Solved: Re: Phantom MISP "Run Query" action

dphegarty · ‎10-30-2019

I am attempting to use the "Run Query" action from the Phantom MISP app.

PARAMETER REQUIRED DESCRIPTION TYPE CONTAINS
event_id optional Comma seperated list of Event IDs (allows comma-separated lists) string misp event id
controller required Search for events or attributes string

other optional Other search parameters, as a JSON object string

max_results optional Max results to return numeric
tags optional Comma seperated list of tags string

How do I pass it other search parameters in the "other" field? I've tried multiple times and cannot figure out the correct format.

I've tried -
{ "value": "1.1.1.1" }
{\"value\": \"1.1.1.1\'}
"value": "1.1.1.1"
plus many more

Below is the error I am getting:

Wed Oct 30 2019 18:30:53 GMT-0500 (Central Daylight Time): 'run_query_1' on asset 'dentons us misp': 2 actions failed. (1)For Parameter: {"context":{"artifact_id":0,"guid":"bc1399b8-cf87-4d9e-8774-cfaf49ec16a0","parent_action_run":[]},"controller":"attributes","max_results":"1","other":"{\"value\": \"1.1.1.1\"}"} Message: "". (2)For Parameter: {"context":{"artifact_id":0,"guid":"bc1399b8-cf87-4d9e-8774-cfaf49ec16a0","parent_action_run":[]},"controller":"attributes","max_results":"1","other":"{\"value\": \"1.1.1.1\"}"} Message: "handle_action exception occurred. Error string: 'response'"
Wed Oct 30 2019 18:30:53 GMT-0500 (Central Daylight Time): 'run_query_1' on asset 'dentons us misp' completed with status: 'failed'. Action Info: [{"app_name":"MISP","asset_name":"dentons us misp","param":{"other": "{\"value\": \"1.1.1.1\"}", "context": {"guid": "bc1399b8-cf87-4d9e-8774-cfaf49ec16a0", "artifact_id": 0, "parent_action_run": []}, "controller": "attributes", "max_results": "1"},"status":"failed","message":""},{"app_name":"MISP","asset_name":"dentons us misp","param":{"other": "{\"value\": \"1.1.1.1\"}", "context": {"guid": "bc1399b8-cf87-4d9e-8774-cfaf49ec16a0", "artifact_id": 0, "parent_action_run": []}, "controller": "attributes", "max_results": "1"},"status":"failed","message":"handle_action exception occurred. Error string: 'response'"}]
Wed Oct 30 2019 18:30:53 GMT-0500 (Central Daylight Time): action 'run query' did not have any callback. The action is now marked completed

Playbook 'Testing Artifact Lookup' (playbook id: 281) executed (playbook run id: 358) on splunk_web_check 'Sophos Malicious Web Blocks'(container id: 1314).
Playbook execution status is 'failed'
Total actions executed: 1
Action 'run_query_1'(run query)
Status: failed
App 'MISP' executed the action on asset 'misp'
Status: failed
Parameter: {"controller":"attributes","max_results":"1","other":"{\"value\": \"1.1.1.1\"}"}
App 'MISP' executed the action on asset 'misp'
Status: failed
Parameter: {"controller":"attributes","max_results":"1","other":"{\"value\": \"1.1.1.1\"}"}

Thanks

ansusabu · ‎10-31-2019

Use double braces in format block like {{ "value": "1.1.1.1" }} and pass this as the"other" field

View solution in original post

ansusabu · ‎10-31-2019

Use double braces in format block like {{ "value": "1.1.1.1" }} and pass this as the"other" field

baya151 · ‎09-07-2021

Hi ansusabu,

My question is about the "other" field.

When I initiate the query, MISP returns all attributes or events independent of the value I am looking for. In the MISP audit logs, I don't see any parameters passed with the request to the Rest API.

Have you encountered such an issue or any suggestions to get it working?

Best regards,

Yanko

Phantom MISP "Run Query" action

troubleshooting

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation