Lookup object_refs Returned from MDR Investigation API

All,

I’m wondering if anyone knows if there’s a way to look up the values returned in the object_refs field from the MDR GET /investigations endpoint?

Here’s an example of a single investigation returned from the endpoint:

{
    "id": "x-fireeye-com-investigation--xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx",
    "type": "x-fireeye-com-investigation",
    "name": "Multiple Signatures on HOSTNAME",
    "description": "\n\n\n\nMandiant alerted on endpoint activity related to a suspicious process event. This activity matched the following signatures: \n\n* POWERSHELL UNICORN A (UTILITY)\n* SUSPICIOUS POWERSHELL USAGE B (METHODOLOGY)\n\nAdditional analysis of the alert triage data revealed an Excel spreadsheet document launched an instance of Windows PowerShell with suspicious command-line arguments.\n\n\n## About Suspicious PowerShell Usage\n\nThis signature is designed to detect suspicious PowerShell process executions using specific command parameters commonly used to bypass the default security restrictions or hide execution windows from the user. Generally, this technique is used to bypass Anti-Virus solutions during initial infection stages.\n\nThis methodology is most commonly seen in use by:\n\n* Microsoft Office macro based Trojan downloaders.\n* Fileless malware: Kovter Trojan\n* Pentesting frameworks: PowerSploit, PowerShell Empire or MetaSploit.\n\nMore specific elements of these suspicious PowerShell commands typically include:\n\n* Use of the EncodedCommand parameter to conceal the content within a command.\n* Use of the ExecutionPolicy parameter to bypass/disable the default execution restrictions.\n* Use of the WindowStyle parameter to prevent execution windows appearing to the user.\n* The chaining of multiple instances of cmd.exe, powershell.exe, or wscript.exe together.\n* The implementation of string based obfuscation.\n\n## About PowerShell Unicorn\n\nMagic Unicorn is a PowerShell tool that performs a downgrade attack and injects shellcode directly into memory. Based on Matthew Graeber's PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18. It is a public tool available on GitHub:\n\n* https://github.com/trustedsec/unicorn\n\n\n\n\n",
    "investigation_status": "resolved",
    "investigation_form": "case",
    "start_time": "2021-06-29T21:00:12+00:00",
    "end_time": "2021-07-05T20:04:09+00:00",
    "created": "2021-06-29T21:00:12+00:00",
    "modified": "2021-07-05T20:04:09+00:00",
    "published": "2021-06-29T21:00:12+00:00",
    "x_fireeye_com_severity": "low",
    "x_fireeye_com_priority": "3",
    "external_references": [
        {
            "source_name": "FaaS Portal",
            "external_id": "1-xxxxxx",
            "url": "https://md.fireeye.com/investigations/1-xxxxxx"
        }
    ],
    "object_refs": [
        "attack-pattern--397ce4f5-5a53-49d2-bbd1-70bb3091ef3b",
        "attack-pattern--dc9fce9c-4cb9-412f-a41c-7dae8659cc6b",
        "course-of-action--6f42f2c1-9a6b-5f8b-817a-87a8338907db",
        "course-of-action--33c23d24-1875-50c8-a0e0-0aaf20e1c04f",
        "course-of-action--e4d5c119-8930-5b7c-887b-f7e65aede4bc",
        "threat-actor--8e45837c-b3c7-46e4-8441-a3c9c24e3fb9",
        "x-fireeye-com-note--c56eabd1-1573-5df8-ae00-9bdac700de42",
        "x-fireeye-com-compromise-target--xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
    ]
}

I’m hoping the objects like x-fireeye-com-compromise-target--xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx will be the host invovled in the investigation, and I am hoping I can look up that reference somewhere to get the IP / hostname.

The MDR API documentation only outlines the GET /investigations and GET /investigations/{id} endpoints. Unless I’m missing it I’m not seeing any mention of how to look up object references.

It looks like this is similar / invovled with a STIX object, but that hasn’t helped me find an answer to my question.

Thanks!

In case anyone stumbles across this, you are able to get some of the details from the references in object_refs by using the endpoint GET /investigations/{investigation_id}