maestro-ioc-poll-md5
Retrieves an MD5 hash IOC from the indicator queue of a Maestro playbook and returns it as a record. Use this command to obtain an MD5 hash indicator for analysis within a playbook execution context.
Command properties
| Item | Description |
|---|---|
| Command type | Driver query |
| Required permission | User |
| License usage | Not counted toward license |
| Parallel execution | Not supported |
| Distributed execution | Runs on Data Node (mapper) |
Syntax
Options
limit=INT- Number of indicators to retrieve at once. Default is
1.
Output fields
| Field | Type | Description |
|---|---|---|
md5 | string | MD5 hash IOC value retrieved from the queue |
Error codes
Parse errors
| Error code | Message | Description |
|---|---|---|
user-not-found | user-not-found | Raised when the logged-in user for the query session cannot be found. |
Runtime errors
| Error code | Message | Description | Post-action |
|---|---|---|---|
| (none) | company guid not found | Raised when the company GUID cannot be determined from the session. | Query aborted |
| (none) | no more md5 indicator for playbook {playbookGuid} | Raised when there are no pending MD5 hash IOCs for the specified playbook. | Query aborted |
Description
During Maestro playbook execution, this command retrieves an indicator of type MD5 hash from the indicator queue (IndicatorQueueService). The retrieved indicator is returned in the md5 field. You can specify the number of items to retrieve at once using the limit option, but the current implementation returns one item at a time.
The playbook GUID is automatically looked up from the execution context (playbook_guid constant). If there are no pending indicators in the queue, a runtime error is raised and the query is aborted.
Usage examples
-
Retrieve one MD5 hash IOC from a playbook
maestro-ioc-poll-md5Retrieves one MD5 hash IOC from the indicator queue and returns it in the
md5field. -
Retrieve an MD5 hash IOC and compare it against a threat intelligence feed
maestro-ioc-poll-md5 | eval matched = matchfeed("threat_intel", md5) | search matched == trueCompares the retrieved MD5 hash IOC against a threat intelligence feed to check whether it is malicious.
-
Retrieve an MD5 hash IOC and update its reputation
maestro-ioc-poll-md5 | maestro-ioc-update-md5 resource=$(md5) reputation=MALICIOUS risk=HIGHUpdates the reputation of the retrieved MD5 hash IOC to malicious.
Compatibility
The maestro-ioc-poll-md5 command is available since before Sonar 4.0.
Related
- maestro-ioc-poll-domain — Retrieve domain IOCs
- maestro-ioc-poll-email — Retrieve email IOCs
- maestro-ioc-poll-ip — Retrieve IP address IOCs
- maestro-ioc-poll-url — Retrieve URL IOCs
- maestro-ioc-update-md5 — Update MD5 hash IOC reputation