Splunk SOAR (f.k.a. Phantom)

Phantom MISP "Run Query" action

dphegarty
New Member

I am attempting to use the "Run Query" action from the Phantom MISP app.

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
event_id optional Comma seperated list of Event IDs (allows comma-separated lists) string misp event id
controller required Search for events or attributes string

other optional Other search parameters, as a JSON object string

max_results optional Max results to return numeric
tags optional Comma seperated list of tags string

How do I pass it other search parameters in the "other" field? I've tried multiple times and cannot figure out the correct format.

I've tried -
{ "value": "1.1.1.1" }
{\"value\": \"1.1.1.1\'}
"value": "1.1.1.1"
plus many more

Below is the error I am getting:

Wed Oct 30 2019 18:30:53 GMT-0500 (Central Daylight Time): 'run_query_1' on asset 'dentons us misp': 2 actions failed. (1)For Parameter: {"context":{"artifact_id":0,"guid":"bc1399b8-cf87-4d9e-8774-cfaf49ec16a0","parent_action_run":[]},"controller":"attributes","max_results":"1","other":"{\"value\": \"1.1.1.1\"}"} Message: "". (2)For Parameter: {"context":{"artifact_id":0,"guid":"bc1399b8-cf87-4d9e-8774-cfaf49ec16a0","parent_action_run":[]},"controller":"attributes","max_results":"1","other":"{\"value\": \"1.1.1.1\"}"} Message: "handle_action exception occurred. Error string: 'response'"
Wed Oct 30 2019 18:30:53 GMT-0500 (Central Daylight Time): 'run_query_1' on asset 'dentons us misp' completed with status: 'failed'. Action Info: [{"app_name":"MISP","asset_name":"dentons us misp","param":{"other": "{\"value\": \"1.1.1.1\"}", "context": {"guid": "bc1399b8-cf87-4d9e-8774-cfaf49ec16a0", "artifact_id": 0, "parent_action_run": []}, "controller": "attributes", "max_results": "1"},"status":"failed","message":""},{"app_name":"MISP","asset_name":"dentons us misp","param":{"other": "{\"value\": \"1.1.1.1\"}", "context": {"guid": "bc1399b8-cf87-4d9e-8774-cfaf49ec16a0", "artifact_id": 0, "parent_action_run": []}, "controller": "attributes", "max_results": "1"},"status":"failed","message":"handle_action exception occurred. Error string: 'response'"}]
Wed Oct 30 2019 18:30:53 GMT-0500 (Central Daylight Time): action 'run query' did not have any callback. The action is now marked completed

Playbook 'Testing Artifact Lookup' (playbook id: 281) executed (playbook run id: 358) on splunk_web_check 'Sophos Malicious Web Blocks'(container id: 1314).
Playbook execution status is 'failed'
Total actions executed: 1
Action 'run_query_1'(run query)
Status: failed
App 'MISP' executed the action on asset 'misp'
Status: failed
Parameter: {"controller":"attributes","max_results":"1","other":"{\"value\": \"1.1.1.1\"}"}
App 'MISP' executed the action on asset 'misp'
Status: failed
Parameter: {"controller":"attributes","max_results":"1","other":"{\"value\": \"1.1.1.1\"}"}

Thanks

Labels (1)
Tags (1)
0 Karma
1 Solution

ansusabu
Communicator

Use double braces in format block like {{ "value": "1.1.1.1" }} and pass this as the"other" field

View solution in original post

0 Karma

ansusabu
Communicator

Use double braces in format block like {{ "value": "1.1.1.1" }} and pass this as the"other" field

0 Karma

baya151
Explorer

Hi ansusabu,

My question is about the "other" field.

When I initiate the query, MISP returns all attributes or events independent of the value I am looking for. In the MISP audit logs, I don't see any parameters passed with the request to the Rest API.

Have you encountered such an issue or any suggestions to get it working? 

Best regards,

Yanko

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...