def run(self,data,persistentData,actionResult): domainName = helpers.evalString(self.domainName,{"data" : data}) apiToken = auth.getPasswordFromENC(self.apiToken) result = ip2whois._ip2whois(apiToken).whois(domainName) if result: actionResult["result"] = True actionResult["rc"] = 0 actionResult["whois"] = result else: actionResult["result"] = False actionResult["rc"] = 404 actionResult["msg"] = "Failed to get a valid response from ip2whois API" return actionResult
def run(self, data, persistentData, actionResult): apiToken = auth.getPasswordFromENC(self.apiToken) dropletID = helpers.evalString(self.dropletID, {"data": data}) result = digitalocean._digitalocean(apiToken).getDroplet(dropletID, network=True) if result: actionResult["result"] = True actionResult["rc"] = 0 actionResult["droplet"] = result else: actionResult["result"] = False actionResult["rc"] = 500 actionResult["msg"] = "Failed to get a valid response from API" return actionResult
def doAction(self, data): message = helpers.evalString(self.message, {"data": data["flowData"]}) url = auth.getPasswordFromENC(self.url) result = microsoftteamswebhooks._microsoftteamswebhooks( url).postMessage(message) if result: return {"result": True, "rc": 0, "msg": "Message posted."} else: return { "result": False, "rc": 400, "msg": "Invalid response from web service, check your url." }
def doAction(self, data): host = helpers.evalString(self.host, {"data": data["flowData"]}) user = helpers.evalString(self.user, {"data": data["flowData"]}) password = auth.getPasswordFromENC(self.password) client = windows.windows(host, user, password) if client.client != None: data["eventData"]["remote"] = {"client": client} return {"result": True, "rc": 0, "msg": "Connection successful"} else: return { "result": False, "rc": 403, "msg": "Connection failed - {0}".format(client.error) }
def run(self, data, persistentData, actionResult): ip = helpers.evalString(self.ip, {"data": data}) apiToken = auth.getPasswordFromENC(self.apiToken) result = whoisxmlapi._whoisxmlapi(apiToken).ipGeolocation(ip) if result: actionResult["result"] = True actionResult["rc"] = 0 actionResult["apiResult"] = result else: actionResult["result"] = False actionResult["rc"] = 404 actionResult[ "msg"] = "Failed to get a valid response from whoisxmlapi API" return actionResult
def run(self, data, persistentData, actionResult): domainName = helpers.evalString(self.domainName, {"data": data}) apiToken = auth.getPasswordFromENC(self.apiToken) result = whoisxmlapi._whoisxmlapi(apiToken).websiteContacts(domainName) if result: actionResult["result"] = True actionResult["rc"] = 0 actionResult["base64Image"] = result else: actionResult["result"] = False actionResult["rc"] = 404 actionResult[ "msg"] = "Failed to get a valid response from whoisxmlapi API" return actionResult
def run(self,data,persistentData,actionResult): if not hasattr(self,"plain_apiToken"): self.plain_apiToken = auth.getPasswordFromENC(self.apiToken) targetURL = helpers.evalString(self.targetURL,{"data" : data}) screenshotClass = screenshotapi._screenshotapi(self.plain_apiToken) response = screenshotClass.takeScreenshot(targetURL) if response: actionResult["filename"] = screenshotClass.downloadScreenshot(response["screenshot"]) actionResult["result"] = True actionResult["rc"] = 0 actionResult["msg"] = "Screenshot taken and saved" return actionResult actionResult["result"] = False actionResult["rc"] = 1 actionResult["msg"] = "Error taking screenshot" return actionResult
