Get Artifact Detail

This command supports the retrieval of detailed information for both custom and system artifacts and streamlines the process by allowing users to look up details for multiple artifacts simultaneously. This command requires at least the input of an artifact name. If the artifact type is left blank, the command will automatically detect and match the provided artifact name.

Reader Note

Please note that this command is not publicly available. To request access, please contact D3 support.

Implementation	System
Command Category	System Utility
Tags	ARTIFACT

Inputs

Parameter Name	Required/Optional	Description	Sample Data
Artifact Info	Required	The JSON array with pairs of artifact names and artifact types for querying. The command supports both system artifact and user-defined artifact types. System composite artifact types include: URL, User, File, ExternalEndpoint, InternalEndpoint, EmailAddress, Process, Service, Module, Driver, Signature, Certificate, Registry. System single-field artifact types include: Username, Filename, File Hash SHA256, File Hash MD5, File Hash SHA1, Process Guid, Signature Identity, Host Name, Internal Endpoint Domain Name, Internal IP, External Endpoint Domain Name, External IP, Registry Key. If this parameter is left blank, the command will automatically detect and match the provided artifact name.	CODE `[ { "Artifact Name": "192.168.87.104", "Artifact Type": "Internal Endpoint" }, { "Artifact Name": "user1", "Artifact Type": "User" }, { "Artifact Name": "customartifactid", "Artifact Type": "test01" } ]`

Output

Return Data

The returned result of this command. If some required parameters are not defined, this returned data could be empty. The returned result can be passed down directly to a subsequent command in playbooks.

SAMPLE DATA

CODE

{

    "Status": "Successful",

    "Results": {

        "Successful List": [

            {

                "Artifact Unique Id": "FFB6376C-90E1-466E-A187-C5EBBDA193D7",

                "IP Address": "192.168.87.104",

                "Related Event Count": 16,

                "Related Incident Count": 5,

                "First Seen": "2021-10-15 23:59:31",

                "Last Seen": "2021-10-27 23:05:05",

                "Artifact Name": "192.168.87.104",

                "Artifact Type": "Internal Endpoint",

                "Is User Defined": "No",

                "Is Single Identity Field": "No",

                "Risk Level": "N/A",

                "Is Key Asset": "False",

                "Technique": null,

                "Tactic": null,

                "Last 10 Related Event IDs": [

                    29,

                    27,

                    25,

                    23,

                    20,

                    11,

                    10,

                    9,

                    8,

                    7

                ],

                "Last 10 Related Incident Numbers": [

                    "20211027-9",

                    "20211027-8",

                    "20211027-4",

                    "20211015-3",

                    "20211015-2"

                ]

            },

            {

                "Artifact Unique Id": "2D5F83FB-45C8-4D9C-99E4-5E2CB8739DB9",

                "User Name": "user1",

                "Related Event Count": 16,

                "Related Incident Count": 5,

                "First Seen": "2021-10-15 23:59:31",

                "Last Seen": "2021-10-27 23:05:05",

                "Artifact Name": "user1",

                "Artifact Type": "User",

                "Is User Defined": "No",

                "Is Single Identity Field": "No",

                "Risk Level": "N/A",

                "Is Key Asset": "False",

                "Technique": null,

                "Tactic": null,

                "Last 10 Related Event IDs": [

                    29,

                    27,

                    25,

                    23,

                    20,

                    11,

                    10,

                    9,

                    8,

                    7

                ],

                "Last 10 Related Incident Numbers": [

                    "20211027-9",

                    "20211027-8",

                    "20211027-4",

                    "20211015-3",

                    "20211015-2"

                ]

            },

            {

                "Artifact Unique Id": "2F049802-3FB0-44C4-9EED-4F96E42CD9E9",

                "Related Event Count": 1,

                "Related Incident Count": 2,

                "First Seen": "2024-01-29 21:24:04",

                "Last Seen": "2024-01-29 21:24:04",

                "Artifact Name": "customartifactid",

                "Artifact Type": "test01",

                "Is User Defined": "Yes",

                "Is Single Identity Field": "Yes",

                "Risk Level": "N/A",

                "Is Key Asset": "False",

                "Technique": null,

                "Tactic": null,

                "Last 10 Related Event IDs": [

                    4

                ],

                "Last 10 Related Incident Numbers": [

                    "20230914-3",

                    "20211015-2"

                ]

            }

        ],

        "Failed List": []

    }

}

Remote Command API

The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.

