Splunk SOAR (f.k.a. Phantom)

Phantom MISP "Run Query" action

dphegarty
New Member

I am attempting to use the "Run Query" action from the Phantom MISP app.

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
event_id optional Comma seperated list of Event IDs (allows comma-separated lists) string misp event id
controller required Search for events or attributes string

other optional Other search parameters, as a JSON object string

max_results optional Max results to return numeric
tags optional Comma seperated list of tags string

How do I pass it other search parameters in the "other" field? I've tried multiple times and cannot figure out the correct format.

I've tried -
{ "value": "1.1.1.1" }
{\"value\": \"1.1.1.1\'}
"value": "1.1.1.1"
plus many more

Below is the error I am getting:

Wed Oct 30 2019 18:30:53 GMT-0500 (Central Daylight Time): 'run_query_1' on asset 'dentons us misp': 2 actions failed. (1)For Parameter: {"context":{"artifact_id":0,"guid":"bc1399b8-cf87-4d9e-8774-cfaf49ec16a0","parent_action_run":[]},"controller":"attributes","max_results":"1","other":"{\"value\": \"1.1.1.1\"}"} Message: "". (2)For Parameter: {"context":{"artifact_id":0,"guid":"bc1399b8-cf87-4d9e-8774-cfaf49ec16a0","parent_action_run":[]},"controller":"attributes","max_results":"1","other":"{\"value\": \"1.1.1.1\"}"} Message: "handle_action exception occurred. Error string: 'response'"
Wed Oct 30 2019 18:30:53 GMT-0500 (Central Daylight Time): 'run_query_1' on asset 'dentons us misp' completed with status: 'failed'. Action Info: [{"app_name":"MISP","asset_name":"dentons us misp","param":{"other": "{\"value\": \"1.1.1.1\"}", "context": {"guid": "bc1399b8-cf87-4d9e-8774-cfaf49ec16a0", "artifact_id": 0, "parent_action_run": []}, "controller": "attributes", "max_results": "1"},"status":"failed","message":""},{"app_name":"MISP","asset_name":"dentons us misp","param":{"other": "{\"value\": \"1.1.1.1\"}", "context": {"guid": "bc1399b8-cf87-4d9e-8774-cfaf49ec16a0", "artifact_id": 0, "parent_action_run": []}, "controller": "attributes", "max_results": "1"},"status":"failed","message":"handle_action exception occurred. Error string: 'response'"}]
Wed Oct 30 2019 18:30:53 GMT-0500 (Central Daylight Time): action 'run query' did not have any callback. The action is now marked completed

Playbook 'Testing Artifact Lookup' (playbook id: 281) executed (playbook run id: 358) on splunk_web_check 'Sophos Malicious Web Blocks'(container id: 1314).
Playbook execution status is 'failed'
Total actions executed: 1
Action 'run_query_1'(run query)
Status: failed
App 'MISP' executed the action on asset 'misp'
Status: failed
Parameter: {"controller":"attributes","max_results":"1","other":"{\"value\": \"1.1.1.1\"}"}
App 'MISP' executed the action on asset 'misp'
Status: failed
Parameter: {"controller":"attributes","max_results":"1","other":"{\"value\": \"1.1.1.1\"}"}

Thanks

Labels (1)
Tags (1)
0 Karma
1 Solution

ansusabu
Communicator

Use double braces in format block like {{ "value": "1.1.1.1" }} and pass this as the"other" field

View solution in original post

0 Karma

ansusabu
Communicator

Use double braces in format block like {{ "value": "1.1.1.1" }} and pass this as the"other" field

0 Karma

baya151
Explorer

Hi ansusabu,

My question is about the "other" field.

When I initiate the query, MISP returns all attributes or events independent of the value I am looking for. In the MISP audit logs, I don't see any parameters passed with the request to the Rest API.

Have you encountered such an issue or any suggestions to get it working? 

Best regards,

Yanko

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...