def run(self, data, persistentData, actionResult): mailServerFQDN = helpers.evalString(self.mailServerFQDN, {"data": data}) apiToken = auth.getPasswordFromENC(self.apiToken) result = whoisxmlapi._whoisxmlapi(apiToken).reverseMXLookup( mailServerFQDN) if result: actionResult["result"] = True actionResult["rc"] = 0 actionResult["apiResult"] = result else: actionResult["result"] = False actionResult["rc"] = 404 actionResult[ "msg"] = "Failed to get a valid response from whoisxmlapi API" return actionResult
def run(self, data, persistentData, actionResult): endpointID = helpers.evalString(self.endpointID, {"data": data}) tenant = helpers.evalString(self.tenant, {"data": data}) client_secret = auth.getPasswordFromENC(self.client_secret) sophos = sophosApi.sophos(None, self.client_id, client_secret, self.XOrganizationID) sophos.setTenant(tenant) res = sophos.postTamperProtection( endpointID, { "enabled": self.enable_protection, "regeneratePassword": self.regenerate_password }) if res["result"]: actionResult["result"] = True actionResult["rc"] = 0 actionResult["data"] = res["data"] return actionResult
def run(self, data, persistentData, actionResult): domainName = helpers.evalString(self.domainName, {"data": data}) lookupType = helpers.evalString(self.lookupType, {"data": data}) apiToken = auth.getPasswordFromENC(self.apiToken) result = whoisxmlapi._whoisxmlapi(apiToken).dnsLookup( domainName, lookupType) if result: actionResult["result"] = True actionResult["rc"] = 0 actionResult["apiResult"] = result else: actionResult["result"] = False actionResult["rc"] = 404 actionResult[ "msg"] = "Failed to get a valid response from whoisxmlapi API" return actionResult
def check(self): password = auth.getPasswordFromENC(self.splunkPassword) secure = not self.insecure s = splunk.splunkClass(self.splunkHost, self.splunkPort, self.splunkUsername, password, secure=secure, ca=self.ca) if not s: if logging.debugEnabled: logging.debug( "Unable to authenticate to Splunk instance. actionID={0}". format(self._id), 1) return jobID = s.startJob(self.searchQuery) if s.waitJob(jobID): pollResult = s.getJob(jobID) self.result["events"] = pollResult["results"]
def run(self, data, persistentData, actionResult): host = helpers.evalString(self.host, {"data": data}) user = helpers.evalString(self.user, {"data": data}) password = auth.getPasswordFromENC(self.password) client = windows.windows(host, user, password) if client.client != None: persistentData["remote"] = {} persistentData["remote"]["client"] = client actionResult["result"] = True actionResult["rc"] = 0 actionResult["msg"] = "Connection successful" return actionResult else: actionResult["result"] = False actionResult["rc"] = 403 actionResult["msg"] = "Connection failed - {0}".format( client.error) return actionResult
def run(self, data, persistentData, actionResult): apiToken = auth.getPasswordFromENC(self.apiToken) dropletName = helpers.evalString(self.dropletName, {"data": data}) region = helpers.evalString(self.region, {"data": data}) image = helpers.evalString(self.image, {"data": data}) size = helpers.evalString(self.size, {"data": data}) ssh_key = int(helpers.evalString(self.ssh_key, {"data": data})) result = digitalocean._digitalocean(apiToken).createDroplet( dropletName, region, image, size, [ssh_key]) if result: actionResult["result"] = True actionResult["rc"] = 0 actionResult["dropletID"] = result else: actionResult["result"] = False actionResult["rc"] = 500 actionResult["msg"] = "Failed to get a valid response from API" return actionResult
