IOCs Extraction
This command identifies and classifies indicators of compromise (IOCs) found in free text, such as URLs, IP addresses, domains, email addresses, file hashes, registry key paths and MITRE ATT&CK technique IDs, and returns them as a structured JSON object keyed by indicator type. Defanged indicators (for example 8[.]8[.]8[.]8) are refanged in the output, and private addresses such as 192.168.1.1 are returned alongside public ones, so filter internal ranges downstream before enrichment or blocking.
| Implementation | Python |
|---|---|
| Command Category | System Utility |
| Tags | ARTIFACT, IOC |
Inputs
| Parameter Name | Required/Optional | Description | Sample Data |
|---|---|---|---|
| Raw Text | Optional | The free text from which IOCs are extracted. | See the sample request below. |
Output
Remote Command API
The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.
Request
POST
https://{base_url}/{api_namespace}/api/Command/IOCsExtraction
Headers
Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.
Request Body
{
"Username": <Username here>,
"Site": <Site here>,
"CommandParams": {
"Raw Text": <>
}
}
Body Parameters
| Parameter Name | Type | Required/Optional | Description |
|---|---|---|---|
| Username | String | Required | The username of your D3 SOAR account. |
| Site | String | Required | The D3 SOAR site to run the remote command. |
| Raw Text | String | Optional | The free text from which IOCs are extracted. |
Sample Request
SAMPLE DATA
{
"Username": "Admin",
"Site": "Security Operations",
"CommandParams": {
"Raw Text": "216.251.148.1 192.168.1.1 ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft https://www.google.com\r\n T1055 8[.]8[.]8[.]8 sample@d3security.com"
}
}
Response
Response Fields
| Field Name | Type | Description |
|---|---|---|
| error | String | The error message if the API request has failed; empty on success. |
| returnData | Object | The extracted IOCs, grouped by indicator type (see the sample response below). |
Sample Response
{
"error": "",
"returnData": {
"urls": [
"https://www.google.com"
],
"xmpp_addresses": [],
"email_addresses_complete": [
"sample@d3security.com"
],
"email_addresses": [
"sample@d3security.com"
],
"ipv4_cidrs": [],
"imphashes": [],
"authentihashes": [],
"domains": [
"www.google.com",
"d3security.com"
],
"ipv4s": [
"8.8.8.8",
"216.251.148.1",
"192.168.1.1"
],
"ipv6s": [],
"sha512s": [],
"sha256s": [
"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
],
"sha1s": [],
"md5s": [],
"ssdeeps": [],
"asns": [],
"cves": [],
"registry_key_paths": [
"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft"
],
"google_adsense_publisher_ids": [],
"google_analytics_tracker_ids": [],
"bitcoin_addresses": [],
"monero_addresses": [],
"mac_addresses": [],
"user_agents": [],
"tlp_labels": [],
"attack_mitigations": {
"enterprise": [],
"mobile": []
},
"attack_tactics": {
"pre_attack": [],
"enterprise": [],
"mobile": []
},
"attack_techniques": {
"pre_attack": [],
"enterprise": [
"T1055"
],
"mobile": []
},
"file_paths": []
}
}
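As an added illustration (this is not D3's implementation; the regexes and classification logic behind the command are not published on this page), the following Python extractor produces a subset of the returnData keys shown above from the sample Raw Text. It refangs 8[.]8[.]8[.]8-style and hxxp:// indicators before matching, deduplicates while keeping first-seen order, and adds a helper that drops non-global IPv4 addresses, since the command returns 192.168.1.1 alongside public addresses. The refanging rules, the regexes, and the choice to file every technique ID under "enterprise" are assumptions made for the example.

```python
import ipaddress
import json
import re

# Refang common analyst defanging conventions before matching.
# Assumption: these are the conventions handled; D3's own list is not documented on this page.
_REFANG = [
    (re.compile(r"\[(?:\.|dot)\]", re.I), "."),
    (re.compile(r"\((?:\.|dot)\)", re.I), "."),
    (re.compile(r"\[(?:@|at)\]", re.I), "@"),
    (re.compile(r"\bhxxp(s?)://", re.I), r"http\1://"),
]


def refang(text: str) -> str:
    """Undo defanging so the indicator regexes below see canonical forms."""
    for pattern, replacement in _REFANG:
        text = pattern.sub(replacement, text)
    return text


# Indicator patterns (illustrative). Hash patterns use exact lengths bounded by \b,
# so a SHA-256 is never also reported as an MD5 or SHA-1 substring.
_PATTERNS = {
    "urls": re.compile(r"\bhttps?://[^\s\"'<>]+", re.I),
    "email_addresses": re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "domains": re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.I),
    "ipv4s": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "sha256s": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "sha1s": re.compile(r"\b[a-f0-9]{40}\b", re.I),
    "md5s": re.compile(r"\b[a-f0-9]{32}\b", re.I),
    "cves": re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.I),
    "registry_key_paths": re.compile(
        r"\b(?:HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER|HKEY_CLASSES_ROOT|HKEY_USERS"
        r"|HKEY_CURRENT_CONFIG|HKLM|HKCU|HKCR|HKU)(?:\\[^\\\s]+)+"
    ),
}
_ATTACK_TECHNIQUE = re.compile(r"\bT\d{4}(?:\.\d{3})?\b")


def _unique(values):
    """Deduplicate while preserving first-seen order."""
    return list(dict.fromkeys(values))


def extract_iocs(raw_text: str) -> dict:
    """Return a subset of the returnData keys shown in the sample response above."""
    text = refang(raw_text)
    result = {key: _unique(m.group(0) for m in pat.finditer(text)) for key, pat in _PATTERNS.items()}
    # Assumption: every technique ID is filed under "enterprise". A real classifier would look
    # the ID up in the ATT&CK catalogue to place it in the enterprise, mobile or pre_attack domain.
    result["attack_techniques"] = {
        "pre_attack": [],
        "enterprise": _unique(m.group(0) for m in _ATTACK_TECHNIQUE.finditer(text)),
        "mobile": [],
    }
    return result


def public_ipv4s(result: dict) -> list:
    """The command returns private addresses (192.168.1.1 in the sample) next to public ones;
    drop non-global addresses before enrichment or blocking."""
    return [ip for ip in result["ipv4s"] if ipaddress.ip_address(ip).is_global]


# Constructed input: the Raw Text value from the sample request on this page.
SAMPLE_RAW_TEXT = (
    "216.251.148.1 192.168.1.1 "
    "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad "
    "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft https://www.google.com\r\n "
    "T1055 8[.]8[.]8[.]8 sample@d3security.com"
)

if __name__ == "__main__":
    print(json.dumps({"error": "", "returnData": extract_iocs(SAMPLE_RAW_TEXT)}, indent=2))
```

The ipv4s list comes out in first-seen order rather than the set order shown in the sample response; consumers should treat each list as unordered. The domain list is derived from URLs and email addresses as well as bare hostnames, which is why both www.google.com and d3security.com appear.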