Request

POST

CODE

https:/{base_url}/{api_namespace}/api/Command/GetArtifactDetail

Headers

Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.

Request Body

CODE

{

  "Username": <Username here>,

  "Site": <Site here>,

  "CommandParams": {

	"Artifact Info": <Artifact Info here>

  }

}

Body Parameters

Parameter Name	Type	Required/Optional	Description
Username	`String`	Required	The username of your D3 SOAR account.
Site	`String`	Required	The D3 SOAR site to run the remote command.
Artifact Info	`JSON Array`	Optional	The JSON array with pairs of artifact names and artifact types for querying. The command supports both system artifact and user-defined artifact types. System composite artifact types include: URL, User, File, ExternalEndpoint, InternalEndpoint, EmailAddress, Process, Service, Module, Driver, Signature, Certificate, Registry. System single-field artifact types include: Username, Filename, File Hash SHA256, File Hash MD5, File Hash SHA1, Process Guid, Signature Identity, Host Name, Internal Endpoint Domain Name, Internal IP, External Endpoint Domain Name, External IP, Registry Key. If this parameter is left blank, the command will automatically detect and match the provided artifact name.

Sample Request

SAMPLE DATA

CODE

{

  "Username": "Admin",

  "Site": "Security Operations",

  "CommandParams": {

    "Artifact Info": [

      {

        "Artifact Name": "192.168.87.104",

        "Artifact Type": "Internal Endpoint"

      },

      {

        "Artifact Name": "user1",

        "Artifact Type": "User"

      },

      {

        "Artifact Name": "customartifactid",

        "Artifact Type": "test01"

      }

    ]

  }

}

Response

Response Fields

Field Name	Type	Description
error	`String`	The error message if the API request has failed.
returnData	`String`	The return data from the API request.

Sample Response

CODE

{

    "error": "",

    "returnData": {

        "Status": "Partially Successful",

        "Results": {

            "Successful List": [

                {

                    "Artifact Unique Id": "F6D3B734-8154-467F-AC06-11D69950FF70",

                    "Related Event Count": 0,

                    "Related Incident Count": 0,

                    "First Seen": "2024-02-05 18:31:33",

                    "Last Seen": "2024-02-05 18:31:33",

                    "Artifact Name": "customartifactid",

                    "Artifact Type": "test",

                    "Is User Defined": "Yes",

                    "Is Single Identity Field": "Yes",

                    "Additional": {},

                    "Risk Level": "N/A",

                    "Is Key Asset": "False",

                    "Technique": null,

                    "Tactic": null,

                    "Artifact Notes": [

                        {

                            "NoteID": 3,

                            "Content": "!@#$%&&%",

                            "LastModifiedBy": "Admin User",

                            "CreatedUTCDate": "2024-02-17T01:04:50.723",

                            "LastModifiedUTCDate": "2024-02-17T01:04:50.723"

                        },

                        {

                            "NoteID": 2,

                            "Content": "dasfsafsa",

                            "LastModifiedBy": "Admin User",

                            "CreatedUTCDate": "2024-02-17T01:04:39.023",

                            "LastModifiedUTCDate": "2024-02-17T01:04:39.023"

                        },

                        {

                            "NoteID": 1,

                            "Content": "dafsadfsadf",

                            "LastModifiedBy": "Admin User",

                            "CreatedUTCDate": "2024-02-17T01:04:36.21",

                            "LastModifiedUTCDate": "2024-02-17T01:04:36.21"

                        }

                    ],

                    "Last 10 Related Event IDs": [],

                    "Last 10 Related Incident Numbers": []

                }

            ],

            "Failed List": [

                {

                    "Artifact Name": "192.168.87.104",

                    "Error": "The Artifact does not exits!",

                    "Artifact Type": "Internal Endpoint"

                },

                {

                    "Artifact Name": "user1",

                    "Error": "The Artifact does not exits!",

                    "Artifact Type": "User"

                }

            ]

        }

    }

}