maestro-ioc-poll-ip
Retrieves an IP address IOC from the indicator queue of a Maestro playbook and returns it as a record. Use this command to obtain an IP address indicator for analysis within a playbook execution context.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | User |
| License usage | Not counted toward license |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
`maestro-ioc-poll-ip [limit=INT]`
Options
- limit=INT: Number of indicators to retrieve at once. Default is 1.
Output fields
| Field | Type | Description |
|---|---|---|
| ip | string | IP address IOC value retrieved from the queue |
Error codes
Parse errors
| Error code | Message | Description |
|---|---|---|
| user-not-found | user-not-found | Raised when the logged-in user for the query session cannot be found. |
Runtime errors
| Error code | Message | Description | Post-action |
|---|---|---|---|
| (none) | company guid not found | Raised when the company GUID cannot be determined from the session. | Query aborted |
| (none) | no more ip indicator for playbook {playbookGuid} | Raised when there are no pending IP address IOCs for the specified playbook. | Query aborted |
Description
During Maestro playbook execution, this command retrieves an indicator of type IP address from the indicator queue (IndicatorQueueService). The retrieved indicator is returned in the ip field. You can specify the number of items to retrieve at once using the limit option, but the current implementation returns one item at a time.
The playbook GUID is automatically looked up from the execution context (playbook_guid constant). If there are no pending indicators in the queue, a runtime error is raised and the query is aborted.
Usage examples
- Retrieve one IP address IOC from a playbook

  `maestro-ioc-poll-ip`

  Retrieves one IP address IOC from the indicator queue and returns it in the ip field.

- Retrieve an IP address IOC and compare it against a threat intelligence feed

  `maestro-ioc-poll-ip | eval matched = matchfeed("threat_intel", ip) | search matched == true`

  Compares the retrieved IP address IOC against a threat intelligence feed to check whether it is malicious.

- Retrieve an IP address IOC and update its reputation to malicious

  `maestro-ioc-poll-ip | maestro-ioc-update-ip resource=$(ip) reputation=MALICIOUS risk=HIGH`

  Updates the reputation of the retrieved IP address IOC to malicious.
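Combining the feed check and the reputation update into one triage pipeline, as an added example that is not part of the original reference (the feed name threat_intel is taken from the example above and is assumed to exist): an IP IOC is polled, checked against the feed, and only a matching indicator is marked malicious.

```text
maestro-ioc-poll-ip | eval matched = matchfeed("threat_intel", ip) | search matched == true | maestro-ioc-update-ip resource=$(ip) reputation=MALICIOUS risk=HIGH
```

If the indicator queue is empty, maestro-ioc-poll-ip raises the runtime error listed above and the whole query is aborted, so maestro-ioc-update-ip is never reached; an IP that does not match the feed is dropped by search and likewise left unchanged.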
Compatibility
The maestro-ioc-poll-ip command is available since before Sonar 4.0.
Related
- maestro-ioc-poll-domain — Retrieve domain IOCs
- maestro-ioc-poll-email — Retrieve email IOCs
- maestro-ioc-poll-md5 — Retrieve MD5 hash IOCs
- maestro-ioc-poll-url — Retrieve URL IOCs
- maestro-ioc-update-ip — Update IP address IOC reputation