def check(self): password = auth.getPasswordFromENC(self.password) client = windows.windows(self.server, self.username, password) now = int(time.time()) command = "powershell.exe -C \"Get-WinEvent -FilterHashtable @{Logname='" + self.eventName + "'} -MaxEvents " + str( self.maxEvents ) + " -oldest | ForEach-Object { '<345start768>';($_ | format-list);'<678end546>' };\"" if self.lastPull > 0: command = "powershell.exe -C \"Get-WinEvent -FilterHashtable @{Logname='" + self.eventName + "';'startTime'=((Get-Date 01.01.1970)+([System.TimeSpan]::fromseconds(" + str( self.lastPull ) + ")))} -MaxEvents " + str( self.maxEvents ) + " -oldest | ForEach-Object { '<345start768>';($_ | format-list);'<678end546>' };\"" exitCode, stdout, stderr = client.command(command) client.disconnect() events = re.findall(r'(<345start768>[\W\w\D\r\n]*?<678end546>)', stdout, re.MULTILINE) self.result["events"] = events self.lastPull = now self.update(["lastPull"])
def run(self, data, persistentData, actionResult): import pyodbc host = helpers.evalString(self.host, {"data": data}) username = helpers.evalString(self.username, {"data": data}) connectionDetails = helpers.evalDict(self.connectionDetails, {"data": data}) dbType = helpers.evalString(self.dbType, {"data": data}) search = helpers.evalString(self.search, {"data": data}) password = auth.getPasswordFromENC(self.password) timeout = 30 if self.timeout != 0: timeout = self.timeout actionResult["result"] = False actionResult["rc"] = 404 actionResult["msg"] = "could not connect" dbControl = database.control(dbType, host, username, password, connectionDetails, timeout) if dbControl.isConnected(): rc, results = dbControl.query(search, self.limit) if rc: if self.limit == 1: if self.count: actionResult["count"] = 1 else: actionResult["row"] = results[0] else: if self.count: actionResult["count"] = len(results) else: actionResult["rows"] = results actionResult["rc"] = 0 actionResult["msg"] = "success" actionResult["result"] = True else: actionResult["msg"] = results else: actionResult["msg"] = dbControl.message return actionResult
def run(self, data, persistentData, actionResult): apiToken = auth.getPasswordFromENC(self.apiToken) dropletName = helpers.evalString(self.dropletName, {"data": data}) result = digitalocean._digitalocean(apiToken).listDroplets( name=dropletName) if result: if "error" in result: actionResult["result"] = False actionResult["msg"] = result["msg"] actionResult["rc"] = result["error"] else: actionResult["result"] = True actionResult["rc"] = 0 actionResult["droplet"] = result else: actionResult["result"] = False actionResult["rc"] = 500 actionResult[ "msg"] = "Unable to get droplet by name, it likely does not exist" return actionResult
def run(self, data, persistentData, actionResult): if not hasattr(self, "plain_humioAPIToken"): self.plain_humio_ingest_token = auth.getPasswordFromENC( self.humio_ingest_token) # Get data dict if len(self.custom_data) > 0: dataToSend = helpers.evalDict(self.custom_data, {"data": data}) else: if len(self.field) > 0: dataToSend = helpers.getDictValue(self.field[0], {"data": data}) else: dataToSend = data # Apply flatten if self.flatten_field: for key, value in data[self.flatten_field].items(): dataToSend[key] = value del dataToSend[self.flatten_field] # Send events if type(dataToSend) is list: events = [] for entry in dataToSend: events.append(self.buildEvents(entry)) if not self.shippingHandlerBulk(events): actionResult["result"] = False actionResult["rc"] = 1 return actionResult elif type(dataToSend) is dict: if not self.shippingHandler(dataToSend): actionResult["result"] = False actionResult["rc"] = 2 return actionResult actionResult["result"] = True actionResult["rc"] = 0 return actionResult
