E+000",
                "iocName": "",
                "iocId": *****,
                "customTypes": [
                    {
                        "fieldId": *****,
                        "fieldName": "AppID",
                        "definedFieldNumber": 1,
                        "unformattedValue": "*****",
                        "formatedValue": "WIN"
                    },
                    {
                        "fieldId": *****,
                        "fieldName": "UserIDSrc",
                        "definedFieldNumber": 7,
                        "unformattedValue": "*****",
                        "formatedValue": "*****=="
                    },
                    {
                        "fieldId": *****,
                        "fieldName": "Message_Text",
                        "definedFieldNumber": 9,
                        "unformattedValue": "*****",
                        "formatedValue": "User Log In failed with: Invalid username"
                    }
                ],
                "alertId": *****,
                "host": "",
                "duration": "00:00:00.000",
                "object": "",
                "domain": "",
                "protocol": "n/a",
                "note": "",
                "eventId": "*****|*****",
                "isAlarmEvent": "true"
            }
        ]
    }
]
Context Data

The data extracted from Raw Data, converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "id": *****,
        "assignee": "NGCP",
        "severity": 50,
        "conditionType": *****,
        "summary": "Signature ID 'Multiple Signatures...' match found",
        "triggeredDate": "05/07/2021 18:23:32",
        "acknowledgedDate": "",
        "acknowledgedUsername": "",
        "alarmName": "ATT&CK Alarm - Initial Access - TA0001",
        "events": [
            {
                "command": "",
                "cases": [],
                "subtype": "failure",
                "ipsId": {
                    "id": *****
                },
                "ruleName": "Failed User Logon",
                "eventCount": 1,
                "severity": 25,
                "destIp": "*****",
                "destPort": "0",
                "flowId": *****,
                "lastTime": "05/07/2021 18:22:52",
                "lastTimeLocal": "2021-05-07 18:22:52+00:00",
                "destMac": "00:00:00:00:00:00",
                "firstTime": "05/07/2021 18:22:52",
                "firstTimeLocal": "2021-05-07 18:22:52+00:00",
                "flowSessionId": *****,
                "reviewed": "F",
                "srcIp": "***.***.***.***",
                "srcMac": "00:00:00:00:00:00",
                "srcPort": "0",
                "vlan": 0,
                "sigId": "*****",
                "sigDesc": "Failed User Logon",
                "sigText": "",
                "deviceName": "Local ESM",
                "normId": *****,
                "app": "WIN",
                "srcUser": "*****==",
                "destUser": "",
                "remedyCaseId": *****,
                "remedyTicketTime": null,
                "deviceTime": "",
                "remedyAnalyst": "",
                "sequence": 0,
                "trusted": 2,
                "sessionId": *****,
                "asnGeoSrcId": "*****",
                "srcAsnGeo": "",
                "asnGeoDestId": "*****",
                "destAsnGeo": "",
                "normMessage": "Login",
                "normDesc": "The Login category indicates events related to logging in to hosts or services.  Belongs to Authentication: The authentication category indicates events relating to system access.",
                "archiveId": "*****",
                "srcZone": "",
                "destZone": "",
                "srcGuid": "",
                "destGuid": "",
                "agg1Name": "",
                "agg1Value": "0.00000000000000E+000",
                "agg2Name": "",
                "agg2Value": "0.00000000000000E+000",
                "agg3Name": "",
                "agg3Value": "0.00000000000000E+000",
                "iocName": "",
                "iocId": *****,
                "customTypes": [
                    {
                        "fieldId": *****,
                        "fieldName": "AppID",
                        "definedFieldNumber": 1,
                        "unformattedValue": "*****",
                        "formatedValue": "WIN"
                    },
                    {
                        "fieldId": *****,
                        "fieldName": "UserIDSrc",
                        "definedFieldNumber": 7,
                        "unformattedValue": "*****",
                        "formatedValue": "*****=="
                    },
                    {
                        "fieldId": *****,
                        "fieldName": "Message_Text",
                        "definedFieldNumber": 9,
                        "unformattedValue": "*****",
                        "formatedValue": "User Log In failed with: Invalid username"
                    }
                ],
                "alertId": *****,
                "host": "",
                "duration": "00:00:00.000",
                "object": "",
                "domain": "",
                "protocol": "n/a",
                "note": "",
                "eventId": "*****|*****",
                "isAlarmEvent": "true"
            }
        ]
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "AlarmIDs": [*****],
  "AlarmNames": [ "ATT&CK Alarm - Initial Access - TA0001" ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Incident Field Mapping

For this integration, the default incident fields in D3 SOAR are fixed with no built-in source fields. Users can specify the source fields as needed.

Event and Incident Intake Field Mapping

Please note that incident and event intake commands require both Event Field and Incident Field Mapping. These field mappings are the default event/incident field mappings for D3 system integrations. You can edit the provided mappings or create custom mappings as needed. Please refer to Event and Incident Intake Field Mapping for more details.

Incident Main JSON Path: $

Field Name            Source Field

Title                 User to define
Description           User to define
Severity              User to define, default is “Low”
Incident Type *       User to define, default is the first Incident form in D3 SOAR system
Incident Creator      User to define
Incident Owner        User to define
Incident Playbook     User to define
Due In Date           User to define
Unique Key            User to define
Tactics               User to define
Techniques            User to define

Event Field Mapping

Main Event JSON Path

  • $.return

The event field mapping in Fetch Incident is the same as the one in the Fetch Event command.

Please refer to the Fetch Event command for details.

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Parts in Error

Description

Example

Failure Indicator

Indicates the command failure that happened at a specific input and/or API call.

Fetch Incident failed.

Status Code

The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trellix McAfee ESM portal. Refer to the HTTP Status Code Registry for details.

Status Code: 400.

Message

The raw data or captured key error message from the integration API server about the API request failure.

Message: Invalid Search Condition.

Error Sample Data

Fetch Incident failed.

Status Code: 400.

Message: Invalid Search Condition.

Fetch Related Events

Returns related events from McAfee ESM based on the specified criteria.

READER NOTE

The parameter Fields is optional to run this command.

  • Run the List Available Select Fields command to obtain Fields. Fields can be found in the raw data at the path $.[*].name.

Input

Input Parameter

Required/Optional

Description

Example

Related Hours

Optional

The number of hours before the current time within which to fetch related events. If this parameter is not defined, the default value is 1.

1

Fields

Optional

The comma-separated list of the additional fields to return in the response data. The available fields can be obtained using the List Available Select Fields command.

IPSIDAlertID,DstIP,SrcIP,NormID

Search Condition

Required

The JSON-formatted query to filter results. Refer to the McAfee ESM API documentation at https://<Server Address>/rs/esm/v2/help/types/EsmFieldFilter for more information about the query syntax.

[{"type":"EsmFieldFilter","field":{"name":"DstIP"},"operator":"CONTAINS","values":[{"type":"EsmBasicValue","value":"*****"}]}]

Tolerance Scope

Optional

The tolerance scope (the default value is 10) in minutes by which the start of the query window is moved earlier to avoid the loss of events. The query window itself is set by Related Hours, so events will be fetched between {Start of window - Tolerance Scope, Current Time}.

10
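
Building the inputs for Event Search Condition and Tolerance Scope (Fetch Incident, above) and for Search Condition, Tolerance Scope and Related Hours (Fetch Related Events, this table), as an added example that is not part of D3's or Trellix's own code. The EsmFieldFilter and EsmBasicValue shapes are taken from the examples on this page; AVAILABLE_FIELDS is a constructed stand-in for List Available Select Fields output, the Related Hours window calculation is an assumption, and ALLOWED_OPERATORS holds only the operator the page shows.

```python
"""Build the time window and EsmFieldFilter JSON for the ESM query commands.

Added example, not D3 SOAR or Trellix code. It makes two things on this page
concrete: the {Start Time - Tolerance Scope, End Time} window that Tolerance
Scope applies (and, as an assumption, the same widening of the Related Hours
window used by Fetch Related Events), and the EsmFieldFilter structure taken
by Event Search Condition and Search Condition. The filter is built as data
and serialised with json.dumps, so a value copied from a ticket cannot alter
the structure of the query; the string-concatenation variant is kept beside
it to show the injection it allows. Field names are validated against a
constructed sample of List Available Select Fields output.
"""
from __future__ import annotations

import json
from datetime import datetime, timedelta, timezone
from typing import Optional

D3_TIME_FORMAT = "%Y-%m-%d %H:%M"  # format of the Start Time / End Time examples

# Constructed sample of List Available Select Fields raw data ($.[*].name).
AVAILABLE_FIELDS = [{"name": n} for n in ("IPSIDAlertID", "DstIP", "SrcIP", "NormID", "AvgSeverity")]

# CONTAINS is the only operator shown on this page; extend this set from your
# ESM's /rs/esm/v2/help/types/EsmFieldFilter page rather than guessing.
ALLOWED_OPERATORS = {"CONTAINS"}


def parse_utc(value: str) -> datetime:
    """Parse a D3 time parameter; the page states these values are UTC."""
    return datetime.strptime(value, D3_TIME_FORMAT).replace(tzinfo=timezone.utc)


def query_window(start: str, end: Optional[str] = None,
                 tolerance_minutes: int = 10) -> tuple[datetime, datetime]:
    """Fetch Incident / Fetch Event window: {Start Time - Tolerance Scope, End Time}.

    An empty End Time means now. The tolerance only widens the window
    backwards, so it may re-deliver an incident but never skips one; callers
    dedupe on the Unique Event Key or the alarm id.
    """
    if tolerance_minutes < 0:
        raise ValueError("Tolerance Scope must be >= 0")
    start_dt = parse_utc(start)
    end_dt = parse_utc(end) if end else datetime.now(timezone.utc)
    if end_dt < start_dt:
        raise ValueError("End Time precedes Start Time")
    return start_dt - timedelta(minutes=tolerance_minutes), end_dt


def related_window(related_hours: int = 1, tolerance_minutes: int = 10,
                   now: Optional[datetime] = None) -> tuple[datetime, datetime]:
    """Fetch Related Events window (assumed): the last Related Hours, widened by the tolerance."""
    now = now or datetime.now(timezone.utc)
    return now - timedelta(hours=related_hours, minutes=tolerance_minutes), now


def is_selectable(field: str, available: list[dict] = AVAILABLE_FIELDS) -> bool:
    """True when the field name appears in List Available Select Fields output."""
    return field in {f["name"] for f in available}


def field_filter(field: str, value: str, operator: str = "CONTAINS",
                 available: list[dict] = AVAILABLE_FIELDS) -> dict:
    """One EsmFieldFilter entry, in the shape shown in the Search Condition example."""
    if not is_selectable(field, available):
        raise ValueError(f"{field!r} is not a selectable ESM field; run List Available Select Fields")
    if operator not in ALLOWED_OPERATORS:
        raise ValueError(f"unsupported operator {operator!r}")
    return {
        "type": "EsmFieldFilter",
        "field": {"name": field},
        "operator": operator,
        "values": [{"type": "EsmBasicValue", "value": str(value)}],
    }


def search_condition(*filters: dict) -> str:
    """Serialise the filter list as the JSON string the Search Condition parameter takes."""
    return json.dumps(list(filters), separators=(",", ":"))


def unsafe_search_condition(field: str, value: str) -> str:
    """The pattern to avoid: a value containing '"}' rewrites the query structure."""
    return ('[{"type":"EsmFieldFilter","field":{"name":"' + field + '"},"operator":"CONTAINS",'
            '"values":[{"type":"EsmBasicValue","value":"' + value + '"}]}]')


def decode_condition(condition: str) -> list[dict]:
    """Parse a serialised condition back, to see what ESM would actually receive."""
    return json.loads(condition)
```

The contrast between search_condition and unsafe_search_condition is the point: with a value such as 10.0.0.5"},{"type":"EsmBasicValue","value":"0.0.0.0 the concatenated form still parses, but as a filter with two values, so ESM would run a query the analyst did not write; json.dumps keeps the whole value inside one EsmBasicValue. The window helpers show why Tolerance Scope can only cause duplicates, never gaps, which is the behaviour the parameter descriptions promise.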

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "return": [
        {
            "Alert.RemCaseID": "*****",
            "AppID": "*****",
            "ASNGeoDst": "0",
            "ASNGeoSrc": "0",
            "AvgSeverity": "19",
            "CommandID": "",
            "Destination_Network": "",
            "Destination_UserID": "",
            "DomainID": "",
            "DSIDSigID": "*****",
            "DstIP": "*****",
            "DstMac": "00:00:00:00:00:00",
            "DstPort": "0",
            "Elapsed_Time": "",
            "EventCount": "1",
            "FirstTime": "04/20/2021 00:38:02",
            "Flow": "0",
            "GUIDDst": "*****",
            "GUIDSrc": "*****",
            "HostID": "",
            "Interface": "",
            "Interface_Dest": "",
            "IPSID": "*****",
            "IPSIDAlertID": "*****|*****",
            "LastTime": "04/20/2021 00:38:02",
            "Protocol": "n/a",
            "RemOpenTicketTime": "",
            "Reviewed": "0",
            "Rule_NDSNormSigID.msg": "Login",
            "Rule.NormID": "*****",
            "Sequence": "0",
            "SessionID": "*****",
            "SigID": "11",
            "Source_Network": "",
            "Source_UserID": "",
            "SrcIP": "***.***.***.***",
            "SrcMac": "00:00:00:00:00:00",
            "SrcPort": "0",
            "Subcategory": "",
            "Trusted": "2",
            "VLan": "0",
            "ZoneDst": "0",
            "ZoneSrc": "0",
            "NormID": "*****"
        },
        {
            "Alert.RemCaseID": "*****",
            "AppID": "*****",
            "ASNGeoDst": "0",
            "ASNGeoSrc": "0",
            "AvgSeverity": "19",
            "CommandID": "",
            "Destination_Network": "",
            "Destination_UserID": "",
            "DomainID": "",
            "DSIDSigID": "*****",
            "DstIP": "*****",
            "DstMac": "00:00:00:00:00:00",
            "DstPort": "0",
            "Elapsed_Time": "",
            "EventCount": "1",
            "FirstTime": "04/20/2021 00:36:48",
            "Flow": "0",
            "GUIDDst": "*****",
            "GUIDSrc": "*****",
            "HostID": "",
            "Interface": "",
            "Interface_Dest": "",
            "IPSID": "*****",
            "IPSIDAlertID": "*****|*****",
            "LastTime": "04/20/2021 00:36:48",
            "Protocol": "n/a",
            "RemOpenTicketTime": "",
            "Reviewed": "0",
            "Rule_NDSNormSigID.msg": "Login",
            "Rule.NormID": "*****",
            "Sequence": "0",
            "SessionID": "*****",
            "SigID": "11",
            "Source_Network": "",
            "Source_UserID": "",
            "SrcIP": "***.***.***.***",
            "SrcMac": "00:00:00:00:00:00",
            "SrcPort": "0",
            "Subcategory": "",
            "Trusted": "2",
            "VLan": "0",
            "ZoneDst": "0",
            "ZoneSrc": "0",
            "NormID": "*****"
        },
        {
            "Alert.RemCaseID": "*****",
            "AppID": "*****",
            "ASNGeoDst": "0",
            "ASNGeoSrc": "0",
            "AvgSeverity": "25",
            "CommandID": "",
            "Destination_Network": "",
            "Destination_UserID": "",
            "DomainID": "",
            "DSIDSigID": "*****",
            "DstIP": "*****",
            "DstMac": "00:00:00:00:00:00",
            "DstPort": "0",
            "Elapsed_Time": "",
            "EventCount": "1",
            "FirstTime": "04/20/2021 00:27:46",
            "Flow": "0",
            "GUIDDst": "*****",
            "GUIDSrc": "*****",
            "HostID": "",
            "Interface": "",
            "Interface_Dest": "",
            "IPSID": "*****",
            "IPSIDAlertID": "*****|*****",
            "LastTime": "04/20/2021 00:27:46",
            "Protocol": "n/a",
            "RemOpenTicketTime": "",
            "Reviewed": "0",
            "Rule_NDSNormSigID.msg": "Login",
            "Rule.NormID": "*****",
            "Sequence": "0",
            "SessionID": "*****",
            "SigID": "*****",
            "Source_Network": "",
            "Source_UserID": "",
            "SrcIP": "***.***.***.***",
            "SrcMac": "00:00:00:00:00:00",
            "SrcPort": "0",
            "Subcategory": "",
            "Trusted": "2",
            "VLan": "0",
            "ZoneDst": "0",
            "ZoneSrc": "0",
            "NormID": "*****"
        }
    ]
}
Context Data

The data extracted from Raw Data, converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path $.return in API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "Alert.RemCaseID": "*****",
        "AppID": "*****",
        "ASNGeoDst": "0",
        "ASNGeoSrc": "0",
        "AvgSeverity": "19",
        "CommandID": "",
        "Destination_Network": "",
        "Destination_UserID": "",
        "DomainID": "",
        "DSIDSigID": "*****",
        "DstIP": "*****",
        "DstMac": "00:00:00:00:00:00",
        "DstPort": "0",
        "Elapsed_Time": "",
        "EventCount": "1",
        "FirstTime": "04/20/2021 00:38:02",
        "Flow": "0",
        "GUIDDst": "*****",
        "GUIDSrc": "*****",
        "HostID": "",
        "Interface": "",
        "Interface_Dest": "",
        "IPSID": "*****",
        "IPSIDAlertID": "*****|*****",
        "LastTime": "04/20/2021 00:38:02",
        "Protocol": "n/a",
        "RemOpenTicketTime": "",
        "Reviewed": "0",
        "Rule_NDSNormSigID.msg": "Login",
        "Rule.NormID": "*****",
        "Sequence": "0",
        "SessionID": "*****",
        "SigID": "11",
        "Source_Network": "",
        "Source_UserID": "",
        "SrcIP": "***.***.***.***",
        "SrcMac": "00:00:00:00:00:00",
        "SrcPort": "0",
        "Subcategory": "",
        "Trusted": "2",
        "VLan": "0",
        "ZoneDst": "0",
        "ZoneSrc": "0",
        "NormID": "*****"
    },
    {
        "Alert.RemCaseID": "*****",
        "AppID": "*****",
        "ASNGeoDst": "0",
        "ASNGeoSrc": "0",
        "AvgSeverity": "19",
        "CommandID": "",
        "Destination_Network": "",
        "Destination_UserID": "",
        "DomainID": "",
        "DSIDSigID": "*****",
        "DstIP": "*****",
        "DstMac": "00:00:00:00:00:00",
        "DstPort": "0",
        "Elapsed_Time": "",
        "EventCount": "1",
        "FirstTime": "04/20/2021 00:36:48",
        "Flow": "0",
        "GUIDDst": "*****",
        "GUIDSrc": "*****",
        "HostID": "",
        "Interface": "",
        "Interface_Dest": "",
        "IPSID": "*****",
        "IPSIDAlertID": "*****|*****",
        "LastTime": "04/20/2021 00:36:48",
        "Protocol": "n/a",
        "RemOpenTicketTime": "",
        "Reviewed": "0",
        "Rule_NDSNormSigID.msg": "Login",
        "Rule.NormID": "*****",
        "Sequence": "0",
        "SessionID": "*****",
        "SigID": "11",
        "Source_Network": "",
        "Source_UserID": "",
        "SrcIP": "***.***.***.***",
        "SrcMac": "00:00:00:00:00:00",
        "SrcPort": "0",
        "Subcategory": "",
        "Trusted": "2",
        "VLan": "0",
        "ZoneDst": "0",
        "ZoneSrc": "0",
        "NormID": "*****"
    },
    {
        "Alert.RemCaseID": "*****",
        "AppID": "*****",
        "ASNGeoDst": "0",
        "ASNGeoSrc": "0",
        "AvgSeverity": "25",
        "CommandID": "",
        "Destination_Network": "",
        "Destination_UserID": "",
        "DomainID": "",
        "DSIDSigID": "*****",
        "DstIP": "*****",
        "DstMac": "00:00:00:00:00:00",
        "DstPort": "0",
        "Elapsed_Time": "",
        "EventCount": "1",
        "FirstTime": "04/20/2021 00:27:46",
        "Flow": "0",
        "GUIDDst": "*****",
        "GUIDSrc": "*****",
        "HostID": "",
        "Interface": "",
        "Interface_Dest": "",
        "IPSID": "*****",
        "IPSIDAlertID": "*****|*****",
        "LastTime": "04/20/2021 00:27:46",
        "Protocol": "n/a",
        "RemOpenTicketTime": "",
        "Reviewed": "0",
        "Rule_NDSNormSigID.msg": "Login",
        "Rule.NormID": "*****",
        "Sequence": "0",
        "SessionID": "*****",
        "SigID": "*****",
        "Source_Network": "",
        "Source_UserID": "",
        "SrcIP": "***.***.***.***",
        "SrcMac": "00:00:00:00:00:00",
        "SrcPort": "0",
        "Subcategory": "",
        "Trusted": "2",
        "VLan": "0",
        "ZoneDst": "0",
        "ZoneSrc": "0",
        "NormID": "*****"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "IDs": [
    "*****-04/20/2021 00:38:02-04/20/2021 00:38:02",
    "*****-04/20/2021 00:36:48-04/20/2021 00:36:48",
    "*****-04/20/2021 00:27:46-04/20/2021 00:27:46"
  ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Field                  Event 1             Event 2             Event 3
Alert.RemCaseID        0                   0                   0
AppID                  WIN                 WIN                 WIN
ASNGeoDst              0                   0                   0
ASNGeoSrc              0                   0                   0
AvgSeverity            19                  19                  25
CommandID
Destination_Network
Destination_UserID
DomainID
DSIDSigID              *****               *****               *****
DstIP                  *****               *****               *****
DstMac                 00:00:00:00:00:00   00:00:00:00:00:00   00:00:00:00:00:00
DstPort                0                   0                   0
Elapsed_Time
EventCount             1                   1                   1
FirstTime              04/20/2021 0:38:02  04/20/2021 0:36:48  04/20/2021 0:27:46
Flow                   0                   0                   0
GUIDDst                *****               *****               *****
GUIDSrc                *****               *****               *****
HostID
Interface
Interface_Dest
IPSID                  *****               *****               *****
IPSIDAlertID           *****|*****         *****|*****         *****|*****
LastTime               04/20/2021 0:38:02  04/20/2021 0:36:48  04/20/2021 0:27:46
Protocol               n/a                 n/a                 n/a
RemOpenTicketTime
Reviewed               0                   0                   0
Rule_NDSNormSigID.msg  Login               Login               Login
Rule.NormID            *****               *****               *****
Sequence               0                   0                   0
SessionID              0                   0                   0
SigID                  11                  11                  *****
Source_Network
Source_UserID
SrcIP                  ***.***.***.***     ***.***.***.***     ***.***.***.***
SrcMac                 00:00:00:00:00:00   00:00:00:00:00:00   00:00:00:00:00:00
SrcPort                0                   0                   0
Subcategory
Trusted                2                   2                   2
VLan                   0                   0                   0
ZoneDst                0                   0                   0
ZoneSrc                0                   0                   0
NormID                 0                   0                   0

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Failure Indicator
    Description: Indicates the command failure that happened at a specific input and/or API call.
    Example: Fetch Related Events failed.

Status Code
    Description: The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trellix McAfee ESM portal. Refer to the HTTP Status Code Registry for details.
    Example: Status Code: 400.

Message
    Description: The raw data or captured key error message from the integration API server about the API request failure.
    Example: Message: Invalid Fields.

Error Sample Data

Fetch Related Events failed.

Status Code: 400.

Message: Invalid Fields.

Get Alarm Event Details

Returns details of the specified triggered alarm event(s).

READER NOTE

The parameter Event IDs is required to run this command.

  • You should already have the desired Event IDs on hand to run this command. If you don’t, you can use the Fetch Event command with defined filters to retrieve them. Event IDs can be found in the raw data at the path $.return.[*].IPSIDAlertID.

Input

Event IDs (Required)
    The ID(s) of the triggered alarm event(s) to retrieve details. Event IDs can be obtained using the Fetch Event command.
    Example: ["*****|*****"]

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "command": "",
        "subtype": "informational",
        "cases": [],
        "ipsId": "*****",
        "severity": 61,
        "flowId": *****,
        "destPort": "port/code:0",
        "eventCount": 1,
        "destIp": "***.***.***.***",
        "lastTime": "*****/18/2019 23:11:41",
        "destMac": "00:00:00:00:00:00",
        "firstTime": "*****/18/2019 23:11:41",
        "flowSessionId": *****,
        "reviewed": "F",
        "srcIp": "***.***.***.***",
        "srcMac": "**:**:**:**:**:**",
        "srcPort": "port/type:0",
        "vlan": 0,
        "sigId": "*****",
        "sigDesc": "Access Protection rule violation detected and NOT blocked",
        "sigText": "",
        "ruleName": "Access Protection rule violation detected and NOT blocked",
        "duration": "00:00:00.000",
        "deviceName": "Mcafee_ePo82.10 - Mcafee_ePo82.10_Endpoint Security Threat Prevention (ePO)",
        "normId": *****,
        "app": "THREATPREVENTION",
        "srcUser": "NT AUTHORITY\\SYSTEM",
        "destUser": "SYSTEM",
        "srcNetworkDevice": "Unknown",
        "destNetworkDevice": "Unknown",
        "srcInterface": "Unknown",
        "destInterface": "Unknown",
        "srcNetworkDeviceId": 0,
        "destNetworkDeviceId": 0,
        "srcInterfaceId": 0,
        "destInterfaceId": 0,
        "remedyCaseId": *****,
        "remedyTicketTime": null,
        "deviceTime": "*****/18/2019 23:11:57",
        "remedyAnalyst": "",
        "sequence": 0,
        "trusted": 2,
        "sessionId": *****,
        "asnGeoSrcId": "*****",
        "srcAsnGeo": "",
        "asnGeoDestId": "*****",
        "destAsnGeo": "",
        "normMessage": "Potential Exploit",
        "normDesc": "The Potential Exploit category indicates potential exploits and vulnerabilities. Belongs to Suspicious Activity: The Suspicious Activity category indicates suspicious or abnormal events.",
        "archiveId": "*****",
        "srcZone": "",
        "destZone": "",
        "alertId": *****,
        "srcGuid": "D6EA27FB09504B589375BA34036A2D74",
        "destGuid": "",
        "agg1Name": "",
        "agg1Value": "0.00000000000000E+000",
        "agg2Name": "",
        "agg2Value": "0.00000000000000E+000",
        "agg3Name": "",
        "agg3Value": "0.00000000000000E+000",
        "iocName": "",
        "iocId": *****,
        "customTypes": [
            {
                "fieldId": *****,
                "fieldName": "AppID",
                "definedFieldNumber": 1,
                "unformattedValue": "*****",
                "formatedValue": "THREATPREVENTION"
            },
            {
                "fieldId": *****,
                "fieldName": "Object_Type",
                "definedFieldNumber": 2,
                "unformattedValue": "*****",
                "formatedValue": "IDS_THREAT_TYPE_VALUE_AP"
            },
            {
                "fieldId": *****,
                "fieldName": "Filename",
                "definedFieldNumber": 3,
                "unformattedValue": "*****",
                "formatedValue": "gpt.ini"
            }
        ],
        "host": "D3Cyber-DC",
        "object": "FirstActionStatus=0 SecondActionStatus=0",
        "domain": "",
        "protocol": "n/a",
        "note": ""
    }
]
Context Data

The data extracted from Raw Data, converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by reconstructing the JSON Array with "EventID", "AlertID", "SubType", "Severity", "FirstTime", "LastTime", "SourceIp", "SourcePort", "SourceMAC", "DestIp", "DestPort", "DestMAC", "Cases" and "Message" fields.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "EventID": "*****|*****",
        "AlertID": *****,
        "SubType": "informational",
        "Severity": 61,
        "FirstTime": "*****/18/2019 23:11:41",
        "LastTime": "*****/18/2019 23:11:41",
        "SourceIp": "***.***.***.***",
        "SourcePort": "port/type:0",
        "SourceMAC": "**:**:**:**:**:**",
        "DestIp": "***.***.***.***",
        "DestPort": "port/code:0",
        "DestMAC": "00:00:00:00:00:00",
        "Cases": [],
        "Message": "Potential Exploit"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "AlertID": [*****],
  "CaseID": [],
  "CaseSeverity": [],
  "CaseStatus": [],
  "DestIp": ["***.***.***.***"],
  "EventId": ["*****|*****"],
  "FirstTime": [ "*****/18/2019 23:11:41" ],
  "LastTime": [ "*****/18/2019 23:11:41" ],
  "Severity": [61],
  "SrcIP": ["***.***.***.***"],
  "SubType": ["informational"]
}
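The Context Data reshaping described above (the reconstructed JSON array with EventID, AlertID, SubType, Severity and the other listed fields) and the Key Fields extraction that follows it, as an added Python example; this is not D3's integration code. The raw-to-Context field mapping is read off the Raw Data and Context Data samples on this page; treating EventID as ipsId and alertId joined with "|" (the IPSIDAlertID layout shown under Fetch Related Events) is an assumption, the sample record is constructed rather than real ESM output, and CaseSeverity/CaseStatus are left out because the page shows no non-empty case structure.

```python
"""Reshape Get Alarm Event Details output into Context Data and Key Fields.

Added example modelled on the samples in this page; not D3's own
integration code. The raw -> Context mapping is inferred from the sample
blocks, and EventID = "<ipsId>|<alertId>" is an assumption.
"""
import json
from typing import Any

# Constructed sample in the shape of the page's Raw Data (all values made up).
RAW_EVENT: dict[str, Any] = json.loads("""
{
  "subtype": "informational",
  "cases": [],
  "ipsId": "144115188075855872",
  "severity": 61,
  "destPort": "port/code:0",
  "destIp": "10.0.0.5",
  "lastTime": "06/18/2019 23:11:41",
  "destMac": "00:00:00:00:00:00",
  "firstTime": "06/18/2019 23:11:41",
  "srcIp": "10.0.0.7",
  "srcMac": "00:11:22:33:44:55",
  "srcPort": "port/type:0",
  "normMessage": "Potential Exploit",
  "alertId": 12345
}
""")

# Context Data key -> Raw Data key, in the order the page lists the fields.
CONTEXT_FIELDS = {
    "SubType": "subtype",
    "Severity": "severity",
    "FirstTime": "firstTime",
    "LastTime": "lastTime",
    "SourceIp": "srcIp",
    "SourcePort": "srcPort",
    "SourceMAC": "srcMac",
    "DestIp": "destIp",
    "DestPort": "destPort",
    "DestMAC": "destMac",
    "Cases": "cases",
    "Message": "normMessage",
}

# Key Field name -> Context Data key it is collected from.
KEY_FIELD_SOURCES = {
    "AlertID": "AlertID",
    "DestIp": "DestIp",
    "EventId": "EventID",   # note the different capitalisation on the page
    "FirstTime": "FirstTime",
    "LastTime": "LastTime",
    "Severity": "Severity",
    "SrcIP": "SourceIp",
    "SubType": "SubType",
}


def event_id(raw: dict[str, Any]) -> str:
    """Assumed layout: the IPS id and the alert id joined by '|' (as in IPSIDAlertID)."""
    return f"{raw['ipsId']}|{raw['alertId']}"


def to_context(raw: dict[str, Any]) -> dict[str, Any]:
    """Build one Context Data record from one Raw Data event."""
    ctx: dict[str, Any] = {"EventID": event_id(raw), "AlertID": raw["alertId"]}
    for ctx_key, raw_key in CONTEXT_FIELDS.items():
        ctx[ctx_key] = raw.get(raw_key)   # a missing raw key becomes null, not a crash
    return ctx


def to_key_fields(raw_events: list[dict[str, Any]]) -> dict[str, list[Any]]:
    """Collect Key Fields (one list per indicator) over all returned events."""
    contexts = [to_context(r) for r in raw_events]
    fields: dict[str, list[Any]] = {
        name: [c[src] for c in contexts] for name, src in KEY_FIELD_SOURCES.items()
    }
    # CaseID flattens the Cases arrays; the page only shows empty ones, so
    # entries are passed through unchanged (their inner layout is unknown).
    fields["CaseID"] = [case for c in contexts for case in c["Cases"]]
    return dict(sorted(fields.items()))


if __name__ == "__main__":
    print(json.dumps(to_context(RAW_EVENT), indent=2))
    print(json.dumps(to_key_fields([RAW_EVENT]), indent=2))
```

One detail worth keeping in mind when writing playbook paths: the event identifier is spelled EventID in Context Data but EventId in Key Fields, and the source address is SourceIp in Context Data but SrcIP in Key Fields. A JSON path with the wrong spelling resolves to nothing rather than failing, so a downstream task silently receives an empty input.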

Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

Field       Value
EventID     *****|*****
AlertID     *****
SubType     informational
Severity    61
FirstTime   *****/18/2019 23:11:41
LastTime    *****/18/2019 23:11:41
SourceIp    ***.***.***.***
SourcePort  port/type:0
SourceMAC   **:**:**:**:**:**
DestIp      ***.***.***.***
DestPort    port/code:0
DestMAC     00:00:00:00:00:00
Cases       []
Message     Potential Exploit

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Failure Indicator
    Description: Indicates the command failure that happened at a specific input and/or API call.
    Example: Get Alarm Event Details failed.

Status Code
    Description: The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trellix McAfee ESM portal. Refer to the HTTP Status Code Registry for details.
    Example: Status Code: 404.

Message
    Description: The raw data or captured key error message from the integration API server about the API request failure.
    Example: Message: Event IDs Not Found.

Error Sample Data

Get Alarm Event Details failed.

Status Code: 404.

Message: Event IDs Not Found.

Get Alarm Events

Retrieves a list of triggered alarms.

READER NOTE

The parameter Alarm IDs is required to run this command.

  • Run the Get Triggered Alarms command to obtain Alarm IDs. Alarm IDs can be found in the raw data at the path $.[*].id.

Input

Alarm IDs (Required)
    The ID(s) of triggered alarm(s) to return. Triggered alarm IDs can be obtained using the Get Triggered Alarms command.
    Example: ["*****"]

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "filters": "",
        "caseName": "",
        "actions": "1\u00*****\u00149\u00*****Email|*****@*****.***, *****@*****.***|Alarm Name: ePO Event Access Protection\rSummary: Signature ID 'Access Protection rule violation detected and NOT blocked' (*****) match found\u0014",
        "events": [
            {
                "eventSubType": "informational",
                "severity": 61,
                "ruleMessage": "Access Protection rule violation detected and NOT blocked",
                "eventCount": 1,
                "sourceIp": "***.***.***.***",
                "destIp": "***.***.***.***",
                "lastTime": "*****/18/2019 23:11:41",
                "eventId": "*****|*****",
                "protocol": "n/a"
            },
            {
                "eventSubType": "informational",
                "severity": 61,
                "ruleMessage": "Access Protection rule violation detected and NOT blocked",
                "eventCount": 1,
                "sourceIp": "***.***.***.***",
                "destIp": "***.***.***.***",
                "lastTime": "*****/18/2019 23:11:41",
                "eventId": "*****|*****",
                "protocol": "n/a"
            },
            {
                "eventSubType": "informational",
                "severity": 61,
                "ruleMessage": "Access Protection rule violation detected and NOT blocked",
                "eventCount": 1,
                "sourceIp": "***.***.***.***",
                "destIp": "***.***.***.***",
                "lastTime": "*****/18/2019 23:11:41",
                "eventId": "*****|*****",
                "protocol": "n/a"
            },
            {
                "eventSubType": "informational",
                "severity": 61,
                "ruleMessage": "Access Protection rule violation detected and NOT blocked",
                "eventCount": 1,
                "sourceIp": "***.***.***.***",
                "destIp": "***.***.***.***",
                "lastTime": "*****/18/2019 23:11:41",
                "eventId": "*****|*****",
                "protocol": "n/a"
            },
            {
                "eventSubType": "informational",
                "severity": 61,
                "ruleMessage": "Access Protection rule violation detected and NOT blocked",
                "eventCount": 1,
                "sourceIp": "***.***.***.***",
                "destIp": "***.***.***.***",
                "lastTime": "*****/18/2019 23:11:41",
                "eventId": "*****|*****",
                "protocol": "n/a"
            }
        ],
        "queryId": *****,
        "iocName": "",
        "iocId": *****,
        "timeFilter": "",
        "alretRateMin": 0,
        "alertRateCount": 0,
        "percentAbove": 0,
        "percentBelow": 0,
        "offsetMinutes": 0,
        "maximumConditionTriggerFrequency": 1,
        "useWatchlist": "F",
        "matchField": "DSIDSigID",
        "matchValue": "*****",
        "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
        "escalatedDate": "",
        "caseId": 0,
        "assigneeId": *****,
        "description": "",
        "id": *****,
        "alarmName": "ePO Event Access Protection",
        "conditionType": 14,
        "assignee": "admin",
        "triggeredDate": "*****/18/2019 23:*****:*****",
        "acknowledgedDate": "*****/19/2019 20:05:18",
        "acknowledgedUsername": null,
        "severity": 50,
        "summary": "Signature ID 'Access Protection rule violation detected and NOT blocked' (*****) match found"
    }
]
Context Data

The data extracted from Raw Data, converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data from path $.events in API returned JSON.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "eventSubType": "informational",
        "severity": 61,
        "ruleMessage": "Access Protection rule violation detected and NOT blocked",
        "eventCount": 1,
        "sourceIp": "***.***.***.***",
        "destIp": "***.***.***.***",
        "lastTime": "*****/18/2019 23:11:41",
        "eventId": "*****|*****",
        "protocol": "n/a"
    },
    {
        "eventSubType": "informational",
        "severity": 61,
        "ruleMessage": "Access Protection rule violation detected and NOT blocked",
        "eventCount": 1,
        "sourceIp": "***.***.***.***",
        "destIp": "***.***.***.***",
        "lastTime": "*****/18/2019 23:11:41",
        "eventId": "*****|*****",
        "protocol": "n/a"
    },
    {
        "eventSubType": "informational",
        "severity": 61,
        "ruleMessage": "Access Protection rule violation detected and NOT blocked",
        "eventCount": 1,
        "sourceIp": "***.***.***.***",
        "destIp": "***.***.***.***",
        "lastTime": "*****/18/2019 23:11:41",
        "eventId": "*****|*****",
        "protocol": "n/a"
    },
    {
        "eventSubType": "informational",
        "severity": 61,
        "ruleMessage": "Access Protection rule violation detected and NOT blocked",
        "eventCount": 1,
        "sourceIp": "***.***.***.***",
        "destIp": "***.***.***.***",
        "lastTime": "*****/18/2019 23:11:41",
        "eventId": "*****|*****",
        "protocol": "n/a"
    },
    {
        "eventSubType": "informational",
        "severity": 61,
        "ruleMessage": "Access Protection rule violation detected and NOT blocked",
        "eventCount": 1,
        "sourceIp": "***.***.***.***",
        "destIp": "***.***.***.***",
        "lastTime": "*****/18/2019 23:11:41",
        "eventId": "*****|*****",
        "protocol": "n/a"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "DestIp": [
    "***.***.***.***",
    "***.***.***.***",
    "***.***.***.***",
    "***.***.***.***",
    "***.***.***.***"
  ],
  "EventId": [
    "*****|*****",
    "*****|*****",
    "*****|*****",
    "*****|*****",
    "*****|*****"
  ],
  "Severity": [
    61,
    61,
    61,
    61,
    61
  ],
  "SrcIP": [
    "***.***.***.***",
    "***.***.***.***",
    "***.***.***.***",
    "***.***.***.***",
    "***.***.***.***"
  ]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

severity  ruleMessage                                                eventCount  sourceIp         destIp           lastTime                   eventId      eventSubType  protocol
61        Access Protection rule violation detected and NOT blocked  1           ***.***.***.***  ***.***.***.***  *****/18/2019 23:*****:40  *****|*****  informational  n/a
61        Access Protection rule violation detected and NOT blocked  1           ***.***.***.***  ***.***.***.***  *****/18/2019 23:23:37     *****|*****  informational  n/a
61        Access Protection rule violation detected and NOT blocked  1           ***.***.***.***  ***.***.***.***  *****/18/2019 23:23:37     *****|*****  informational  n/a
61        Access Protection rule violation detected and NOT blocked  1           ***.***.***.***  ***.***.***.***  *****/18/2019 23:23:37     *****|*****  informational  n/a
61        Access Protection rule violation detected and NOT blocked  1           ***.***.***.***  ***.***.***.***  *****/18/2019 23:23:36     *****|*****  informational  n/a

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

Failure Indicator
    Description: Indicates the command failure that happened at a specific input and/or API call.
    Example: Get Alarm Events failed.

Status Code
    Description: The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trellix McAfee ESM portal. Refer to the HTTP Status Code Registry for details.
    Example: Status Code: 404.

Message
    Description: The raw data or captured key error message from the integration API server about the API request failure.
    Example: Message: Alarm IDs Not Found.

Error Sample Data

Get Alarm Events failed.

Status Code: 404.

Message: Alarm IDs Not Found.

Get Triggered Alarms

Returns a list of triggered alarms based on the specified criteria.

READER NOTE

If you select CUSTOM for the Triggered Time Range parameter and do not define the Start Time and End Time parameters, the current datetime will be used.

Input

Username (Optional)
    The assignee username to filter the returned alarms. Defaults to the user configured for the integration connection.
    Example: admin

Triggered Time Range (Required)
    The time range of the alarms’ triggered time to filter results. The dropdown list provides an option to specify a custom time range, defined using the Start Time and End Time parameters. You can also select a predefined triggered time range from the list (e.g. LAST_MINUTE and LAST_10_MINUTES).
    Example: CUSTOM

Start Time (Optional)
    The start time (in UTC) of the custom time range to retrieve alarms, used when the Triggered Time Range parameter is set to CUSTOM. If this field is left empty, the current date and time will be used.
    Example: 2022-12-01 00:00

End Time (Optional)
    The end time (in UTC) of the custom time range to retrieve alarms, used when the Triggered Time Range parameter is set to CUSTOM. If this field is left empty, the current date and time will be used.
    Example: 2022-12-06 00:00

Alarm Status (Optional)
    The alarm status to filter results. The valid options are All, Acknowledged and Unacknowledged.
    Example: All

Page Size (Optional)
    The maximum number of alarms to return on each result page (up to 5,000). The default value is 5.
    Example: 5

Page Number (Optional)
    The page number of the results to return. The default value is 1.
    Example: 1
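The filtering and paging behaviour these parameters describe, as an added Python example; it is not D3's or Trellix's code. The ESM API call is replaced by a constructed in-memory alarm list shaped like the Raw Data sample for this command; only the two predefined ranges the page names (LAST_MINUTE and LAST_10_MINUTES) are modelled; and the newest-first ordering, the `YYYY-MM-DD HH:MM` layout of Start Time and End Time, and reading acknowledgedDate as the acknowledgement flag are assumptions taken from the examples on the page.

```python
"""Apply the Get Triggered Alarms filters (assignee, triggered time range,
alarm status) and paging to a list of alarms.

Added example, not D3's or Trellix's code. The ESM call is replaced by a
constructed in-memory list shaped like the page's Raw Data, and only the
two predefined ranges the page names are modelled.
"""
from datetime import datetime, timedelta, timezone
from typing import Any, Optional

ESM_TS = "%m/%d/%Y %H:%M:%S"   # timestamp layout seen in the page's samples
INPUT_TS = "%Y-%m-%d %H:%M"    # layout of the Start Time / End Time examples
MAX_PAGE_SIZE = 5000           # upper bound stated for Page Size
SAMPLE_NOW = datetime(2019, 6, 19, 12, 0)   # fixed "current datetime" for the demo

# Constructed alarms (ids, dates and assignees are made up).
ALARMS: list[dict[str, Any]] = [
    {"id": 101, "alarmName": "ePO Event Access Protection", "assignee": "admin",
     "triggeredDate": "06/19/2019 11:19:00", "acknowledgedDate": "",
     "acknowledgedUsername": "", "severity": 50},
    {"id": 102, "alarmName": "ste alarm-success login", "assignee": "admin",
     "triggeredDate": "06/19/2019 11:18:00", "acknowledgedDate": "06/19/2019 11:40:00",
     "acknowledgedUsername": "admin", "severity": 50},
    {"id": 103, "alarmName": "ste alarm-success login", "assignee": "admin",
     "triggeredDate": "06/19/2019 11:11:28", "acknowledgedDate": "",
     "acknowledgedUsername": "", "severity": 50},
    {"id": 104, "alarmName": "ePO Event Access Protection", "assignee": "analyst",
     "triggeredDate": "06/19/2019 10:59:00", "acknowledgedDate": "",
     "acknowledgedUsername": "", "severity": 50},
]


def resolve_range(time_range: str, start: str, end: str, now: datetime) -> tuple[datetime, datetime]:
    """Turn Triggered Time Range / Start Time / End Time into inclusive bounds."""
    if time_range == "CUSTOM":
        # As the page states: an empty Start Time or End Time becomes the current datetime.
        lo = datetime.strptime(start, INPUT_TS) if start else now
        hi = datetime.strptime(end, INPUT_TS) if end else now
    elif time_range == "LAST_MINUTE":
        lo, hi = now - timedelta(minutes=1), now
    elif time_range == "LAST_10_MINUTES":
        lo, hi = now - timedelta(minutes=10), now
    else:
        raise ValueError(f"unsupported Triggered Time Range: {time_range}")
    if lo > hi:
        raise ValueError("Start Time is later than End Time")
    return lo, hi


def status_matches(alarm: dict[str, Any], status: str) -> bool:
    """Alarm Status filter; an alarm counts as acknowledged once acknowledgedDate is set."""
    acknowledged = bool(alarm.get("acknowledgedDate"))
    if status == "All":
        return True
    if status == "Acknowledged":
        return acknowledged
    if status == "Unacknowledged":
        return not acknowledged
    raise ValueError(f"unsupported Alarm Status: {status}")


def get_triggered_alarms(alarms: list[dict[str, Any]], time_range: str, start: str = "",
                         end: str = "", status: str = "All", page_size: int = 5,
                         page_number: int = 1, username: Optional[str] = None,
                         now: Optional[datetime] = None) -> list[dict[str, Any]]:
    """Filter, sort newest first, then return only the requested page."""
    if not 1 <= page_size <= MAX_PAGE_SIZE:
        raise ValueError(f"Page Size must be between 1 and {MAX_PAGE_SIZE}")
    if page_number < 1:
        raise ValueError("Page Number must be 1 or greater")
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)   # inputs are UTC
    lo, hi = resolve_range(time_range, start, end, now)
    hits = [
        a for a in alarms
        if (username is None or a["assignee"] == username)
        and lo <= datetime.strptime(a["triggeredDate"], ESM_TS) <= hi
        and status_matches(a, status)
    ]
    hits.sort(key=lambda a: datetime.strptime(a["triggeredDate"], ESM_TS), reverse=True)
    offset = (page_number - 1) * page_size
    return hits[offset:offset + page_size]


def alarm_ids(alarms: list[dict[str, Any]]) -> list[int]:
    """The ids a playbook would pass on to Get Alarm Events ($.[*].id)."""
    return [a["id"] for a in alarms]


if __name__ == "__main__":
    page = get_triggered_alarms(ALARMS, "CUSTOM", "2019-06-19 11:00", "2019-06-19 11:30", now=SAMPLE_NOW)
    for a in page:
        print(a["id"], a["triggeredDate"], a["alarmName"])
```

The empty-range case is the one to watch in playbooks: with Triggered Time Range set to CUSTOM and both Start Time and End Time left blank, both bounds fall back to the current datetime, so the window has zero width and the command legitimately returns no alarms. A playbook that relies on CUSTOM should therefore always populate at least Start Time, or use one of the predefined ranges instead.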

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "id": *****,
        "alarmName": "ePO Event Access Protection",
        "conditionType": *****,
        "assignee": "admin",
        "triggeredDate": "*****/19/2019 11:19:00",
        "acknowledgedDate": "",
        "acknowledgedUsername": "",
        "severity": 50,
        "summary": "Signature ID 'Access Protection rule violation detected and NOT blocked' (*****) match found"
    },
    {
        "id": *****,
        "alarmName": "ste alarm-success login",
        "conditionType": 37,
        "assignee": "admin",
        "triggeredDate": "*****/19/2019 11:18:00",
        "acknowledgedDate": "",
        "acknowledgedUsername": "",
        "severity": 50,
        "summary": "Signature ID 'User Logon' (*****) match found"
    },
    {
        "id": *****,
        "alarmName": "ste alarm-success login",
        "conditionType": 37,
        "assignee": "admin",
        "triggeredDate": "*****/19/2019 11:*****:59",
        "acknowledgedDate": "",
        "acknowledgedUsername": "",
        "severity": 50,
        "summary": "Signature ID 'User Logon' (*****) match found"
    },
    {
        "id": *****,
        "alarmName": "ePO Event Access Protection",
        "conditionType": *****,
        "assignee": "admin",
        "triggeredDate": "*****/19/2019 11:*****:59",
        "acknowledgedDate": "",
        "acknowledgedUsername": "",
        "severity": 50,
        "summary": "Signature ID 'Access Protection rule violation detected and NOT blocked' (*****) match found"
    },
    {
        "id": *****,
        "alarmName": "ste alarm-success login",
        "conditionType": 37,
        "assignee": "admin",
        "triggeredDate": "*****/19/2019 11:11:28",
        "acknowledgedDate": "",
        "acknowledgedUsername": "",
        "severity": 50,
        "summary": "Signature ID 'User Logon' (*****) match found"
    }
]
Context Data

The data extracted from Raw Data, converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "id": *****,
        "alarmName": "ePO Event Access Protection",
        "conditionType": *****,
        "assignee": "admin",
        "triggeredDate": "*****/19/2019 11:19:00",
        "acknowledgedDate": "",
        "acknowledgedUsername": "",
        "severity": 50,
        "summary": "Signature ID 'Access Protection rule violation detected and NOT blocked' (*****) match found"
    },
    {
        "id": *****,
        "alarmName": "ste alarm-success login",
        "conditionType": 37,
        "assignee": "admin",
        "triggeredDate": "*****/19/2019 11:18:00",
        "acknowledgedDate": "",
        "acknowledgedUsername": "",
        "severity": 50,
        "summary": "Signature ID 'User Logon' (*****) match found"
    },
    {
        "id": *****,
        "alarmName": "ste alarm-success login",
        "conditionType": 37,
        "assignee": "admin",
        "triggeredDate": "*****/19/2019 11:*****:59",
        "acknowledgedDate": "",
        "acknowledgedUsername": "",
        "severity": 50,
        "summary": "Signature ID 'User Logon' (*****) match found"
    },
    {
        "id": *****,
        "alarmName": "ePO Event Access Protection",
        "conditionType": *****,
        "assignee": "admin",
        "triggeredDate": "*****/19/2019 11:*****:59",
        "acknowledgedDate": "",
        "acknowledgedUsername": "",
        "severity": 50,
        "summary": "Signature ID 'Access Protection rule violation detected and NOT blocked' (*****) match found"
    },
    {
        "id": *****,
        "alarmName": "ste alarm-success login",
        "conditionType": 37,
        "assignee": "admin",
        "triggeredDate": "*****/19/2019 11:11:28",
        "acknowledgedDate": "",
        "acknowledgedUsername": "",
        "severity": 50,
        "summary": "Signature ID 'User Logon' (*****) match found"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "AlarmID": [*****,*****,*****,*****,*****],
  "AlarmName": [ "ePO Event Access Protection", "ste alarm-success login", "ste alarm-success login", "ePO Event Access Protection", "ste alarm-success login" ],
  "Assignee": ["admin","admin","admin","admin","admin"],
  "Severity": [50,50,50,50,50],
  "Summary": [ "Signature ID 'Access Protection rule violation detected and NOT blocked' (*****) match found", "Signature ID 'User Logon' (*****) match found", "Signature ID 'User Logon' (*****) match found", "Signature ID 'Access Protection rule violation detected and NOT blocked' (*****) match found", "Signature ID 'User Logon' (*****) match found" ],
}
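As an added example (not code from the D3 or Trellix documentation), the following Python builds the Key Fields object above from Get Triggered Alarms raw data and then lists the alarms that are still unacknowledged, which is the usual condition a playbook branches on. The alarm records, signature ids and the regular expression over the summary string are constructed from the sample shape, and the acknowledgedDate format is assumed to match triggeredDate.

```python
import json
import re
from datetime import datetime

# Constructed sample in the shape of the Get Triggered Alarms raw data above
# (same field names); the ids, dates and signature ids are made up.
TRIGGERED_ALARMS = json.loads("""[
  {"id": 9001, "alarmName": "ePO Event Access Protection", "conditionType": 39,
   "assignee": "admin", "triggeredDate": "03/19/2019 11:19:00",
   "acknowledgedDate": "", "acknowledgedUsername": "", "severity": 50,
   "summary": "Signature ID 'Access Protection rule violation detected and NOT blocked' (306-30) match found"},
  {"id": 9002, "alarmName": "ste alarm-success login", "conditionType": 37,
   "assignee": "admin", "triggeredDate": "03/19/2019 11:18:00",
   "acknowledgedDate": "03/19/2019 11:30:05", "acknowledgedUsername": "analyst1",
   "severity": 50, "summary": "Signature ID 'User Logon' (306-1) match found"},
  {"id": 9003, "alarmName": "ste alarm-success login", "conditionType": 37,
   "assignee": "admin", "triggeredDate": "03/19/2019 11:11:28",
   "acknowledgedDate": "", "acknowledgedUsername": "", "severity": 50,
   "summary": "Signature ID 'User Logon' (306-1) match found"}
]""")

# Key Fields documented above, mapped to the raw-data attribute each comes from.
KEY_FIELD_MAP = {
    "AlarmID": "id",
    "AlarmName": "alarmName",
    "Assignee": "assignee",
    "Severity": "severity",
    "Summary": "summary",
}

# triggeredDate is shown as MM/DD/YYYY HH:MM:SS; assumed to hold for acknowledgedDate too.
ESM_TIME_FORMAT = "%m/%d/%Y %H:%M:%S"

# Shape of the summary string in the sample: Signature ID '<name>' (<id>) match found
SUMMARY_RE = re.compile(r"Signature ID '(?P<name>.+?)' \((?P<sigid>[^)]+)\) match found")


def key_fields(alarms):
    """Build the Key Fields object: one list per field, in raw-data order."""
    return {field: [alarm.get(source) for alarm in alarms]
            for field, source in KEY_FIELD_MAP.items()}


def parse_esm_time(value):
    """Parse an ESM timestamp; an empty string (unacknowledged alarm) gives None."""
    return datetime.strptime(value, ESM_TIME_FORMAT) if value else None


def parse_summary(summary):
    """Pull the signature name and id out of a 'match found' summary, or None."""
    match = SUMMARY_RE.search(summary or "")
    return (match.group("name"), match.group("sigid")) if match else None


def unacknowledged(alarms, min_severity=0):
    """Alarms with no acknowledgedDate at or above min_severity, newest first.

    A playbook conditional task can branch on whether this list is empty.
    """
    open_alarms = [alarm for alarm in alarms
                   if not alarm.get("acknowledgedDate")
                   and alarm.get("severity", 0) >= min_severity]
    return sorted(open_alarms,
                  key=lambda alarm: parse_esm_time(alarm.get("triggeredDate")) or datetime.min,
                  reverse=True)


def open_alarms_by_signature(alarms):
    """Count unacknowledged alarms per signature id so repeats of one rule stand out."""
    counts = {}
    for alarm in unacknowledged(alarms):
        parsed = parse_summary(alarm.get("summary"))
        sigid = parsed[1] if parsed else "unknown"
        counts[sigid] = counts.get(sigid, 0) + 1
    return counts


if __name__ == "__main__":
    print(json.dumps(key_fields(TRIGGERED_ALARMS), indent=2))
    for alarm in unacknowledged(TRIGGERED_ALARMS):
        print(alarm["id"], alarm["triggeredDate"], alarm["alarmName"])
    print(open_alarms_by_signature(TRIGGERED_ALARMS))
```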
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| id | severity | summary | alarmName | conditionType | assignee | triggeredDate | acknowledgedDate | acknowledgedUsername |
|---|---|---|---|---|---|---|---|---|
| ***** | 50 | Signature ID 'Access Protection rule violation detected and NOT blocked' (*****) match found | ePO Event Access Protection | ***** | admin | *****/19/2019 11:19:00 | | |
| ***** | 50 | Signature ID 'User Logon' (*****) match found | ste alarm-success login | 37 | admin | *****/19/2019 11:18:00 | | |
| ***** | 50 | Signature ID 'User Logon' (*****) match found | ste alarm-success login | 37 | admin | *****/19/2019 11:*****:59 | | |
| ***** | 50 | Signature ID 'Access Protection rule violation detected and NOT blocked' (*****) match found | ePO Event Access Protection | ***** | admin | *****/19/2019 11:*****:59 | | |
| ***** | 50 | Signature ID 'User Logon' (*****) match found | ste alarm-success login | 37 | admin | *****/19/2019 11:11:28 | | |

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Triggered Alarms failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trellix McAfee ESM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: ERROR_InsufficientRights. |

Error Sample Data

Get Triggered Alarms failed.

Status Code: 400.

Message: ERROR_InsufficientRights.

Get Watchlist Detail

Returns detailed information on the specified watchlist(s).

READER NOTE

The parameter Watchlist IDs is required to run this command.

  • Run the List Watchlists command to obtain Watchlist IDs. Watchlist IDs can be found in the raw data at the path $.[*].id.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Watchlist IDs | Required | The ID(s) of the watchlist(s) to retrieve information from. Watchlist IDs can be obtained using the List Watchlists command. | [*****] |

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "ipsid": "",
        "id": *****,
        "age": 0,
        "groups": "",
        "valueFile": {
            "fileToken": "*****/*****/*****"
        },
        "recordCount": 0,
        "jobTrackerPort": "",
        "sslcheck": "",
        "values": null,
        "updateMin": 0,
        "matchRegex": "",
        "delimitRegex": "",
        "jobTrackerURL": "",
        "search": "",
        "lineSkip": 0,
        "dbUrl": "",
        "postArgs": "",
        "ignoreRegex": "",
        "updateType": "EVERY_SO_MANY_MINUTES",
        "mountPoint": "",
        "updateDay": 0,
        "enabled": false,
        "method": 0,
        "lookup": "",
        "port": "",
        "path": "",
        "username": "",
        "password": "",
        "query": "",
        "active": false,
        "customType": {
            "id": *****,
            "name": "DstIP"
        },
        "scored": false,
        "valueCount": 0,
        "errorMsg": null,
        "dynamic": false,
        "hidden": false,
        "type": {
            "id": *****,
            "name": "DstIP"
        },
        "source": 0,
        "name": "wl1001"
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "ipsid": "",
        "id": *****,
        "age": 0,
        "groups": "",
        "valueFile": {
            "fileToken": "*****/*****/*****"
        },
        "recordCount": 0,
        "jobTrackerPort": "",
        "sslcheck": "",
        "values": null,
        "updateMin": 0,
        "matchRegex": "",
        "delimitRegex": "",
        "jobTrackerURL": "",
        "search": "",
        "lineSkip": 0,
        "dbUrl": "",
        "postArgs": "",
        "ignoreRegex": "",
        "updateType": "EVERY_SO_MANY_MINUTES",
        "mountPoint": "",
        "updateDay": 0,
        "enabled": false,
        "method": 0,
        "lookup": "",
        "port": "",
        "path": "",
        "username": "",
        "password": "",
        "query": "",
        "active": false,
        "customType": {
            "id": *****,
            "name": "DstIP"
        },
        "scored": false,
        "valueCount": 0,
        "errorMsg": null,
        "dynamic": false,
        "hidden": false,
        "type": {
            "id": *****,
            "name": "DstIP"
        },
        "source": 0,
        "name": "wl1001"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "IDs": [*****],
  "Names": ["wl1001"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| Field | Value |
|---|---|
| ipsid | |
| id | ***** |
| age | 0 |
| groups | |
| valueFile | {"fileToken": "*****/*****/*****"} |
| recordCount | 0 |
| jobTrackerPort | |
| sslcheck | |
| values | |
| updateMin | 0 |
| matchRegex | |
| delimitRegex | |
| jobTrackerURL | |
| search | |
| lineSkip | 0 |
| dbUrl | |
| postArgs | |
| ignoreRegex | |
| updateType | EVERY_SO_MANY_MINUTES |
| mountPoint | |
| updateDay | 0 |
| enabled | FALSE |
| method | 0 |
| lookup | |
| port | |
| path | |
| username | |
| password | |
| query | |
| active | FALSE |
| customType | {"id": *****, "name": "DstIP"} |
| scored | FALSE |
| valueCount | 0 |
| errorMsg | |
| dynamic | FALSE |
| hidden | FALSE |
| type | {"id": *****, "name": "DstIP"} |
| source | 0 |
| name | wl |

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Watchlist Detail failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trellix McAfee ESM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Watchlist IDs Not Found. |

Error Sample Data

Get Watchlist Detail failed.

Status Code: 404.

Message: Watchlist IDs Not Found.

Get Watchlist Values

Returns the values of the specified watchlist(s). Note: Hidden watchlists (e.g. GTI) are not supported.

READER NOTE

The parameter Watchlist IDs is required to run this command.

  • Run the List Watchlists command to obtain Watchlist IDs. Watchlist IDs can be found in the raw data at the path $.[*].id.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Watchlist IDs | Required | The ID(s) of the watchlist(s) to return values for. Watchlist IDs can be obtained using the List Watchlists command. | [*****] |

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "fileSize": 41,
        "bytesRead": 41,
        "data": "***.***.***.***\n***.***.***.***\n***.***.***.***\n"
    }
]
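The following Python is an added example, not D3's or Trellix's code. It filters Get Watchlist Detail records down to the non-hidden watchlists that Get Watchlist Values supports, then splits the newline-delimited data payload into values and flags a partial read (bytesRead below fileSize) so a truncated list is not treated as the whole watchlist. The watchlist records, addresses and the is_ip_watchlist rule are constructed assumptions.

```python
import json
from ipaddress import ip_address

# Constructed samples shaped like the Get Watchlist Detail and Get Watchlist Values
# raw data on this page; the ids, names and addresses are made up.
WATCHLIST_DETAILS = json.loads("""[
  {"id": 1001, "name": "wl1001", "hidden": false, "active": false, "valueCount": 3,
   "type": {"id": 1, "name": "DstIP"}},
  {"id": 1002, "name": "GTI Malicious IPs", "hidden": true, "active": true, "valueCount": 0,
   "type": {"id": 1, "name": "DstIP"}}
]""")

# First record is a complete read (41 of 41 bytes); the second is a partial read
# (39 of 60 bytes) that also carries a line that is not an IP address.
WATCHLIST_VALUES = json.loads(r'''[
  {"fileSize": 41, "bytesRead": 41,
   "data": "198.51.100.177\n203.0.113.250\n192.0.2.200\n"},
  {"fileSize": 60, "bytesRead": 39,
   "data": "198.51.100.177\n203.0.113.250\nnot-an-ip\n"}
]''')


def queryable_watchlists(details):
    """IDs that Get Watchlist Values can read: hidden watchlists (e.g. GTI) are not supported."""
    return [wl["id"] for wl in details if not wl.get("hidden", False)]


def is_ip_watchlist(detail):
    """True when the type name ends in IP (DstIP in the sample); an assumption about ESM type names."""
    return str(detail.get("type", {}).get("name", "")).endswith("IP")


def parse_watchlist_values(record, expect_ip=False):
    """Split the newline-delimited data payload into values.

    Returns the usable values, the lines that failed validation, and whether the
    API delivered the whole file (bytesRead == fileSize). A partial read should
    not be passed on as the complete watchlist in a later playbook task.
    """
    data = record.get("data") or ""
    values, invalid = [], []
    for line in data.split("\n"):
        value = line.strip()
        if not value:
            continue
        if expect_ip:
            try:
                ip_address(value)
            except ValueError:
                invalid.append(value)
                continue
        values.append(value)
    return {
        "values": values,
        "invalid": invalid,
        "complete": record.get("bytesRead") == record.get("fileSize"),
        "bytes_read": record.get("bytesRead"),
        "file_size": record.get("fileSize"),
    }


if __name__ == "__main__":
    print("queryable watchlist ids:", queryable_watchlists(WATCHLIST_DETAILS))
    expect_ip = is_ip_watchlist(WATCHLIST_DETAILS[0])
    for record in WATCHLIST_VALUES:
        print(json.dumps(parse_watchlist_values(record, expect_ip=expect_ip)))
```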
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "fileSize": 41,
        "bytesRead": 41,
        "data": "***.***.***.***\n***.***.***.***\n***.***.***.***\n"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "IDs": [*****]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| fileSize | bytesRead | data |
|---|---|---|
| 41 | 41 | ***.***.***.***\n***.***.***.***\n***.***.***.*** |

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Watchlist Values failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trellix McAfee ESM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Watchlist IDs Not Found. |

Error Sample Data

Get Watchlist Values failed.

Status Code: 404.

Message: Watchlist IDs Not Found.

Get IPS Correlated Raw Events

Returns correlated raw events for the specified alert event.

READER NOTE

Alert ID is an optional parameter to run this command.

  • You should already have your desired Alert IDs on hand to run this command. If you don’t, you may use the Fetch Event command with defined filters to retrieve the desired Alert IDs. Alert IDs can be found in the raw data at the path $return.[*].IPSIDAlertID.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Alert ID | Optional | The ID of the alert to get the correlated raw events for. Alert IDs can be obtained using the Fetch Event command. | *****\|49*****5 |

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "text": "",
    "sourceEvents": [
        {
            "eventCount": 1,
            "severity": 15,
            "ruleMessage": "User authenticated successfully",
            "sourceIp": "***.***.***.***",
            "destIp": "",
            "lastTime": "11/18/2021 01:06:22.000",
            "id": "*****|***.***.***.***",
            "usage": "success",
            "protocol": "0"
        }
    ],
    "sourceFlows": [],
    "deviations": []
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by extracting the data at the path $.sourceEvents from the JSON returned by the API.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "eventCount": 1,
        "severity": 15,
        "ruleMessage": "User authenticated successfully",
        "sourceIp": "***.***.***.***",
        "destIp": "",
        "lastTime": "11/18/2021 01:06:22.000",
        "id": "*****|***.***.***.***",
        "usage": "success",
        "protocol": "0"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "EventIDs": ["*****|***.***.***.***"]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

CODE
No Sample Data

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The Error tab contains the details returned by D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get IPS Correlated Raw Events failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trellix McAfee ESM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Alert ID Not Found. |

Error Sample Data

Get IPS Correlated Raw Events failed.

Status Code: 404.

Message: Alert ID Not Found.

List Available Select Fields

Returns the list of available fields to query.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "types": [
            "SSTRING"
        ],
        "name": "ParentProcessId"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "AppID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "ParentImage"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "CommandID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "ParentCommandLine"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "DomainID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Initiated"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "HostID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "DestinationPortName"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "ObjectID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Rulename"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "UserIDDst"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Computer"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "UserIDSrc"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "SourceHostname"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "URL"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "DestinationHostname"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Database_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "TargetFilename"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Message_Text"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "TargetObject"
    },
    {
        "types": [
            "UINT32",
            "UINT32"
        ],
        "name": "Response_Time"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "RawEvent"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Application_Protocol"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "CurrentDirectory"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Object_Type"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "EventID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Filename"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Channel"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "From"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "OriginalFileName"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "To"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Cc"
    },
    {
        "types": [
            "TIME4"
        ],
        "name": "PreviousCreationUtcTime"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Bcc"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Subject"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Method"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "User_Agent"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Cookie"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Referer"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "File_Operation"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "File_Operation_Succeeded"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Destination_Filename"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "User_Nickname"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Contact_Name"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Contact_Nickname"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Client_Version"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Job_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Language"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "SWF_URL"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "TC_URL"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "RTMP_Application"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Version"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Local_User_Name"
    },
    {
        "types": [
            "IPV4",
            "UINT16",
            "UINT16"
        ],
        "name": "NAT_Details"
    },
    {
        "types": [
            "SIGID"
        ],
        "name": "Network_Layer"
    },
    {
        "types": [
            "SIGID"
        ],
        "name": "Transport_Layer"
    },
    {
        "types": [
            "SIGID"
        ],
        "name": "Session_Layer"
    },
    {
        "types": [
            "SIGID"
        ],
        "name": "Application_Layer"
    },
    {
        "types": [
            "SIGID"
        ],
        "name": "HTTP_Layer"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "HTTP_Req_URL"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "HTTP_Req_Cookie"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "HTTP_Req_Referer"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "HTTP_Req_Host"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "HTTP_Req_Method"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "HTTP_User_Agent"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "DNS_Name"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "DNS_Type"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "DNS_Class"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Query_Response"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Authoritative_Answer"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "SNMP_Operation"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "SNMP_Item_Type"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "SNMP_Version"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "SNMP_Error_Code"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "NTP_Client_Mode"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "NTP_Server_Mode"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "NTP_Request"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "NTP_Opcode"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "SNMP_Item"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Interface"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Direction"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Sensor_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Sensor_UUID"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Sensor_Type"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Signature_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Threat_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Destination_Hostname"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Category"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Process_Name"
    },
    {
        "types": [
            "IP"
        ],
        "name": "Grid_Master_IP"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Response_Code"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "Device_Port"
    },
    {
        "types": [
            "IP"
        ],
        "name": "Device_IP"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "PID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Target_Context"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Source_Context"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Target_Class"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Policy_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Destination_Zone"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Source_Zone"
    },
    {
        "types": [
            "STRLIT"
        ],
        "name": "Queue_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Delivery_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Recipient_ID"
    },
    {
        "types": [
            "FLOAT"
        ],
        "name": "Spam_Score"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Mail_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "To_Address"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "From_Address"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Message_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Request_Type"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "SQL_Statement"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "External_EventID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Event_Class"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Description"
    },
    {
        "types": [
            "GUID"
        ],
        "name": "File_Hash"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Mainframe_Job_Name"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "External_SubEventID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Destination_UserID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Source_UserID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Volume_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Step_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Step_Count"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "LPAR_DB2_Subsystem"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Logical_Unit_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Job_Type"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "FTP_Command"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "File_Type"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "DB2_Plan_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Catalog_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Access_Resource"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Table_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "External_DB2_Server"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "External_Application"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Creator_Name"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Return_Code"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Database_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Incoming_ID"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "Handle_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Destination_Network"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Source_Network"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Malware_Insp_Result"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Malware_Insp_Action"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "External_Hostname"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Privileged_User"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Facility"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Area"
    },
    {
        "types": [
            "GUID"
        ],
        "name": "Instance_GUID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Logon_Type"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Operating_System"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "File_Path"
    },
    {
        "types": [
            "GUID"
        ],
        "name": "Agent_GUID"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "Reputation"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "URL_Category"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Session_Status"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Destination_Logon_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Source_Logon_ID"
    },
    {
        "types": [
            "GUID"
        ],
        "name": "UUID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "External_SessionID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Management_Server"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Detection_Method"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Target_Process_Name"
    },
    {
        "types": [
            "FLOAT"
        ],
        "name": "Analyzer_DAT_Version"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Forwarding_Status"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Reason"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Threat_Handled"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Threat_Category"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Device_Action"
    },
    {
        "types": [
            "GUID"
        ],
        "name": "Database_GUID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "SQL_Command"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Destination_Directory"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Directory"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Mailbox"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "Handheld_ID"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "Policy_ID"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "Server_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Registry_Value"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Registry_Key"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Caller_Process"
    },
    {
        "types": [
            "FLOAT"
        ],
        "name": "DAT_Version"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Interface_Dest"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Datacenter_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Datacenter_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Virtual_Machine_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Virtual_Machine_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "PCAP_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Search_Query"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Service_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "External_Device_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "External_Device_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "External_Device_Type"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Organizational_Unit"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Privileges"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Reputation_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Vulnerability_References"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Web_Domain"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Sub_Status"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Status"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Access_Privileges"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Rule_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "App_Layer_Protocol"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Group_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Authentication_Type"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "New_Value"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Old_Value"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Security_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "SHA1"
    },
    {
        "types": [
            "FLOAT"
        ],
        "name": "Reputation_Score"
    },
    {
        "types": [
            "GUID"
        ],
        "name": "Parent_File_Hash"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "File_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Engine_List"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Device_URL"
    },
    {
        "types": [
            "IPV4"
        ],
        "name": "Attacker_IP"
    },
    {
        "types": [
            "IPV4"
        ],
        "name": "Victim_IP"
    },
    {
        "types": [
            "INT64"
        ],
        "name": "Incident_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Attribute_Type"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Access_Mask"
    },
    {
        "types": [
            "GUID"
        ],
        "name": "Object_GUID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "VPN_Feature_Name"
    },
    {
        "types": [
            "IP"
        ],
        "name": "Reputation_Server_IP"
    },
    {
        "types": [
            "IP"
        ],
        "name": "DNS_Server_IP"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Hash_Type"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Hash"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Subcategory"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Wireless_SSID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Share_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "CnC_Host"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "Device_Confidence"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "SHA256"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "tesdr"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Sysmon_Test"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "RuleName"
    },
    {
        "types": [
            "INT64"
        ],
        "name": "Sysmon_Event_ID"
    },
    {
        "types": [
            "INT64"
        ],
        "name": "Symon_EventID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "ProcessImage"
    },
    {
        "types": [
            "GUID"
        ],
        "name": "ProcessGuid"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "ProcessId"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Image"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "CommandLine"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Product"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Company"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "User"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "EventId"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "LogonId"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "IntegrityLevel"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Hashes"
    },
    {
        "types": [
            "GUID"
        ],
        "name": "ParentProcessGuid"
    },
    {
        "types": [
            "SIGID"
        ],
        "name": "DSIDSigID"
    },
    {
        "types": [
            "UINT16"
        ],
        "name": "ZoneSrc"
    },
    {
        "types": [
            "UINT8"
        ],
        "name": "Action"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "ASNGeoDst"
    },
    {
        "types": [
            "UINT32"
        ],
        "name": "FirstTime"
    },
    {
        "types": [
            "UINT16"
        ],
        "name": "SrcPort"
    },
    {
        "types": [
            "FLOAT"
        ],
        "name": "AvgSeverity"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "DSID"
    },
    {
        "types": [
            "UINT16"
        ],
        "name": "DstPort"
    },
    {
        "types": [
            "IP"
        ],
        "name": "SrcIP"
    },
    {
        "types": [
            "UINT16"
        ],
        "name": "ZoneDst"
    },
    {
        "types": [
            "SIGID"
        ],
        "name": "SigID"
    },
    {
        "types": [
            "GUID"
        ],
        "name": "GUIDSrc"
    },
    {
        "types": [
            "GUID"
        ],
        "name": "GUIDDst"
    },
    {
        "types": [
            "IP"
        ],
        "name": "DstIP"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "ID"
    },
    {
        "types": [
            "UINT8"
        ],
        "name": "Protocol"
    },
    {
        "types": [
            "UINT32"
        ],
        "name": "NormID"
    },
    {
        "types": [
            "MAC_ADDRESS"
        ],
        "name": "SrcMac"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "SessionID"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "ASNGeoSrc"
    },
    {
        "types": [
            "MAC_ADDRESS"
        ],
        "name": "DstMac"
    },
    {
        "types": [
            "UINT32"
        ],
        "name": "LastTime"
    }
]
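The field list above is what a playbook author has to navigate when choosing which Raw Data fields to query or map: several names differ only in case or by an underscore (EventId, EventID, External_EventID; RuleName, Rulename, Rule_Name), the same-looking name can carry a different ESM type, and a few fields are composite, carrying more than one type (NAT_Details, Response_Time). The following is an added example, not code from this page or from D3 or Trellix. It indexes the field list, flags names that collide once case and underscores are ignored, and resolves a hand-typed field name only when that resolution is unambiguous. The FIELDS_JSON excerpt is constructed from the entries shown above; the helper names are this example's own.

```python
import json
from collections import defaultdict

# Constructed excerpt of the field definitions shown in the Raw Data sample
# above. The real response carries several hundred entries; these were
# chosen because they show the three things a playbook author trips over:
# names that differ only in case or by an underscore, a look-alike name
# with a different type, and composite fields carrying more than one type.
FIELDS_JSON = """
[
  {"types": ["UINT64"],  "name": "EventId"},
  {"types": ["SSTRING"], "name": "EventID"},
  {"types": ["UINT64"],  "name": "External_EventID"},
  {"types": ["SSTRING"], "name": "RuleName"},
  {"types": ["SSTRING"], "name": "Rulename"},
  {"types": ["SSTRING"], "name": "Rule_Name"},
  {"types": ["INT64"],   "name": "Sysmon_Event_ID"},
  {"types": ["INT64"],   "name": "Symon_EventID"},
  {"types": ["IP"],      "name": "SrcIP"},
  {"types": ["IP"],      "name": "DstIP"},
  {"types": ["UINT16"],  "name": "DstPort"},
  {"types": ["SIGID"],   "name": "SigID"},
  {"types": ["SSTRING"], "name": "SHA256"},
  {"types": ["IPV4", "UINT16", "UINT16"], "name": "NAT_Details"},
  {"types": ["UINT32", "UINT32"], "name": "Response_Time"}
]
"""


def _fold(name: str) -> str:
    """Normalise a field name for collision detection: drop underscores, lower-case."""
    return name.replace("_", "").lower()


def index_fields(raw_json: str) -> dict:
    """Map each field name to its list of ESM types, exactly as returned.

    A name listed twice is treated as an error rather than silently overwritten,
    because the two entries could carry different types.
    """
    index = {}
    for entry in json.loads(raw_json):
        name = entry["name"]
        if name in index:
            raise ValueError(f"field listed twice: {name}")
        index[name] = list(entry["types"])
    return index


def find_name_collisions(index: dict) -> dict:
    """Group names that are identical once case and underscores are ignored.

    Only groups with more than one member are returned; each is a candidate
    for a silent mismatch when a playbook refers to the field by a hand-typed name.
    """
    groups = defaultdict(list)
    for name in index:
        groups[_fold(name)].append(name)
    return {key: sorted(names) for key, names in groups.items() if len(names) > 1}


def resolve_field(index: dict, wanted: str) -> str:
    """Return the canonical field name for a playbook-supplied name.

    An exact match always wins. Otherwise the name is matched ignoring case and
    underscores, but only if that match is unique; an ambiguous name raises so
    the author must choose explicitly instead of getting a field of another type.
    """
    if wanted in index:
        return wanted
    candidates = [n for n in index if _fold(n) == _fold(wanted)]
    if not candidates:
        raise KeyError(f"unknown ESM field: {wanted!r}")
    if len(candidates) > 1:
        raise KeyError(f"ambiguous ESM field {wanted!r}: one of {sorted(candidates)}")
    return candidates[0]


def fields_of_type(index: dict, esm_type: str) -> list:
    """Names of single-typed fields whose type is esm_type, sorted."""
    return sorted(n for n, t in index.items() if t == [esm_type])


def composite_fields(index: dict) -> dict:
    """Fields that carry more than one type, e.g. NAT_Details = IPv4 + two ports."""
    return {n: t for n, t in index.items() if len(t) > 1}


if __name__ == "__main__":
    idx = index_fields(FIELDS_JSON)
    for key, names in find_name_collisions(idx).items():
        shown = ", ".join(f"{n} ({'/'.join(idx[n])})" for n in names)
        print(f"collision {key}: {shown}")
    print("IP fields:", fields_of_type(idx, "IP"))
    print("composite fields:", composite_fields(idx))
    print("resolved 'srcip' ->", resolve_field(idx, "srcip"))
```

Run it against the full Raw Data array by replacing FIELDS_JSON with the saved response; any collision it reports is a field name to spell out exactly in the playbook, and any composite field needs every one of its component values mapped rather than the first.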
Context Data

The data extracted from Raw Data, converted into JSON format. Context Data may be identical to Raw Data in some cases.

Refer to Raw Data rather than Context Data, since Raw Data contains the complete API response. D3 will deprecate Context Data in the future, and playbook tasks that use Context Data will be migrated to Raw Data.

SAMPLE DATA

CODE
[
    {
        "types": [
            "SSTRING"
        ],
        "name": "ParentProcessId"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "AppID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "ParentImage"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "CommandID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "ParentCommandLine"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "DomainID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Initiated"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "HostID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "DestinationPortName"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "ObjectID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Rulename"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "UserIDDst"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Computer"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "UserIDSrc"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "SourceHostname"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "URL"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "DestinationHostname"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Database_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "TargetFilename"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Message_Text"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "TargetObject"
    },
    {
        "types": [
            "UINT32",
            "UINT32"
        ],
        "name": "Response_Time"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "RawEvent"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Application_Protocol"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "CurrentDirectory"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Object_Type"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "EventID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Filename"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Channel"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "From"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "OriginalFileName"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "To"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Cc"
    },
    {
        "types": [
            "TIME4"
        ],
        "name": "PreviousCreationUtcTime"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Bcc"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Subject"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Method"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "User_Agent"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Cookie"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Referer"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "File_Operation"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "File_Operation_Succeeded"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Destination_Filename"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "User_Nickname"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Contact_Name"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Contact_Nickname"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Client_Version"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Job_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Language"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "SWF_URL"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "TC_URL"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "RTMP_Application"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Version"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Local_User_Name"
    },
    {
        "types": [
            "IPV4",
            "UINT16",
            "UINT16"
        ],
        "name": "NAT_Details"
    },
    {
        "types": [
            "SIGID"
        ],
        "name": "Network_Layer"
    },
    {
        "types": [
            "SIGID"
        ],
        "name": "Transport_Layer"
    },
    {
        "types": [
            "SIGID"
        ],
        "name": "Session_Layer"
    },
    {
        "types": [
            "SIGID"
        ],
        "name": "Application_Layer"
    },
    {
        "types": [
            "SIGID"
        ],
        "name": "HTTP_Layer"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "HTTP_Req_URL"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "HTTP_Req_Cookie"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "HTTP_Req_Referer"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "HTTP_Req_Host"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "HTTP_Req_Method"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "HTTP_User_Agent"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "DNS_Name"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "DNS_Type"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "DNS_Class"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Query_Response"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Authoritative_Answer"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "SNMP_Operation"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "SNMP_Item_Type"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "SNMP_Version"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "SNMP_Error_Code"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "NTP_Client_Mode"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "NTP_Server_Mode"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "NTP_Request"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "NTP_Opcode"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "SNMP_Item"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Interface"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Direction"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Sensor_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Sensor_UUID"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Sensor_Type"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Signature_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Threat_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Destination_Hostname"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Category"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Process_Name"
    },
    {
        "types": [
            "IP"
        ],
        "name": "Grid_Master_IP"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Response_Code"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "Device_Port"
    },
    {
        "types": [
            "IP"
        ],
        "name": "Device_IP"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "PID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Target_Context"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Source_Context"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Target_Class"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Policy_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Destination_Zone"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Source_Zone"
    },
    {
        "types": [
            "STRLIT"
        ],
        "name": "Queue_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Delivery_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Recipient_ID"
    },
    {
        "types": [
            "FLOAT"
        ],
        "name": "Spam_Score"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Mail_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "To_Address"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "From_Address"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Message_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Request_Type"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "SQL_Statement"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "External_EventID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Event_Class"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Description"
    },
    {
        "types": [
            "GUID"
        ],
        "name": "File_Hash"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Mainframe_Job_Name"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "External_SubEventID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Destination_UserID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Source_UserID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Volume_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Step_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Step_Count"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "LPAR_DB2_Subsystem"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Logical_Unit_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Job_Type"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "FTP_Command"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "File_Type"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "DB2_Plan_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Catalog_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Access_Resource"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Table_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "External_DB2_Server"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "External_Application"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Creator_Name"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Return_Code"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Database_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Incoming_ID"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "Handle_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Destination_Network"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Source_Network"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Malware_Insp_Result"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Malware_Insp_Action"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "External_Hostname"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Privileged_User"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Facility"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Area"
    },
    {
        "types": [
            "GUID"
        ],
        "name": "Instance_GUID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Logon_Type"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Operating_System"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "File_Path"
    },
    {
        "types": [
            "GUID"
        ],
        "name": "Agent_GUID"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "Reputation"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "URL_Category"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Session_Status"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Destination_Logon_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Source_Logon_ID"
    },
    {
        "types": [
            "GUID"
        ],
        "name": "UUID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "External_SessionID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Management_Server"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Detection_Method"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Target_Process_Name"
    },
    {
        "types": [
            "FLOAT"
        ],
        "name": "Analyzer_DAT_Version"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Forwarding_Status"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Reason"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Threat_Handled"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Threat_Category"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Device_Action"
    },
    {
        "types": [
            "GUID"
        ],
        "name": "Database_GUID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "SQL_Command"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Destination_Directory"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Directory"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Mailbox"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "Handheld_ID"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "Policy_ID"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "Server_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Registry_Value"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Registry_Key"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Caller_Process"
    },
    {
        "types": [
            "FLOAT"
        ],
        "name": "DAT_Version"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Interface_Dest"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Datacenter_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Datacenter_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Virtual_Machine_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Virtual_Machine_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "PCAP_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Search_Query"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Service_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "External_Device_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "External_Device_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "External_Device_Type"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Organizational_Unit"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Privileges"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Reputation_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Vulnerability_References"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Web_Domain"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Sub_Status"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Status"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Access_Privileges"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Rule_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "App_Layer_Protocol"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Group_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Authentication_Type"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "New_Value"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Old_Value"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Security_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "SHA1"
    },
    {
        "types": [
            "FLOAT"
        ],
        "name": "Reputation_Score"
    },
    {
        "types": [
            "GUID"
        ],
        "name": "Parent_File_Hash"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "File_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Engine_List"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Device_URL"
    },
    {
        "types": [
            "IPV4"
        ],
        "name": "Attacker_IP"
    },
    {
        "types": [
            "IPV4"
        ],
        "name": "Victim_IP"
    },
    {
        "types": [
            "INT64"
        ],
        "name": "Incident_ID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Attribute_Type"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Access_Mask"
    },
    {
        "types": [
            "GUID"
        ],
        "name": "Object_GUID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "VPN_Feature_Name"
    },
    {
        "types": [
            "IP"
        ],
        "name": "Reputation_Server_IP"
    },
    {
        "types": [
            "IP"
        ],
        "name": "DNS_Server_IP"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Hash_Type"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Hash"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Subcategory"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Wireless_SSID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Share_Name"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "CnC_Host"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "Device_Confidence"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "SHA256"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "tesdr"
    },
    {
        "types": [
            "STRING"
        ],
        "name": "Sysmon_Test"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "RuleName"
    },
    {
        "types": [
            "INT64"
        ],
        "name": "Sysmon_Event_ID"
    },
    {
        "types": [
            "INT64"
        ],
        "name": "Symon_EventID"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "ProcessImage"
    },
    {
        "types": [
            "GUID"
        ],
        "name": "ProcessGuid"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "ProcessId"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Image"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "CommandLine"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Product"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Company"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "User"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "EventId"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "LogonId"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "IntegrityLevel"
    },
    {
        "types": [
            "SSTRING"
        ],
        "name": "Hashes"
    },
    {
        "types": [
            "GUID"
        ],
        "name": "ParentProcessGuid"
    },
    {
        "types": [
            "SIGID"
        ],
        "name": "DSIDSigID"
    },
    {
        "types": [
            "UINT16"
        ],
        "name": "ZoneSrc"
    },
    {
        "types": [
            "UINT8"
        ],
        "name": "Action"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "ASNGeoDst"
    },
    {
        "types": [
            "UINT32"
        ],
        "name": "FirstTime"
    },
    {
        "types": [
            "UINT16"
        ],
        "name": "SrcPort"
    },
    {
        "types": [
            "FLOAT"
        ],
        "name": "AvgSeverity"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "DSID"
    },
    {
        "types": [
            "UINT16"
        ],
        "name": "DstPort"
    },
    {
        "types": [
            "IP"
        ],
        "name": "SrcIP"
    },
    {
        "types": [
            "UINT16"
        ],
        "name": "ZoneDst"
    },
    {
        "types": [
            "SIGID"
        ],
        "name": "SigID"
    },
    {
        "types": [
            "GUID"
        ],
        "name": "GUIDSrc"
    },
    {
        "types": [
            "GUID"
        ],
        "name": "GUIDDst"
    },
    {
        "types": [
            "IP"
        ],
        "name": "DstIP"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "ID"
    },
    {
        "types": [
            "UINT8"
        ],
        "name": "Protocol"
    },
    {
        "types": [
            "UINT32"
        ],
        "name": "NormID"
    },
    {
        "types": [
            "MAC_ADDRESS"
        ],
        "name": "SrcMac"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "SessionID"
    },
    {
        "types": [
            "UINT64"
        ],
        "name": "ASNGeoSrc"
    },
    {
        "types": [
            "MAC_ADDRESS"
        ],
        "name": "DstMac"
    },
    {
        "types": [
            "UINT32"
        ],
        "name": "LastTime"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
[
  "ParentProcessId", "AppID", "ParentImage", "CommandID", "ParentCommandLine", "DomainID",
  "Initiated", "HostID", "DestinationPortName", "ObjectID", "Rulename", "UserIDDst", "Computer",
  "UserIDSrc", "SourceHostname", "URL", "DestinationHostname", "Database_Name", "TargetFilename",
  "Message_Text", "TargetObject", "Response_Time", "RawEvent", "Application_Protocol",
  "CurrentDirectory", "Object_Type", "EventID", "Filename", "Channel", "From", "OriginalFileName",
  "To", "Cc", "PreviousCreationUtcTime", "Bcc", "Subject", "Method", "User_Agent", "Cookie",
  "Referer", "File_Operation", "File_Operation_Succeeded", "Destination_Filename", "User_Nickname",
  "Contact_Name", "Contact_Nickname", "Client_Version", "Job_Name", "Language", "SWF_URL",
  "TC_URL", "RTMP_Application", "Version", "Local_User_Name", "NAT_Details", "Network_Layer",
  "Transport_Layer", "Session_Layer", "Application_Layer", "HTTP_Layer", "HTTP_Req_URL",
  "HTTP_Req_Cookie", "HTTP_Req_Referer", "HTTP_Req_Host", "HTTP_Req_Method", "HTTP_User_Agent",
  "DNS_Name", "DNS_Type", "DNS_Class", "Query_Response", "Authoritative_Answer", "SNMP_Operation",
  "SNMP_Item_Type", "SNMP_Version", "SNMP_Error_Code", "NTP_Client_Mode", "NTP_Server_Mode",
  "NTP_Request", "NTP_Opcode", "SNMP_Item", "Interface", "Direction", "Sensor_Name", "Sensor_UUID",
  "Sensor_Type", "Signature_Name", "Threat_Name", "Destination_Hostname", "Category", "Process_Name",
  "Grid_Master_IP", "Response_Code", "Device_Port", "Device_IP", "PID", "Target_Context",
  "Source_Context", "Target_Class", "Policy_Name", "Destination_Zone", "Source_Zone", "Queue_ID",
  "Delivery_ID", "Recipient_ID", "Spam_Score", "Mail_ID", "To_Address", "From_Address", "Message_ID",
  "Request_Type", "SQL_Statement", "External_EventID", "Event_Class", "Description", "File_Hash",
  "Mainframe_Job_Name", "External_SubEventID", "Destination_UserID", "Source_UserID", "Volume_ID",
  "Step_Name", "Step_Count", "LPAR_DB2_Subsystem", "Logical_Unit_Name", "Job_Type", "FTP_Command",
  "File_Type", "DB2_Plan_Name", "Catalog_Name", "Access_Resource", "Table_Name", "External_DB2_Server",
  "External_Application", "Creator_Name", "Return_Code", "Database_ID", "Incoming_ID", "Handle_ID",
  "Destination_Network", "Source_Network", "Malware_Insp_Result", "Malware_Insp_Action",
  "External_Hostname", "Privileged_User", "Facility", "Area", "Instance_GUID", "Logon_Type",
  "Operating_System", "File_Path", "Agent_GUID", "Reputation", "URL_Category", "Session_Status",
  "Destination_Logon_ID", "Source_Logon_ID", "UUID", "External_SessionID", "Management_Server",
  "Detection_Method", "Target_Process_Name", "Analyzer_DAT_Version", "Forwarding_Status", "Reason",
  "Threat_Handled", "Threat_Category", "Device_Action", "Database_GUID", "SQL_Command",
  "Destination_Directory", "Directory", "Mailbox", "Handheld_ID", "Policy_ID", "Server_ID",
  "Registry_Value", "Registry_Key", "Caller_Process", "DAT_Version", "Interface_Dest", "Datacenter_Name",
  "Datacenter_ID", "Virtual_Machine_ID", "Virtual_Machine_Name", "PCAP_Name", "Search_Query",
  "Service_Name", "External_Device_Name", "External_Device_ID", "External_Device_Type",
  "Organizational_Unit", "Privileges", "Reputation_Name", "Vulnerability_References", "Web_Domain",
  "Sub_Status", "Status", "Access_Privileges", "Rule_Name", "App_Layer_Protocol", "Group_Name",
  "Authentication_Type", "New_Value", "Old_Value", "Security_ID", "SHA1", "Reputation_Score",
  "Parent_File_Hash", "File_ID", "Engine_List", "Device_URL", "Attacker_IP", "Victim_IP",
  "Incident_ID", "Attribute_Type", "Access_Mask", "Object_GUID", "VPN_Feature_Name",
  "Reputation_Server_IP", "DNS_Server_IP", "Hash_Type", "Hash", "Subcategory", "Wireless_SSID",
  "Share_Name", "CnC_Host", "Device_Confidence", "SHA256", "tesdr", "Sysmon_Test", "RuleName",
  "Sysmon_Event_ID", "Symon_EventID", "ProcessImage", "ProcessGuid", "ProcessId", "Image",
  "CommandLine", "Product", "Company", "User", "EventId", "LogonId", "IntegrityLevel", "Hashes",
  "ParentProcessGuid", "DSIDSigID", "ZoneSrc", "Action", "ASNGeoDst", "FirstTime", "SrcPort",
  "AvgSeverity", "DSID", "DstPort", "SrcIP", "ZoneDst", "SigID", "GUIDSrc", "GUIDDst", "DstIP",
  "ID", "Protocol", "NormID", "SrcMac", "SessionID", "ASNGeoSrc", "DstMac", "LastTime"
]
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| types | name |
| --- | --- |
| ["SSTRING"] | ParentProcessId |
| ["STRING"] | AppID |
| ["SSTRING"] | ParentImage |
| ["STRING"] | CommandID |
| ["SSTRING"] | ParentCommandLine |
| ["STRING"] | DomainID |
| ["SSTRING"] | Initiated |
| ["STRING"] | HostID |
| ["SSTRING"] | DestinationPortName |
| ["STRING"] | ObjectID |
| ["SSTRING"] | Rulename |
| ["STRING"] | UserIDDst |
| ["SSTRING"] | Computer |
| ["STRING"] | UserIDSrc |
| ["SSTRING"] | SourceHostname |
| ["SSTRING"] | URL |
| ["SSTRING"] | DestinationHostname |
| ["STRING"] | Database_Name |
| ["SSTRING"] | TargetFilename |
| ["SSTRING"] | Message_Text |
| ["SSTRING"] | TargetObject |
| ["UINT32", "UINT32"] | Response_Time |
| ["SSTRING"] | RawEvent |
| ["STRING"] | Application_Protocol |
| ["SSTRING"] | CurrentDirectory |
| ["STRING"] | Object_Type |
| ["SSTRING"] | EventID |
| ["SSTRING"] | Filename |
| ["SSTRING"] | Channel |
| ["SSTRING"] | From |
| ["SSTRING"] | OriginalFileName |
| ["SSTRING"] | To |
| ["SSTRING"] | Cc |
| ["TIME4"] | PreviousCreationUtcTime |
| ["SSTRING"] | Bcc |
| ["SSTRING"] | Subject |
| ["STRING"] | Method |
| ["SSTRING"] | User_Agent |
| ["SSTRING"] | Cookie |
| ["SSTRING"] | Referer |
| ["STRING"] | File_Operation |
| ["STRING"] | File_Operation_Succeeded |
| ["SSTRING"] | Destination_Filename |
| ["STRING"] | User_Nickname |
| ["STRING"] | Contact_Name |
| ["STRING"] | Contact_Nickname |
| ["SSTRING"] | Client_Version |
| ["SSTRING"] | Job_Name |
| ["SSTRING"] | Language |
| ["SSTRING"] | SWF_URL |
| ["SSTRING"] | TC_URL |
| ["SSTRING"] | RTMP_Application |
| ["SSTRING"] | Version |
| ["SSTRING"] | Local_User_Name |
| ["IPV4", "UINT16", "UINT16"] | NAT_Details |
| ["SIGID"] | Network_Layer |
| ["SIGID"] | Transport_Layer |
| ["SIGID"] | Session_Layer |
| ["SIGID"] | Application_Layer |
| ["SIGID"] | HTTP_Layer |
| ["SSTRING"] | HTTP_Req_URL |
| ["SSTRING"] | HTTP_Req_Cookie |
| ["SSTRING"] | HTTP_Req_Referer |
| ["SSTRING"] | HTTP_Req_Host |
| ["SSTRING"] | HTTP_Req_Method |
| ["SSTRING"] | HTTP_User_Agent |
| ["SSTRING"] | DNS_Name |
| ["STRING"] | DNS_Type |
| ["STRING"] | DNS_Class |
| ["STRING"] | Query_Response |
| ["STRING"] | Authoritative_Answer |
| ["STRING"] | SNMP_Operation |
| ["STRING"] | SNMP_Item_Type |
| ["STRING"] | SNMP_Version |
| ["STRING"] | SNMP_Error_Code |
| ["STRING"] | NTP_Client_Mode |
| ["STRING"] | NTP_Server_Mode |
| ["STRING"] | NTP_Request |
| ["STRING"] | NTP_Opcode |
| ["SSTRING"] | SNMP_Item |
| ["STRING"] | Interface |
| ["STRING"] | Direction |
| ["STRING"] | Sensor_Name |
| ["SSTRING"] | Sensor_UUID |
| ["STRING"] | Sensor_Type |
| ["SSTRING"] | Signature_Name |
| ["SSTRING"] | Threat_Name |
| ["SSTRING"] | Destination_Hostname |
| ["SSTRING"] | Category |
| ["SSTRING"] | Process_Name |
| ["IP"] | Grid_Master_IP |
| ["STRING"] | Response_Code |
| ["UINT64"] | Device_Port |
| ["IP"] | Device_IP |
| ["UINT64"] | PID |
| ["SSTRING"] | Target_Context |
| ["SSTRING"] | Source_Context |
| ["SSTRING"] | Target_Class |
| ["SSTRING"] | Policy_Name |
| ["SSTRING"] | Destination_Zone |
| ["SSTRING"] | Source_Zone |
| ["STRLIT"] | Queue_ID |
| ["SSTRING"] | Delivery_ID |
| ["SSTRING"] | Recipient_ID |
| ["FLOAT"] | Spam_Score |
| ["SSTRING"] | Mail_ID |
| ["SSTRING"] | To_Address |
| ["SSTRING"] | From_Address |
| ["SSTRING"] | Message_ID |
| ["SSTRING"] | Request_Type |
| ["SSTRING"] | SQL_Statement |
| ["UINT64"] | External_EventID |
| ["SSTRING"] | Event_Class |
| ["SSTRING"] | Description |
| ["GUID"] | File_Hash |
| ["SSTRING"] | Mainframe_Job_Name |
| ["UINT64"] | External_SubEventID |
| ["SSTRING"] | Destination_UserID |
| ["SSTRING"] | Source_UserID |
| ["SSTRING"] | Volume_ID |
| ["SSTRING"] | Step_Name |
| ["SSTRING"] | Step_Count |
| ["SSTRING"] | LPAR_DB2_Subsystem |
| ["SSTRING"] | Logical_Unit_Name |
| ["SSTRING"] | Job_Type |
| ["SSTRING"] | FTP_Command |
| ["SSTRING"] | File_Type |
| ["SSTRING"] | DB2_Plan_Name |
| ["SSTRING"] | Catalog_Name |
| ["SSTRING"] | Access_Resource |
| ["SSTRING"] | Table_Name |
| ["SSTRING"] | External_DB2_Server |
| ["SSTRING"] | External_Application |
| ["SSTRING"] | Creator_Name |
| ["STRING"] | Return_Code |
| ["SSTRING"] | Database_ID |
| ["SSTRING"] | Incoming_ID |
| ["UINT64"] | Handle_ID |
| ["SSTRING"] | Destination_Network |
| ["SSTRING"] | Source_Network |
| ["SSTRING"] | Malware_Insp_Result |
| ["SSTRING"] | Malware_Insp_Action |
| ["SSTRING"] | External_Hostname |
| ["SSTRING"] | Privileged_User |
| ["SSTRING"] | Facility |
| ["SSTRING"] | Area |
| ["GUID"] | Instance_GUID |
| ["SSTRING"] | Logon_Type |
| ["SSTRING"] | Operating_System |
| ["SSTRING"] | File_Path |
| ["GUID"] | Agent_GUID |
| ["UINT64"] | Reputation |
| ["SSTRING"] | URL_Category |
| ["SSTRING"] | Session_Status |
| ["SSTRING"] | Destination_Logon_ID |
| ["SSTRING"] | Source_Logon_ID |
| ["GUID"] | UUID |
| ["SSTRING"] | External_SessionID |
| ["SSTRING"] | Management_Server |
| ["SSTRING"] | Detection_Method |
| ["SSTRING"] | Target_Process_Name |
| ["FLOAT"] | Analyzer_DAT_Version |
| ["SSTRING"] | Forwarding_Status |
| ["SSTRING"] | Reason |
| ["SSTRING"] | Threat_Handled |
| ["SSTRING"] | Threat_Category |
| ["SSTRING"] | Device_Action |
| ["GUID"] | Database_GUID |
| ["SSTRING"] | SQL_Command |
| ["SSTRING"] | Destination_Directory |
| ["SSTRING"] | Directory |
| ["SSTRING"] | Mailbox |
| ["UINT64"] | Handheld_ID |
| ["UINT64"] | Policy_ID |
| ["UINT64"] | Server_ID |
| ["SSTRING"] | Registry_Value |
| ["SSTRING"] | Registry_Key |
| ["SSTRING"] | Caller_Process |
| ["FLOAT"] | DAT_Version |
| ["SSTRING"] | Interface_Dest |
| ["SSTRING"] | Datacenter_Name |
| ["SSTRING"] | Datacenter_ID |
| ["SSTRING"] | Virtual_Machine_ID |
| ["SSTRING"] | Virtual_Machine_Name |
| ["SSTRING"] | PCAP_Name |
| ["SSTRING"] | Search_Query |
| ["SSTRING"] | Service_Name |
| ["SSTRING"] | External_Device_Name |
| ["SSTRING"] | External_Device_ID |
| ["SSTRING"] | External_Device_Type |
| ["SSTRING"] | Organizational_Unit |
| ["SSTRING"] | Privileges |
| ["SSTRING"] | Reputation_Name |
| ["SSTRING"] | Vulnerability_References |
| ["SSTRING"] | Web_Domain |
| ["SSTRING"] | Sub_Status |
| ["SSTRING"] | Status |
| ["SSTRING"] | Access_Privileges |
| ["SSTRING"] | Rule_Name |
| ["SSTRING"] | App_Layer_Protocol |
| ["SSTRING"] | Group_Name |
| ["SSTRING"] | Authentication_Type |
| ["SSTRING"] | New_Value |
| ["SSTRING"] | Old_Value |
| ["SSTRING"] | Security_ID |
| ["SSTRING"] | SHA1 |
| ["FLOAT"] | Reputation_Score |
| ["GUID"] | Parent_File_Hash |
| ["SSTRING"] | File_ID |
| ["SSTRING"] | Engine_List |
| ["SSTRING"] | Device_URL |
| ["IPV4"] | Attacker_IP |
| ["IPV4"] | Victim_IP |
| ["INT64"] | Incident_ID |
| ["SSTRING"] | Attribute_Type |
| ["SSTRING"] | Access_Mask |
| ["GUID"] | Object_GUID |
| ["SSTRING"] | VPN_Feature_Name |
| ["IP"] | Reputation_Server_IP |
| ["IP"] | DNS_Server_IP |
| ["SSTRING"] | Hash_Type |
| ["SSTRING"] | Hash |
| ["SSTRING"] | Subcategory |
| ["SSTRING"] | Wireless_SSID |
| ["SSTRING"] | Share_Name |
| ["SSTRING"] | CnC_Host |
| ["UINT64"] | Device_Confidence |
| ["SSTRING"] | SHA256 |
| ["SSTRING"] | tesdr |
| ["STRING"] | Sysmon_Test |
| ["SSTRING"] | RuleName |
| ["INT64"] | Sysmon_Event_ID |
| ["INT64"] | Symon_EventID |
| ["SSTRING"] | ProcessImage |
| ["GUID"] | ProcessGuid |
| ["SSTRING"] | ProcessId |
| ["SSTRING"] | Image |
| ["SSTRING"] | CommandLine |
| ["SSTRING"] | Product |
| ["SSTRING"] | Company |
| ["SSTRING"] | User |
| ["UINT64"] | EventId |
| ["SSTRING"] | LogonId |
| ["SSTRING"] | IntegrityLevel |
| ["SSTRING"] | Hashes |
| ["GUID"] | ParentProcessGuid |
| ["SIGID"] | DSIDSigID |
| ["UINT16"] | ZoneSrc |
| ["UINT8"] | Action |
| ["UINT64"] | ASNGeoDst |
| ["UINT32"] | FirstTime |
| ["UINT16"] | SrcPort |
| ["FLOAT"] | AvgSeverity |
| ["UINT64"] | DSID |
| ["UINT16"] | DstPort |
| ["IP"] | SrcIP |
| ["UINT16"] | ZoneDst |
| ["SIGID"] | SigID |
| ["GUID"] | GUIDSrc |
| ["GUID"] | GUIDDst |
| ["IP"] | DstIP |
| ["UINT64"] | ID |
| ["UINT8"] | Protocol |
| ["UINT32"] | NormID |
| ["MAC_ADDRESS"] | SrcMac |
| ["UINT64"] | SessionID |
| ["UINT64"] | ASNGeoSrc |
| ["MAC_ADDRESS"] | DstMac |
| ["UINT32"] | LastTime |
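One practical use of this field list is to type-check a value before a playbook hands it to ESM as a query filter, so that a malformed indicator fails in D3 SOAR rather than in the ESM API call. The following is an added example, not D3 SOAR's or Trellix's code: it builds a validator from a constructed excerpt of the types/name pairs above; the SIGID and TIME4 checks are assumptions about those formats, and multi-typed fields such as NAT_Details are checked one part per type.

```python
"""Type-check candidate filter values against the field types that
List Available Select Fields returns (the types/name pairs above).
Added example, not D3 SOAR or Trellix code."""
import ipaddress
import re
import uuid

# Constructed excerpt in the shape of the Raw Data above; the real list is far longer.
SELECT_FIELDS = [
    {"types": ["IP"], "name": "SrcIP"},
    {"types": ["IPV4"], "name": "Attacker_IP"},
    {"types": ["UINT16"], "name": "DstPort"},
    {"types": ["UINT8"], "name": "Protocol"},
    {"types": ["INT64"], "name": "Incident_ID"},
    {"types": ["FLOAT"], "name": "AvgSeverity"},
    {"types": ["GUID"], "name": "ProcessGuid"},
    {"types": ["MAC_ADDRESS"], "name": "SrcMac"},
    {"types": ["SSTRING"], "name": "CommandLine"},
    {"types": ["SIGID"], "name": "SigID"},
    {"types": ["TIME4"], "name": "PreviousCreationUtcTime"},
    {"types": ["IPV4", "UINT16", "UINT16"], "name": "NAT_Details"},
    {"types": ["UINT32", "UINT32"], "name": "Response_Time"},
]

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
# Assumption: ESM signature IDs are decimal, optionally written "<dsid>-<sigid>".
SIGID_RE = re.compile(r"^\d+(-\d+)?$")


def _is_int(v):
    # bool is a subclass of int in Python; exclude it explicitly.
    return isinstance(v, int) and not isinstance(v, bool)


def _uint(bits):
    return lambda v: _is_int(v) and 0 <= v < (1 << bits)


def _int(bits):
    return lambda v: _is_int(v) and -(1 << (bits - 1)) <= v < (1 << (bits - 1))


def _parses(ctor):
    """True when ctor(v) accepts the value (used for IP, IPv4 and GUID parsing)."""
    def check(v):
        try:
            ctor(v)
            return True
        except (ValueError, TypeError):
            return False
    return check


CHECKS = {
    "SSTRING": lambda v: isinstance(v, str),
    "STRING": lambda v: isinstance(v, str),
    "STRLIT": lambda v: isinstance(v, str),
    "IP": lambda v: isinstance(v, str) and _parses(ipaddress.ip_address)(v),
    "IPV4": lambda v: isinstance(v, str) and _parses(ipaddress.IPv4Address)(v),
    "GUID": lambda v: isinstance(v, str) and _parses(uuid.UUID)(v),
    "MAC_ADDRESS": lambda v: isinstance(v, str) and MAC_RE.match(v) is not None,
    "SIGID": lambda v: isinstance(v, str) and SIGID_RE.match(v) is not None,
    "FLOAT": lambda v: _is_int(v) or isinstance(v, float),
    "UINT8": _uint(8), "UINT16": _uint(16), "UINT32": _uint(32), "UINT64": _uint(64),
    "INT64": _int(64),
    "TIME4": _uint(32),  # assumption: 32-bit unsigned epoch seconds
}


def build_schema(fields):
    """Map field name -> list of component types, from the Raw Data shape."""
    return {f["name"]: list(f["types"]) for f in fields}


def validate_value(schema, field, value):
    """Return a list of problems; an empty list means the value fits the field.
    Fields with several types (NAT_Details = IPV4, UINT16, UINT16) take a
    list or tuple with one part per type, checked position by position."""
    if field not in schema:
        return [f"unknown field {field!r}"]
    types = schema[field]
    if len(types) == 1:
        parts = [value]
    elif isinstance(value, (list, tuple)) and len(value) == len(types):
        parts = list(value)
    else:
        return [f"{field} expects {len(types)} parts {types}, got {value!r}"]
    problems = []
    for t, part in zip(types, parts):
        check = CHECKS.get(t)
        if check is None:
            problems.append(f"{field}: no validator for type {t}")
        elif not check(part):
            problems.append(f"{field}: {part!r} is not a valid {t}")
    return problems
```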

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
| --- | --- | --- |
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Available Select Fields failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trellix McAfee ESM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: ERROR_InsufficientRights. |

Error Sample Data

List Available Select Fields failed.

Status Code: 400.

Message: ERROR_InsufficientRights.

List Users

Returns the list of all users.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "id": *****,
        "master": true,
        "loggedInCount": 9,
        "emailId": 0,
        "sms": "",
        "smsId": 0,
        "admin": true,
        "alias": "",
        "groups": [
            1,
            2
        ],
        "email": "",
        "type": "POWER",
        "locked": false,
        "username": "admin"
    },
    {
        "id": *****,
        "master": true,
        "loggedInCount": 0,
        "emailId": 0,
        "sms": "",
        "smsId": 0,
        "admin": false,
        "alias": "",
        "groups": [],
        "email": "",
        "type": "POWER",
        "locked": false,
        "username": "NGCP"
    },
    {
        "id": *****,
        "master": false,
        "loggedInCount": 0,
        "emailId": 0,
        "sms": "",
        "smsId": 0,
        "admin": false,
        "alias": "",
        "groups": [
            2
        ],
        "email": "",
        "type": "POWER",
        "locked": false,
        "username": "POLICY"
    },
    {
        "id": *****,
        "master": false,
        "loggedInCount": 0,
        "emailId": 0,
        "sms": "",
        "smsId": 0,
        "admin": false,
        "alias": "",
        "groups": [
            1
        ],
        "email": "",
        "type": "POWER",
        "locked": false,
        "username": "REPORT"
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "id": *****,
        "master": true,
        "loggedInCount": 9,
        "emailId": 0,
        "sms": "",
        "smsId": 0,
        "admin": true,
        "alias": "",
        "groups": [
            1,
            2
        ],
        "email": "",
        "type": "POWER",
        "locked": false,
        "username": "admin"
    },
    {
        "id": *****,
        "master": true,
        "loggedInCount": 0,
        "emailId": 0,
        "sms": "",
        "smsId": 0,
        "admin": false,
        "alias": "",
        "groups": [],
        "email": "",
        "type": "POWER",
        "locked": false,
        "username": "NGCP"
    },
    {
        "id": *****,
        "master": false,
        "loggedInCount": 0,
        "emailId": 0,
        "sms": "",
        "smsId": 0,
        "admin": false,
        "alias": "",
        "groups": [
            2
        ],
        "email": "",
        "type": "POWER",
        "locked": false,
        "username": "POLICY"
    },
    {
        "id": *****,
        "master": false,
        "loggedInCount": 0,
        "emailId": 0,
        "sms": "",
        "smsId": 0,
        "admin": false,
        "alias": "",
        "groups": [
            1
        ],
        "email": "",
        "type": "POWER",
        "locked": false,
        "username": "REPORT"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "EMail": ["","*****@*****.***","","",""],
  "UserID": [*****,*****,*****,*****,*****],
  "UserName": ["admin","NGCP","POLICY","REPORT"]
}
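The user list is also a natural input for a periodic privileged-account review in a playbook. The following is an added example, not D3 SOAR's or Trellix's code: it derives the Key Fields above from a constructed sample in the shape of the Raw Data (the real ids are masked on the page, so the ids here are placeholders) and flags privileged accounts that are missing from an approved list or have never logged in; treating the master flag as a privilege is an assumption.

```python
"""Audit a List Users response for privileged accounts and derive the Key
Fields (EMail / UserID / UserName) shown above. Added example, not D3 SOAR
or Trellix code; "master" is treated as a privilege flag by assumption."""

# Constructed sample in the shape of the List Users Raw Data; ids are
# masked on the page, so the values here are placeholders.
USERS = [
    {"id": 1001, "master": True, "loggedInCount": 9, "emailId": 0, "sms": "",
     "smsId": 0, "admin": True, "alias": "", "groups": [1, 2], "email": "",
     "type": "POWER", "locked": False, "username": "admin"},
    {"id": 1002, "master": True, "loggedInCount": 0, "emailId": 0, "sms": "",
     "smsId": 0, "admin": False, "alias": "", "groups": [], "email": "",
     "type": "POWER", "locked": False, "username": "NGCP"},
    {"id": 1003, "master": False, "loggedInCount": 0, "emailId": 0, "sms": "",
     "smsId": 0, "admin": False, "alias": "", "groups": [2], "email": "",
     "type": "POWER", "locked": False, "username": "POLICY"},
    {"id": 1004, "master": False, "loggedInCount": 0, "emailId": 0, "sms": "",
     "smsId": 0, "admin": False, "alias": "", "groups": [1], "email": "",
     "type": "POWER", "locked": False, "username": "REPORT"},
]


def key_fields(users):
    """One array per indicator, one position per user, as in the Key Fields sample."""
    return {
        "EMail": [u.get("email", "") for u in users],
        "UserID": [u["id"] for u in users],
        "UserName": [u["username"] for u in users],
    }


def is_privileged(user):
    # Assumption: either the admin or the master flag grants elevated rights.
    return bool(user.get("admin") or user.get("master"))


def privileged_accounts(users):
    """Usernames that hold elevated rights and are not locked."""
    return sorted(u["username"] for u in users if is_privileged(u) and not u.get("locked"))


def audit(users, approved):
    """Findings a playbook can raise as a ticket: privileged accounts missing
    from the approved set, and privileged accounts that have never logged in
    (typical of forgotten service or integration accounts)."""
    findings = []
    for u in users:
        if not is_privileged(u) or u.get("locked"):
            continue
        name = u["username"]
        if name not in approved:
            findings.append(f"{name}: privileged account not on the approved list")
        if u.get("loggedInCount", 0) == 0:
            findings.append(f"{name}: privileged account with no recorded logins")
    return findings
```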
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| id | master | loggedInCount | emailId | sms | smsId | admin | alias | groups | email | type | locked | username |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| ***** | TRUE | 9 | 0 |  | 0 | TRUE |  | [1, 2] |  | POWER | FALSE | admin |
| ***** | TRUE | 0 | 0 |  | 0 | FALSE |  | [] |  | POWER | FALSE | NGCP |
| ***** | FALSE | 0 | 0 |  | 0 | FALSE |  | [2] |  | POWER | FALSE | POLICY |
| ***** | FALSE | 0 | 0 |  | 0 | FALSE |  | [1] |  | POWER | FALSE | REPORT |

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
| --- | --- | --- |
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Users failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trellix McAfee ESM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: ERROR_InsufficientRights. |

Error Sample Data

List Users failed.

Status Code: 400.

Message: ERROR_InsufficientRights.

List Watchlists

Returns watchlists and their corresponding information.

Input

| Input Parameter | Required/Optional | Description | Example |
| --- | --- | --- | --- |
| Showing hidden watchlist | Required | Enables hidden watchlists to be listed. If you select True, both hidden and non-hidden watchlists will be returned. | False |
| Showing dynamic watchlist | Required | Enables dynamic watchlists to be listed. If you select True, both dynamic and non-dynamic watchlists will be returned. | False |
| Showing writeOnly watchlist | Required | Enables write-only (modifiable) watchlists to be listed. If you select True, both write-only and non-write-only watchlists will be returned. | False |
| Showing indexedOnly watchlist | Required | Enables indexed watchlists to be listed. If you select True, both indexed and non-indexed watchlists will be returned. | False |

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "id": *****,
        "active": true,
        "customType": {
            "id": *****,
            "name": "DstIP"
        },
        "scored": false,
        "valueCount": 0,
        "errorMsg": "",
        "dynamic": false,
        "hidden": false,
        "type": {
            "id": *****,
            "name": "DstIP"
        },
        "source": 0,
        "name": "test99"
    },
    {
        "id": *****,
        "active": true,
        "customType": {
            "id": *****,
            "name": "IPAddress"
        },
        "scored": false,
        "valueCount": 0,
        "errorMsg": "",
        "dynamic": false,
        "hidden": false,
        "type": {
            "id": *****,
            "name": "IPAddress"
        },
        "source": 0,
        "name": "TIE Data Source IPs"
    },
    {
        "id": *****,
        "active": true,
        "customType": {
            "id": *****,
            "name": "4"
        },
        "scored": false,
        "valueCount": 0,
        "errorMsg": "",
        "dynamic": false,
        "hidden": false,
        "type": {
            "id": *****,
            "name": "HostID"
        },
        "source": 0,
        "name": "WL"
    },
    {
        "id": *****,
        "active": true,
        "customType": {
            "id": *****,
            "name": "DstIP"
        },
        "scored": false,
        "valueCount": 1,
        "errorMsg": "",
        "dynamic": false,
        "hidden": false,
        "type": {
            "id": *****,
            "name": "DstIP"
        },
        "source": 0,
        "name": "wl5"
    },
    {
        "id": *****,
        "active": true,
        "customType": {
            "id": *****,
            "name": "DstIP"
        },
        "scored": false,
        "valueCount": 0,
        "errorMsg": "",
        "dynamic": false,
        "hidden": false,
        "type": {
            "id": *****,
            "name": "DstIP"
        },
        "source": 0,
        "name": "wl4"
    },
    {
        "id": *****,
        "active": true,
        "customType": {
            "id": *****,
            "name": "DstIP"
        },
        "scored": false,
        "valueCount": 0,
        "errorMsg": "",
        "dynamic": false,
        "hidden": false,
        "type": {
            "id": *****,
            "name": "DstIP"
        },
        "source": 0,
        "name": "wl55"
    },
    {
        "id": *****,
        "active": true,
        "customType": {
            "id": *****,
            "name": "DstIP"
        },
        "scored": false,
        "valueCount": 0,
        "errorMsg": "",
        "dynamic": false,
        "hidden": false,
        "type": {
            "id": *****,
            "name": "DstIP"
        },
        "source": 0,
        "name": "wl100"
    },
    {
        "id": *****,
        "active": true,
        "customType": {
            "id": *****,
            "name": "DstIP"
        },
        "scored": false,
        "valueCount": 0,
        "errorMsg": "",
        "dynamic": false,
        "hidden": false,
        "type": {
            "id": *****,
            "name": "DstIP"
        },
        "source": 0,
        "name": "wl75"
    },
    {
        "id": *****,
        "active": true,
        "customType": {
            "id": *****,
            "name": "DstIP"
        },
        "scored": false,
        "valueCount": 0,
        "errorMsg": "",
        "dynamic": false,
        "hidden": false,
        "type": {
            "id": *****,
            "name": "DstIP"
        },
        "source": 0,
        "name": "wl76"
    },
    {
        "id": *****,
        "active": true,
        "customType": {
            "id": *****,
            "name": "DstIP"
        },
        "scored": false,
        "valueCount": 0,
        "errorMsg": "",
        "dynamic": false,
        "hidden": false,
        "type": {
            "id": *****,
            "name": "DstIP"
        },
        "source": 0,
        "name": "wl77"
    },
    {
        "id": *****,
        "active": true,
        "customType": {
            "id": *****,
            "name": "ASNGeoDst"
        },
        "scored": false,
        "valueCount": 0,
        "errorMsg": "",
        "dynamic": false,
        "hidden": false,
        "type": {
            "id": *****,
            "name": "ASNGeoDst"
        },
        "source": 0,
        "name": "Test01"
    },
    {
        "id": *****,
        "active": true,
        "customType": {
            "id": *****,
            "name": "ASNGeoDst"
        },
        "scored": false,
        "valueCount": 0,
        "errorMsg": "",
        "dynamic": false,
        "hidden": false,
        "type": {
            "id": *****,
            "name": "ASNGeoDst"
        },
        "source": 0,
        "name": "Test02"
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "id": *****,
        "active": true,
        "customType": {
            "id": *****,
            "name": "DstIP"
        },
        "scored": false,
        "valueCount": 0,
        "errorMsg": "",
        "dynamic": false,
        "hidden": false,
        "type": {
            "id": *****,
            "name": "DstIP"
        },
        "source": 0,
        "name": "test99"
    },
    {
        "id": *****,
        "active": true,
        "customType": {
            "id": *****,
            "name": "IPAddress"
        },
        "scored": false,
        "valueCount": 0,
        "errorMsg": "",
        "dynamic": false,
        "hidden": false,
        "type": {
            "id": *****,
            "name": "IPAddress"
        },
        "source": 0,
        "name": "TIE Data Source IPs"
    },
    {
        "id": *****,
        "active": true,
        "customType": {
            "id": *****,
            "name": "4"
        },
        "scored": false,
        "valueCount": 0,
        "errorMsg": "",
        "dynamic": false,
        "hidden": false,
        "type": {
            "id": *****,
            "name": "HostID"
        },
        "source": 0,
        "name": "WL"
    },
    {
        "id": *****,
        "active": true,
        "customType": {
            "id": *****,
            "name": "DstIP"
        },
        "scored": false,
        "valueCount": 1,
        "errorMsg": "",
        "dynamic": false,
        "hidden": false,
        "type": {
            "id": *****,
            "name": "DstIP"
        },
        "source": 0,
        "name": "wl5"
    },
    {
        "id": *****,
        "active": true,
        "customType": {
            "id": *****,
            "name": "DstIP"
        },
        "scored": false,
        "valueCount": 0,
        "errorMsg": "",
        "dynamic": false,
        "hidden": false,
        "type": {
            "id": *****,
            "name": "DstIP"
        },
        "source": 0,
        "name": "wl4"
    },
    {
        "id": *****,
        "active": true,
        "customType": {
            "id": *****,
            "name": "DstIP"
        },
        "scored": false,
        "valueCount": 0,
        "errorMsg": "",
        "dynamic": false,
        "hidden": false,
        "type": {
            "id": *****,
            "name": "DstIP"
        },
        "source": 0,
        "name": "wl55"
    },
    {
        "id": *****,
        "active": true,
        "customType": {
            "id": *****,
            "name": "DstIP"
        },
        "scored": false,
        "valueCount": 0,
        "errorMsg": "",
        "dynamic": false,
        "hidden": false,
        "type": {
            "id": *****,
            "name": "DstIP"
        },
        "source": 0,
        "name": "wl100"
    },
    {
        "id": *****,
        "active": true,
        "customType": {
            "id": *****,
            "name": "DstIP"
        },
        "scored": false,
        "valueCount": 0,
        "errorMsg": "",
        "dynamic": false,
        "hidden": false,
        "type": {
            "id": *****,
            "name": "DstIP"
        },
        "source": 0,
        "name": "wl75"
    },
    {
        "id": *****,
        "active": true,
        "customType": {
            "id": *****,
            "name": "DstIP"
        },
        "scored": false,
        "valueCount": 0,
        "errorMsg": "",
        "dynamic": false,
        "hidden": false,
        "type": {
            "id": *****,
            "name": "DstIP"
        },
        "source": 0,
        "name": "wl76"
    },
    {
        "id": *****,
        "active": true,
        "customType": {
            "id": *****,
            "name": "DstIP"
        },
        "scored": false,
        "valueCount": 0,
        "errorMsg": "",
        "dynamic": false,
        "hidden": false,
        "type": {
            "id": *****,
            "name": "DstIP"
        },
        "source": 0,
        "name": "wl77"
    },
    {
        "id": *****,
        "active": true,
        "customType": {
            "id": *****,
            "name": "ASNGeoDst"
        },
        "scored": false,
        "valueCount": 0,
        "errorMsg": "",
        "dynamic": false,
        "hidden": false,
        "type": {
            "id": *****,
            "name": "ASNGeoDst"
        },
        "source": 0,
        "name": "Test01"
    },
    {
        "id": *****,
        "active": true,
        "customType": {
            "id": *****,
            "name": "ASNGeoDst"
        },
        "scored": false,
        "valueCount": 0,
        "errorMsg": "",
        "dynamic": false,
        "hidden": false,
        "type": {
            "id": *****,
            "name": "ASNGeoDst"
        },
        "source": 0,
        "name": "Test02"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "IDs": [*****,*****,*****,*****,*****,*****,*****,*****,*****,*****,*****,*****,*****,*****],
  "Names": [ "test99", "TIE Data Source IPs", "WL", "wl5", "wl4", "wl55", "wl100", "wl75", "wl76", "wl77", "Test01", "Test02" ] 
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| id | active | customType | scored | valueCount | errorMsg | dynamic | hidden | type | source | name |
|---|---|---|---|---|---|---|---|---|---|---|
| 11 | TRUE | {"id": *****, "name": "DstIP"} | FALSE | 0 | | FALSE | FALSE | {"id": *****, "name": "DstIP"} | 0 | test99 |
| 7 | TRUE | {"id": *****, "name": "IPAddress"} | FALSE | 0 | | FALSE | FALSE | {"id": *****, "name": "IPAddress"} | 0 | TIE Data Source IPs |
| 8 | TRUE | {"id": *****, "name": "4"} | FALSE | 0 | | FALSE | FALSE | {"id": *****, "name": "HostID"} | 0 | WL |
| 9 | TRUE | {"id": *****, "name": "DstIP"} | FALSE | 1 | | FALSE | FALSE | {"id": *****, "name": "DstIP"} | 0 | wl5 |
| 10 | TRUE | {"id": *****, "name": "DstIP"} | FALSE | 0 | | FALSE | FALSE | {"id": *****, "name": "DstIP"} | 0 | wl4 |
| ***** | TRUE | {"id": *****, "name": "DstIP"} | FALSE | 0 | | FALSE | FALSE | {"id": *****, "name": "DstIP"} | 0 | wl55 |
| ***** | TRUE | {"id": *****, "name": "DstIP"} | FALSE | 0 | | FALSE | FALSE | {"id": *****, "name": "DstIP"} | 0 | wl100 |
| 15 | TRUE | {"id": *****, "name": "DstIP"} | FALSE | 0 | | FALSE | FALSE | {"id": *****, "name": "DstIP"} | 0 | wl75 |
| 16 | TRUE | {"id": *****, "name": "DstIP"} | FALSE | 0 | | FALSE | FALSE | {"id": *****, "name": "DstIP"} | 0 | wl76 |
| 17 | TRUE | {"id": *****, "name": "DstIP"} | FALSE | 0 | | FALSE | FALSE | {"id": *****, "name": "DstIP"} | 0 | wl77 |
| 18 | TRUE | {"id": *****, "name": "ASNGeoDst"} | FALSE | 0 | | FALSE | FALSE | {"id": *****, "name": "ASNGeoDst"} | 0 | Test01 |
| 19 | TRUE | {"id": *****, "name": "ASNGeoDst"} | FALSE | 0 | | FALSE | FALSE | {"id": *****, "name": "ASNGeoDst"} | 0 | Test02 |
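
The Key Fields and Result sections above describe two transformations of the List Watchlists Raw Data: collecting the `id` and `name` attributes into the `IDs` and `Names` lists, and summarising the records as an HTML table. The following added example (not D3 SOAR's or Trellix's own code) performs both on a constructed sample in the same shape as the Raw Data above; the ids are placeholders, and `extract_key_fields`, `render_result_table` and `removable_watchlist_ids` are names chosen here. Because watchlist names are free text set by ESM operators, every table cell is HTML-escaped before it is embedded, and the last helper filters out hidden watchlists, which the remove commands below do not support.

```python
import html
import json

# Constructed sample in the shape of the List Watchlists Raw Data above;
# the ids are placeholders, not values from a real ESM instance.
SAMPLE_WATCHLISTS = json.loads("""
[
  {"id": 11, "active": true, "customType": {"id": 1, "name": "DstIP"},
   "scored": false, "valueCount": 0, "errorMsg": "", "dynamic": false,
   "hidden": false, "type": {"id": 1, "name": "DstIP"}, "source": 0,
   "name": "test99"},
  {"id": 7, "active": true, "customType": {"id": 2, "name": "IPAddress"},
   "scored": false, "valueCount": 0, "errorMsg": "", "dynamic": false,
   "hidden": false, "type": {"id": 2, "name": "IPAddress"}, "source": 0,
   "name": "TIE Data Source IPs"},
  {"id": 99, "active": true, "customType": {"id": 1, "name": "DstIP"},
   "scored": false, "valueCount": 3, "errorMsg": "", "dynamic": false,
   "hidden": true, "type": {"id": 1, "name": "DstIP"}, "source": 0,
   "name": "Test <01> & co"}
]
""")

# Key Field label -> attribute of each Raw Data record it is collected from.
KEY_FIELD_MAP = {"IDs": "id", "Names": "name"}

RESULT_COLUMNS = ["id", "active", "customType", "scored", "valueCount", "errorMsg",
                  "dynamic", "hidden", "type", "source", "name"]


def extract_key_fields(raw, field_map=KEY_FIELD_MAP):
    """Collect one list per Key Field across all Raw Data records, in record order."""
    out = {label: [] for label in field_map}
    for record in raw:
        for label, attr in field_map.items():
            if attr in record:
                out[label].append(record[attr])
    return out


def _cell_text(value):
    """Render a JSON value the way the Result table shows it (TRUE/FALSE, inline objects)."""
    if isinstance(value, bool):
        return "TRUE" if value else "FALSE"
    if isinstance(value, (dict, list)):
        return json.dumps(value)
    return "" if value is None else str(value)


def render_result_table(raw, columns=RESULT_COLUMNS):
    """Build the Result summary as an HTML table. Watchlist names are free text
    set by ESM operators, so every cell is HTML-escaped before it is embedded."""
    head = "".join(f"<th>{html.escape(c)}</th>" for c in columns)
    rows = []
    for record in raw:
        cells = "".join(
            f"<td>{html.escape(_cell_text(record.get(c)))}</td>" for c in columns
        )
        rows.append(f"<tr>{cells}</tr>")
    return f"<table><thead><tr>{head}</tr></thead><tbody>{''.join(rows)}</tbody></table>"


def removable_watchlist_ids(raw):
    """Ids a playbook may pass to Remove Values From Watchlist / Remove Watchlist:
    hidden watchlists (e.g. GTI) are not supported by those commands, so skip them."""
    return [r["id"] for r in raw if not r.get("hidden", False)]


if __name__ == "__main__":
    print(json.dumps(extract_key_fields(SAMPLE_WATCHLISTS), indent=2))
    print(render_result_table(SAMPLE_WATCHLISTS))
    print(removable_watchlist_ids(SAMPLE_WATCHLISTS))
```

`extract_key_fields` keeps record order, so the n-th entry of `IDs` and the n-th entry of `Names` always describe the same watchlist, which is what makes the two lists usable together as playbook inputs.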

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Watchlists failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trellix McAfee ESM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: ERROR_InsufficientRights. |

Error Sample Data

List Watchlists failed.

Status Code: 400.

Message: ERROR_InsufficientRights.

Query

Get results from a given index based on a query.

READER NOTE

The parameter Fields is an optional parameter to run this command.

  • Run the List Available Select Fields command to obtain Fields. Fields can be found in the raw data at the path $.[*].name.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Time Range | Optional | The time range to filter results. There is an option to specify a custom time range (CUSTOM), defined using the Start Time and End Time parameters. You can also specify one of the following predefined time ranges: LAST MINUTE, LAST 10 MINUTES, LAST 30 MINUTES, LAST HOUR, CURRENT_DAY, PREVIOUS_DAY, LAST_24_HOURS, LAST_2_DAYS, LAST_3_DAYS, CURRENT_WEEK, PREVIOUS_WEEK, CURRENT_MONTH, PREVIOUS_MONTH, CURRENT_QUARTER, PREVIOUS_QUARTER, CURRENT_YEAR, PREVIOUS_YEAR. | CUSTOM |
| Start Time | Optional | The start time of the custom time range to retrieve results in UTC time if the Time Range parameter is set to CUSTOM. If this field is left empty, the current date and time will be used. | 2022-*****-01 00:00 |
| End Time | Optional | The end time of the custom time range to retrieve results in UTC time if the Time Range parameter is set to CUSTOM. If this field is left empty, the current date and time will be used. | 2022-*****-06 00:00 |
| Filters | Optional | The array of filters in JSON format. | [{"type":"EsmFieldFilter","field":{"name":"EventID"},"operator":"NUMERIC_EQUALS","values":[{"type":"EsmBasicValue","value":"*****"}]}] |
| Fields | Optional | The key fields to return in the response data. A list of fields can be obtained using the List Available Select Fields command. | ["Channel","EventID"] |
| Query Type | Optional | The event type to query. The default value is EVENT. | EVENT |
| Offset | Optional | The offset value to query results. The default value is 0. | 0 |
| Limit | Optional | The maximum number of rows to display in the query results. | 5 |
| Maximum Wait Time | Optional | The maximum number of tries to retrieve the status for the query. Each try has a 5-second interval. The default value is 10. | 10 |

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
{
    "columns": [
        {
            "name": "Alert.8454179"
        },
        {
            "name": "Alert.8454178"
        }
    ],
    "rows": [],
    "qryFields": [
        "Channel",
        "EventID"
    ]
}
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by reconstructing the JSON Array with "Channel" and "EventID" fields.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "Channel": "Microsoft-Windows-Sysmon/Operational",
        "EventID": "*****"
    },
    {
        "Channel": "Microsoft-Windows-Sysmon/Operational",
        "EventID": "*****"
    },
    {
        "Channel": "Microsoft-Windows-Sysmon/Operational",
        "EventID": "*****"
    },
    {
        "Channel": "Microsoft-Windows-Sysmon/Operational",
        "EventID": "*****"
    },
    {
        "Channel": "Microsoft-Windows-Sysmon/Operational",
        "EventID": "*****"
    }
]
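
The Query inputs above (an EsmFieldFilter array, a Time Range that falls back to the current UTC time for empty custom bounds, and a Maximum Wait Time counted in 5-second status polls) and the Context Data reconstruction from `qryFields` are shown together in the following added example, which is not D3 SOAR's or Trellix's code. `FakeEsmClient` is a constructed stand-in for the submit/poll/fetch calls; its method names, the `resultID`, `customStart` and `customEnd` keys, and the assumption that each row is a list of values in `qryFields` order are all assumptions made here, not the real ESM API.

```python
import time
from datetime import datetime, timezone

# Predefined time ranges accepted by the Time Range parameter, as listed above.
PREDEFINED_RANGES = {
    "LAST MINUTE", "LAST 10 MINUTES", "LAST 30 MINUTES", "LAST HOUR",
    "CURRENT_DAY", "PREVIOUS_DAY", "LAST_24_HOURS", "LAST_2_DAYS", "LAST_3_DAYS",
    "CURRENT_WEEK", "PREVIOUS_WEEK", "CURRENT_MONTH", "PREVIOUS_MONTH",
    "CURRENT_QUARTER", "PREVIOUS_QUARTER", "CURRENT_YEAR", "PREVIOUS_YEAR",
}
TIME_INPUT_FORMAT = "%Y-%m-%d %H:%M"  # the 'YYYY-MM-DD HH:MM' form used by Start/End Time


class FakeEsmClient:
    """Constructed stand-in for the three calls the command needs (submit, poll, fetch).
    The method names and payload keys are assumptions, not the real ESM API."""

    def __init__(self, polls_until_complete, columns, rows):
        self._polls_left = polls_until_complete
        self._columns, self._rows = columns, rows
        self.last_request = None

    def execute_query(self, request):
        self.last_request = request
        return {"resultID": 1234}  # placeholder result handle

    def get_status(self, result_id):
        self._polls_left -= 1
        return {"complete": self._polls_left <= 0}

    def get_results(self, result_id, offset, limit):
        return {"columns": self._columns, "rows": self._rows[offset:offset + limit]}


def build_field_filter(field_name, value, operator="NUMERIC_EQUALS"):
    """One entry for the Filters parameter, in the EsmFieldFilter shape shown above."""
    return {"type": "EsmFieldFilter", "field": {"name": field_name},
            "operator": operator,
            "values": [{"type": "EsmBasicValue", "value": str(value)}]}


def build_time_range(time_range, start_time=None, end_time=None, now=None):
    """Resolve Time Range / Start Time / End Time; an empty custom bound defaults
    to the current UTC time, as the parameter descriptions state."""
    if time_range == "CUSTOM":
        now_text = (now or datetime.now(timezone.utc)).strftime(TIME_INPUT_FORMAT)
        return {"timeRange": "CUSTOM",
                "customStart": start_time or now_text,  # assumed key names
                "customEnd": end_time or now_text}
    if time_range not in PREDEFINED_RANGES:
        raise ValueError(f"unknown time range: {time_range!r}")
    return {"timeRange": time_range}


def rows_to_context(result, fields):
    """Context Data reconstruction: one object per row keyed by the requested fields
    (rows are assumed to be value lists in qryFields order)."""
    return [dict(zip(fields, row)) for row in result["rows"]]


def run_query(client, fields, filters, time_range="LAST_24_HOURS", start_time=None,
              end_time=None, query_type="EVENT", offset=0, limit=5,
              max_wait_tries=10, poll_interval=5, sleep=time.sleep):
    """Submit the query, poll its status at most max_wait_tries times (5 s apart by
    default, matching Maximum Wait Time), then fetch one page of rows."""
    request = {"type": query_type,
               "fields": [{"name": f} for f in fields],
               "filters": list(filters),
               **build_time_range(time_range, start_time, end_time)}
    result_id = client.execute_query(request)["resultID"]
    for attempt in range(1, max_wait_tries + 1):
        if client.get_status(result_id).get("complete"):
            break
        if attempt < max_wait_tries:   # no pointless sleep after the final poll
            sleep(poll_interval)
    else:
        raise TimeoutError(f"query {result_id} still running after {max_wait_tries} tries "
                           f"({max_wait_tries * poll_interval} s)")
    raw = client.get_results(result_id, offset, limit)
    raw["qryFields"] = list(fields)
    return raw, rows_to_context(raw, fields)


if __name__ == "__main__":
    # Constructed result set in the shape of the Raw Data above; EventIDs are placeholders.
    client = FakeEsmClient(
        polls_until_complete=3,
        columns=[{"name": "Alert.8454179"}, {"name": "Alert.8454178"}],
        rows=[["Microsoft-Windows-Sysmon/Operational", "1"],
              ["Microsoft-Windows-Sysmon/Operational", "3"]],
    )
    raw, context = run_query(client, ["Channel", "EventID"],
                             [build_field_filter("EventID", 1)], sleep=lambda s: None)
    print(context)
```

The `sleep` parameter is injected so the polling loop can be exercised without waiting; in a playbook the default `time.sleep` gives the 5-second interval the parameter table describes, and a query that is still running after Maximum Wait Time tries surfaces as a Failed state rather than an empty result.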
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| Channel | EventID |
|---|---|
| Microsoft-Windows-Sysmon/Operational | ***** |
| Microsoft-Windows-Sysmon/Operational | ***** |
| Microsoft-Windows-Sysmon/Operational | ***** |
| Microsoft-Windows-Sysmon/Operational | ***** |
| Microsoft-Windows-Sysmon/Operational | ***** |

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Query failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trellix McAfee ESM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Fields Not Found. |

Error Sample Data

Query failed.

Status Code: 404.

Message: Fields Not Found.

Remove Values From Watchlist

Removes values from watchlists. Note: Hidden watchlists (e.g. GTI) are not supported.

READER NOTE

The parameter Watchlist IDs is required to run this command.

  • Run the List Watchlists command to obtain Watchlist IDs. Watchlist IDs can be found in the raw data at the path $.[*].id.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Watchlist IDs | Required | The ID(s) of the watchlist(s) to remove values from. Watchlist IDs can be obtained using the List Watchlists command. | [*****] |
| Values | Required | The string value(s) to remove from the specified watchlist(s). | ["***.***.***.***"] |

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "id": *****,
        "removed value status": "successful",
        "values": [
            "***.***.***.***"
        ]
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "id": *****,
        "removed value status": "successful",
        "values": [
            "***.***.***.***"
        ]
    }
]
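
The Return Data description above distinguishes Successful, Partially Successful and Failed, with Partially Successful reserved for array inputs where some items fail at the API. The following added example (not D3 SOAR's or Trellix's code) shows how that state is derived for Remove Values From Watchlist: each watchlist id is processed on its own, the per-id outcomes are collected into the Raw Data shape shown above, and the Error tab details (status code and message) are kept for the ids that failed. `FakeWatchlistClient`, its `remove_values` method and the two exception classes are constructed stand-ins; the ids and the TEST-NET-1 address are placeholders.

```python
class WatchlistNotFound(Exception):
    """Raised by the stand-in client for an unknown watchlist id (HTTP 404 in the Error tab)."""
    status_code = 404


class HiddenWatchlist(Exception):
    """Raised for hidden watchlists (e.g. GTI), which the command does not support."""
    status_code = 400


class FakeWatchlistClient:
    """Constructed stand-in for the remove-values call; the method name is an assumption."""

    def __init__(self, known_ids, hidden_ids=()):
        self.known, self.hidden = set(known_ids), set(hidden_ids)
        self.removed = {}

    def remove_values(self, watchlist_id, values):
        if watchlist_id not in self.known:
            raise WatchlistNotFound(f"Watchlist IDs Not Found: {watchlist_id}")
        if watchlist_id in self.hidden:
            raise HiddenWatchlist(f"Hidden watchlist {watchlist_id} is not supported")
        self.removed.setdefault(watchlist_id, []).extend(values)


def remove_values_from_watchlists(client, watchlist_ids, values):
    """Process each watchlist id on its own so one bad id does not discard the rest,
    then derive Return Data, Raw Data, Key Fields and the Error tab details."""
    values = [str(v) for v in values]
    raw, errors = [], []
    for wid in watchlist_ids:
        try:
            client.remove_values(wid, values)
            raw.append({"id": wid, "removed value status": "successful",
                        "values": list(values)})
        except (WatchlistNotFound, HiddenWatchlist) as exc:
            errors.append({"id": wid, "status_code": exc.status_code, "message": str(exc)})
    if not raw:
        state = "Failed"                 # every item failed (or nothing was given)
    elif errors:
        state = "Partially Successful"   # array input with at least one failed item
    else:
        state = "Successful"
    return {
        "return_data": state,
        "raw_data": raw,
        "key_fields": {"IDs": [r["id"] for r in raw]},
        "error": errors,
    }


if __name__ == "__main__":
    # Constructed ids and a TEST-NET-1 address; nothing here comes from a real ESM.
    client = FakeWatchlistClient(known_ids={9, 15, 16}, hidden_ids={16})
    print(remove_values_from_watchlists(client, [9, 42], ["192.0.2.10"]))
```

A playbook branching on Return Data can then treat Partially Successful as "re-check the ids listed under `error`" instead of re-running the whole removal, which would re-submit values for the watchlists that already succeeded.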
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "IDs": [*****]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| id | removed value status | values |
|---|---|---|
| ***** | successful | ["***.***.***.***"] |

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Remove Values From Watchlist failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trellix McAfee ESM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Watchlist IDs Not Found. |

Error Sample Data

Remove Values From Watchlist failed.

Status Code: 404.

Message: Watchlist IDs Not Found.

Remove Watchlist

Removes watchlists from the system. Note: Hidden watchlists (e.g. GTI) are not supported.

READER NOTE

The parameter Watchlist IDs is required to run this command.

  • Run the List Watchlists command to obtain Watchlist IDs. Watchlist IDs can be found in the raw data at the path $.[*].id.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Watchlist IDs | Required | The ID(s) of the watchlist(s) to remove. Watchlist IDs can be obtained using the List Watchlists command. | [*****] |

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "id": *****,
        "status": "removed"
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "id": *****,
        "status": "removed"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "IDs": [*****]
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| id | status |
|---|---|
| ***** | removed |

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Remove Watchlist failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trellix McAfee ESM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Watchlist IDs Not Found. |

Error Sample Data

Remove Watchlist failed.

Status Code: 404.

Message: Watchlist IDs Not Found.

Search ESM Alarms

Searches and returns alarms in McAfee ESM based on the specified criteria.

READER NOTE

If no input parameters are defined, the command will run successfully with no returned results.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Start Time | Optional | The start time of the time range to search for alarms in UTC time. | 2022-09-21 00:00 |
| End Time | Optional | The end time of the time range to search for alarms in UTC time. | 2022-11-23 00:00 |
| Key Names | Optional | The keys to return in the response data. The key names are the keys in the returned raw data. Define this parameter to return only select fields. | ["alarmName"] |
| Filters | Optional | The filters to search for alarms. | ["Windows Event Failed to Logon"] |

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

CODE
[
  {
    "filters": "",
    "events": [
      {
        "severity": 19,
        "ruleMessage": "User Logout",
        "eventCount": 1,
        "sourceIp": "***.***.***.***",
        "destIp": "***.***.***.***",
        "lastTime": "2020/01/09 15:57:59",
        "eventId": "*****|*****",
        "eventSubType": "success",
        "protocol": "n/a"
      }
    ],
    "queryId": *****,
    "iocName": "",
    "iocId": *****,
    "timeFilter": "",
    "assigneeId": *****,
    "alertRateMin": 0,
    "alertRateCount": 0,
    "percentAbove": 0,
    "percentBelow": 0,
    "offsetMinutes": 0,
    "maximumConditionTriggerFrequency": 1,
    "useWatchlist": "F",
    "matchField": "DSIDSigID",
    "matchValue": "*****",
    "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
    "escalatedDate": "",
    "caseId": 0,
    "caseName": "",
    "actions": "1\u00*****\u00149\u00*****Email|*****@*****.***, *****@*****.***, *****@*****.***|Alarm Name: Windows Event Failed to Logon\rSummary: Signature ID 'User Logout' (*****) match found\u0014",
    "description": "",
    "id": *****,
    "severity": 100,
    "summary": "Signature ID 'User Logout' (*****) match found",
    "alarmName": "Windows Event Failed to Logon",
    "conditionType": 14,
    "assignee": "admin",
    "triggeredDate": "2020/01/09 15:58:57",
    "acknowledgedDate": "",
    "acknowledgedUsername": null
  },
  {
    "filters": "",
    "events": [
      {
        "severity": 19,
        "ruleMessage": "User Logout",
        "eventCount": 1,
        "sourceIp": "***.***.***.***",
        "destIp": "***.***.***.***",
        "lastTime": "2020/01/09 15:56:24",
        "eventId": "*****|*****",
        "eventSubType": "success",
        "protocol": "n/a"
      }
    ],
    "queryId": *****,
    "iocName": "",
    "iocId": *****,
    "timeFilter": "",
    "assigneeId": *****,
    "alertRateMin": 0,
    "alertRateCount": 0,
    "percentAbove": 0,
    "percentBelow": 0,
    "offsetMinutes": 0,
    "maximumConditionTriggerFrequency": 1,
    "useWatchlist": "F",
    "matchField": "DSIDSigID",
    "matchValue": "*****",
    "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
    "escalatedDate": "",
    "caseId": 0,
    "caseName": "",
    "actions": "1\u00*****\u00149\u00*****Email|*****@*****.***, *****@*****.***, *****@*****.***|Alarm Name: Windows Event Failed to Logon\rSummary: Signature ID 'User Logout' (*****) match found\u0014",
    "description": "",
    "id": *****,
    "severity": 100,
    "summary": "Signature ID 'User Logout' (*****) match found",
    "alarmName": "Windows Event Failed to Logon",
    "conditionType": 14,
    "assignee": "admin",
    "triggeredDate": "2020/01/09 15:57:53",
    "acknowledgedDate": "",
    "acknowledgedUsername": null
  },
  {
    "filters": "",
    "events": [
      {
        "severity": 19,
        "ruleMessage": "User Logout",
        "eventCount": 1,
        "sourceIp": "***.***.***.***",
        "destIp": "***.***.***.***",
        "lastTime": "2020/01/09 15:54:41",
        "eventId": "*****|*****",
        "eventSubType": "success",
        "protocol": "n/a"
      },
      {
        "severity": 19,
        "ruleMessage": "User Logout",
        "eventCount": 1,
        "sourceIp": "***.***.***.***",
        "destIp": "***.***.***.***",
        "lastTime": "2020/01/09 15:53:47",
        "eventId": "*****|*****",
        "eventSubType": "success",
        "protocol": "n/a"
      },
      {
        "severity": 19,
        "ruleMessage": "User Logout",
        "eventCount": 1,
        "sourceIp": "***.***.***.***",
        "destIp": "***.***.***.***",
        "lastTime": "2020/01/09 15:53:41",
        "eventId": "*****|*****",
        "eventSubType": "success",
        "protocol": "n/a"
      }
    ],
    "queryId": *****,
    "iocName": "",
    "iocId": *****,
    "timeFilter": "",
    "assigneeId": *****,
    "alertRateMin": 0,
    "alertRateCount": 0,
    "percentAbove": 0,
    "percentBelow": 0,
    "offsetMinutes": 0,
    "maximumConditionTriggerFrequency": 1,
    "useWatchlist": "F",
    "matchField": "DSIDSigID",
    "matchValue": "*****",
    "healthMonStatus": "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF",
    "escalatedDate": "",
    "caseId": 0,
    "caseName": "",
    "actions": "1\u00*****\u00149\u00*****Email|*****@*****.***, *****@*****.***, *****@*****.***|Alarm Name: Windows Event Failed to Logon\rSummary: Signature ID 'User Logout' (*****) match found\u0014",
    "description": "",
    "id": *****,
    "severity": 100,
    "summary": "Signature ID 'User Logout' (*****) match found",
    "alarmName": "Windows Event Failed to Logon",
    "conditionType": 14,
    "assignee": "admin",
    "triggeredDate": "2020/01/09 15:55:24",
    "acknowledgedDate": "",
    "acknowledgedUsername": null
  }
]
 
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

D3 customizes the Context Data by reconstructing the JSON Array with "sourceIp", "destIp", "alarmName", "summary", "triggeredDate" and "severity" fields.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "sourceIp": [
            "***.***.***.***"
        ],
        "destIp": [
            "***.***.***.***"
        ],
        "alarmName": "Windows Event Failed to Logon",
        "summary": "Signature ID 'User Logout' (*****) match found",
        "triggeredDate": "2020/01/09 15:58:57",
        "severity": 100
    },
    {
        "sourceIp": [
            "***.***.***.***"
        ],
        "destIp": [
            "***.***.***.***"
        ],
        "alarmName": "Windows Event Failed to Logon",
        "summary": "Signature ID 'User Logout' (*****) match found",
        "triggeredDate": "2020/01/09 15:57:53",
        "severity": 100
    },
    {
        "sourceIp": [
            "***.***.***.***",
            "***.***.***.***",
            "***.***.***.***"
        ],
        "destIp": [
            "***.***.***.***",
            "***.***.***.***",
            "***.***.***.***"
        ],
        "alarmName": "Windows Event Failed to Logon",
        "summary": "Signature ID 'User Logout' (*****) match found",
        "triggeredDate": "2020/01/09 15:55:24",
        "severity": 100
    }
]
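
The Search ESM Alarms inputs above (a UTC Start Time / End Time window, Filters, Key Names, and the reader note that no parameters yield no results) and the Context Data reconstruction just shown (per-event `sourceIp` / `destIp` collected into lists next to the alarm-level fields) are implemented in the following added example, which is not D3 SOAR's or Trellix's code. `SAMPLE_ALARMS` is a constructed sample in the shape of the Raw Data above, trimmed to the fields used here, with placeholder ids and TEST-NET addresses; the assumption that Filters match `alarmName` exactly, and the function names, are choices made here.

```python
from datetime import datetime

ESM_DATE_FORMAT = "%Y/%m/%d %H:%M:%S"   # triggeredDate / lastTime in Raw Data
INPUT_DATE_FORMAT = "%Y-%m-%d %H:%M"     # Start Time / End Time parameters

# Constructed sample in the shape of the Raw Data above, trimmed to the fields used
# here; ids and addresses are placeholders.
SAMPLE_ALARMS = [
    {"id": 1001, "alarmName": "Windows Event Failed to Logon", "severity": 100,
     "summary": "Signature ID 'User Logout' (1) match found",
     "triggeredDate": "2020/01/09 15:58:57", "assignee": "admin",
     "events": [{"sourceIp": "192.0.2.10", "destIp": "198.51.100.5", "severity": 19}]},
    {"id": 1002, "alarmName": "Windows Event Failed to Logon", "severity": 100,
     "summary": "Signature ID 'User Logout' (1) match found",
     "triggeredDate": "2020/01/09 15:55:24", "assignee": "admin",
     "events": [{"sourceIp": "192.0.2.10", "destIp": "198.51.100.5", "severity": 19},
                {"sourceIp": "192.0.2.11", "destIp": "198.51.100.5", "severity": 19},
                {"sourceIp": "192.0.2.12", "destIp": "198.51.100.6", "severity": 19}]},
    {"id": 1003, "alarmName": "Test Alarm 03", "severity": 50,
     "summary": "constructed sample", "triggeredDate": "2020/01/08 09:00:00",
     "assignee": "admin", "events": []},
]

CONTEXT_FIELDS = ("sourceIp", "destIp", "alarmName", "summary", "triggeredDate", "severity")


def search_alarms(raw, start_time=None, end_time=None, filters=None):
    """Apply the Start Time / End Time window (UTC) and the Filters list, which is
    assumed here to match alarmName exactly. With no parameters at all the command
    returns no results, as the reader note above states."""
    if not (start_time or end_time or filters):
        return []
    lo = datetime.strptime(start_time, INPUT_DATE_FORMAT) if start_time else None
    hi = datetime.strptime(end_time, INPUT_DATE_FORMAT) if end_time else None
    hits = []
    for alarm in raw:
        if filters and alarm.get("alarmName") not in filters:
            continue
        when = datetime.strptime(alarm["triggeredDate"], ESM_DATE_FORMAT)
        if (lo and when < lo) or (hi and when > hi):
            continue
        hits.append(alarm)
    return hits


def reconstruct_context(raw):
    """Context Data as described above: per-event sourceIp/destIp are collected into
    lists, the alarm-level fields are copied through."""
    context = []
    for alarm in raw:
        events = alarm.get("events") or []
        context.append({
            "sourceIp": [e.get("sourceIp") for e in events],
            "destIp": [e.get("destIp") for e in events],
            "alarmName": alarm.get("alarmName"),
            "summary": alarm.get("summary"),
            "triggeredDate": alarm.get("triggeredDate"),
            "severity": alarm.get("severity"),
        })
    return context


def select_keys(records, key_names=None):
    """Key Names: keep only the requested keys of each record. A key present in no
    record is reported the way the Error tab above shows it ("Key Names Not Found");
    no Key Names means everything is returned."""
    if not key_names:
        return records
    if records:
        missing = [k for k in key_names if not any(k in r for r in records)]
        if missing:
            raise LookupError(f"Key Names Not Found: {', '.join(missing)}")
    return [{k: r[k] for k in key_names if k in r} for r in records]


if __name__ == "__main__":
    hits = search_alarms(SAMPLE_ALARMS, filters=["Windows Event Failed to Logon"])
    print(select_keys(reconstruct_context(hits), ["alarmName", "sourceIp"]))
```

Note the ordering: the time window and Filters are applied to the Raw Data records, and Key Names is applied last, so the list lengths of `sourceIp` and `destIp` in the Context Data still reflect every event that contributed to the alarm.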
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "": 
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| sourceIp | destIp | alarmName | summary | triggeredDate | severity |
|---|---|---|---|---|---|
| ["***.***.***.***"] | ["***.***.***.***"] | Windows Event Failed to Logon | Signature ID 'User Logout' (*****) match found | 2020/01/09 15:58:57 | 100 |
| ["***.***.***.***"] | ["***.***.***.***"] | Windows Event Failed to Logon | Signature ID 'User Logout' (*****) match found | 2020/01/09 15:57:53 | 100 |
| ["***.***.***.***", "***.***.***.***", "***.***.***.***"] | ["***.***.***.***", "***.***.***.***", "***.***.***.***"] | Windows Event Failed to Logon | Signature ID 'User Logout' (*****) match found | 2020/01/09 15:55:24 | 100 |

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Search ESM Alarms failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trellix McAfee ESM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Key Names Not Found. |

Error Sample Data

Search ESM Alarms failed.

Status Code: 404.

Message: Key Names Not Found.

Unacknowledge Triggered Alarm

Marks a triggered alarm as unacknowledged.

READER NOTE

The parameter Alarm IDs is required to run this command.

  • Run the Get Triggered Alarms command to obtain Alarm IDs. Alarm IDs can be found in the raw data at the path $.[*].id.

Input

| Input Parameter | Required/Optional | Description | Example |
|---|---|---|---|
| Alarm IDs | Optional | The ID(s) of triggered alarm(s) to mark as unacknowledged. Triggered alarm IDs can be obtained using the Get Triggered Alarms command. | [*****] |

Output

Return Data

Indicates one of the possible command execution states: Successful, Partially Successful, or Failed.

The Partially Successful state only occurs when a command’s input accepts an array of items (e.g. an array of IP addresses) and one or more items within the array return an error from the API request.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

Return Data can be passed down directly to a subsequent command or used to create conditional tasks in playbooks.

SAMPLE DATA

CODE
Successful
Raw Data

The primary response data from the API request.

SAMPLE DATA

JSON
[
    {
        "AlarmID": "*****",
        "Status": "Unacknowledged"
    }
]
Context Data

The data extracted from Raw Data converted into JSON format. Context Data may be identical to Raw Data in some cases.

It is recommended to refer to the Raw Data instead of Context Data, since it contains the complete API response data. D3 will deprecate Context Data in the future, and playbook tasks using Context Data will be replaced with Raw Data.

SAMPLE DATA

CODE
[
    {
        "AlarmID": "*****",
        "Status": "Unacknowledged"
    }
]
Key Fields

Common cyber security indicators such as unique IDs, file hash values, CVE numbers, IP addresses, etc., will be extracted from Raw Data as Key Fields.

The system stores these key fields in the path $.[playbookTask].outputData. You can use these key-value pairs as data points for playbook task inputs.

SAMPLE DATA

CODE
{
  "AlarmID": ["*****"],
  "Status": ["Unacknowledged"] 
}
Result

Provides a brief summary of outputs in an HTML formatted table.

SAMPLE DATA

| AlarmID | Status |
|---|---|
| ***** | Unacknowledged |

Error Handling

If the Return Data is Partially Successful or Failed, an Error tab will appear in the Test Result window.

The error tab contains the details responded from D3 SOAR or third-party API calls, including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Unacknowledge Triggered Alarm failed. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trellix McAfee ESM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 404. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Alarm ID Not Found. |

Error Sample Data

Unacknowledge Triggered Alarm failed.

Status Code: 404.

Message: Alarm ID Not Found.

Test Connection

Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.

Input

N/A

Output

Return Data

Indicates one of the possible command execution states: Successful or Failed.

The Failed state can be triggered by any of the following errors:

  • A connection issue with the integration

  • The API returned an error message

  • No response from the API

You can view more details about an error in the Error tab.

SAMPLE DATA

CODE
Successful

Error Handling

If the Return Data is Failed, an Error tab will appear in the Test Result window.

The error tab contains the responses from the third-party API calls including Failure Indicator, Status Code, and Message. This can help you locate the root cause of a command failure.

| Parts in Error | Description | Example |
|---|---|---|
| Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Test Connection failed. Failed to check the connector. |
| Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Trellix McAfee ESM portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
| Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: ERROR_InsufficientRights. |

Error Sample Data

Test Connection failed. Failed to check the connector.

Status Code: 400.

Message: ERROR_InsufficientRights.
