Look Up Artifact Details

Look up artifact details

Implementation	System
Command Category	System Utility
Tags	ARTIFACT

Inputs

Parameter Name	Required/Optional	Description	Sample Data
Artifact Name	Required	The name of the artifact	`D3CYBER-DC`
Artifact Type	Optional	Artifact type	`Internal Endpoint`

Output

Return Data

The returned result of this command. If some required parameters are not defined, this returned data could be empty. The returned result can be passed down directly to a subsequent command in playbooks.

SAMPLE DATA

JSON

Successful

Context Data

The response data from the utility command.

SAMPLE DATA

JSON

[
    {
        "FirstSeen": "02/18/2020 06:45 PM UTC",
        "LastSeen": "01/07/2022 08:40 PM UTC",
        "Id": 386425,
        "AFTypeName": "Internal Endpoint",
        "AFName": "D3CYBER-DC",
        "imgURL": "/images/cyber/New_Internal_Endpoint_50px.png",
        "techId": "d89a8e79-275a-e911-80ce-64006a25830f",
        "techName": "Data from Removable Media",
        "techNum": 7,
        "techniqueString": "Data from Removable Media, Drive-by Compromise, Gather Victim Host Information, Gather Victim Host Information: Firmware, Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Timestomp, User Execution",
        "tacticName": "Collection",
        "tacticNum": 5,
        "tacticString": "Collection, Defense Evasion, Execution, Initial Access, Reconnaissance",
        "riskLevel": "N/A",
        "allowDownload": false,
        "allowDelete": true
    },
    {
        "Related Events": [
            60088,
            60087
        ],
        "Related Incidents": [
            "20220114-11",
            "20210422-30",
            "20210417-27",
            "20200930-36",
            "20200925-35",
            "20200925-34",
            "20200911-6",
            "20200911-5",
            "20200911-4"
        ]
    }
]

Remote Command API

The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.

Request

POST

CODE

https:/{base_url}/{api_namespace}/api/Command/LookUpArtifactDetails

Headers

Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.

Request Body

JSON

{
  "Username": <Username here>,
  "Site": <Site here>,
  "CommandParams": {
    "Artifact Name": <Artifact Name here>,
    "Artifact Type": <Artifact Type here>
  }
}

Body Parameters

Parameter Name	Type	Required/Optional	Description
Username	`String`	Required	The username of your D3 SOAR account.
Site	`String`	Required	The D3 SOAR site to run the remote command.
Artifact Name	`Text`	Required	The name of the artifact
Artifact Type	`Number`	Optional	Artifact type

Sample Request

SAMPLE DATA

JSON

{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Artifact Name": "D3CYBER-DC",
    "Artifact Type": "Internal Endpoint"
  }
}

Response

Response Fields

Field Name	Type	Description
error	`Text`	The error message if the API request has failed.
returnData	`Text`	The return data from the API request.
contextData	`JSON Array`	The context data from the API request.

Sample Response

JSON

{
    "error": "",
    "returnData": "Successful",
    "contextData": [
        {
            "FirstSeen": "02/18/2020 06:45 PM UTC",
            "LastSeen": "01/07/2022 08:40 PM UTC",
            "Id": 386425,
            "AFTypeName": "Internal Endpoint",
            "AFName": "D3CYBER-DC",
            "imgURL": "/images/cyber/New_Internal_Endpoint_50px.png",
            "techId": "d89a8e79-275a-e911-80ce-64006a25830f",
            "techName": "Data from Removable Media",
            "techNum": 7,
            "techniqueString": "Data from Removable Media, Drive-by Compromise, Gather Victim Host Information, Gather Victim Host Information: Firmware, Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Timestomp, User Execution",
            "tacticName": "Collection",
            "tacticNum": 5,
            "tacticString": "Collection, Defense Evasion, Execution, Initial Access, Reconnaissance",
            "riskLevel": "N/A",
            "allowDownload": false,
            "allowDelete": true
        },
        {
            "Related Events": [
                60088,
                60087
            ],
            "Related Incidents": [
                "20220114-11",
                "20210422-30",
                "20210417-27",
                "20200930-36",
                "20200925-35",
                "20200925-34",
                "20200911-6",
                "20200911-5",
                "20200911-4"
            ]
        }
    ]
}