maestro-ioc-poll-email
Retrieves an email IOC from the indicator queue of a Maestro playbook and returns it as a record. Use this command to obtain an email indicator for analysis within a playbook execution context.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | User |
| License usage | Not counted toward license |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
maestro-ioc-poll-email [limit=INT]
Options
- limit=INT - Number of indicators to retrieve at once. Default is 1.
Output fields
| Field | Type | Description |
|---|---|---|
| email | string | Email IOC value retrieved from the queue |
Error codes
Parse errors
| Error code | Message | Description |
|---|---|---|
| user-not-found | user-not-found | Raised when the logged-in user for the query session cannot be found. |
Runtime errors
| Error code | Message | Description | Post-action |
|---|---|---|---|
| (none) | company guid not found | Raised when the company GUID cannot be determined from the session. | Query aborted |
| (none) | no more email indicator for playbook {playbookGuid} | Raised when there are no pending email IOCs for the specified playbook. | Query aborted |
Description
During Maestro playbook execution, this command retrieves an indicator of type email from the indicator queue (IndicatorQueueService). The retrieved indicator is returned in the email field. You can specify the number of items to retrieve at once using the limit option, but the current implementation returns one item at a time.
The playbook GUID is automatically looked up from the execution context (playbook_guid constant). If there are no pending indicators in the queue, a runtime error is raised and the query is aborted.
Usage examples
- Retrieve one email IOC from a playbook
  `maestro-ioc-poll-email`
  Retrieves one email IOC from the indicator queue and returns it in the email field.
- Retrieve an email IOC and compare it against a threat intelligence feed
  `maestro-ioc-poll-email | eval matched = matchfeed("threat_intel", email) | search matched == true`
  Compares the retrieved email IOC against a threat intelligence feed to check whether it is malicious.
- Retrieve an email IOC and update its reputation
  `maestro-ioc-poll-email | maestro-ioc-update-email resource=$(email) reputation=MALICIOUS risk=HIGH`
  Updates the reputation of the retrieved email IOC to malicious.
Compatibility
The maestro-ioc-poll-email command is available since before Sonar 4.0.
Related
- maestro-ioc-poll-domain — Retrieve domain IOCs
- maestro-ioc-poll-ip — Retrieve IP address IOCs
- maestro-ioc-poll-md5 — Retrieve MD5 hash IOCs
- maestro-ioc-poll-url — Retrieve URL IOCs
- maestro-ioc-update-email — Update email IOC reputation