Breadcrumbs

Look Up Artifact Details

Last updated: Feb 27, 2024

Look up artifact details

Implementation

System

Command Category

System Utility

Tags

artifact

Inputs

Parameter Name

Required/Optional

Description

Sample Data

Artifact Name

Required

The name of the artifact

D3CYBER-DC

Artifact Type

Optional

Artifact type

Internal Endpoint

Output

Return Data

The returned result of this command. If some required parameters are not defined, this returned data could be empty. The returned result can be passed down directly to a subsequent command in playbooks.

Sample Data

JSON
Successful
Context Data

The response data from the utility command.

Sample Data

JSON
[
    {
        "FirstSeen": "02/18/2020 06:45 PM UTC",
        "LastSeen": "01/07/2022 08:40 PM UTC",
        "Id": 386425,
        "AFTypeName": "Internal Endpoint",
        "AFName": "D3CYBER-DC",
        "imgURL": "/images/cyber/New_Internal_Endpoint_50px.png",
        "techId": "d89a8e79-275a-e911-80ce-64006a25830f",
        "techName": "Data from Removable Media",
        "techNum": 7,
        "techniqueString": "Data from Removable Media, Drive-by Compromise, Gather Victim Host Information, Gather Victim Host Information: Firmware, Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Timestomp, User Execution",
        "tacticName": "Collection",
        "tacticNum": 5,
        "tacticString": "Collection, Defense Evasion, Execution, Initial Access, Reconnaissance",
        "riskLevel": "N/A",
        "allowDownload": false,
        "allowDelete": true
    },
    {
        "Related Events": [
            60088,
            60087
        ],
        "Related Incidents": [
            "20220114-11",
            "20210422-30",
            "20210417-27",
            "20200930-36",
            "20200925-35",
            "20200925-34",
            "20200911-6",
            "20200911-5",
            "20200911-4"
        ]
    }
]

Remote Command API

The D3 command API allows you to send requests to D3 SOAR to execute this utility command via REST API.

Request

POST

https:/{base_url}/{api_namespace}/api/Command/LookUpArtifactDetails

Headers

Please refer to the page Webhook Configuration Guide - Authentication Method: API Keys for more details.

Request Body

JSON
{
  "Username": <Username here>,
  "Site": <Site here>,
  "CommandParams": {
    "Artifact Name": <Artifact Name here>,
    "Artifact Type": <Artifact Type here>
  }
}

Body Parameters

Parameter Name

Type

Required/Optional

Description

Username

String

Required

The username of your D3 SOAR account.

Site

String

Required

The D3 SOAR site to run the remote command.

Artifact Name

Text

Required

The name of the artifact

Artifact Type

Number

Optional

Artifact type

Sample Request

Sample Data

JSON
{
  "Username": "Admin",
  "Site": "Security Operations",
  "CommandParams": {
    "Artifact Name": "D3CYBER-DC",
    "Artifact Type": "Internal Endpoint"
  }
}

Response

Response Fields

Field Name

Type

Description

error

Text

The error message if the API request has failed.

returnData

Text

The return data from the API request.

contextData

JSON Array

The context data from the API request.

Sample Response

JSON
{
    "error": "",
    "returnData": "Successful",
    "contextData": [
        {
            "FirstSeen": "02/18/2020 06:45 PM UTC",
            "LastSeen": "01/07/2022 08:40 PM UTC",
            "Id": 386425,
            "AFTypeName": "Internal Endpoint",
            "AFName": "D3CYBER-DC",
            "imgURL": "/images/cyber/New_Internal_Endpoint_50px.png",
            "techId": "d89a8e79-275a-e911-80ce-64006a25830f",
            "techName": "Data from Removable Media",
            "techNum": 7,
            "techniqueString": "Data from Removable Media, Drive-by Compromise, Gather Victim Host Information, Gather Victim Host Information: Firmware, Man-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Timestomp, User Execution",
            "tacticName": "Collection",
            "tacticNum": 5,
            "tacticString": "Collection, Defense Evasion, Execution, Initial Access, Reconnaissance",
            "riskLevel": "N/A",
            "allowDownload": false,
            "allowDelete": true
        },
        {
            "Related Events": [
                60088,
                60087
            ],
            "Related Incidents": [
                "20220114-11",
                "20210422-30",
                "20210417-27",
                "20200930-36",
                "20200925-35",
                "20200925-34",
                "20200911-6",
                "20200911-5",
                "20200911-4"
            ]
        }
    ]
}