def run(self, data, persistentData, actionResult): if not hasattr(self, "plain_apiToken"): self.plain_apiToken = auth.getPasswordFromENC(self.apiToken) queryString = helpers.evalString(self.queryString, {"data": data}) facetsString = helpers.evalString(self.facetsString, {"data": data}) sapi = shodan._shodanapi(self.plain_apiToken) response = sapi.hostSearch(queryString, facetsString) responseData = response.text if response.status_code == 200: responseData = json.loads(responseData) for x, responseDataItem in enumerate(responseData["matches"]): responseData["matches"][x] = helpers.unicodeEscapeDict( responseDataItem) try: responseData["matches"][x]["ssl"]["cert"]["serial"] = str( responseDataItem["ssl"]["cert"]["serial"]) except: pass actionResult["result"] = True actionResult["rc"] = response.status_code actionResult["data"] = responseData return actionResult
def check(self): if not hasattr(self,"client_secret_plain"): self.client_secret_plain = auth.getPasswordFromENC(self.client_secret) sophosAPI = sophos.sophos(certSettings["ca"],self.client_id,self.client_secret_plain,self.XOrganizationID) self.filters.append("view=full") for tenant in self.tenants: computers = [] if sophosAPI.setTenant(tenant): computers = sophosAPI.getEndpoints(filters=self.filters) if computers["result"]: for computer in computers["data"]: result = {} # Name if "hostname" in computer: result["name"] = computer["hostname"].lower() # LastSeen converted to epoch if "lastSeenAt" in computer: result["lastSeen"] = int(datetime.datetime.strptime(computer["lastSeenAt"],"%Y-%m-%dT%H:%M:%S.%fZ").timestamp()*1000) # OS if "os" in computer: if "platform" in computer["os"]: result["platform"] = computer["os"]["platform"].lower() if result["platform"] == "windows": if "name" in computer["os"]: os = re.search('(.*) ((pro|enterprise|standard|datacenter))', computer["os"]["name"], re.IGNORECASE) if os: result["operatingSystem"] = os.group(1).lower() result["operatingSystemEdition"] = os.group(2).lower() if "build" in computer["os"]: result["operatingSystemBuild"] = computer["os"]["build"] if "majorVersion" in computer["os"] and "minorVersion" in computer["os"]: result["operatingSystemVersion"] = "{0}.{1}".format(computer["os"]["majorVersion"],computer["os"]["minorVersion"]) elif result["platform"] == "linux": if "name" in computer["os"]: os = re.search('(.*) ((pro|enterprise|standard|datacenter)).*([0-9]\.[0-9]*)', computer["os"]["name"], re.IGNORECASE) if os: result["operatingSystem"] = os.group(1).lower() result["operatingSystemEdition"] = os.group(2).lower() result["operatingSystemVersion"] = os.group(2) elif result["platform"] == "macOS": result["operatingSystem"] = result["platform"] if "majorVersion" in computer["os"] and "minorVersion" in computer["os"]: result["operatingSystemVersion"] = "{0}.{1}".format(computer["os"]["majorVersion"],computer["os"]["minorVersion"]) if "build" in computer["os"]: result["operatingSystemBuild"] = computer["os"]["build"] # IP if "ipv4Addresses" in computer: if type(computer["ipv4Addresses"]) is list: result["src_ip"] = computer["ipv4Addresses"][0] # User if "associatedPerson" in computer: if "viaLogin" in computer["associatedPerson"]: if "\\" in computer["associatedPerson"]["viaLogin"]: userInfo = re.search('(.*)\\\\(.*)', computer["associatedPerson"]["viaLogin"], re.IGNORECASE) if userInfo: user = userInfo.group(2) domain = userInfo.group(1) else: user = computer["associatedPerson"]["viaLogin"] result["user"] = user.lower() result["domain"] = domain.lower() # Estate result["estate"] = tenant # Other Sophos Values if "tamperProtectionEnabled" in computer: result["tamperProtection"] = computer["tamperProtectionEnabled"] versions = {} if "assignedProducts" in computer: for product in computer["assignedProducts"]: if product["status"] == "installed": versions[product["code"]] = product["version"] result["versions"] = versions if "health" in computer: result["health"] = computer["health"]["overall"] result["sophos_id"] = computer["id"] self.result["events"].append(result)
