Add New Artifacts in Event Playbook
Adds new artifacts of the selected type
Implementation | Python |
Command Category | System Utility |
Tags |
|
Inputs
Parameter Name | Required/Optional | Description | Sample Data |
---|---|---|---|
Source Type | Optional | NOT AVAILABLE |
|
Artifact Type | Optional | The type of the artifact(s). The command supports both system artifact and user-defined artifact types. System composite artifact types include: URL, User, File, ExternalEndpoint, InternalEndpoint, EmailAddress, Process, Service, Module, Driver, Signature, Certificate, Registry. System single-field artifact types include: Username, Filename, File Hash SHA256, File Hash MD5, File Hash SHA1, Process Guid, Signature Identity, Host Name, Internal Endpoint Domain Name, Internal IP, External Endpoint Domain Name, External IP, Registry Key. If this parameter is left blank, the command will automatically detect and match system composite artifact types based on the values provided in Artifact Fields. | |
Artifact Fields | Optional | The value of the artifact(s). For system composite artifact types, please adhere to the JSON format provided in the sample data. For single-field artifacts, an identity field must be provided along with any additional fields and reputation. |
JSON
|
Output
Remote Command API
The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.
Request
POST
https://{base_url}/{api_namespace}/api/Command/addNewArtifact
Headers
Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.
Request Body
{
"Username": <Username here>,
"Site": <Site here>,
"CommandParams": {
"Source Type": <Source Type here>,
"Artifact Type": <Artifact Type here>,
"Artifact Fields": <Artifact Fields here>
}
}
Body Parameters
Parameter Name | Type | Required/Optional | Description |
---|---|---|---|
Username |
| Required | The username of your D3 SOAR account. |
Site |
| Required | The D3 SOAR site to run the remote command. |
Source Type |
| Optional | |
Artifact Type |
| Optional | The type of the artifact(s). The command supports both system artifact and user-defined artifact types. System composite artifact types include: URL, User, File, ExternalEndpoint, InternalEndpoint, EmailAddress, Process, Service, Module, Driver, Signature, Certificate, Registry. System single-field artifact types include: Username, Filename, File Hash SHA256, File Hash MD5, File Hash SHA1, Process Guid, Signature Identity, Host Name, Internal Endpoint Domain Name, Internal IP, External Endpoint Domain Name, External IP, Registry Key. If this parameter is left blank, the command will automatically detect and match system composite artifact types based on the values provided in Artifact Fields. |
Artifact Fields |
| Optional | The value of the artifact(s). For system composite artifact types, please adhere to the JSON format provided in the sample data. For single-field artifacts, an identity field must be provided along with any additional fields and reputation. |
Sample Request
SAMPLE DATA
{
"Username": "Admin",
"Site": "Security Operations",
"CommandParams": {
"Source Type": "Trigger Output Data",
"Artifact Type": null,
"Artifact Fields": [
{
"Internal_HostName": "InternalHost",
"Internal_IPAddress": "192.168.1.1",
"Internal_HostFQDN": "internalEndpoint.com"
},
{
"External_HostName": "ExternalHost",
"External_IPAddress": "64.233.161.147",
"External_HostFQDN": "externalEndpoint.com",
"REP": {
"RiskLevel": "low"
}
},
{
