Splunk SOAR (f.k.a. Phantom)

Phantom MISP "Run Query" action

dphegarty
New Member

I am attempting to use the "Run Query" action from the Phantom MISP app.

PARAMETER     REQUIRED   DESCRIPTION                                                        TYPE      CONTAINS
event_id      optional   Comma-separated list of Event IDs (allows comma-separated lists)   string    misp event id
controller    required   Search for events or attributes                                    string
other         optional   Other search parameters, as a JSON object                          string
max_results   optional   Max results to return                                              numeric
tags          optional   Comma-separated list of tags                                       string

How do I pass it other search parameters in the "other" field? I've tried multiple times and cannot figure out the correct format.

I've tried -
{ "value": "1.1.1.1" }
{\"value\": \"1.1.1.1\'}
"value": "1.1.1.1"
plus many more

Below is the error I am getting:

Wed Oct 30 2019 18:30:53 GMT-0500 (Central Daylight Time): 'run_query_1' on asset 'dentons us misp': 2 actions failed. (1)For Parameter: {"context":{"artifact_id":0,"guid":"bc1399b8-cf87-4d9e-8774-cfaf49ec16a0","parent_action_run":[]},"controller":"attributes","max_results":"1","other":"{\"value\": \"1.1.1.1\"}"} Message: "". (2)For Parameter: {"context":{"artifact_id":0,"guid":"bc1399b8-cf87-4d9e-8774-cfaf49ec16a0","parent_action_run":[]},"controller":"attributes","max_results":"1","other":"{\"value\": \"1.1.1.1\"}"} Message: "handle_action exception occurred. Error string: 'response'"
Wed Oct 30 2019 18:30:53 GMT-0500 (Central Daylight Time): 'run_query_1' on asset 'dentons us misp' completed with status: 'failed'. Action Info: [{"app_name":"MISP","asset_name":"dentons us misp","param":{"other": "{\"value\": \"1.1.1.1\"}", "context": {"guid": "bc1399b8-cf87-4d9e-8774-cfaf49ec16a0", "artifact_id": 0, "parent_action_run": []}, "controller": "attributes", "max_results": "1"},"status":"failed","message":""},{"app_name":"MISP","asset_name":"dentons us misp","param":{"other": "{\"value\": \"1.1.1.1\"}", "context": {"guid": "bc1399b8-cf87-4d9e-8774-cfaf49ec16a0", "artifact_id": 0, "parent_action_run": []}, "controller": "attributes", "max_results": "1"},"status":"failed","message":"handle_action exception occurred. Error string: 'response'"}]
Wed Oct 30 2019 18:30:53 GMT-0500 (Central Daylight Time): action 'run query' did not have any callback. The action is now marked completed

Playbook 'Testing Artifact Lookup' (playbook id: 281) executed (playbook run id: 358) on splunk_web_check 'Sophos Malicious Web Blocks'(container id: 1314).
Playbook execution status is 'failed'
Total actions executed: 1
Action 'run_query_1'(run query)
Status: failed
App 'MISP' executed the action on asset 'misp'
Status: failed
Parameter: {"controller":"attributes","max_results":"1","other":"{\"value\": \"1.1.1.1\"}"}
App 'MISP' executed the action on asset 'misp'
Status: failed
Parameter: {"controller":"attributes","max_results":"1","other":"{\"value\": \"1.1.1.1\"}"}

Thanks


ansusabu
Communicator

Use double braces in the format block, like {{ "value": "1.1.1.1" }}, and pass this as the "other" field.

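The accepted answer implies that the "other" value is being built in a SOAR format block, where a single brace is template syntax rather than JSON. The following is an added example, not code from the original post or from the Phantom MISP app. It assumes (the thread does not state it) that a format block renders its template with Python str.format() semantics, where {0}, {1}, ... are placeholders and a literal brace must be doubled. Under that assumption it shows why the single-brace template fails, why the double-brace form renders to a real JSON object, and how to validate the rendered "other" value in the playbook before the action runs. The parameter names (controller, event_id, tags, max_results, other) are taken from the action's parameter table above; the helper function names are this example's own.

```python
"""Building and validating the "other" parameter for the MISP "run query" action.

Added example (not the post's or the app's code).  Assumes, as the accepted
answer implies, that a SOAR format block renders with str.format() semantics.
"""
from __future__ import annotations

import json
from typing import Any, Optional


def render_format_block(template: str, *parameters: str) -> str:
    """Stand-in for a SOAR format block (assumed str.format() semantics).

    '{ "value": "{0}" }' is parsed as a placeholder named ' "value"' and fails;
    '{{ "value": "{0}" }}' renders to '{ "value": "1.1.1.1" }', a JSON object.
    """
    try:
        return template.format(*parameters)
    except (KeyError, IndexError, ValueError) as exc:
        raise ValueError(f"template is not valid format syntax: {template!r}") from exc


def template_is_valid(template: str, *parameters: str) -> bool:
    """True when the template renders AND the result is a JSON object."""
    try:
        parse_other(render_format_block(template, *parameters))
    except ValueError:
        return False
    return True


def parse_other(rendered: str) -> dict[str, Any]:
    """Reject a bad 'other' value in the playbook, with a readable message,
    instead of letting it surface as an opaque handle_action exception."""
    try:
        parsed = json.loads(rendered)
    except json.JSONDecodeError as exc:
        raise ValueError(f"'other' is not valid JSON: {rendered!r}") from exc
    if not isinstance(parsed, dict):
        raise ValueError(f"'other' must be a JSON object, got: {rendered!r}")
    return parsed


def _csv(field: Optional[str]) -> list[str]:
    """Split a comma-separated action parameter (event_id, tags) into a list."""
    if not field:
        return []
    return [item.strip() for item in field.split(",") if item.strip()]


def build_run_query(controller: str, other: str, max_results: Optional[str | int] = None,
                    event_id: Optional[str] = None, tags: Optional[str] = None) -> dict[str, Any]:
    """Merge the run query parameters into one search dict.

    Explicit action parameters are applied after 'other', so a templated
    'other' object cannot silently override the controller or the result cap
    chosen in the playbook.
    """
    if controller not in ("events", "attributes"):
        raise ValueError(f"controller must be 'events' or 'attributes', got {controller!r}")
    query: dict[str, Any] = dict(parse_other(other))
    query["controller"] = controller
    if max_results is not None:
        query["max_results"] = int(max_results)
    if event_id:
        query["event_id"] = _csv(event_id)
    if tags:
        query["tags"] = _csv(tags)
    return query


if __name__ == "__main__":
    # Constructed inputs: the two templates from the thread, one placeholder each.
    single = '{ "value": "{0}" }'
    double = '{{ "value": "{0}" }}'
    print("single braces valid:", template_is_valid(single, "1.1.1.1"))   # False
    print("double braces valid:", template_is_valid(double, "1.1.1.1"))   # True
    rendered = render_format_block(double, "1.1.1.1")
    print(build_run_query("attributes", rendered, max_results="1", tags="tlp:white, type:OSINT"))
```

Run template_is_valid() on the format-block template in a test playbook before wiring it to the action: a False result means the "other" string the action would receive is not a JSON object, which is the condition the double-brace fix addresses.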

baya151
Explorer

Hi ansusabu,

My question is about the "other" field.

When I initiate the query, MISP returns all attributes or events independent of the value I am looking for. In the MISP audit logs, I don't see any parameters passed with the request to the Rest API.

Have you encountered such an issue, or do you have any suggestions to get it working?

Best regards,

Yanko