def run(self, data, persistentData, actionResult): observable = helpers.evalString(self.observable, {"data": data}) resultType = helpers.evalString(self.resultType, {"data": data}) apiKey = helpers.evalString(self.apiKey, {"data": data}) #Helpers paramMap = { "current results only": "report", "current + previous results": "history" } if resultType != None: param = paramMap[resultType] if self.apiPass.startswith("ENC"): apiPass = auth.getPasswordFromENC(self.apiPass) data_string = f"{apiKey}:{apiPass}" data_bytes = data_string.encode("ascii") token = base64.b64encode(data_bytes).decode("ascii") appjson = "application/json" proxies = {"http": "http://", "https": "http://"} certPath = "/" xForceClient = xForce._IBMxForce(token, appjson, proxy=proxies, ca=certPath) # xForceClient = xForce._IBMxForce(token,appjson) if xForceClient != None: persistentData["xForce"] = {} persistentData["xForce"]["client"] = xForceClient try: if self.isValidIp(observable): result = xForceClient.checkReuptationHistoryIP( param, observable) actionResult["xforceResults"] = result actionResult["result"] = True actionResult["rc"] = 200 elif self.isValidDomain( observable): #if self.isValidDomain(observable): result = xForceClient.checkReuptationHistoryURL( param, observable) actionResult["xforceResults"] = result actionResult["result"] = True actionResult["rc"] = 200 else: result = xForceClient.checkMalwareFileHash(observable) # could be an invalid type returned if result != None: actionResult["xforceResults"] = result actionResult["result"] = True actionResult["rc"] = 200 except Exception as e: line_number = sys.exc_info()[-1].tb_lineno print( f"(xForce Action) Exception has been raised on Line : {line_number}\nWith the following message: {e}" ) self.resultMessage(actionResult, False, 400, f"an Error has occured\n{e}") return actionResult
def check(self): if not self.humioOverrideSettings: if "ca" in humioSettings: h = humio.humioClass(humioSettings["host"], humioSettings["port"], humioSettings["apiToken"], humioSettings["secure"], humioSettings["ca"], humioSettings["requestTimeout"]) else: h = humio.humioClass( humioSettings["host"], humioSettings["port"], humioSettings["apiToken"], humioSettings["secure"], requestTimeout=humioSettings["requestTimeout"]) else: humioTimeout = 30 if self.humioTimeout > 0: humioTimeout = self.humioTimeout if not hasattr(self, "plain_humioAPIToken"): self.plain_humioAPIToken = auth.getPasswordFromENC( self.humioAPIToken) if "ca" in humioSettings: h = humio.humioClass(self.humioHost, self.humioPort, self.plain_humioAPIToken, True, humioSettings["ca"], humioTimeout) else: h = humio.humioClass(self.humioHost, self.humioPort, self.plain_humioAPIToken, True, requestTimeout=humioTimeout) if "000000000001010000000000" in self._id: self.humioJob = "" if not self.humioJob or not self.searchLive: logging.debug( "Humio No Existing Job Found, class={0}".format( self.parse(True)), 10) kwargs = {} # Skipping any undefined search values if self.searchQuery: kwargs["searchQuery"] = self.searchQuery if self.searchStart: kwargs["searchStart"] = self.searchStart if self.searchLive: kwargs["searchLive"] = self.searchLive if self.searchEnd: kwargs["searchEnd"] = self.searchEnd createJobResult = h.createJob(self.searchRepository, **kwargs) if createJobResult[0] == 200: self.humioJob = createJobResult[1] self.update(["humioJob"]) logging.debug( "Humio Job Created, jobID={0}, class={1}".format( self.humioJob, self.parse(True)), 8) time.sleep(self.jobStartWaitTime) else: raise humio.jobCreateException(self._id, self.name, self.searchQuery) if self.humioJob: logging.debug( "Humio polling..., class={0}".format(self.parse(True)), 15) wait = False if not