"Url": "http://sampleurl.com",
"REP": {
"RiskLevel": "low"
}
},
{
"FileName": "sampleFile",
"FilePath": "samplePath",
"SHA256": "5e966c80f6122cd1c766e1c6c45fba3584940f9d99135ab7fe8fa000f859c469",
"MD5": "098f6bcd4621d373cade4e832627b4f6",
"SHA1": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
"REP": {
"RiskLevel": "High"
}
},
{
"UserName": "sampleUser",
"UserFQDN": "sampleUser.com"
},
{
"EmailAddress": "sampleEmailAddress@gmail.com"
},
{
"DriverBaseAddr": "sampleDriver.com"
},
{
"ProcessGuid": "1589170327575",
"ProcessName": "powershell.exe",
"ProcessID": "21721",
"ProcessIntegrityLevel": "",
"ProcessCurrentDirectory": "",
"ProcessCommandLine": "powershell -Command $File=\\C:\\Users\\devin\\AppData\\Local\\Temp\\bbotstage.png\\;$Content=get-content $File;$Contento=[System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String($Content));Set-ExecutionPolicy Bypass -Scope Process -Force;IEX($Contento)",
"ProcessOS": ""
},
{
"RegistryKey": "sampleKey",
"RegistryPath": "samplePath",
"RegistryValueName": "sampleRegistryValueName",
"RegistryValueData": "sampleRegistryValueData",
"RegistryDetails": "sampleRegistryDetails"
},
{
"ServiceId": "sampleServiceId",
"ServiceName": "sampleServiceName",
"ServiceStartMode": "sampleServiceStartMode",
"ServiceStatus": "sampleServiceStatus"
},
{
"ModuleBaseAddr": "sampleModuleBaseAddr.com"
},
{
"Signature": "sampleSignature",
"SignatureID": "sampleSignatureID",
"SignatureSeverity": "Low",
"SignatureSource": "sampleSignatureSource",
"SignatureType": "sampleSignatureType"
},
{
"CertName": "sampleCertName",
"CertSerial": "sampleCertSerial"
},
{
"Identity": "customartifactid",
"REP": {
"RiskLevel": "High"
},
"Additional": {
"Action result": "action result update",
"Action result ID": "",
"Action taken": "",
"Affected Machine Name": "affected Machines Name"
}
}
]
}
}
Response
Response Fields
Field Name | Type | Description |
---|---|---|
error |
| The error message if the API request has failed. |
returnData |
| The return data from the API request. |
Sample Response
{
"error": "",
"returnData": " {
"AFTypeId": 6,
"RoleId": 1301,
"EmailAddr": "sampleSender@gmail.com",
"REP": null
},
{
"AFTypeId": 6,
"RoleId": 1302,
"EmailAddr": "sampleRecipient@gmail.com",
"REP": null
},
{
"AFTypeId": 6,
"RoleId": 1303,
"EmailAddr": "sampleOriginalSender@gamil.com",
"REP": null
},
{
"AFTypeId": 6,
"RoleId": 1304,
"EmailAddr": "sampleOriginalRecipient@gmail.com",
"REP": null
},
{
"AFTypeId": 6,
"RoleId": 1306,
"EmailAddr": "sampleToRecipient@gmail.com",
"REP": null
},
{
"AFTypeId": 6,
"RoleId": 1307,
"EmailAddr": "sampleCcRecipient@gmail.com",
"REP": null
}
],
"Files": [
{
"AFTypeId": 4,
"RoleId": 300,
"REP": null,
"FileName": "sampleFile",
"FilePath": "samplePath",
"SHA256": "5e966c80f6122cd1c766e1c6c45fba3584940f9d99135ab7fe8fa000f859c469",
"MD5": "098f6bcd4621d373cade4e832627b4f6",
"SHA1": "a94a8fe5ccb19ba61c4c0873d391e987982fbbd3",
"FileSignatureExists": "True",
"FileSignatureVerified": "True",
"FileVersion": "1.0",
"FileDesc": "Sample file",
"CreationUtcTime": "2022-06-16",
"PreviousCreationUtcTime": "2022-06-15",
"FileAccessTimeUtc": "2022-06-15",
"FileModifyTimeUtc": "2022-06-15"
}
],
"InternalURLs": [
{
"AFName": "test3.com",
"AFTypeId": 3,
"RoleId": 1200,
"REP": null,
"UrlHash": "de8190c59e122d397cf759e01c83feebd1e0d94b382a44ff33df008e4395f63c",
"Url": "test3.com"
}
],
"Drivers": [
{
"AFTypeId": 10,
"RoleId": 500,
"REP": null,
"DriverBaseAddr": "sampleDriver.com"
}
]
}",
}