self.searchLive: wait = True pollResult = h.pollJob(self.searchRepository, self.humioJob, wait) if pollResult[0] == 200 and "events" in pollResult[1]: if self.onlyNew: events = [] if len(pollResult[1]["events"]) > 0: for event in pollResult[1]["events"]: if int(event["@timestamp"] ) > self.lastEventTimestamp: events.append(event) self.lastEventTimestamp = int( pollResult[1]["events"][-1]["@timestamp"]) / 1000 self.update(["lastEventTimestamp"]) self.result["events"] = events else: self.result["events"] = pollResult[1]["events"] self.result["plugin"]["humio"] = { "searchQuery": self.searchQuery, "searchRepository": str(self.searchRepository) } else: self.humioJob = "" self.update(["humioJob"]) raise humio.jobPollException(self._id, self.name, self.humioJob)
def run(self, data, persistentData, actionResult): apiKey = helpers.evalString(self.apiKey, {"data": data}) if self.apiPass.startswith("ENC"): apiPass = auth.getPasswordFromENC(self.apiPass) #Use previous class obj in flow if self.usePersistentData == True: if "xForce" in persistentData: if "client" in persistentData["xForce"]: xForceClient = persistentData["xForce"]["client"] creditsRemaining = xForceClient.checkApiUsage() freeCreditsRemaining = creditsRemaining[0][ "quotaRemaining"] if self.useThreshold == True: if self.threshold != None: if self.threshold > int(freeCreditsRemaining): actionResult["data"][ "xforceCredits"] = freeCreditsRemaining actionResult["data"][ "xforceAPIUsage"] = creditsRemaining self.resultMessage( actionResult, False, 308, "User specified threshold hit - exiting") return actionResult else: self.resultMessage( actionResult, False, 308, "Threshold enabled but max number not supplied - exiting" ) return actionResult actionResult["data"][ "xforceCredits"] = freeCreditsRemaining actionResult["data"]["xforceAPIUsage"] = creditsRemaining actionResult["result"] = True actionResult["rc"] = 200 #Could not find config else: self.resultMessage(actionResult, False, 400, "Could not find condig") # Using User supplied conf else: try: if self.apiPass == "" or apiKey == "": self.resultMessage(actionResult, False, 400, "Please supply credentials") else: data_string = f"{apiKey}:{apiPass}" data_bytes = data_string.encode("ascii") token = base64.b64encode(data_bytes).decode("ascii") appjson = "application/json" xForceClient = xForce._IBMxForce(token, appjson) creditsRemaining = xForceClient.checkApiUsage() if int(threshold) < int(creditsRemaining): actionResult["data"][ "xforceCredits"] = creditsRemaining self.resultMessage( actionResult, False, 308, "User specified threshold hit - exiting") return actionResult actionResult["data"]["xforceCredits"] = creditsRemaining actionResult["result"] = True actionResult["rc"] = 200 except Exception as e: line_number = sys.exc_info()[-1].tb_lineno print( f"(xForce Action) Exception has been raised on Line : {line_number}\nWith the following message: {e}" ) self.resultMessage(actionResult, False, 400, "Could not check API") return actionResult
def run(self, data, persistentData, actionResult): apiKey = helpers.evalString(self.apiKey, {"data": data}) #Helpers if self.apiPass.startswith("ENC"): apiPass = auth.getPasswordFromENC(self.apiPass) data_string = f"{apiKey}:{apiPass}" data_bytes = data_string.encode("ascii") token = base64.b64encode(data_bytes).decode("ascii") appjson = "application/json" proxies = {"http": "http://", "https": "http://"} certPath = "/" xForceClient = xForce._IBMxForce(token, appjson, proxy=proxies, ca=certPath) # xForceClient = xForce._IBMxForce(token,appjson) # scanResults = gvmscan._gvmscan().query(query={ "gvmTarget" : scanName })["results"] xForceThreatIntel = ibmXforce._ibmXforceThreatIntel().query( query={"intelSource": "command_and_control_IPV4"})["results"] if not xForceThreatIntel: document = {"intelSource": "command_and_control_IPV4"} ibmXforce._ibmXforceThreatIntel()._dbCollection.insert_one( document) if xForceClient != None: persistentData["xForce"] = {} persistentData["xForce"]["client"] = xForceClient try: response = xForceClient.premiumFetchCNCData() # response = "IP_List" epochTime = time.time() queryDate = datetime.datetime.now() if "IP_List" in response: ipList = response["IP_List"] indicatorCount = response["indicatorCount"] if "data" in xForceThreatIntel[0]: currentIndicators = set(xForceThreatIntel[0]["data"]) newIndicators = set(ipList) difference = newIndicators.difference(currentIndicators) combinedIndicators = currentIndicators.union(newIndicators) ibmXforce._ibmXforceThreatIntel().api_update( query={"intelSource": "command_and_control_IPV4"}, update={ "$set": { "data": list(combinedIndicators), "queryDateHumanReadible": f"{queryDate}", "queryDate": f"{epochTime}" } }) actionResult["xforceResults"] = list(combinedIndicators) actionResult["xforceCNCnewIOCs"] = len(difference) actionResult["result"] = True actionResult["rc"] = 200 #IPV4 Intel Is Null - populate else: ibmXforce._ibmXforceThreatIntel().api_update( query={"intelSource": "command_and_control_IPV4"}, update={ "$set": { "data": ipList, "queryDateHumanReadible": f"{queryDate}", "queryDate": f"{epochTime}" } }) actionResult["xforceResults"] = ipList actionResult["result"] = True actionResult["rc"] = 200 except Exception as e: line_number = sys.exc_info()[-1].tb_lineno print( f"(xForce Action) Exception has been raised on Line : {line_number}\nWith the following message: {e}" ) self.resultMessage(actionResult, False, 400, f"an Error has occured\n{e}") return actionResult
def run(self, data, persistentData, actionResult): observableType = helpers.evalString(self.observabletype, {"data": data}) observable = helpers.evalString(self.observable, {"data": data}) resultType = helpers.evalString(self.resultType, {"data": data}) apiKey = helpers.evalString(self.apiKey, {"data": data}) #Helpers paramMap = { "current results only": "report", "current + previous results": "history" } if resultType != None: param = paramMap[resultType] # if observableType or observable or resultType == None: # actionResult["result"] = False # actionResult["rc"] = 400 # actionResult["message"] = "Parameters cannot be null" if self.apiPass.startswith("ENC"): apiPass = auth.getPasswordFromENC(self.apiPass) data_string = f"{apiKey}:{apiPass}" data_bytes = data_string.encode("ascii") token = base64.b64encode(data_bytes).decode("ascii") xForceResults = ibmXforce._ibmXforce().query( query={"observable": observable})[ "results"] #, "queryType": observableType })["results"] # if observable != "": # if not xForceResults: # ibmXforce._ibmXforce().new(f"{observable}") #Not working ???? appjson = "application/json" proxies = {"http": "http://", "https": "http://"} certPath = "//" xForceClient = xForce._IBMxForce(token, appjson, proxy=proxies, ca=certPath) # xForceClient = xForce._IBMxForce(token,appjson) if xForceClient != None: persistentData["xForce"] = {} persistentData["xForce"]["client"] = xForceClient if observableType == "IPV4 Address" or observableType == "IPV6 Address": if self.isValidIp(observable): result = xForceClient.checkReuptationHistoryIP( param, observable) actionResult["xforceResults"] = result actionResult["result"] = True actionResult["rc"] = 200 else: self.resultMessage(actionResult, False, 400, "not valid IP") elif observableType == "Domain": if self.isValidDomain( observable): #if self.isValidDomain(observable): result = xForceClient.checkReuptationHistoryURL( param, observable) actionResult["xforceResults"] = result actionResult["result"] = True actionResult["rc"] = 200 else: self.resultMessage(actionResult, False, 400, "not valid domain") elif observableType == "Hash": result = xForceClient.checkMalwareFileHash(observable) if result != None: actionResult["xforceResults"] = result actionResult["result"] = True actionResult["rc"] = 200 else: self.resultMessage(actionResult, False, 400, "an Error has occured") return actionResult
def run(self, data, persistentData, actionResult): searchQuery = helpers.evalString(self.searchQuery, {"data": data}) searchRepository = helpers.evalString(self.searchRepository, {"data": data}) searchStart = helpers.evalString(self.searchStart, {"data": data}) searchEnd = helpers.evalString(self.searchEnd, {"data": data}) if not self.humioOverrideSettings: if "ca" in humioSettings: h = humio.humioClass(humioSettings["host"], humioSettings["port"], humioSettings["apiToken"], humioSettings["secure"], humioSettings["ca"], humioSettings["requestTimeout"]) else: h = humio.humioClass( humioSettings["host"], humioSettings["port"], humioSettings["apiToken"], humioSettings["secure"], requestTimeout=humioSettings["requestTimeout"]) else: humioTimeout = 30 if self.humioTimeout > 0: humioTimeout = self.humioTimeout if not hasattr(self, "plain_humioAPIToken"): self.plain_humioAPIToken = auth.getPasswordFromENC( self.humioAPIToken) if "ca" in humioSettings: h = humio.humioClass(self.humioHost, self.humioPort, self.plain_humioAPIToken, True, humioSettings["ca"], humioTimeout) else: h = humio.humioClass(self.humioHost, self.humioPort, self.plain_humioAPIToken, True, requestTimeout=humioTimeout) if not self.searchLive: kwargs = {} # Skipping any undefined search values if searchQuery: kwargs["searchQuery"] = searchQuery if searchStart: kwargs["searchStart"] = searchStart kwargs["searchLive"] = self.searchLive if searchEnd: kwargs["searchEnd"] = searchEnd createJobResult = h.createJob(searchRepository, **kwargs) if createJobResult[0] == 200: humioJob = createJobResult[1] wait = True pollResult = h.pollJob(searchRepository, humioJob, wait) if pollResult[0] == 200 and "events" in pollResult[1]: actionResult["events"] = pollResult[1]["events"] actionResult["rc"] = 0 actionResult["result"] = True return actionResult else: if not self.humioJob: logging.debug( "Humio No Existing Job Found, class={0}".format( self.parse(True)), 10) kwargs = {} # Skipping any undefined search values if self.searchQuery: kwargs["searchQuery"] = self.searchQuery if self.searchStart: kwargs["searchStart"] = self.searchStart if self.searchLive: kwargs["searchLive"] = self.searchLive if self.searchEnd: kwargs["searchEnd"] = self.searchEnd createJobResult = h.createJob(self.searchRepository, **kwargs) if createJobResult[0] == 200: self.humioJob = createJobResult[1] self.update(["humioJob"]) logging.debug( "Humio Job Created, jobID={0}, class={1}".format( self.humioJob, self.parse(True)), 8) else: raise humio.jobCreateException(self._id, self.name, self.searchQuery) if self.humioJob: logging.debug( "Humio polling..., class={0}".format(self.parse(True)), 15) wait = False if not self.searchLive: wait = True pollResult = h.pollJob(self.searchRepository, self.humioJob, wait) if pollResult[0] == 200 and "events" in pollResult[1]: actionResult["events"] = pollResult[1]["events"] actionResult["humio"] = { "searchQuery": self.searchQuery, "searchRepository": str(self.searchRepository) } actionResult["rc"] = 0 actionResult["result"] = True else: self.humioJob = "" self.update(["humioJob"]) actionResult[ "msg"] = "Error: Unable to poll humio job. job='{0}'".format( self.humioJob) actionResult["rc"] = -1 actionResult["result"] = False